IMAP E-Mail Accounts are not working with an email server that uses Kerberos(GSSAPI) / NTLM for authentication.


Description

When configuring an Email Inbound interface to your email servers and the email server you are using doesn't allow plain authentication, you will observe the following :

The same configuration would work fine for other email clients (Ex. Outlook) but not in the ServiceNow instance and will throw an Authentication error.

You might see a similar message: Connection Failed AUTHENTICATE failed


Release or Environment

All releases post-Orlando (Paris, Quebec, etc.)

Cause

Until the Orlando release an OOTB(Out-of-the-box) ServiceNow instance could only authenticate using Basic Authentication (Plain-text Authentication) when connecting to an External IMAP/SMTP Server.

And unfortunately, we currently do not support Kerberos or NTLM within the context of the Email Configurations.

This has been addressed in the later releases with a workaround involving OAuth 2.0 authentication. Please refer to the Resolution below.


Resolution

Since the 'Paris' release, it is possible to obtain access and refresh tokens from your email provider using OAuth 2.0, by installing the plugin: 'Email - OAUTH support for IMAP and SMTP'.

This allows the instance to authenticate to third-party Email Servers using OAuth 2.0 Token Authentication.

Please confirm with your email admin team to see if the mail server in question can support OAuth 2.0 authentication.


And if the Mail Service can provide, access and refresh tokens to the ServiceNow instance, since setting up OAuth 2.0 for email requires you to obtain access and refresh tokens from your email provider.


If the above solution/workaround is not viable and does not meet your business requirements, we would recommend that you contact your companies ServiceNow inside Sales contact to discuss this case with a Solution Consultant.

Additional Information

Please review the following ServiceNow documentation for more information: