Enable Directory Connector Domain Authentication

Document created by user.oxriBaJeN4 Employee on Sep 9, 2015. Last modified by user.oxriBaJeN4 Employee on Mar 27, 2017.
Version 5

Domain Password Authentication is available for all Mimecast customers. It is typically used when your organization wants users to access Mimecast with the same password they use with the Company Directory, so that the password is managed in one place.

 

The steps in this guide describe how to enable Domain Password Authentication using an inbound LDAP(S) connection to your Company Directory to verify a user.

 

Step 1: Preparing a Directory Connector

 

To use this feature, you must already have an LDAP Directory Connector configured and activated. To check this:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Directory Synchronization menu.
  3. Validate that there is an LDAP Directory Connection present and active.

 

You will only be able to configure LDAP Directory Connector authentication if these settings are configured.

 

Step 2: Configuring the Authentication Profile

 

An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. You can edit existing Authentication Profiles or create new ones, depending on your requirements.

 

To create or edit an existing Authentication Profile:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.
  5. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  6. Add a Description. This will be used to reference the profile when it is later selected in an Application Setting.
  7. From the Domain Authentication Mechanisms drop-down list, choose LDAP Directory Connector (Active Directory and Domino).
  8. Select a time period from the Authentication TTL drop-down list.

    This applies to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only. It defines how long a binding issued after a successful authentication remains valid.

     

    When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.

  9. Select Save and Exit to complete the configuration.

 

Optionally Define Permitted IP Ranges

As an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.

 

To configure Permitted IP ranges for the Administration Console:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.
  4. Open the User Access and Permissions section.
  5. In the Admin IP Ranges text box, enter the public IP address ranges that access should be restricted to, in CIDR format, one range per line.

 

To configure Permitted IP Ranges for End User Applications:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.
  5. Either:
    • Select an Authentication Profile from the list to change it.
    • Click on the New Authentication Profile button to create a new profile.
  6. Select the check box to enable Permitted Application Login IP Ranges.
  7. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges that access should be restricted to, in CIDR format, one range per line.
  8. Select Save and Exit to apply the new settings.

 

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.
  5. Either:
    • Select an Authentication Profile from the list to change it.
    • Click on the New Authentication Profile button to create a new profile.
  6. Select the check box to enable Permitted Gateway Login IP Ranges.
  7. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges that access should be restricted to, in CIDR format, one range per line.
  8. Select Save and Exit to apply the new settings.
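
A pre-flight check for the text pasted into the Admin IP Ranges, Permitted Application Login IP Ranges, or Permitted Gateway Login IP Ranges boxes, as an added example that is not Mimecast code. It assumes IPv4 only; the function names, the `min_prefix` breadth threshold, and the sample list (documentation addresses) are constructed for illustration.

```python
import ipaddress

# Blocks that are never valid as "public" sources: RFC 1918, loopback,
# link-local and carrier-grade NAT space.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample input using documentation addresses, one range per line.
SAMPLE = """203.0.113.0/24
198.51.100.17/32
203.0.113.10/24
192.168.1.0/24
198.51.100.40
0.0.0.0/0
"""

def check_permitted_ranges(text, min_prefix=16):
    """Return (accepted_networks, problems); problems are (line_no, message).

    min_prefix is an assumed review threshold, not a Mimecast limit.
    """
    accepted, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if "/" not in entry:
            problems.append((line_no, f"{entry}: no prefix length, not CIDR"))
            continue
        try:
            # strict=True rejects entries such as 203.0.113.10/24 (host bits set)
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append((line_no, f"{entry}: {exc}"))
            continue
        if net.prefixlen < min_prefix:
            problems.append((line_no, f"{net}: broader than /{min_prefix}"))
        elif any(net.overlaps(block) for block in NON_PUBLIC):
            problems.append((line_no, f"{net}: overlaps non-public space"))
        else:
            accepted.append(net)
    return accepted, problems

def is_permitted(client_ip, networks):
    """True if client_ip falls inside any accepted range."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)
```

Before saving a list for the Administration Console, confirm with `is_permitted` that the public address you are currently connecting from is inside one of the accepted ranges.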

 

Other Options

An Authentication Profile is applied to a group of users.

 

A given user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.

 

Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

 

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Application Setting that you want to use.
  5. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  6. Select Save and Exit to apply the change.

 

Next Steps

 

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. You should be given the option to enter a Domain password.
  4. Enter your Domain password and log in.

 

You should be granted access to the application.
