
Azure Information Protection (AIP) Plugin Revocation Function Unable to Check Certificate Status


Article ID: 202180

Products

Data Loss Prevention

Issue/Introduction

The customer has configured the AIP plugin on a detection server. The plugin is configured to communicate with Microsoft Azure through a proxy server, and the appropriate firewall/proxy rules and/or bypass have been configured.

The Azure Information Protection (AIP) plugin (aka Microsoft Information Protection Plugin) fails to fetch an access token. The Content Extraction Service log (ContextExtractionHost_fileReader.log) contains the following error message:

<date> <time> | INFO  | cehost | MicrosoftInformationProtectionPlugin [7364] | [8232] | failed to fetch access token. curl_easy_perform() error(35): schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.(attempts: 4) | AuthDelegateImpl.cpp (175)
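As an added diagnostic that is not part of the article: a small Python parser for the log format quoted above. It pulls out the lines carrying the schannel status 0x80092012 and tallies the retry counts per plugin, so the symptom can be confirmed across a large log rather than by eye. The timestamps, retry counts and the two non-matching lines in the sample are constructed; the error text is the article's message.

```python
import re
from collections import namedtuple
from typing import Dict, Iterable, List

# Field layout of ContextExtractionHost_fileReader.log as quoted in the article:
# <date> <time> | LEVEL | host | Plugin [pid] | [tid] | message | source (line)
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \| (?P<level>\w+)\s*\| (?P<host>\S+) \| "
    r"(?P<plugin>[^\[|]+?)\s*\[(?P<pid>\d+)\] \| \[(?P<tid>\d+)\] \| "
    r"(?P<msg>.*?) \| (?P<src>\S+) \((?P<srcline>\d+)\)$"
)
REVOCATION_CODE = "0x80092012"  # schannel: revocation function unable to check revocation
ATTEMPTS_RE = re.compile(r"\(attempts: (\d+)\)")
RevocationFailure = namedtuple("RevocationFailure", "date time plugin pid attempts")

ERROR_TEXT = ("failed to fetch access token. curl_easy_perform() error(35): schannel: next "
              "InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation "
              "function was unable to check revocation for the certificate.")
# Constructed sample log: timestamps, retry counts and the last two lines are made up;
# the error text itself is the article's message.
SAMPLE_LOG = [
    "2021-03-04 10:15:22 | INFO  | cehost | MicrosoftInformationProtectionPlugin [7364] | [8232] | "
    f"{ERROR_TEXT}(attempts: 3) | AuthDelegateImpl.cpp (175)",
    "2021-03-04 10:15:30 | INFO  | cehost | MicrosoftInformationProtectionPlugin [7364] | [8232] | "
    f"{ERROR_TEXT}(attempts: 4) | AuthDelegateImpl.cpp (175)",
    "2021-03-04 10:16:01 | INFO  | cehost | SomeOtherPlugin [7364] | [8240] | started | Host.cpp (42)",
    "truncated line with no field separators",
]

def parse_failures(lines: Iterable[str]) -> List[RevocationFailure]:
    """One record per log line that reports the schannel revocation-check error."""
    found = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or REVOCATION_CODE not in m.group("msg"):
            continue  # malformed line, or a different message
        a = ATTEMPTS_RE.search(m.group("msg"))
        found.append(RevocationFailure(m.group("date"), m.group("time"), m.group("plugin").strip(),
                                       int(m.group("pid")), int(a.group(1)) if a else 0))
    return found

def summarize(failures: List[RevocationFailure]) -> Dict[str, Dict[str, int]]:
    """Per plugin: number of error lines and the highest retry count seen."""
    out: Dict[str, Dict[str, int]] = {}
    for f in failures:
        s = out.setdefault(f.plugin, {"lines": 0, "max_attempts": 0})
        s["lines"] += 1
        s["max_attempts"] = max(s["max_attempts"], f.attempts)
    return out
```

Run it over the real log with `parse_failures(open(path))`; a steadily climbing attempts count for the MicrosoftInformationProtectionPlugin is the signature described in this article.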

Cause

Inspecting traffic from the detection server reveals that a transparent proxy is adding its certificate to the trust chain, but this certificate is not issued by a well-known certificate authority (CA).

Hypertext Transfer Protocol
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 6680
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 6676
            Certificates Length: 6673
            Certificates (6673 bytes)
                Certificate Length: 1272
                Certificate: 308204f4308203d… (id-at-commonName=stamp2.login.microsoftonline.com,id-at-org...)
                Certificate Length: 1949
                Certificate: 308207993082058… (id-at-commonName=myProxy,dc=myDomain,dc=com)
                Certificate Length: 1864
                Certificate: 308207443082052… (id-at-commonName=myIntermediateCA1,dc=myDomain,dc=com)
                Certificate Length: 1576
                Certificate: 308206243082040… (id-at-commonName=myRootCA1,dc=myDomain,dc=com)

Resolution

Obtain a copy of the Root CA certificate (the self-signed root at the end of the chain, myRootCA1 in the capture above, not the proxy's own certificate) and use keytool to import it into the cacerts file.

keytool -import -alias myRootCA -file path/to/MyRootCA.cer -keystore path/to/cacerts -storepass changeit

Additional Information

The location of the cacerts file varies with the version of ServerJRE installed on the detection server:

[Windows]
C:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\lib\security\cacerts

[Linux]
/opt/Symantec/DataLossPrevention/ServerJRE/<version>/lib/security/cacerts

Consider adding the Java bin directory to the PATH variable to simplify the command line parameters:

[Windows]
set JAVA_HOME=C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181
set PATH=%PATH%;%JAVA_HOME%\bin

[Linux]
export JAVA_HOME=/opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181
export PATH=$PATH:$JAVA_HOME/bin