Connect Application - Enabling EWS Authentication

Customers currently using the Connect Application are advised to complete their onboarding setup as soon as possible, as the Connect Application is scheduled to be discontinued on the 31st of January, 2024.

This article applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here. To enable EWS Domain Authentication, you'll need administrative access to your Exchange CAS.

UPN Considerations

For Exchange to authenticate your users successfully, each user's primary email address must match their UPN attribute in Active Directory. Exchange accepts the UPN as the user identifier, whereas Mimecast uses the primary email address.

If only the domain part of the user's email address differs from the UPN attribute, you can use the Alternate Domain Suffix option in an Authentication Profile. If this setting is used, Mimecast substitutes the domain part of the user's email address with the alternate domain. For example:

      • The alternate domain suffix is set as internal.local.
      • A user logs into a Mimecast application with the email address user@external.com.
      • The EWS endpoint grants access to the user@external.com address.
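
One way to audit accounts against the UPN rule above before enabling EWS authentication, as an added example (not Mimecast's code). It assumes the primary email address is held in the Active Directory `mail` attribute; the function name `Get-UpnAlignment` and the sample accounts are constructed for illustration.

```powershell
# Added example, not Mimecast code. Get-UpnAlignment is a hypothetical helper.
# It classifies an account by how its primary email address relates to its UPN:
#   Match      - email address and UPN are identical
#   DomainOnly - only the domain part differs (candidate for Alternate Domain Suffix)
#   Mismatch   - the local part differs, so substituting the domain cannot help
#   Malformed  - either value is empty or is not in local@domain form
function Get-UpnAlignment {
    param([string] $Mail, [string] $Upn)

    $mailLocal, $mailDomain = $Mail.Trim() -split '@', 2
    $upnLocal,  $upnDomain  = $Upn.Trim()  -split '@', 2

    # String comparison with -eq / -ne is case-insensitive in PowerShell.
    if (-not ($mailLocal -and $mailDomain -and $upnLocal -and $upnDomain)) {
        $status = 'Malformed'
    } elseif ($mailLocal -ne $upnLocal) {
        $status = 'Mismatch'
    } elseif ($mailDomain -eq $upnDomain) {
        $status = 'Match'
    } else {
        $status = 'DomainOnly'
    }

    [pscustomobject]@{
        Mail           = $Mail
        Upn            = $Upn
        Status         = $status
        # The UPN domain is the suffix that would have to replace the email domain.
        RequiredSuffix = if ($status -eq 'DomainOnly') { $upnDomain } else { $null }
    }
}

# Constructed sample accounts. On a host with the ActiveDirectory module the same
# shape can come from (assumes the primary address is stored in 'mail'):
#   Get-ADUser -Filter * -Properties mail |
#       Select-Object @{n='Mail';e={$_.mail}}, UserPrincipalName
$accounts = @(
    [pscustomobject]@{ Mail = 'alice@external.com';     UserPrincipalName = 'alice@external.com' }
    [pscustomobject]@{ Mail = 'user@external.com';      UserPrincipalName = 'user@internal.local' }
    [pscustomobject]@{ Mail = 'bob.smith@external.com'; UserPrincipalName = 'bsmith@internal.local' }
    [pscustomobject]@{ Mail = $null;                    UserPrincipalName = 'svc-app@internal.local' }
)

$report = $accounts | ForEach-Object { Get-UpnAlignment -Mail $_.Mail -Upn $_.UserPrincipalName }
$report | Format-Table -AutoSize

# Distinct UPN domains among DomainOnly accounts: each is a candidate suffix value.
$report | Where-Object Status -eq 'DomainOnly' |
    Group-Object RequiredSuffix | Format-Table Name, Count -AutoSize
```

Accounts reported as Mismatch or Malformed need their email address or UPN corrected in Active Directory, since the Alternate Domain Suffix option only replaces the domain part.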

Enabling EWS Domain Authentication

To enable EWS domain authentication in the Connect Application:

  1. Click on the Start button in the Task Steps for EWS section.
  2. Enable HTTPS access to your Exchange CAS by ensuring there is a valid SSL certificate installed on your Exchange CAS. This certificate must be signed by a recognized certificate authority to ensure your public Exchange CAS accepts our secure authentication requests.

    If you have multiple public Exchange Client Access servers, this step must be completed for each one.

  3. Enable Basic Authentication for EWS by ensuring IIS is configured to allow Basic Authentication against the EWS endpoint.

    While Basic Authentication will continue to work for On-Prem Exchange, it has been deprecated for O365. For further details on this change, see the article Domain Basic Authentication to Microsoft Exchange Online: EOL.

  4. Allow our IP Ranges to access the EWS endpoint. If your EWS endpoint has any IP address restrictions, add the regional IP Ranges displayed in the application to the Allow List.
  5. Click on the Next button. The Enter Your Exchange CAS Details page is displayed.
  6. Enter your server hostname in the Exchange CAS Host field.
  7. Click on the Next button. The Domain Authentication Test dialog is displayed.
  8. Enter your Domain Email Address and Domain Password in the required fields.
  9. Click on the Test Authentication button. A message will display confirming if authentication is valid or not.
  10. Click the Enable button to set Active Directory as your default authentication provider. If authentication is successful, the following message displays:

Next Steps

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. Select to enter a domain password.
  4. Enter your domain password and log in, and you should then be granted access to the application.