This article contains information on configuring Domain Password Authentication in Mimecast, including preparing an LDAP Directory Connector, creating authentication profiles, defining permitted IP ranges, applying profiles to applications, and testing configurations for secure access.
Domain Password Authentication is available for all Mimecast customers and is typically used when your organization wants to manage and use the same password used with the Company Directory when accessing Mimecast.
Preparing a Directory Connector
To use this feature, you must already have an LDAP Directory Connector configured and activated. You can check this by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Directory Synchronization.
- Validate that there is an LDAP Directory Connection present and active.
You will only be able to configure LDAP Directory Connector authentication if these settings are configured.
See LDAP Sync for Active Directory.
Configuring the Authentication Profile
An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. It is possible to edit existing Authentication Profiles or create new ones, depending on your requirements.
You can create or edit an existing Authentication Profile by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on Authentication Profiles.
- Either:
  - Select an Authentication Profile from the list to change it.
  - Click on New Authentication Profile to create an authentication profile.
- Add a Description. This will be used to reference the profile when it is later selected in an Application Setting.
- From the Domain Authentication Mechanisms drop-down list, choose LDAP Directory Connector (Active Directory and Domino).
- Select a time period from the Authentication TTL drop-down list. This applies to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only, and defines how long an issued binding remains valid after a successful authentication.
  When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.
- Click on Save and Exit.
Defining Permitted IP Ranges
To add a layer of security, Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway Authentication attempts.
You can configure Permitted IP ranges for the Mimecast Administration Console by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Account | Account Settings.
- Open the User Access and Permissions section.
- In the Admin IP Ranges text box, enter the public IP address ranges that access should be restricted to, in CIDR format, one range per line.
You can configure Permitted IP Ranges for End User Applications by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select Authentication Profiles.
- Either:
  - Select an Authentication Profile from the list to change it.
  - Click on New Authentication Profile to create a new profile.
- Select the check box to enable Permitted Application Login IP Ranges.
- In the Permitted Application Login IP Ranges text box, enter the public IP address ranges that access should be restricted to, in CIDR format, one range per line.
- Click on Save and Exit to apply the new settings.
You can configure Permitted IP Ranges for Gateway Authentication using SMTP or POP, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select Authentication Profiles.
- Either:
  - Select an Authentication Profile from the list to change it.
  - Click on New Authentication Profile to create a new profile.
- Select the check box to enable Permitted Gateway Login IP Ranges.
- In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges that access should be restricted to, in CIDR format, one range per line.
- Click on Save and Exit to apply the new settings.
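A pre-check for the CIDR lists entered in the three Permitted IP Range text boxes above, as an added example that is not part of the Mimecast documentation or product. The function name, the `MIN_PREFIX` threshold and the sample ranges are assumptions made here; the checks reflect a local review policy, not validation that Mimecast itself is stated to perform.

```python
import ipaddress

# Address space that is never a public source address (RFC 1918, CGNAT,
# loopback, link-local, IPv6 unique-local and link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Assumed local policy, not a Mimecast limit: shortest prefix accepted.
MIN_PREFIX = {4: 16, 6: 32}


def check_permitted_ranges(text):
    """Return (accepted, problems) for a one-range-per-line CIDR list."""
    accepted, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            problems.append((lineno, line, "no prefix length"))
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. .7/24
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            problems.append((lineno, line, f"invalid CIDR: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            reason = "range too broad for an allow list"
        elif any(net.version == p.version and net.overlaps(p) for p in NON_PUBLIC):
            reason = "not a public range"
        elif any(net.version == a.version and net.overlaps(a) for a in accepted):
            reason = "overlaps an earlier range"
        else:
            accepted.append(net)
            continue
        problems.append((lineno, line, reason))
    return [str(n) for n in accepted], problems


# Constructed sample input; documentation ranges stand in for real egress ranges.
SAMPLE = "\n".join(["198.51.100.0/24", "203.0.113.16/28", "192.168.10.0/24",
                    "198.51.100.7/24", "0.0.0.0/0", "203.0.113.20", "198.51.100.128/25"])

if __name__ == "__main__":
    ok, bad = check_permitted_ranges(SAMPLE)
    print("accepted:", ok)
    for lineno, line, reason in bad:
        print(f"line {lineno}: {line}: {reason}")
```

Confirm that the address you are administering from falls inside the accepted list before saving the Admin IP Ranges setting.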
Other Options
An Authentication Profile is applied to a group of users. A given user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.
Applying the Authentication Profile to Application Setting
Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this, use the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select the Application Setting that you want to use.
- Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
- Click on Save and Exit to apply the change.
Next Steps
You can test your configuration and verify that your Authentication Profile has been configured correctly by using the following steps:
- Open or navigate to a Mimecast application.
- Enter your primary email address.
- You should be able to select and enter a domain password.
- Enter your domain password and log in. You should be granted access to the application.