Authentication - Enabling EWS Domain Authentication

This article contains information on enabling Domain Password Authentication in Mimecast using Exchange Web Services (EWS), including prerequisites, UPN considerations, configuring authentication profiles, defining permitted IP ranges, and testing the setup for secure user access.

Domain Password Authentication is available for all Mimecast customers and is typically used when your organization wants to manage and use the same password used with Active Directory when accessing Mimecast.

The steps in this guide describe how to enable Domain Password Authentication using an inbound HTTPS connection to the Exchange Web Services (EWS) to verify a user.

Microsoft no longer supports Exchange 2007, meaning it is no longer supported by Mimecast. If you're considering using Exchange 2007, we strongly advise you to upgrade to a newer version for maximum productivity. See the Exchange 2007 End of Support Roadmap page in the Microsoft documentation for further details.

Requirements:

  • Exchange 2010 or later.
  • A Mimecast trusted SSL certificate is installed on your Exchange Client Access server(s). See the Secure Socket Layers (SSL) Certificates page for further details.
  • The Exchange Web Services must be accessible inbound using HTTPS on port 443 from the Mimecast IP range. See the Mimecast Data Centers and URLs page for further details.
  • Basic Authentication must be enabled on the Exchange Web Services.

UPN Considerations

In order for Exchange to successfully authenticate your users, it is critical that the user's primary email address matches their UPN attribute in Active Directory.

This is because Exchange accepts the UPN as a user identifier, but Mimecast uses the primary email address. In the situation where only the domain part of the user's email address is different from the UPN attribute, it is possible to use the Alternate Domain Suffix setting in the Mimecast Authentication Profile. When this setting is used, Mimecast will substitute the domain part of the email address that the user enters with the alternate domain. For example,

  • Alternate Domain Suffix is set as internal.local
  • A user enters the email address of user@external.com into the Mimecast application
  • Mimecast substitutes the domain part, authenticates user@internal.local against the EWS endpoint, and then grants access to the user@external.com address.
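The following PowerShell is an added example, not part of the Mimecast article: it audits mailboxes whose primary SMTP address does not match their UPN and shows which of those mismatches the Alternate Domain Suffix setting described above would resolve. It assumes the Exchange Management Shell is loaded and that internal.local is the suffix you intend to configure; the function name is illustrative.

```powershell
# Added example (not part of the Mimecast article). Assumes the Exchange
# Management Shell (Get-Mailbox) and an assumed suffix of internal.local.
$AlternateDomainSuffix = 'internal.local'   # assumed value for illustration

function Get-MimecastUpnCandidate {
    # Reproduces the documented behaviour: only the domain part of the address
    # the user typed is replaced with the Alternate Domain Suffix.
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [string]$AlternateSuffix
    )
    if ([string]::IsNullOrEmpty($AlternateSuffix)) { return $EmailAddress }
    $local = $EmailAddress.Split('@')[0]
    return "$local@$AlternateSuffix"
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $primary   = $mbx.PrimarySmtpAddress.ToString()
    $upn       = $mbx.UserPrincipalName
    $candidate = Get-MimecastUpnCandidate -EmailAddress $primary -AlternateSuffix $AlternateDomainSuffix

    [pscustomobject]@{
        DisplayName        = $mbx.DisplayName
        PrimarySmtpAddress = $primary
        UserPrincipalName  = $upn
        # Exact match: EWS accepts the address Mimecast sends as-is.
        DirectMatch        = ($primary -ieq $upn)
        # Match only after substitution: the Alternate Domain Suffix resolves it.
        MatchWithSuffix    = ($candidate -ieq $upn)
    }
}

# Users matching in neither column will fail Domain Password Authentication
# until their UPN or primary email address is corrected.
$report | Where-Object { -not $_.DirectMatch -and -not $_.MatchWithSuffix } |
    Format-Table DisplayName, PrimarySmtpAddress, UserPrincipalName -AutoSize
```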

Preparing EWS

Exchange Web Services (EWS) Domain Password Authentication uses basic authentication over HTTPS to verify a requesting user's identity.

To validate that basic authentication is enabled on your Client Access Server, follow these steps:

  1. On the Exchange Server hosting the Exchange Web Services, open the Internet Information Services (IIS) Manager administrative tool.
  2. Navigate through to Server | Sites | Default Web Site | EWS.
  3. Select the Authentication icon from the feature view.
  4. Ensure that Basic Authentication is enabled.
  5. Repeat this for all Exchange Servers in the organization.
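As an added example that is not part of the Mimecast article, this PowerShell performs the same Basic Authentication check across every Client Access server from the Exchange Management Shell, instead of opening IIS Manager on each one. It assumes the Exchange Management Shell is loaded and uses only the Get-/Set-WebServicesVirtualDirectory cmdlets.

```powershell
# Added example (not part of the Mimecast article). Assumes the Exchange
# Management Shell is loaded.
$ewsDirs = Get-WebServicesVirtualDirectory -ADPropertiesOnly | Sort-Object Server

$ewsDirs | ForEach-Object {
    [pscustomobject]@{
        Server              = $_.Server
        ExternalUrl         = $_.ExternalUrl
        BasicAuthentication = $_.BasicAuthentication
        # Mimecast connects inbound over HTTPS, so the external URL must use it.
        ExternalIsHttps     = ($null -ne $_.ExternalUrl -and $_.ExternalUrl.Scheme -eq 'https')
    }
} | Format-Table -AutoSize

# List any server where Basic Authentication is still disabled on EWS.
$missing = $ewsDirs | Where-Object { -not $_.BasicAuthentication }
if ($missing) {
    'Basic Authentication is disabled on: ' + (($missing | ForEach-Object Server) -join ', ')
    # To enable it on one server, for example:
    # Set-WebServicesVirtualDirectory -Identity "<server>\EWS (Default Web Site)" -BasicAuthentication $true
} else {
    'Basic Authentication is enabled on every EWS virtual directory.'
}
```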

Configuring an Authentication Profile

An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. It is possible to edit existing Authentication Profiles or create new ones depending on your requirements.

To create or edit an Authentication Profile:

  1. Log in to the Mimecast Administration Console.
  2. Select the Users & Groups | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Either:
      • Select an Authentication Profile from the list.
      • Click on the New Authentication Profile button.
  5. Add a Description. This will be used to reference the profile when it is later selected in an Application Setting.
  6. From the Domain Authentication Mechanisms dropdown list, choose Exchange Web Services.
  7. This exposes an option to enter the EWS URL of your Exchange Server (e.g., myserver.mydomain.com).
  8. If the domain suffix in your users' UPN and mail attributes is different, add the UPN domain suffix to the Alternate Domain Suffix (Optional) setting.
  9. Select a time period from the Authentication TTL dropdown list.

    This is applicable to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only and defines the length of time a binding issued after a successful authentication is valid for. When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.

  10. Click on Save and Exit to complete the configuration.

Defining Permitted IP Ranges

To add a layer of security, Mimecast provides optional Permitted IP Range settings for the Mimecast Administration Console, End User Applications, and Gateway authentication attempts.

To configure Permitted IP Ranges for the Mimecast Administration Console:

  1. Log in to the Mimecast Administration Console.
  2. Select the Account | Account Settings menu item.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.

To configure Permitted IP Ranges for End User Applications:

  1. Log in to the Mimecast Administration Console.
  2. Select the Users & Groups | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Either:
      • Select an Authentication Profile from the list.
      • Click on the New Authentication Profile button.
  5. Select the option to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  7. Click on the Save and Exit button to apply the new settings.

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Log in to the Mimecast Administration Console.
  2. Select the Users & Groups | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Select the option to enable Permitted Gateway Login IP Ranges.
  5. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  6. Click on the Save and Exit button to apply the new settings.

Other Options

An Authentication Profile is applied to a group of users. A given user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.

Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log in to the Mimecast Administration Console.
  2. Select the Users & Groups | Applications menu item.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.

Next Steps

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. You should be offered the option to enter a Domain password.
  4. Enter your Domain password and log in.

You should be granted access to the application.
