Customers currently using the Connect Application are advised to complete their onboarding setup as soon as possible, as the Connect Application is scheduled to be discontinued on the 31st of January, 2024.
This article describes how new clients connecting with Mimecast using the Connect Application can enable Domain Password Authentication, using an inbound HTTPS connection to Active Directory Federation Services (AD FS) to verify a user. It covers the setup steps, UPN considerations, creating a Relying Party Trust, and verifying authentication for secure user access.
Domain Password Authentication is available to all Mimecast customers. It lets users log on to Mimecast applications with their Active Directory domain password, so that password is managed in Active Directory rather than in Mimecast.
If you are not using the Connect Application, see the Connect Process - Steps page.
Enabling Domain Password Authentication Using AD FS
We recommend configuring AD FS Single Sign-on. See Authentication Profiles - Configuring SSO Using ADFS for more information.
Enabling domain password authentication using AD FS involves the following task steps:
- Prepare your AD FS server, adding Mimecast as a trusted relying party. This is an external task, performed on your AD FS server.
- Import your identity federation service details in the Connect Application.
- Verify your authentication by entering your domain credentials in Connect.
- Set AD FS as your default authentication provider in Connect.
- Test your configuration by logging on to a Mimecast application.
To accomplish this you'll need:
- Administrative access to your organization's AD FS environment.
- A supported version of AD FS installed in your environment (see below):
| Version | Host Operating System |
|---|---|
| 3.0 | Windows Server 2012 R2 |
| 2.1 | Windows Server 2012 |
| 2.0 | Windows Server 2008 R2 |
- A Secure Sockets Layer (SSL) certificate installed on your AD FS server(s), issued by a certificate authority that Mimecast trusts (see AD FS Settings below).
- AD FS must be accessible inbound using HTTPS on port 443 from the Mimecast IP range. Restrict the inbound firewall rule to the published Mimecast IP ranges rather than opening port 443 to the whole internet.
UPN Considerations
Mimecast identifies a user by their primary email address. This maps to the mail attribute in your Active Directory. This can cause problems for Domain Password Authentication, because AD FS expects the User Principal Name (UPN) attribute as the username input. Therefore a user's UPN must match their primary email address. Where this is not the case, authentication fails because AD FS doesn't recognize the user.
If your organization uses AD FS 3.0 hosted on Windows Server 2012 R2, you can work around this issue by using the AlternateLoginId feature. This allows you to specify the mail Active Directory attribute as a recognized user name. For more details on this feature, its associated impact, and how to configure it in your environment, consult Microsoft's article Configure Alternate Login ID.
If only the domain part of the user's email address differs from the UPN attribute, you can use the Alternate Domain Suffix setting in the Mimecast authentication profile. This substitutes the domain part of the email address with the alternate domain. For example:
- The alternate domain suffix is set as internal.local.
- The user enters an email address of user@external.com.
- Mimecast uses user@internal.local when authenticating the user against your AD FS environment, and grants access to the user@external.com address.
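Before enabling domain authentication it is worth knowing how many users fall into each of the cases above. The following audit script is an added example and is not part of the Mimecast article or Mimecast's tooling. It reads every enabled user with a mail attribute from Active Directory, compares mail with UPN, and classifies each user as fine, fixable with the Alternate Domain Suffix setting (same local part, UPN domain equals the suffix), or needing AlternateLoginId. It assumes the ActiveDirectory module (RSAT) is installed, PowerShell 3.0 or later, and the placeholder values $SearchBase, $AlternateDomainSuffix and the forest name corp.example, which you should replace with your own.

```powershell
# Added example, not from the Mimecast article. Audits which AD users would fail
# Mimecast Domain Password Authentication because their UPN differs from their
# primary email address (the 'mail' attribute), and says which workaround applies.
# Assumptions: ActiveDirectory module available; $SearchBase, $AlternateDomainSuffix
# and the forest name corp.example are placeholders for your own values.
Import-Module ActiveDirectory

$SearchBase            = 'OU=Staff,DC=corp,DC=example'   # assumed OU to audit
$AlternateDomainSuffix = 'corp.example'                  # value you would set in the Mimecast profile

function Get-MimecastUpnMismatch {
    param([string]$SearchBase, [string]$AlternateDomainSuffix)

    # Only enabled users with a primary email address matter: Mimecast keys on 'mail'.
    $users = Get-ADUser -Filter "Enabled -eq 'True' -and mail -like '*'" `
                        -SearchBase $SearchBase -Properties mail, UserPrincipalName

    foreach ($u in $users) {
        $mail = $u.mail
        $upn  = $u.UserPrincipalName
        $mailLocal, $mailDomain = $mail -split '@', 2
        $upnLocal,  $upnDomain  = $upn  -split '@', 2

        # PowerShell -eq on strings is case-insensitive, which matches how AD treats UPNs.
        $status = if (-not $upn) {
            'NoUpn: AD FS cannot authenticate this user'
        } elseif ($mail -eq $upn) {
            'OK: mail equals UPN'
        } elseif ($mailLocal -eq $upnLocal -and $upnDomain -eq $AlternateDomainSuffix) {
            'FixableBySuffix: set Alternate Domain Suffix in the Mimecast profile'
        } else {
            'NeedsAlternateLoginId: local part differs or UPN domain is not the suffix'
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $mail
            UPN            = $upn
            Status         = $status
        }
    }
}

Get-MimecastUpnMismatch -SearchBase $SearchBase -AlternateDomainSuffix $AlternateDomainSuffix |
    Sort-Object Status | Format-Table -AutoSize

# If the audit reports NeedsAlternateLoginId rows and you run AD FS 3.0 on Server 2012 R2,
# the AlternateLoginId feature lets AD FS accept the 'mail' attribute as the login name.
# Microsoft's documented syntax, run on the AD FS server (forest name is an assumption):
#   Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests corp.example
```

The Alternate Domain Suffix substitution only helps when the local part of the address is identical on both sides and the UPN domain is exactly the suffix you configure; anything else still needs AlternateLoginId or a UPN change, which is why the script separates the two cases.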
Creating a Relying Party Trust in AD FS
To use AD FS as an authentication source for Mimecast Domain Password Authentication, you must create a Relying Party Trust in your environment. To simplify the process, Mimecast publishes Federation Metadata.
You can create a Relying Party Trust in your environment, by using the following steps:
- Log in to your AD FS server.
- Open the AD FS Management Console.
- Navigate to Trust Relationships | Relying Party Trusts node in the navigation pane.
- Select Add Relying Party Trust... from the Actions pane on the right-hand side of the console. This starts a wizard.
- Select the Import from a URL option in the Select Data Source wizard page.
- Enter the URL from the list below that corresponds to the region that your Mimecast account is hosted in.
| Region | URL |
|---|---|
| Europe (Excluding Germany) | https://eu-api.mimecast.com/config/adfs/federation |
| Germany | https://de-api.mimecast.com/config/adfs/federation |
| United States of America | https://us-api.mimecast.com/config/adfs/federation |
| Canada | https://ca-api.mimecast.com/config/adfs/federation |
| South Africa | https://za-api.mimecast.com/config/adfs/federation |
| Australia | https://au-api.mimecast.com/config/adfs/federation |
| Offshore | https://jer-api.mimecast.com/config/adfs/federation |
- Click Next to proceed to the next wizard page.
- Enter a Display Name for the Relying Party Trust (e.g. "Mimecast Domain Authentication").
- Click Next to proceed to the next wizard page.
- Complete the wizard, accepting the default values to finish the configuration.
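The same trust can be created from PowerShell, which is easier to repeat across a farm and to review. The script below is an added example, not Mimecast's or Microsoft's own code. It fetches the Mimecast metadata first, so a proxy or firewall problem shows up before anything is changed, then creates the Relying Party Trust with the permit-all authorization rule that "accept the default values" in the wizard gives you. It assumes the ADFS PowerShell module (AD FS 2.1/3.0 on Windows Server 2012/2012 R2; on AD FS 2.0 use Add-PSSnapin Microsoft.Adfs.PowerShell instead), and the region and display name are placeholder choices.

```powershell
# Added example, not from the Mimecast article: PowerShell equivalent of the wizard
# steps above, plus a read-back check. Run on the AD FS server as an AD FS administrator.
# Assumptions: ADFS module (Server 2012/2012 R2); on Server 2008 R2 / AD FS 2.0 replace
# Import-Module ADFS with: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

# Federation Metadata URLs, copied from the region table on this page.
$MimecastMetadata = @{
    'Europe'       = 'https://eu-api.mimecast.com/config/adfs/federation'
    'Germany'      = 'https://de-api.mimecast.com/config/adfs/federation'
    'UnitedStates' = 'https://us-api.mimecast.com/config/adfs/federation'
    'Canada'       = 'https://ca-api.mimecast.com/config/adfs/federation'
    'SouthAfrica'  = 'https://za-api.mimecast.com/config/adfs/federation'
    'Australia'    = 'https://au-api.mimecast.com/config/adfs/federation'
    'Offshore'     = 'https://jer-api.mimecast.com/config/adfs/federation'
}

$Region      = 'Europe'                           # assumed: the region your Mimecast account is hosted in
$DisplayName = 'Mimecast Domain Authentication'   # display name used in the wizard step above

# Fetch the metadata ourselves first. A failure here is an outbound proxy/firewall or
# TLS trust problem on the AD FS host, not an AD FS configuration problem.
$raw      = (Invoke-WebRequest -Uri $MimecastMetadata[$Region] -UseBasicParsing -ErrorAction Stop).Content
$metadata = [xml]$raw
"Mimecast entityID: $($metadata.DocumentElement.GetAttribute('entityID'))"

# This is the rule the wizard's defaults create. Without an issuance authorization rule
# AD FS denies every token request for the relying party.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName `
        -MetadataUrl $MimecastMetadata[$Region] `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true `
        -IssuanceAuthorizationRules $permitAll
}

# Read back what AD FS imported from the metadata and confirm the trust is enabled.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Enabled, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, LastMonitoredTime
```

MonitoringEnabled and AutoUpdateEnabled make AD FS re-read the Mimecast metadata and pick up certificate changes on Mimecast's side, the mirror image of the Monitor setting described under AD FS Settings below. The script adds no issuance transform rules; claim rules are outside the scope of this page.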
AD FS Settings
By default, AD FS publishes a Federation Metadata URL (e.g. https://host.domain.com/FederationMetadata/2007-06/FederationMetadata.xml).
This allows Mimecast to obtain the details required to create a trust with your AD FS environment. Mimecast uses this URL to import the minimum required settings initially, and to monitor for changes once the Authentication Profile has been saved.
| Setting | Description |
|---|---|
| Security Information | By default, this URL is published over HTTPS, so the AD FS server must have an SSL certificate issued by a certificate authority that Mimecast trusts. A certificate Mimecast does not trust (for example, one from an internal CA) causes the metadata import to fail. |
| Import | Mimecast makes an HTTP(S) connection to the URL provided and uses the data in the XML file to import the required settings. The values imported are the: |
| Monitor | Once an authentication profile has been saved and the Monitor Metadata URL setting has been enabled, the Federation Metadata URL is monitored for changes. Monitoring is triggered when a user with the authentication profile attempts to log on to a Mimecast application. This happens at most once in a 24 hour period, not on every login attempt. |
| Multiple Token Signing Certificates | Because certificates expire, it is common practice to have more than one token signing certificate installed on your AD FS server(s). In this situation the following behavior is expected: |
| Use AD Property vs Alternate Domain Suffix | If the Use AD Property option is enabled, Mimecast uses the email address exactly as entered by the user when authenticating the request against AD FS. If the option is disabled and an Alternate Domain Suffix is entered, Mimecast substitutes the domain part of the email address with the alternate domain. For example, with the suffix set to internal.local, a user entering user@external.com is authenticated against AD FS as user@internal.local and granted access to the user@external.com address. |
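A quick way to see your federation metadata the way Mimecast's import and monitor will consume it is to fetch it over HTTPS without any certificate-validation bypass, extract the published token-signing certificates, and compare them with what AD FS is actually configured to use. The script below is an added example, not Mimecast's or Microsoft's code. Run the first part from a host outside the farm if you can, since the inbound path is what matters; the last part needs the ADFS module on the AD FS server. $AdfsHost is an assumed placeholder.

```powershell
# Added example, not from the Mimecast article: check your own Federation Metadata URL as
# Mimecast would. $AdfsHost is an assumed value; replace it with your AD FS service name.
$AdfsHost    = 'adfs.corp.example'
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

function Get-AdfsMetadataSigningCerts {
    param([string]$Url)
    # No certificate-validation bypass: an untrusted, expired or mismatched TLS certificate
    # throws here, which is the same failure Mimecast's import would report.
    $raw = (Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop).Content
    $xml = [xml]$raw

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Every KeyDescriptor with use="signing", whichever role descriptor publishes it.
    # The metadata document's own <ds:Signature> certificate is deliberately not matched.
    $nodes = $xml.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)
    $seen  = @{}
    foreach ($n in $nodes) {
        $bytes = [Convert]::FromBase64String($n.InnerText.Trim())
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # same cert can appear under several roles
        $seen[$cert.Thumbprint] = $true
        [pscustomobject]@{
            EntityID   = $xml.DocumentElement.GetAttribute('entityID')
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

$published = Get-AdfsMetadataSigningCerts -Url $MetadataUrl
$published | Format-Table -AutoSize

# Mimecast re-reads the metadata at most once per 24 hours, so a certificate that is about
# to expire needs its replacement published well ahead of time.
$published | Where-Object { $_.DaysLeft -lt 30 } | ForEach-Object {
    Write-Warning "Token-signing certificate $($_.Thumbprint) expires in $($_.DaysLeft) days"
}

# On the AD FS server: AD FS publishes both the primary and the secondary token-signing
# certificate in its metadata. Confirm each configured one really is there.
if (Get-Module -ListAvailable -Name ADFS) {
    Import-Module ADFS
    foreach ($c in Get-AdfsCertificate -CertificateType Token-Signing) {
        $role = if ($c.IsPrimary) { 'primary' } else { 'secondary' }
        if ($published.Thumbprint -contains $c.Thumbprint) {
            "OK: $role token-signing certificate $($c.Thumbprint) is published"
        } else {
            Write-Warning "$role token-signing certificate $($c.Thumbprint) is NOT in the published metadata"
        }
    }
}
```

If the fetch fails with a trust-relationship error before any XML is parsed, fix the AD FS SSL certificate (or the chain served by the proxy in front of it) rather than suppressing the error; Mimecast will not bypass it either.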
Setting Up AD FS in Connect
You can finish setting up AD FS in the Connect Application, by using the following steps:
- Click the Start button in the Task Steps for AD FS section.
- Enter your federation metadata URL as provided by AD FS, and click Import. Your Identity Federation Service Metadata displays.
- Click the Next button. The Domain Authentication Test dialog displays.
- Enter your Domain Email Address and Domain Password in the required fields, and click Test Authentication. A message displays confirming whether authentication succeeded.
- To set AD FS as your default authentication provider, click Enable. If authentication is configured successfully, the following message displays:
Next Steps
You can test your configuration and verify that your Authentication Profile has been configured correctly, by using the following steps:
- Open a Mimecast application.
- Enter your primary email address.
- Select to enter a domain password.
- Enter your domain password and log on. You should be granted access to the application.