Handeling errors – Information Protection Scanner

Posted by

This week I was working with a client on installing and configuring the Information Protection scanner. The main goal was to run this scanner in “discovery mode” as to detect any sensitive information on the file-share environment.

We ran into some difficulties, but with the help of people in the Microsoft product group, these were solved in the end. It did allow me to get to know some (perhaps lesser known) error-messages. Before I describe these, here’s some additional information.

First of all, the Information Protection client used by the scanner creates a lot of logfiles. These are stored in the c:\users\<scanner-account\AppData\Local\Microsoft\MSIP folder. There are logfiles related to the scanner, the client, PowerShell usage and more. To get the logfiles, you can also run a diagnostic check by using PowerShell: Start-AIPScannerDiagnostics. This will give you a direct overview of the correctness of the settings and will export all the logs in a zipfile.

Ok, now back to the errors. Here’s three which you might encounter sometimes and which can be solved. First, you might see a message in the detailed report that takes up a lot of space. Somewhere in this error-message is a mention like:

Failed,”””Client application failed to provide authentication token for HTTP request.

If you look closely, you will notice that the tenant-id which is part of this message is not the same as your tenant-id. The conclusion is simple: this is a document from another tenant and therefor protected by a different RMS tenant.

The second message reads like this:

Failed,Repository configuration is incorrect.

As this message indicates, this is because of a setting in the repository. And it is this setting: Label files on content. This setting needs to be set to “On” in order for the scanner to access the content in the file and to match for sensitive information types. I was a bit confused by this, because I thought this meant ” labeling the files” – but I wanted a simple discovery. So, even though it’s only for discovery – set this setting to “On” and leave all other labeling settings to “Off” .

This last one is a bit embarrassing to admit. As part of my research, I also upgraded the scanner (client). I had my PowerShell window open during this upgrade (installing the client). After the upgrade, I ran the “Upgrade-AIPScanner” cmdlet and this worked as-planned.

Or did it? In the portal I got the message:

Error: DB Schema is not up to date

Which was weird. The scanner was running, and I could start a scan. But this didn’t do anything. In the end, it was due to the fact that the PowerShell cmdlet was still open. So if you want to upgrade the scanner, make sure to run the cmdlet in a new PowerShell window. Just open this after running the client-installer. After this, the database was ok and the scans worked perfectly.

That’s it. Some of my experiences and how to solve these errors. Thanks to the people at Microsoft I was able to sort these out. And I hope they may be of use to you too.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s