cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Setting AIP Authentication Token For A Service Account (Classic Client)

alexduffellprotirus
Copper Contributor

‎Nov 07 2019 07:46 AM - last edited on ‎May 24 2021 02:08 PM by

‎Nov 07 2019 07:46 AM - last edited on ‎May 24 2021 02:08 PM by

Setting AIP Authentication Token For A Service Account (Classic Client)

We are using the AIP Classic Client to apply classification to documents.

 

We have an internal solution for gathering files to apply classification to and would like to automate the classification of these files.

A dev has created a PowerShell script that takes in a list of files and uses the Set-AIPFileLabel cmdlet to classify all the files passed to the script. We want to move this system into production however have encountered a roadblock.

 

In our production system, the service account we want to use does not have log on locally permissions. It is a service account and has log on as batch rights. We just want to run the script on a windows task once every arbitrary amount of time.

Before you can use the Set-AIPFileLabel cmdlet, you must first set the aip token with the Set-AIPAuthentication cmdlet.

 

This cmdlet is interactive, when an account can log into the machine, it can run this cmdlet with ease (obviously supplying the $WebAppId, $WebAppKey, $NativeAppId values).

Obviously this interaction is interactive, I went digging the Microsoft docs and found the following pages (about the scanner, but hoping the principles transfer):

Deploy the scanner with alternative configurations.

Restriction: The service account for the scanner cannot be granted the Log on locally right

Specify and use the Token parameter for Set-AIPAuthentication

These instructions boil down to:

  • Create a script that runs Set-AIPAuthentication
  • Run the script to generate a token
  • Copy that token back into the script (script would look like this):
    $AIPToken = ""
    $WebAppId = ""
    $WebAppKey = ""
    $NativeAppId = ""

    Set-AIPAuthentication -WebAppId $WebAppId -WebAppKey $WebAppKey -NativeAppId $NativeAppId -Token $AIPToken
  • Copy that script to the server you want to set auth for
  • Create a windows task to call the script, make the service account run the script
  • Run the script, check the service account has a token

When i run the script, no script is created but a log file is generated. Inside is the following error:

One of two conditions was encountered: 1. The PromptBehavior.Never flag was passed, but the constraint could not be honored, because user interaction was required. 2. An error occurred during a silent web authentication that prevented the http authentication flow from completing in a short enough time frame

 

I have passed the token and followed the microsoft documentation however it fails to set the token by what looks to me like an error in logic in the application.

 

The AIP Unified Labelling Client can set auth tokens on behalf of users, this issue affects only the classic client.

 

Repost from Server Fault.

1,755 Views
0 Likes
1 Reply
Reply
1 Reply
rdankhara123

‎Jul 26 2023 05:05 AM

‎Jul 26 2023 05:05 AM

Re: Setting AIP Authentication Token For A Service Account (Classic Client)

have you ever got this working? If yes. can you please share details or the sample script you are using.
0 Likes
Reply