Microsoft Tech Community

AIP Scanner - Unable to authenticate and setup Microsoft Azure Information Protection


Hi All,

I'm getting stuck on the issue below while testing the AIP Scanner.

Error

Set-AIPAuthentication : 

As I worked through the steps below I ran into the following issue and cannot move forward.

 

https://github.com/MicrosoftDocs/Azure-RMSDocs/blob/master/Azure-RMSDocs/deploy-aip-scanner-configur...

or

https://alberthoitingh.com/2020/07/21/azure-information-protection-scanner-2/

 

I have done these steps:

  1. Install Windows Server 2019 and SQL Express on a VM workstation.
  2. Install the AIP client.
  3. Install the AIP scanner from PowerShell; it is running in services.msc:

         Install-AIPScanner -SqlServerInstance AIPSCANNER\SQLEXPRESS -Profile Cluster1

  4. Create an on-premises AD (GG.COM) and install AD Connect (Express Settings) to Azure AD (testing.onmicrosoft.com).
  5. Create an on-premises user (aipscanner) with the Administrator role, sync it to Azure AD (aipscanner@testing.onmicrosoft.com) and assign an E5 license.
  6. Log in as GG\aipscanner on the Windows Server 2019 machine.
  7. Get the App ID, App Secret and Tenant ID from the Azure Portal.
  8. I tried to get the token by running the command below, but it did not work.

 

$pscreds = Get-Credential "testingtenant101.onmicrosoft.com\aipscanner"

Set-AIPAuthentication `
    -AppId "bac7ce5e-7a0b-40da-bb89-888888888" `
    -AppSecret "6192e5b8-afb0-49bc-9a0e-888888888" `
    -TenantId "623c0945-6ee5-42a1-8894-888888888" `
    -DelegatedUser aipscanner@testing.onmicrosoft.com -OnBehalfOf $pscreds


 

I think something is wrong in the on-premises to Azure authentication (-DelegatedUser). Please kindly help me to move forward.

 

31 Replies
Hi,

please make sure that you have connectivity to the AIP service (i.e. Internet access). The error could be caused by that.

Try with the on-premises account for OnBehalfOf:

$pscreds = Get-Credential "<local domain>\aipscanner"

 

@zwethuko 

Ever get this working? Got the same issue. Thank you
I got the same in a heavily locked down environment. Process of elimination led me to

https://learn.microsoft.com/en-us/powershell/module/azureinformationprotection/Start-AIPScannerDiagn...

As mentioned previously by @Peter Forster this revealed a connection issue to a https://login.windows.net. We entered the URL into a browser and it was failing due to certificate mismatch via a proxy. Once the root certification authority that generated the certificate was resolved the process completed successfully.

Hi,

I'm currently stuck with the same error "Unable to authenticate and setup Microsoft Azure Information Protection".

I have a service account, synced with AAD, all permissions granted in server machine and so on.
I'm executing the command using the -OnBehalfOf.
When I run "Start-AIPScannerConfiguration" I get success for the connectivity checks to "*login.windows.net*", "*protection.outlook.com*" and "*aadrm.com", and the connection to the database also succeeds, but then the error message "TokenCache is missing for ..." is shown, which suggests running "Set-AIPAuthentication".

I also verified the requirements regarding Network connectivity (https://learn.microsoft.com/en-us/microsoft-365/compliance/deploy-scanner-prereqs?view=o365-worldwid...), but without success so far.

Any suggestions on how to resolve?

Thanks.

@andrevrodrigues @Victor_Lea 

 

were you able to resolve this issue? I've done the following and no luck:

  • Exclude svc_aipscanner account from MFA registration
  • Added E5 license to svc_aipscanner account for AIP licensing
  • Verified Tenant ID, App ID, Secret ID values and svc_aipscanner credentials
  • Verified access to key URLs from the endpoint to confirm communication with AAD service

Any information or guidance would be appreciated.

Were you able to resolve the issue? Any information that you can provide?
Hi,

Yes, try this:

Create the registry value below, restart the service and check whether the authentication is successful this time.

Add the following registry value and set it to 1 to switch to ADAL authentication, then restart the AIP service and run the authentication again.

Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP
Key: AuthenticateUsingAdal
Value (DWORD):
1 - ADAL
0 - MSAL
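Added example (not from the thread or from Microsoft) showing one way to apply the registry switch above from an elevated PowerShell session, confirm the stored value, restart the scanner service and retry authentication. The service name AIPScanner, the variable names and the angle-bracket placeholders are assumptions.

```powershell
# Added example: toggle the AIP scanner's authentication library (1 = ADAL, 0 = MSAL),
# restart the scanner service and retry Set-AIPAuthentication. Run elevated on the scanner node.
$regPath = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSIP'
$name    = 'AuthenticateUsingAdal'

# Create the key if it does not exist yet, then write the DWORD (1 = ADAL, as suggested above).
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read back what is actually stored before restarting anything.
$current = (Get-ItemProperty -Path $regPath -Name $name).$name
"AuthenticateUsingAdal is now $current (1 = ADAL, 0 = MSAL)"

# Restart the scanner service so the new setting is picked up.
# 'AIPScanner' is the assumed service name; check with Get-Service *AIP* if it differs.
Restart-Service -Name 'AIPScanner' -Force

# Retry authentication with the on-premises account (as suggested earlier in the thread).
# Replace the placeholders with the tenant's own app registration values.
$pscreds = Get-Credential "<local domain>\aipscanner"
Set-AIPAuthentication -AppId '<app id>' -AppSecret '<app secret>' -TenantId '<tenant id>' `
    -DelegatedUser 'aipscanner@<tenant>.onmicrosoft.com' -OnBehalfOf $pscreds

# Confirm the token cache is populated and the connectivity checks still pass.
Start-AIPScannerDiagnostics
```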

@andrevrodrigues 

 

I ran into this exact issue this week with another scanner and Microsoft provided me with that registry key which solved my issue.

Entered the registry key forcing ADAL authentication and it did not work immediately. Tried switching the registry entry to MSAL and it failed again. Switched back to ADAL and it failed. The script was run the next day and it worked fine. Not sure if that was your experience, but it did end up working. Thank you!
Thank you for confirmation, it also worked for me (eventually)!

Hi, how are you? @andrevrodrigues 

Were you able to resolve this? I have the same issue:

This is the error message I'm getting:

 

 

PS C:\Users\*****> Start-AIPScannerDiagnostics

Scanner information:

SQL server: *******.

Cluster: *******.

Scanner user: *******

 

Connectivity check for: https://login.windows.net/common completed successfully

Connectivity check for: https://dataservice.protection.outlook.com completed successfully

Connectivity check for: https://api.aadrm.com/ completed successfully

Invalid database schema or cannot access the scanner DB. To update the database schema, run Update-AIPScanner. Make sure all nodes run the same AIP client version.

SQL error: Message The database owner SID recorded in the master database differs from the database owner SID recorded in database ‘*******'. You should correct this situation by resetting the owner of database *********' using the ALTER AUTHORIZATION statement.

TokenCache is missing for ***\****. Scanner authentication failed or was reset. Run Set-AIPAuthentication (using OnBehalfOf Parameter if needed) to acquire the authentication token. Learn more at: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipauthentication?...

Hi,

Have you tried the steps above?
It worked well for me and apparently, it also worked for Victor_Lea and for JXG2300.


For some reason, it did not work immediately for me. It did work however the day after when we tried it again. Just something strange to keep in mind - based on my experience.
Thank you for your response. I have tried all the possible steps, but no luck.
Our network is very restrictive. Based on the DLP scanner documentation, I have allowed my server to reach out to these URLs.

Source: AIP Scanner server
Destination: the URLs/wildcards below
*.aadrm.com
*.azurerms.com
*.informationprotection.azure.com
informationprotection.hosting.portal.azure.net
*.aria.microsoft.com
*.protection.outlook.com

Am I missing anything?
I am having the same issue. When I run Set-Aipauthentication without parameters, it brings up a connection to Azure Information Protection and asks for credentials. When I run the full command, it does not. This is the problem. How I get around that is another question. I will post when I find an answer.

@mykhan In my case, I recreated the secret in the app registration and it worked. I don't know if there was a copy/paste error in the original, but it is working now. If you haven't already, please check your settings using this guide: https://learn.microsoft.com/en-gb/azure/information-protection/rms-client/clientv2-admin-guide-power....

The registry entry worked for me, again... except not immediately, again. After adding the registry entry, we re-ran the Set-AIPAuthentication command and it did not work immediately after, we came back to it the next day and it worked.

@JXG2300 the only thing I can think of that would cause this would be the server being rebooted or patched afterwards. I rebooted my server and it was still doing it.