Mimecast for Outlook: Integrated Windows Authentication (IWA) Connectivity

Document created by user.oxriBaJeN4 Employee on Sep 4, 2015. Last modified by user.oxriBaJeN4 Employee on Jun 9, 2017.
Version 6

With Mimecast for Outlook you can authenticate users with cloud, domain, or Integrated Windows Authentication (IWA) credentials. This article explains how to troubleshoot the case where IWA has been configured but is not being used as the authentication method.

 

Checking the Application Settings Configuration

 

Ensure that the Application Settings definition is configured correctly:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Ensure the Primary Client Access Server (CAS) URL field is in the format below:
    [Image: Application_Settings_IWA_URL_format.png]
  6. If it isn't, remove all text to the right of the domain name.
  7. Click on the Save and Exit button. EWS/Exchange.asmx will be appended to the URL.
  8. Test the URL in a web browser as described below.

 

Test the EWS URL of the Client Access Server

 

If IWA authentication fails, test to see if you can log into the Client Access Server via a web browser. For example, if Mimecast for Outlook is trying https://hostname.domainname.com:443, it is essential that you can log in to this site manually.

 

To test this:

  1. Open a web browser.
  2. Navigate to the EWS URL by:
    1. Taking the hostname found in the Mimecast for Outlook logs.
    2. Adding https://
    3. Appending /EWS/exchange.asmx (e.g. https://hostname.com/EWS/exchange.asmx)

      This URL is specific to your environment. The asmx file is typically located in the EWS folder, but you may have customized this.

  3. If the CAS server has been published to the internet correctly, a login dialog is displayed. Enter your Windows credentials (DOMAIN\username and Active Directory password).
  4. If login is successful, an XML document is displayed that resembles the example below:

      <wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        xmlns:tns="http://schemas.microsoft.com/exchang.../2006/messages"
        xmlns:s="http://www.w3.org/2001/XMLSchema"
        xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
        xmlns:t="http://schemas.microsoft.com/exchang...ces/2006/types"
        targetNamespace="http://schemas.microsoft.com/exchang.../2006/messages">
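
The same check can be scripted without entering credentials. The following is an added example, not Mimecast code: it builds the EWS URL as in step 2, sends one unauthenticated request, and reports whether the server's 401 challenge offers the Negotiate or NTLM schemes that IWA relies on. The function names, result labels and sample headers are constructed for illustration.

```python
import re
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit

IWA_SCHEMES = {"negotiate", "ntlm"}  # HTTP auth schemes that carry IWA

def ews_url(hostname):
    """Build the test URL from a hostname copied out of the client logs."""
    host = hostname.strip()
    if "://" in host:                      # tolerate a pasted URL
        host = urlsplit(host).netloc
    return "https://" + host.split("/")[0] + "/EWS/exchange.asmx"

def offered_schemes(header_values):
    """Scheme names from WWW-Authenticate values (one or several per header)."""
    schemes = set()
    for value in header_values:
        for part in re.split(r",\s*", value):
            words = part.split()
            if words and "=" not in words[0]:  # skip params such as realm="..."
                schemes.add(words[0].lower())
    return schemes

def classify(status, header_values, body=""):
    """Map one unauthenticated response onto the outcomes described above."""
    if status == 200 and "<wsdl:definitions" in body:
        return "wsdl"             # EWS answered without a login prompt
    if status == 401:
        if offered_schemes(header_values) & IWA_SCHEMES:
            return "iwa-offered"  # server challenges for Negotiate/NTLM
        return "no-iwa"           # login prompt, but IWA is not on offer
    return "unexpected"           # wrong path, proxy page, other status

def probe(hostname, timeout=10):
    """Send one unauthenticated GET to the EWS URL and classify the reply."""
    try:
        with urllib.request.urlopen(ews_url(hostname), timeout=timeout) as r:
            return classify(r.status, [], r.read(4096).decode("utf-8", "replace"))
    except HTTPError as e:
        return classify(e.code, e.headers.get_all("WWW-Authenticate") or [])

# Constructed sample challenges (not captured from a real server).
SAMPLE_IWA = ["Negotiate", "NTLM", 'Basic realm="mail.example.com"']
SAMPLE_BASIC_ONLY = ['Basic realm="mail.example.com", charset="UTF-8"']

if __name__ == "__main__":
    print(classify(401, SAMPLE_IWA), classify(401, SAMPLE_BASIC_ONLY))
```

A result of `no-iwa` from `probe()` means the endpoint prompts for a login but does not advertise an IWA scheme, so the browser test can succeed with typed credentials while IWA still fails.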

Deleting the Mimecast for Outlook Database File

 

Deleting the Mimecast for Outlook database should only be attempted if another authentication method is already in use, for example if the Active Directory password has been configured as an option and has authenticated successfully. Mimecast for Outlook will then continue to use this password; deleting the database file forces Mimecast for Outlook to try IWA authentication again.

 

To delete the Mimecast for Outlook database file:

  1. Close Mimecast for Outlook.
  2. Open the Windows Task Manager.
  3. Stop the Mimecast.Services.Windows.Personal process.
  4. Delete the msw.s3db file from the C:\Users\<username>\AppData\Roaming\Mimecast directory on your machine.
  5. Start the Mimecast.Services.Windows.Personal process.
  6. Open Mimecast for Outlook.

 

If IWA is still not communicating successfully, contact Mimecast Support to review your logs and troubleshoot further.

 

Authorization Failures

 

If, when testing IWA, a response is received with status code "401 Authorization Failed", it may be necessary to remove "/ews/exchange.asmx" from the string for testing. Once authorization has succeeded, ensure that the entire string, including "/ews/exchange.asmx", is restored.
