Mimecast for Outlook - IWA Connectivity

This article contains information on troubleshooting Mimecast for Outlook authentication issues, including verifying application settings, testing the EWS URL, resolving authorization failures, and steps to delete the database file if needed.

Mimecast does not support Windows Extended Protection for Outlook. If you have enabled or intend to enable Windows Extended Protection on your Microsoft Exchange environment, we recommend using a different authentication method, such as SAML.

Checking the Application Settings Configuration

Ensure that the Application Settings definition is configured correctly, by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Click on Authentication Profiles.
  4. Select an Authentication Profile.
  5. Ensure the Primary Client Access Server (CAS) URL field is in the format shown below:

Client Access Server settings

  6. If it isn't, remove all text to the right of the Domain Name.
  7. Click on Save and Exit. EWS/Exchange.asmx will be appended to the URL.
  8. Test the URL in a web browser as described below.

Testing the EWS URL of the Client Access Server

If Integrated Windows Authentication (IWA) fails, test to see if you can log into the Client Access Server via a web browser. For example, if Mimecast for Outlook is trying https://hostname.domainname.com:443, it is essential that you can log in to this site manually.

You can test this by using the following steps:

  1. Open a browser.
  2. Navigate to the EWS URL by:
    • Taking the hostname found in the Mimecast for Outlook logs.
    • Adding https://
    • Appending /EWS/exchange.asmx (e.g. https://hostname.com/EWS/exchange.asmx)

This URL is specific to your environment. The ASMX file is typically in the EWS folder, but you may have customized this.

  3. If the CAS server has been published to the internet correctly, a login dialog is displayed where you should enter your Windows Credentials (DOMAIN\username and Active Directory password).
  4. If login is successful, an XML document is displayed that resembles the example below:

Deleting the Mimecast for Outlook Database File

Deleting the Mimecast for Outlook database should only be attempted if another authentication method is already in use, for example, if the Active Directory password has been configured as an option and has successfully authenticated. Mimecast for Outlook will then continue to use this password, but deleting the database file forces Mimecast for Outlook to try IWA authentication again.

You can delete the Mimecast for Outlook database file by using the following steps:

  1. Close Mimecast for Outlook.
  2. Open the Windows Task Manager.
  3. Stop the Mimecast.Services.Windows.Personal process.
  4. Delete the msw.s3db file from the C:\Users\<username>\AppData\Roaming\Mimecast directory on your machine.
  5. Start the Mimecast.Services.Windows.Personal process.
  6. Open Mimecast for Outlook.

    If IWA is not communicating successfully, contact Mimecast Support to review your logs and troubleshoot further. See the Raising a Mimecast Support Case article for further details.

Authorization Failures

If, when testing IWA, a response is received with the status code 401 Authorization Failed, it may be necessary to remove "/ews/exchange.asmx" from the string for testing. Once authorization has been successful, it is important to ensure that the entire string, including "/ews/exchange.asmx", is restored.
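
The browser test and the 401 check described above can also be run from PowerShell as the affected Windows user. The script below is an added example, not Mimecast tooling: Test-IwaEndpoint is a hypothetical helper name, and hostname.domainname.com is the article's placeholder host.

```powershell
# Added example (not Mimecast code). Test-IwaEndpoint is a hypothetical helper name.
# Replace the placeholder host with the host name from your Mimecast for Outlook logs.
param([string]$CasHost = 'hostname.domainname.com')

function Test-IwaEndpoint {
    param([Parameter(Mandatory)][string]$Url)

    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.UseDefaultCredentials = $true   # IWA: authenticate as the logged-on Windows user
    $req.AllowAutoRedirect = $false      # report a redirect instead of following it
    $req.Timeout = 15000                 # milliseconds

    $resp = $null
    $failure = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        # Exceptions from .NET method calls arrive wrapped; find the WebException.
        $failure = $_.Exception.Message
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        # A 401 or other HTTP error still carries a response worth inspecting.
        if ($ex) { $resp = $ex.Response; $failure = $ex.Status }
    }

    $result = [pscustomobject]@{
        Url         = $Url
        Status      = if ($resp) { [int]$resp.StatusCode } else { $null }
        # Schemes offered by the server; IWA needs Negotiate or NTLM in this list.
        Offered     = if ($resp) { $resp.Headers['WWW-Authenticate'] } else { $null }
        ContentType = if ($resp) { $resp.ContentType } else { $null }
        # Transport-level cause when no HTTP response came back (DNS, TLS trust, timeout).
        Failure     = $failure
    }
    if ($resp) { $resp.Close() }
    $result
}

# Test the bare host first, then the full EWS URL, as in the article.
$base = "https://$CasHost"
@($base, "$base/EWS/exchange.asmx") | ForEach-Object { Test-IwaEndpoint -Url $_ } | Format-List
```

A 200 with an XML content type on the EWS URL corresponds to the successful browser login. A 401 whose Offered list contains neither Negotiate nor NTLM means the server is not offering integrated authentication at that URL.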
