Configuring Integrated Windows Authentication

Document created by user.oxriBaJeN4 (Employee) on Sep 7, 2015. Last modified by user.oxriBaJeN4 (Employee) on Mar 27, 2017. Version 8.

Integrated Windows Authentication (IWA) verifies a user's identity from their email address and a Windows security token, using Exchange Web Services (EWS) as the authentication provider.

Requirements

 

 

Network Considerations

 

Proxy Server Considerations

 

If you use a reverse proxy (e.g. Microsoft Threat Management Gateway) to publish your Exchange Client Access Server(s) to the internet, connections from the Mimecast IP range must reach the Exchange Web Services (EWS) URL directly, bypassing the forms based authentication page the proxy normally presents. Scope that bypass to the Mimecast IP range only; other clients can keep the forms based logon.

 

If a forms based authentication page is presented when a client connects to the EWS URL, Integrated Windows Authentication fails; this configuration is not supported.
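The following PowerShell script is an added example, not part of the original article, for checking what an unauthenticated client actually receives from the published EWS URL. It sends no credentials and does not follow redirects, so a proxy logon form shows up as a 302 or a 200 HTML page instead of being followed, while a correctly published endpoint answers 401 with a Negotiate challenge. The URL is a placeholder; run it from a host whose source address passes through the same proxy rule as the Mimecast range, because a bypass scoped to that range is not visible from elsewhere.

```powershell
# Added example, not from the original article. Probes the EWS URL the way an
# unauthenticated client would and reports whether the server's first answer is a
# Negotiate challenge (supported) or a forms based logon page (unsupported).
param(
    # Placeholder: replace with the EWS URL published for the Mimecast IP range
    [string]$EwsUrl = 'https://myserver.mydomain.com/EWS/Exchange.asmx'
)

# Older Windows PowerShell defaults to TLS 1.0, which a hardened CAS or proxy may refuse
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Test-EwsAuthChallenge {
    param([Parameter(Mandatory = $true)][string]$Url)

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method                = 'GET'
    $request.AllowAutoRedirect     = $false   # a 302 to a logon form must be reported, not followed
    $request.UseDefaultCredentials = $false   # send no token; we want the server's first challenge
    $request.Timeout               = 15000

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # .NET raises an exception for a 401, but the response object is still attached
        if ($null -eq $_.Exception.Response) { throw }
        $response = $_.Exception.Response
    }

    $status     = [int]$response.StatusCode
    $challenges = $response.Headers.GetValues('WWW-Authenticate')
    if ($null -eq $challenges) { $challenges = @() }
    $location   = $response.Headers['Location']
    $response.Close()

    $verdict =
        if ($status -eq 401 -and ($challenges | Where-Object { $_ -match '^Negotiate' })) {
            'OK: 401 with a Negotiate challenge; IWA can proceed'
        } elseif ($status -eq 401) {
            'FAIL: 401 without Negotiate (providers offered: ' + ($challenges -join ', ') + ')'
        } elseif ($status -in 301, 302, 303, 307) {
            "FAIL: redirected to $location; looks like a proxy logon form (unsupported)"
        } elseif ($status -eq 200) {
            'FAIL: 200 without a challenge; a forms based logon page is probably being served'
        } else {
            "UNKNOWN: HTTP $status"
        }

    [pscustomobject]@{
        Url        = $Url
        Status     = $status
        Challenges = $challenges -join ', '
        Location   = $location
        Verdict    = $verdict
    }
}

Test-EwsAuthChallenge -Url $EwsUrl | Format-List
```

Run it once from inside the network against the Client Access Server and once from the outside against the published URL; the two verdicts should match. A 401 that lists only NTLM or Basic means Windows Authentication is on but the Negotiate provider is missing from the EWS virtual directory.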

 

Load Balancing Considerations

 

If you use load balancing, all connections to the Exchange Web Services (EWS) from the Mimecast IP range must be routed to the same Client Access Server (configure source IP persistence, or an equivalent affinity rule, for that range). This is due to the challenge-response nature of the authentication: if the first request is directed to one Client Access Server and the follow-up request carrying the challenge response token to another, the second server has no record of the first exchange and the authentication attempt fails.

 

Exchange Configuration

 

Begin by ensuring that the Exchange Client Access Server(s) are directly reachable from the Mimecast IP range, and that the Negotiate authentication method is enabled on each of them.

To view the Mimecast IP range for the region where your account is hosted, see the Global Data Centers article.

 

To check that the Negotiate authentication method is enabled on the Client Access Server(s):

  1. On the Exchange Client Access Server open the Internet Information Services (IIS) Manager administrative tool.
  2. Navigate through to Server | Sites | Default Web Site | EWS.
  3. Select the Authentication icon from the feature view.
  4. Ensure that Windows Authentication is enabled, and that Negotiate is listed under its Providers. If it is not, enable it here.

    iis_admin.png

  5. Repeat this for all Client Access Servers in the organization.
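The same check can be scripted so that every Client Access Server is covered in one pass. The script below is an added example, not from the original article or from Mimecast: it uses the Exchange Management Shell cmdlets Get-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory for the organisation-wide view, and the IIS WebAdministration module (assumed to be installed on the server it runs on) to confirm the Negotiate provider on the local EWS virtual directory. The Set- call is issued with -WhatIf so that nothing changes until you remove it.

```powershell
# Added example, not from the original article. Audits Windows Authentication on the EWS
# virtual directory of every Client Access Server (Exchange view) and the Negotiate provider
# on this server (IIS view). Run in the Exchange Management Shell on a Client Access Server.
Import-Module WebAdministration   # IIS cmdlets; assumed installed on this server

$ewsSite = 'IIS:\Sites\Default Web Site\EWS'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# Exchange view: one EWS virtual directory per Client Access Server in the organisation
$vdirs = Get-WebServicesVirtualDirectory |
    Select-Object Identity, Server, InternalUrl, ExternalUrl, WindowsAuthentication, BasicAuthentication
$vdirs | Format-Table -AutoSize

foreach ($v in $vdirs) {
    if (-not $v.WindowsAuthentication) {
        Write-Warning "EWS on $($v.Server) has Windows Authentication disabled"
        # Enable it; remove -WhatIf to apply. Exchange writes the IIS setting on that server.
        Set-WebServicesVirtualDirectory -Identity $v.Identity -WindowsAuthentication $true -WhatIf
    }
}

# IIS view on this server: is the module on, and which providers are offered? IIS sends
# WWW-Authenticate headers in the configured order, and Negotiate must be among them.
$enabledProp = Get-WebConfigurationProperty -PSPath $ewsSite -Filter $winAuth -Name enabled
$enabled     = if ($enabledProp -is [bool]) { $enabledProp } else { [bool]$enabledProp.Value }
$providers   = Get-WebConfigurationProperty -PSPath $ewsSite -Filter "$winAuth/providers" -Name Collection |
    ForEach-Object { $_.value }

"Windows Authentication enabled on local EWS: $enabled"
"Providers offered, in order: $($providers -join ', ')"

if (-not $enabled) {
    Write-Warning 'Local EWS: Windows Authentication is off'
} elseif ($providers -notcontains 'Negotiate') {
    Write-Warning 'Local EWS: Negotiate is not listed; add it under Authentication > Windows Authentication > Providers in IIS Manager'
}
```

Run the IIS part on each Client Access Server (or wrap it in Invoke-Command), since Get-WebConfigurationProperty only reads the local applicationHost.config.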

 

Creating / Amending an Authentication Profile

 

To create an authentication profile:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
    Authentication_Profiles_Button.png
  5. Either:
    • Click the New Authentication Profile button.
    • Select an existing Authentication Profile
  6. Enter a Description for the profile.

 

Integrated Windows Authentication Settings

 

Open the Authentication Profile where you wish to enable Integrated Windows Authentication.

  1. Select the Allow Integrated Windows Authentication (Mimecast for Outlook Only) option. Two new fields are displayed for the Client Access Server URL(s).
    Application_Settings_-_Authentication_Settings.png
  2. Enter the URL of the primary Client Access Server that the Mimecast for Outlook application should use for authentication, for example https://myserver.mydomain.com/EWS/Exchange.asmx. This must be the EWS URL that is reachable from the Mimecast IP range without a forms based logon.
  3. If available, enter a secondary URL for redundancy. It is used if the primary URL is offline or unreachable for any reason.
  4. Click the Save button.

 

Defining Permitted IP Ranges

 

As an optional additional layer of security, Mimecast provides Permitted IP Range settings for Administration Console, End User Application, and Gateway authentication attempts. A login from outside the listed ranges is refused, so include the public egress addresses of every location your administrators and users connect from, including the one you are configuring from.

 

To configure Permitted IP ranges for the Administration Console:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Account | Account Settings menu item.
  4. Open the User Access and Permissions section.
  5. In the Admin IP Ranges text box, enter the public IP address ranges from which Administration Console access is permitted, in CIDR format, one range per line.

 

To configure Permitted IP Ranges for End User Applications:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Either:
    • Click the New Authentication Profile button.
    • Select an existing Authentication Profile
  6. Select the Permitted Application Login IP Ranges option. This displays an additional Application Login IP Ranges field.
  7. In the Application Login IP Ranges text box, enter the public IP address ranges from which end user application logins are permitted, in CIDR format, one range per line.
  8. Click the Save and Exit button to apply the new settings.

 

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Either:
    • Click the New Authentication Profile button.
    • Select an existing Authentication Profile
  6. Select the Permitted Gateway Login IP Ranges option. This displays an additional Gateway Login IP Ranges field.
  7. In the Gateway Login IP Ranges text box, enter the public IP address ranges from which SMTP and POP authentication is permitted, in CIDR format, one range per line.
  8. Click the Save and Exit button to apply the new settings.

 

Other Options

 

An Authentication Profile is applied to a group of users, and a given user has only one effective profile at a time. Any other authentication options those users need (for example the Permitted IP Ranges described above) must therefore be configured in the same Authentication Profile rather than in a second one.

 

Applying an Authentication Profile to an Application Setting

 

Once your Authentication Profile is complete, you need to reference it from an Application Setting for it to take effect. To do this:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Applications menu item.
  4. Select the Application Setting that you want to use.
  5. Click on the Lookup button to find the Authentication Profile you want to reference, and click the Select link on the lookup page.
    Application_Settings_select_Authentication_Profile.png
  6. Select Save and Exit to apply the change.

 

Validating Your Configuration

 

To validate the success of the configuration:

  1. On a machine with Mimecast for Outlook installed, log in to Windows as a user who should have Integrated Windows Authentication applied and start Outlook.
  2. The Mimecast for Outlook status panel should indicate that the client is communicating with Mimecast.
  3. The person icon in the status panel should change to having an orange tick indicating that authentication has been successful.
    Status_Panel.png
  4. Selecting the Status Panel will open the Account Options dialog box where the status of Integrated Authentication should read Validated.
    Authentication_Options.png