Important Update for MIP SDK 1.2 and 1.3

MIP SDK Service Discovery Cache Fix


We recently discovered a bug in the Microsoft Information Protection SDK that may cause MIP SDK clients to fail to download policy updates. The root cause has to do with how we cache service discovery information. We’ve released updates for MIP SDK versions 1.2 and 1.3. You can find those updates here:



Root Cause


When the MIP SDK fetches the label policy for a specific user, it makes a call to https://dataservice.protection.outlook.com. This endpoint looks up the service location for that specific user and returns an HTTP 301, redirecting the client to an endpoint specific to their location in the Exchange Online infrastructure. That will look something like this: https://nam01b.dataservice.protection.outlook.com. The SDK caches this 301 redirect. The next time the client needs to fetch policy, the SDK uses this cached result to skip discovery and directly connects to the endpoint.


 


Occasionally, the Office 365 team moves tenants to different segments of the Exchange Online infrastructure. If a client has already cached the endpoint from the 301 redirect and the tenant is then moved elsewhere, the endpoint in Office will return another HTTP 301 redirect with the new location. The SDK treats this as an error, because it thinks it already has the authoritative result, and tries again to fetch labels. It retries a few times, then fails.


The result is that clients that have already fetched policy will never update policy if administrators make updates to the policy.


Workaround


This issue applies only if the MIP SDK implementation is using the on-disk cache. If the cache is in memory, simply restart the application to resolve the issue. For applications using the on-disk cache, you must:



  • End the process that is using MIP SDK.

  • Remove the MIP cache storage. The location of this will vary by application implementation, but the databases are called mip.policies.sqlite3 and mip.protection.sqlite3. The SDK will recreate them at next app launch.


 


The Azure Information Protection Unified Labeling client, which uses the MIP SDK, can be reset by the user navigating to Sensitivity -> Help and Feedback -> Reset Settings. The client will clear its cache and update policy. 
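The failure described under Root Cause, and the effect of clearing the cache, can be reproduced with a toy model. This is an added example, not MIP SDK code: FakeService, PolicyClient, the accept_new_redirect switch (one plausible corrected behaviour; the post does not describe the actual fix) and the NEW_HOME hostname are all assumptions made for illustration.

```python
# Toy model of a service-discovery cache; added illustration, not MIP SDK code.
DISCOVERY = "https://dataservice.protection.outlook.com"
OLD_HOME = "https://nam01b.dataservice.protection.outlook.com"  # example from the post
NEW_HOME = "https://moved.dataservice.example.invalid"          # constructed placeholder

class FakeService:
    """Constructed stand-in: only the tenant's home serves policy; other hosts 301 to it."""

    def __init__(self, home):
        self.home = home

    def get(self, url):
        return (200, "policy") if url == self.home else (301, self.home)

class PolicyClient:
    def __init__(self, service, accept_new_redirect, max_attempts=3):
        self.service = service
        self.accept_new_redirect = accept_new_redirect  # assumed corrected behaviour
        self.max_attempts = max_attempts
        self.cached_endpoint = None  # survives between fetches, like the on-disk cache

    def clear_cache(self):
        self.cached_endpoint = None  # models deleting the cache databases

    def fetch_policy(self):
        for _ in range(self.max_attempts):
            from_cache = self.cached_endpoint is not None
            status, value = self.service.get(self.cached_endpoint or DISCOVERY)
            if status == 200:
                return value
            if from_cache and not self.accept_new_redirect:
                continue  # cached result treated as authoritative: 301 is an error, retry
            self.cached_endpoint = value  # learn (or replace) the redirect target
        raise RuntimeError("policy fetch failed after retries")

def simulate_tenant_move(accept_new_redirect):
    """Fetch once, move the tenant, fetch again, then clear the cache and retry."""
    service = FakeService(OLD_HOME)
    client = PolicyClient(service, accept_new_redirect)
    results = [client.fetch_policy()]
    service.home = NEW_HOME  # tenant moved to another segment
    for step in (lambda: None, client.clear_cache):
        step()
        try:
            results.append(client.fetch_policy())
        except RuntimeError:
            results.append("failed")
    return results
```

With accept_new_redirect set to False the second fetch fails until the cache is cleared; with True the client replaces the stale entry and keeps working.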


 


Please leave any questions or comments below!


 


 and the MIP SDK Team
