Troubleshooting your unified labeling on-premises scanner deployment

Applies to: Azure Information Protection, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2

Relevant for: AIP unified labeling client only.

Use the content in this article to help you troubleshoot your on-premises scanner deployment.

Troubleshooting using the scanner diagnostic tool

If you're having issues with the Azure Information Protection scanner, verify whether your deployment is healthy using the Start-AIPScannerDiagnostics PowerShell command:

Start-AIPScannerDiagnostics

The diagnostics tool checks the following details and then exports a log file with the results:

  • Whether the database is up to date
  • Whether network URLs are accessible
  • Whether there's a valid authentication token and the policy can be acquired
  • Whether the profile is defined in the Azure portal
  • Whether offline/online configuration exists and can be acquired
  • Whether the rules configured are valid

Tip

If you are running the command under a user that is not the scanner user, be sure to add the -OnBehalf parameter.

Note

The Start-AIPScannerDiagnostics command does not run a full prerequisites check. If you're having issues with the scanner, also ensure that your system complies with the scanner requirements, and that your scanner configuration and installation are complete.

Troubleshooting a scan that timed out

If the scanner stops unexpectedly in the middle of a scan and doesn't finish scanning a large number of files in a repository, you may need to modify one of the following settings:

  • Number of dynamic ports. You may need to increase the number of dynamic ports for the operating system hosting the files. Server hardening for SharePoint can be one reason why the scanner exceeds the number of allowed network connections, and therefore stops.

    For more information about how to view the current port range and increase the range, see Settings that can be Modified to Improve Network Performance.

  • List view threshold. For large SharePoint farms, you may need to increase the list view threshold. By default, the list view threshold is set to 5,000.

    For more information, see Manage large lists and libraries in SharePoint.

Scanner error reference

Use the following sections to understand specific error messages generated by the scanner, and the troubleshooting or solution actions that fix each issue:

Error type              Troubleshooting
Authentication errors   - Authentication token not accepted
                        - Authentication token missing
Policy errors           - Policy missing
                        - Policy doesn't include any automatic labeling condition
DB / Schema errors      - Database errors
                        - Mismatched or outdated schema
Other errors            - Underlying connection was closed
                        - Stuck scanner processes
                        - Unable to connect to remote server
                        - Error occurred while sending the request
                        - Missing content scan job or profile
                        - No repositories configured
                        - No cluster found

Authentication token not accepted

Error message

Microsoft.InformationProtection.Exceptions.AccessDeniedException: The service didn't accept the auth token.

Solution

If the Set-AIPAuthentication command failed, make sure that the permissions are defined correctly in the Azure portal.

For more information, see Create and configure Azure AD applications for Set-AIPAuthentication.

Authentication token missing

Error message

One of the following:

  • NoAuthTokenException: Client application failed to provide authentication token for HTTP request

  • Microsoft.InformationProtection.Exceptions.NoAuthTokenException: Client application failed to provide authentication token for HTTP request. Failed with: System.AggregateException: One or more errors occurred. ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: user_interaction_required: One of two conditions was encountered: 1. The PromptBehavior.Never flag was passed, but the constraint could not be honored, because user interaction was required. 2. An error occurred during a silent web authentication that prevented the http authentication flow from completing in a short enough time frame

  • Failed to acquire a token using windows integrated authentication (No SSO)

  • In the Azure portal, on the Nodes page: Policy does not include any automatic labeling condition

Solution

In order to have the scanner run non-interactively, you must authenticate using a token.

When you run the Set-AIPAuthentication command, make sure you use the token parameter on behalf of the scanner user.

For example:

$pscreds = Get-Credential CONTOSO\scanner
Set-AIPAuthentication -AppId "77c3c1c3-abf9-404e-8b2b-4652836c8c66" -AppSecret "OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4" -DelegatedUser scanner@contoso.com -TenantId "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a" -OnBehalfOf $pscreds
Acquired application access token on behalf of CONTOSO\scanner.

For more information, see Get an Azure AD token for the scanner.
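The sample above passes the app secret as a literal on the command line, which leaves it in the PowerShell history and in any script that is copied around. The following added example (not part of the original article) runs the same Set-AIPAuthentication call on behalf of the scanner account while prompting for the secret instead; the AppId and TenantId values are placeholders for your own application and tenant, and CONTOSO\scanner and scanner@contoso.com are the page's sample names.

```powershell
# Added example: acquire the scanner's token non-interactively without putting the
# app secret in the command line or console history.
# Placeholders: replace <your-app-id> and <your-tenant-id> with your own values.
$appId         = '<your-app-id>'        # Azure AD application (client) ID
$tenantId      = '<your-tenant-id>'     # Azure AD tenant ID
$delegatedUser = 'scanner@contoso.com'  # the scanner's delegated user (page sample)

# Read the secret as a SecureString so it is never typed as a visible argument.
$secureSecret = Read-Host -Prompt 'App secret' -AsSecureString

# Credentials of the scanner service account. Running -OnBehalfOf this account
# stores the token under that account's profile, which is what the scanner service uses.
$scannerCreds = Get-Credential -UserName 'CONTOSO\scanner' -Message 'Scanner service account'

# Set-AIPAuthentication takes -AppSecret as a plain string, so convert only at the call site.
$plainSecret = [System.Net.NetworkCredential]::new('', $secureSecret).Password
try {
    Set-AIPAuthentication -AppId $appId -AppSecret $plainSecret `
        -DelegatedUser $delegatedUser -TenantId $tenantId `
        -OnBehalfOf $scannerCreds -ErrorAction Stop
    Write-Output 'Set-AIPAuthentication completed; expect "Acquired application access token on behalf of CONTOSO\scanner."'
}
finally {
    # Drop the plaintext copy as soon as the cmdlet has returned.
    Remove-Variable -Name plainSecret -ErrorAction SilentlyContinue
}
```

Run this from an elevated PowerShell session on the scanner machine as an administrator who is not the scanner account; if the token is still reported missing afterwards, recheck the application permissions as described under "Authentication token not accepted".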

Policy missing

Error message

Policy is missing

Description

The scanner is unable to find your Microsoft Information Protection (MIP) policy file.

Solution

To verify that your policy file exists as expected, check the following location: %localappdata%\Microsoft\MSIP\mip\MSIP.Scanner.exe\mip\mip.policies.sqlite3

For more information about MIP labels and label policies, see Create and configure sensitivity labels and their policies in the Microsoft 365 documentation.

Policy doesn't include any automatic labeling condition

Error

Errors show that your labeling policy is missing automatic labeling conditions.

Solution

Verify any or all of the following:

Solution                               Details
Check your content scan job settings   In the Azure portal, do the following:
                                       - Set the Info types to be discovered to All
                                       - Define a default label to be applied when scanning
Check your labeling policy settings    In your labeling admin center, such as the Microsoft 365 Security & Compliance Center, do the following:
                                       - Define a default sensitivity label
                                       - Define automatic / recommended labeling rules
Verify that your policy is accessible  If your settings are defined as expected, the policy file itself may be missing or inaccessible, such as when there's a timeout from the Microsoft 365 Security & Compliance Center.
                                       To verify your policy file, check that the following file exists: %localappdata%\Microsoft\MSIP\mip\MSIP.Scanner.exe\mip\mip.policies.sqlite3

For more information, see What is the Azure Information Protection unified labeling scanner? and Learn about sensitivity labels.

Database errors

Error message

DB error

Description

The scanner may not be able to connect to the database.

Solution

Check the network connectivity between the scanner computer and the database.

Additionally, make sure that the service account used to run the scanner processes has all the permissions required to access the database.

Mismatched or outdated schema

Error message

One of the following:

  • SchemaMismatchException

  • In the Azure portal, on the Nodes page: DB schema is not up to date. Run Update-AIPScanner command to update the DB schema, or Error: DB schema is not up to date

Solution

Run the Update-AIPScanner command to resynchronize your schema and ensure that it's up to date with any recent changes.

Underlying connection was closed

Error message

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.

Solution

This error usually means that TLS 1.2 is not enabled.

For more information, see:

Stuck scanner processes

Error message

Scanner is processing a single file longer than expected. The process might be stuck.

Solution

Check the detailed report to see whether the file is still growing.

If the file continues to grow, the scanner is still processing data, and you must wait until it's done.

However, if the file is no longer growing, do the following:

  1. Do one or both of the following:

    • Run the Start-AIPScannerDiagnostics cmdlet to run diagnostic checks on your scanner, and export and zip log files for any errors that are found.
    • Run the Export-AIPLogs cmdlet to export and zip log files from the %localappdata%\Microsoft\MSIP\Logs directory.

  2. Create a dump file for the MSIP Scanner service. In the Windows Task Manager, right-click the MSIP Scanner service, and select Create dump file.

  3. In the Azure portal, stop the scan.

  4. On the scanner machine, restart the service.

  5. Open a support ticket and attach the dump files from the scanner process.
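The procedure above mixes a judgement call (is the report still growing?) with cmdlets and two portal or Task Manager steps. The following added example (not from the original article) scripts the parts that can be scripted: it samples a file's size twice to decide whether it is still growing, collects diagnostics and logs with the two cmdlets the article names, pauses for the manual dump and portal steps, and then restarts the service. The report directory under %localappdata%\Microsoft\MSIP\Scanner\Reports and the service name AIPScanner are assumptions; check both against your own machine before relying on them.

```powershell
# Added example: triage a scanner that seems stuck on one file.
# Assumptions: report directory and service name below are not from the article.

function Test-FileGrowing {
    # Returns $true if the file's size increased over the sampling window.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Seconds = 30
    )
    $before = (Get-Item -LiteralPath $Path).Length
    Start-Sleep -Seconds $Seconds
    $after = (Get-Item -LiteralPath $Path).Length
    return $after -gt $before
}

# Most recently written detailed report (directory is an assumption).
$reportDir = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports'
$report = Get-ChildItem -Path $reportDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

if ($report -and (Test-FileGrowing -Path $report.FullName)) {
    Write-Output "Report $($report.Name) is still growing: the scanner is working, wait for it to finish."
    return
}

# Step 1: collect diagnostics and logs. Add -OnBehalf <PSCredential> to the diagnostics
# cmdlet if you are not logged on as the scanner account, as the article notes.
Start-AIPScannerDiagnostics
Export-AIPLogs   # zips %localappdata%\Microsoft\MSIP\Logs

# Step 2 is manual: take the dump in Task Manager while the process is still in its
# stuck state, before anything is stopped or restarted.
Read-Host 'In Task Manager, right-click the MSIP Scanner service and select Create dump file, then press Enter'

# Step 3 is manual too: stop the scan in the Azure portal before restarting the service.
Read-Host 'Stop the scan in the Azure portal, then press Enter to restart the service'

# Step 4: restart the scanner service (service name is an assumption).
Restart-Service -Name 'AIPScanner' -ErrorAction Stop
Write-Output 'Service restarted. Attach the exported logs and the dump file to the support ticket (step 5).'
```

Taking the dump before the restart matters: once the service is restarted, the state that caused the hang is gone, and the support ticket has nothing to analyse.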

For more information, see Troubleshooting a scan that timed out.

Unable to connect to remote server

Error

In the %localappdata%\Microsoft\MSIP\Logs\MSIPScanner.iplog file: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted IP:port

Note

This file will be zipped if there are multiple logs.

Description

The scanner has exceeded the number of allowed network connections.

Solution

Increase the number of dynamic ports for the operating system hosting the files.

For more information about how to view the current port range and increase the range, see Settings that can be Modified to Improve Network Performance.

See also: Troubleshooting a scan that timed out.
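Both this section and "Troubleshooting a scan that timed out" point at the dynamic port range without showing how to tell whether the range is actually being exhausted. The following added example (not from the original article) reads the current TCP dynamic port range with netsh, counts how many ports in that range are in use or lingering in TIME_WAIT, and warns when the range is close to full; the 80% threshold and the widened range shown in the comment are choices for illustration, not values from the article.

```powershell
# Added example: confirm dynamic port exhaustion before widening the range.

function Get-DynamicPortRange {
    # netsh prints "Start Port : 49152" and "Number of Ports : 16384"; parse both.
    $text  = netsh int ipv4 show dynamicport tcp | Out-String
    $start = [int][regex]::Match($text, 'Start Port\s*:\s*(\d+)').Groups[1].Value
    $count = [int][regex]::Match($text, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value
    [pscustomobject]@{ Start = $start; Count = $count; End = $start + $count - 1 }
}

$range = Get-DynamicPortRange

# Ports in the dynamic range that are in use or still in TIME_WAIT cannot be handed out
# again until they age out; that is what "Only one usage of each socket address" means.
$busy = @(Get-NetTCPConnection |
    Where-Object { $_.LocalPort -ge $range.Start -and $_.LocalPort -le $range.End })
$timeWait = @($busy | Where-Object State -eq 'TimeWait').Count

Write-Output ('Dynamic range {0}-{1} ({2} ports): {3} in use, {4} of them TIME_WAIT' -f
    $range.Start, $range.End, $range.Count, $busy.Count, $timeWait)

if ($busy.Count -gt 0.8 * $range.Count) {
    Write-Warning 'Dynamic port range is close to exhaustion.'
    # To widen it (run as administrator; example values, not a recommendation):
    #   netsh int ipv4 set dynamicport tcp start=10000 num=50000
}
```

A high TIME_WAIT count with a default 16,384-port range is the usual signature behind this error; if the range is nowhere near full, look at the connection-limit side (SharePoint server hardening) rather than the ports.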

Error occurred while sending the request

Error message

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Solution

This error usually means that TLS 1.2 is not enabled.

For more information, see:
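This section and "Underlying connection was closed" both come down to TLS 1.2 not being negotiated by the .NET Framework process the scanner runs in. The following added example (not from the original article) reports the registry settings that govern that: the SCHANNEL TLS 1.2 client key, and the .NET Framework 4.x SchUseStrongCrypto and SystemDefaultTlsVersions values for both 64-bit and 32-bit processes. The key paths and value names are the standard Windows and .NET ones; whether to change them is your decision, so the script only reads.

```powershell
# Added example: report whether TLS 1.2 is enabled for .NET Framework clients on this host.

function Get-Tls12Status {
    $results = @()

    # SCHANNEL: TLS 1.2 must not be disabled for clients. An absent key means OS default.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $p = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Setting  = 'SCHANNEL TLS 1.2 Client'
        Expected = 'Enabled=1 (or absent), DisabledByDefault=0 (or absent)'
        Actual   = if ($p) { "Enabled=$($p.Enabled), DisabledByDefault=$($p.DisabledByDefault)" } else { 'key absent (OS default)' }
        Ok       = (-not $p) -or (($p.Enabled -ne 0) -and ($p.DisabledByDefault -ne 1))
    }

    # .NET Framework 4.x: use OS default protocols and strong crypto, for 64-bit and 32-bit processes.
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $netKeys) {
        $n = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Setting  = $key
            Expected = 'SchUseStrongCrypto=1, SystemDefaultTlsVersions=1'
            Actual   = "SchUseStrongCrypto=$($n.SchUseStrongCrypto), SystemDefaultTlsVersions=$($n.SystemDefaultTlsVersions)"
            Ok       = ($n.SchUseStrongCrypto -eq 1) -and ($n.SystemDefaultTlsVersions -eq 1)
        }
    }
    $results
}

Get-Tls12Status | Format-Table Setting, Ok, Actual -AutoSize

# To set a missing .NET value (run as administrator, then restart the scanner service), for example:
#   New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' `
#       -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force
```

Windows Server 2012 R2 is the platform where the .NET values are most often missing; on 2016 and 2019 the defaults already prefer TLS 1.2, so an explicitly disabled SCHANNEL client key is the more likely cause there.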

Missing content scan job or profile

Error

Errors show that your content scan job or profile cannot be found.

For example, the following error in the Azure portal on the Nodes page: No content scan job found

Solution

Check your scanner configuration in the Azure portal.

For more information, see Configuring and installing the Azure Information Protection unified labeling scanner.

Note

A profile is a legacy scanner term that has been replaced by the scanner cluster and content scan job in newer versions of the scanner.

No repositories configured

Error message

In the Azure portal, on the Nodes page: No repositories are configured

Description

You may have a content scan job with no repositories configured.

Solution

Check your content scan job settings and add at least one repository.

For more information, see Create a content scan job.

No cluster found

Error message

In the Azure portal, on the Nodes page: No cluster found

Description

No actual match was found for one of the scanner clusters you've defined.

Solution

Verify your cluster configuration and check it against your own system details for typos and errors.

For more information, see Create a scanner cluster.

Next steps

For more information, see our blog on Best practices for deploying and using the AIP UL scanner.