Can a Network Discover detection server reauthenticate with Exchange using Kerberos?

Article ID: 385819

Products

Data Loss Prevention Enterprise Suite

Issue/Introduction

You are running Network Discover scans on Exchange mailboxes and are using Kerberos as the authentication mechanism, as described in the documentation:

Setting up Exchange scans to use Kerberos authentication

The Kerberos KDC issues authentication tokens (tickets) that are valid only for a limited lifetime.

If a Discover scan of mailboxes runs for longer than the Kerberos token lifetime, items processed around the time of token expiry fail because the server's authorization has expired. As a result, the scan is unable to complete.

In the Discover scan logs, you will see a pattern similar to the below:

"<timestamp>","INFO","<Scan name and date>","STARTED_SEGMENT","<scan path>","0","","","",""

...

"<timestamp>","WARNING","<Scan name and date>","FAILED_ITEM","<scan item path>","0","Failed to scan item, Unauthorized","","",""
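The following is an added example, not code from Symantec/Broadcom or the DLP product, that shows how to confirm this pattern from a Discover scan log: it parses the quoted CSV lines in the format shown above, records the STARTED_SEGMENT time for each scan, and checks whether the first "Unauthorized" FAILED_ITEM occurs after the configured Kerberos ticket lifetime has elapsed. The log lines, timestamp format, scan name, paths and the 10-hour ticket lifetime are all constructed assumptions for the example.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log in the Discover scan log CSV layout (assumed timestamp
# format; scan name, paths and times are made up for this example).
SAMPLE_LOG = '''"2024-03-01 08:00:00","INFO","Exchange Scan 2024-03-01","STARTED_SEGMENT","exchange://mail.example.internal/","0","","","",""
"2024-03-01 12:30:00","INFO","Exchange Scan 2024-03-01","SCANNED_ITEM","exchange://mail.example.internal/user1/Inbox/1","0","","","",""
"2024-03-01 17:45:00","WARNING","Exchange Scan 2024-03-01","FAILED_ITEM","exchange://mail.example.internal/user2/Inbox/4","0","Failed to scan item, Other error","","",""
"2024-03-01 18:30:00","WARNING","Exchange Scan 2024-03-01","FAILED_ITEM","exchange://mail.example.internal/user3/Inbox/7","0","Failed to scan item, Unauthorized","","",""
"2024-03-01 18:30:05","WARNING","Exchange Scan 2024-03-01","FAILED_ITEM","exchange://mail.example.internal/user3/Inbox/8","0","Failed to scan item, Unauthorized","","",""
'''

# Assumed timestamp format of the first CSV field.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_scan_log(text):
    """Parse quoted CSV scan-log lines into dicts; skips malformed/short rows."""
    rows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) < 7:
            continue
        rows.append({
            "ts": datetime.strptime(fields[0], TIMESTAMP_FORMAT),
            "severity": fields[1],
            "scan": fields[2],
            "event": fields[3],
            "path": fields[4],
            "message": fields[6],
        })
    return rows


def diagnose_ticket_expiry(text, ticket_lifetime):
    """For each scan with Unauthorized failures, report when the scan started,
    when the first Unauthorized failure occurred, how much time had elapsed,
    how many Unauthorized failures followed, and whether the elapsed time is
    at or beyond the Kerberos ticket lifetime (the symptom this article describes)."""
    rows = parse_scan_log(text)

    # First STARTED_SEGMENT per scan marks when the single Kerberos token was obtained.
    starts = {}
    for r in rows:
        if r["event"] == "STARTED_SEGMENT" and r["scan"] not in starts:
            starts[r["scan"]] = r["ts"]

    report = {}
    for r in rows:
        if r["event"] != "FAILED_ITEM" or "Unauthorized" not in r["message"]:
            continue
        start = starts.get(r["scan"])
        if start is None:
            continue  # no start record for this scan; cannot compute elapsed time
        if r["scan"] in report:
            report[r["scan"]]["unauthorized_count"] += 1
            continue
        elapsed = r["ts"] - start
        report[r["scan"]] = {
            "scan_start": start,
            "first_unauthorized": r["ts"],
            "elapsed": elapsed,
            "unauthorized_count": 1,
            "likely_ticket_expiry": elapsed >= ticket_lifetime,
        }
    return report


if __name__ == "__main__":
    # 10 hours is used here as an assumed ticket lifetime; substitute the value
    # configured in your Kerberos policy.
    for scan, info in diagnose_ticket_expiry(SAMPLE_LOG, timedelta(hours=10)).items():
        print(f"{scan}: first Unauthorized after {info['elapsed']} "
              f"({info['unauthorized_count']} items); "
              f"ticket expiry likely: {info['likely_ticket_expiry']}")
```

If the elapsed time at the first Unauthorized failure matches the configured ticket lifetime while earlier items in the same scan succeeded, the failures are consistent with token expiry rather than a permissions problem on the mailbox itself; a scan that reports Unauthorized from its very first item points at the service account's Exchange permissions instead.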

Cause

Network Discover does not currently have a built-in reauthentication mechanism that would request a new Kerberos token when the original one expires. It requests only one Kerberos token, at the start of the scan. Once that token expires, the detection server is no longer authenticated to Exchange, and the next item fails because the server is not authorized to access it.

Resolution

At the moment this is not part of the DLP functionality. An Enhancement Request, ISFR-3535, has been created to add this in a future version of DLP.

A temporary workaround is to increase the Kerberos token expiration period to a value long enough for the Discover scan of Exchange mailboxes to complete, or to reduce the scope of the scan using the target definitions and scan filters (include/exclude, item dates). See the documentation link below for more details:

Configuring Exchange Server scans

Another option is to configure the Network Discover server to authenticate directly with Exchange instead of using Kerberos.