Authentication Profiles - Enabling Domain Password Using AD FS

This article describes how to configure Domain Password Authentication in Mimecast, including prerequisites, AD FS setup, Authentication Profiles, security settings, IP restrictions, and applying profiles to ensure secure and seamless user access.

This service is only available for Email Security Cloud Gateway customers.

Domain Password Authentication is available for all Mimecast customers and is typically used when your organization wants to manage and use the same password used with Active Directory when accessing Mimecast.

Prerequisites

  • A supported version of AD FS installed in your environment. The following versions and host operating systems are supported:

    Version   Host Operating System
    3.0       Windows Server 2012 R2
    2.1       Windows Server 2012
    2.0       Windows Server 2008 R2

Considerations

Mimecast identifies a user by their primary email address, which maps to the mail attribute in Active Directory. This can cause a problem for Same Sign-On Domain Authentication as AD FS typically expects the UPN attribute to be provided as the user name input. In the situation where a user's UPN is not the same as their primary email address (mail attribute), authentication will fail because AD FS will not recognize the user. It's critical that these values match in Active Directory to avoid authentication issues.

ADFS 3.0 AlternateLoginId: If your organization uses ADFS 3.0 hosted on Windows Server 2012 R2 you can work around this issue by using the AlternateLoginId feature. This feature allows you to specify the mail Active Directory attribute as a recognized user name. For more details on this feature, its associated impact and how to configure it in your environment, please consult Microsoft's documentation.

In the situation where only the domain part of the user's email address differs from the UPN attribute, it is possible to use the Alternate Domain Suffix setting in the Mimecast Authentication Profile.

When this setting is used Mimecast will substitute the domain part of the email address that the user enters into the Mimecast application with the alternate domain. For example:

  • Alternate Domain Suffix is set as internal.local.
  • User enters the email address user@external.com into the Mimecast application.
  • Mimecast will use user@internal.local when authenticating the user against your AD FS environment and then grant access to the user@external.com address.

Preparing AD FS

To use AD FS as an authentication source for Mimecast Domain Password Authentication you must first create a Relying Party Trust in your AD FS environment. You can do this by using the following steps:

  1. Log on to your AD FS server.
  2. Open the AD FS Management Console.
  3. Navigate to the Trust Relationships | Relying Party Trusts node in the navigation pane.
  4. Select Add Relying Party Trust... from the Actions pane on the right hand side of the console.
  5. To simplify the process of creating the Relying Party Trust, Mimecast publishes Federation Metadata. On the Select Data Source page of the wizard, select to Import from a URL and enter the URL from the list below that corresponds to the region that your Mimecast account is hosted in:
    Region                      URL
    Europe (excluding Germany)  https://eu-api.mimecast.com/config/adfs/federation
    Germany                     https://de-api.mimecast.com/config/adfs/federation
    United States of America    https://us-api.mimecast.com/config/adfs/federation
    Canada                      https://ca-api.mimecast.com/config/adfs/federation
    South Africa                https://za-api.mimecast.com/config/adfs/federation
    Australia                   https://au-api.mimecast.com/config/adfs/federation
    Offshore                    https://jer-api.mimecast-offshore.com/config/adfs/federation
  6. Click Next.
  7. Enter a Display Name for the Relying Party Trust (e.g. "Mimecast Domain Authentication").
  8. Click Next.
  9. Complete the wizard accepting the default values to finish the configuration.

Configuring the Authentication Profile

An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. It is possible to edit existing Authentication Profiles or create new ones depending on your requirements.

You can create or edit an existing Authentication Profile, by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Click on the Authentication Profiles button.
  4. Either click on:
    • An Authentication Profile to change it.
    • The New Authentication Profile button to create one.
  5. Add a Description. This will be used to reference the profile when it is later selected in an Application Setting.
  6. From the Domain Authentication Mechanisms drop-down list, choose AD FS.
  7. Complete the AD FS settings as described in the next section.
  8. Select a time period from the Authentication TTL drop-down list.

    This is applicable to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only, and defines the length of time a binding issued after a successful authentication is valid for. When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.

  9. Click on Save and Exit to complete the configuration.

AD FS Settings

By default, AD FS publishes a Federation Metadata URL (e.g. https://host.domain.com/federationmetadata/2007-06/federationmetadata.xml). This allows Mimecast to obtain the details required to create a trust with your AD FS environment. Mimecast uses this URL to initially import the minimum required settings, and then to monitor for changes once the Authentication Profile has been saved.

Security Information

Because this URL is published over HTTPS by default, the AD FS server needs to have an SSL certificate installed that Mimecast trusts.

Import

Mimecast makes an HTTP(S) connection to the URL provided and uses the data in the XML file to import the required settings. The values imported are:

  • The AD FS token signing certificate metadata.
  • The AD FS login URL.

Monitor

Once an Authentication Profile has been saved and the Monitor Metadata URL setting has been enabled, the Federation Metadata URL entered will be monitored for changes. The monitoring is triggered when a user with the relevant Authentication Profile applied attempts to log in to a Mimecast application. This process will only happen once in a 24-hour period, not on every login attempt.

Multiple Token Signing Certificates

Because certificates expire, it is common practice to have more than one token signing certificate installed on your AD FS server(s). In this situation the following behavior is expected:

  • During an import, you should be presented with a page displaying metadata values of each of the certificates found, allowing you to select the one to use. Typically this will be the certificate with the latest expiry date.
  • During monitoring, the certificate with the latest expiry date whose valid-from date is before the date of the check will be used.
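The Import and Monitor steps above can be reproduced offline. As an added example that is not Mimecast's or the article's own code, the following Ruby script parses a federation metadata document, extracts the use="signing" certificates, and applies the selection rule from the second bullet. It assumes the element names and namespaces AD FS publishes (SAML 2.0 metadata for KeyDescriptor, XML Signature for X509Certificate), and the metadata document it runs on is constructed from throwaway self-signed certificates rather than fetched from a real server.

```ruby
require "openssl"
require "rexml/document"

NS = { "md" => "urn:oasis:names:tc:SAML:2.0:metadata", "ds" => "http://www.w3.org/2000/09/xmldsig#" }.freeze

# Applies the monitoring rule described in the article: of the use="signing"
# certificates in the metadata, keep the one with the latest expiry whose validity
# has already started at `now`. Encryption keys and not-yet-valid rollover certs are skipped.
def select_signing_cert(metadata_xml, now)
  doc = REXML::Document.new(metadata_xml)
  signing = REXML::XPath.match(doc, "//md:KeyDescriptor[@use='signing']", NS).map do |kd|
    b64 = REXML::XPath.first(kd, ".//ds:X509Certificate", NS).text.strip
    OpenSSL::X509::Certificate.new(b64.unpack1("m")) # the text node holds base64 DER
  end
  best = signing.select { |c| c.not_before <= now }.max_by(&:not_after)
  raise "no currently valid token signing certificate in metadata" unless best
  best
end

# Throwaway self-signed certificate (constructed test data) identified by its serial number.
def self_signed(serial, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=ADFS Signing #{serial}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = not_before, not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_der].pack("m0") # base64 without line breaks, as it appears in the metadata
end

# Constructed federationmetadata.xml (not real AD FS output) for a server mid-rollover.
def sample_metadata(now)
  year = 365 * 24 * 3600
  keys = [["encryption", 1, now - year, now + 5 * year],   # longest-lived, but not a signing key
          ["signing", 2, now - year, now + year],          # older signing certificate
          ["signing", 3, now - year / 12, now + 2 * year], # current: already valid, latest expiry
          ["signing", 4, now + year, now + 3 * year]]      # rollover certificate, valid from next year
  descriptors = keys.map do |use, serial, nb, na|
    "<KeyDescriptor use=\"#{use}\"><KeyInfo xmlns=\"#{NS['ds']}\"><X509Data><X509Certificate>" \
      "#{self_signed(serial, nb, na)}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>"
  end
  "<EntityDescriptor xmlns=\"#{NS['md']}\"><IDPSSODescriptor>#{descriptors.join}</IDPSSODescriptor></EntityDescriptor>"
end

if __FILE__ == $PROGRAM_NAME
  cert = select_signing_cert(sample_metadata(Time.now), Time.now)
  puts "monitor would use serial #{cert.serial} (#{cert.subject}), expiring #{cert.not_after}"
end
```

Note that, following the article's rule, an expired certificate is only passed over when a longer-lived one that is already valid exists; the raise covers metadata whose signing certificates have all not yet become valid.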

Using AD Property vs Alternate Domain Suffix

When the Use AD Property setting is enabled, Mimecast will use the email address as entered by the user when authenticating the request against AD FS. However, when this option is deselected and an Alternate Domain Suffix is entered, Mimecast will substitute the domain part of the email address that the user enters into the Mimecast application with the alternate domain. For example:

  • Alternate Domain Suffix is set as internal.local.
  • User enters the email address user@external.com into the Mimecast application.
  • Mimecast will use user@internal.local when authenticating the user against your AD FS environment and then grant access to the user@external.com address.

Defining Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Mimecast Administration Console, End User Applications, and Gateway authentication attempts.

You can configure Permitted IP ranges for the Mimecast Administration Console by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Account | Account Settings.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
You can configure Permitted IP Ranges for End User Applications by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Click on the Authentication Profiles button.
  4. Either click on the:
    • Authentication Profile to be changed.
    • New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

You can configure Permitted IP Ranges for Gateway authentication using SMTP or POP, by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Click on the Authentication Profiles button.
  4. Either click on the:
    • Authentication Profile to be changed.
    • New Authentication Profile button.
  5. Select the Permitted Gateway Login IP Ranges option.
  6. In the Permitted Gateway Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

Other Options

An Authentication Profile is applied to a group of users. A given user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.

Applying the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied, by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Select the Application Setting you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Click on Save and Exit to apply the change.

Next Steps

You can test your configuration and verify that your Authentication Profile has been configured correctly by using the following steps:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. You should be able to select the option to enter a Domain password.
  4. Enter your Domain password and log in. You should be granted access to the application.