Error whilst configuring MIP/AIP with proxy settings on Windows

Article ID: 278568


Products

Data Loss Prevention Core Package

Issue/Introduction

  • You are attempting to connect to Azure from your Enforce server and on-premises detection servers as per the Symantec documentation.
  • You have consulted the proxy settings documentation, but see no guidance for Windows platforms.
  • When you attempt to add the MIP profiles on the Enforce server under System | Settings | MIP Credential Profiles, you receive an error and see this message in the logs:

    Level: SEVERE
    Source: com.microsoft.aad.msal4j.ConfidentialClientApplication
    Message: [Correlation ID: d5419124-1e04-48d1-83d4-4a459f0fdef4] Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed.
    Cause:
    com.microsoft.aad.msal4j.MsalClientException: java.net.SocketTimeoutException: connect timed out
    com.microsoft.aad.msal4j.MsalClientException: java.net.SocketTimeoutException: connect timed out

Environment

15.8, 16.x

Cause

The proxy's certificate was issued by a customer root CA that was not present in the Java cacerts keystore on the Enforce server.

Resolution

Identify the certificate in use:

  1. Navigate to https://api.aadrm.com in a browser on the Enforce or detection server.
  2. The site will show a forbidden error, but you can click the padlock icon in the URL bar to inspect the certificate, then click Details to check the issuer.
  3. Once you have identified the correct certificate or root CA certificate that the proxy has used, export it from your Enforce server using the Windows Certificates Management Console snap-in (command: mmc).

Import the Certificate Into the cacerts keystore

Perform the steps below on the Enforce and detection servers. Note that the file paths are default installation locations and version-specific, so they may be different in your environment.

  1. Take a backup copy of the cacerts file, default location: C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\lib\security
  2. Navigate to the Java bin directory, default location:

    cd C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin

  3. Run the command below, substituting your values for the underlined ones:

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore ..\lib\security\cacerts
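
The backup, import and verification steps above as one PowerShell script. This is an added example, not Broadcom's own tooling; the JRE path is the article's default location, and the certificate path and alias are placeholders to replace with your own.

```powershell
# Added example. Paths are the article's defaults; $CertFile and $Alias are placeholders.
# Run from an elevated PowerShell prompt on each Enforce and detection server.
$ErrorActionPreference = 'Stop'

$JreHome  = 'C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre'  # version-specific, adjust
$Keytool  = Join-Path $JreHome 'bin\keytool.exe'
$Cacerts  = Join-Path $JreHome 'lib\security\cacerts'
$CertFile = 'C:\Temp\mydomain.crt'   # placeholder: certificate exported via mmc
$Alias    = 'mydomain'               # placeholder alias

foreach ($p in $Keytool, $Cacerts, $CertFile) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}

# Show what is about to be trusted, so it can be compared with the issuer
# seen in the browser before it goes into the trust store.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $fingerprint"
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired; export the current one.' }

# Step 1: timestamped backup of the keystore before changing it.
$Backup = "$Cacerts.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $Cacerts -Destination $Backup
"Backup  : $Backup"

# Steps 2-3: import. keytool prompts for the keystore password and asks for
# confirmation; answer yes only if the fingerprint above is the one you expect.
& $Keytool -import -trustcacerts -alias $Alias -file $CertFile -keystore $Cacerts
if ($LASTEXITCODE -ne 0) {
    Copy-Item -LiteralPath $Backup -Destination $Cacerts -Force
    throw "keytool import failed (exit $LASTEXITCODE); keystore restored from backup."
}

# Confirm the entry is present; keytool prompts for the password again.
& $Keytool -list -alias $Alias -keystore $Cacerts
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found after import." }
```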