Enable Domain Password Authentication using AD FS

Document created by user.oxriBaJeN4 (Employee) on Sep 9, 2015. Last modified by user.oxriBaJeN4 (Employee) on Mar 27, 2017. Version 5.

Domain Password Authentication is available to all Mimecast customers. It is typically used when your organization wants users to access Mimecast with the same password they use for Active Directory, so that the password is managed in one place.

The steps in this guide describe how to enable Domain Password Authentication using an inbound HTTPS connection to Active Directory Federation Services (AD FS) to verify a user's credentials.

Requirements

  • A supported version of AD FS installed in your environment. The following versions and host operating systems are supported:

    Version   Host Operating System
    2.0       Windows Server 2008 R2
    2.1       Windows Server 2012
    3.0       Windows Server 2012 R2

  • A Mimecast trusted SSL certificate installed on your AD FS server(s).
  • AD FS must be accessible inbound using HTTPS on port 443 from the Mimecast IP Range.
  • Administrative access to your organization's AD FS environment.

UPN Considerations

Mimecast identifies a user by their primary email address, which maps to the "mail" attribute in Active Directory.

This can cause a problem for Same Sign-On Domain Authentication, because AD FS typically expects the UPN attribute to be supplied as the user name. Where a user's UPN is not the same as their primary email address (mail attribute), authentication fails because AD FS does not recognize the user name it is given.

Consequently it is critical that these two values match in Active Directory to avoid authentication issues.

AD FS 3.0 AlternateLoginId

If your organization uses AD FS 3.0 hosted on Windows Server 2012 R2, you can work around this issue by using the AlternateLoginId feature.

This feature allows you to specify the "mail" Active Directory attribute as a recognized user name. For details of this feature, its associated impact, and how to configure it in your environment, consult Microsoft's documentation.

Where only the domain part of the user's email address differs from the UPN attribute, it is possible to use the Alternate Domain Suffix setting in the Mimecast Authentication Profile.

When this setting is used, Mimecast substitutes the domain part of the email address that the user enters into the Mimecast application with the alternate domain. For example:

  • Alternate Domain Suffix is set to internal.local,
  • the user enters the email address user@external.com into the Mimecast application,
  • Mimecast uses user@internal.local when authenticating the user against your AD FS environment, and then grants access to the user@external.com address.

Preparing AD FS

To use AD FS as an authentication source for Mimecast Domain Password Authentication, you must first create a Relying Party Trust in your AD FS environment.

  1. Log in to your AD FS server.
  2. Open the AD FS Management Console.
  3. Navigate to the Trust Relationships | Relying Party Trusts node in the navigation pane.
  4. Select Add Relying Party Trust... from the Actions pane on the right-hand side of the console. This starts a wizard.
  5. To simplify creating the Relying Party Trust, Mimecast publishes Federation Metadata. On the Select Data Source page of the wizard, select Import from a URL and enter the URL from the list below that corresponds to the region your Mimecast account is hosted in.
  6. Click Next.
  7. Enter a Display Name for the Relying Party Trust, for example “Mimecast Domain Authentication”, and click Next.
  8. Complete the wizard, accepting the default values, to finish the configuration.

Configuring the Authentication Profile

An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. You can edit existing Authentication Profiles or create new ones depending on your requirements.

To create or edit an Authentication Profile:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Add a Description. This is used to reference the profile when it is later selected in an Application Setting.
  6. From the Domain Authentication Mechanisms drop-down list, choose AD FS.
  7. Complete the AD FS settings as described in the next section.
  8. Select a time period from the Authentication TTL drop-down list.

    This applies to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only, and defines how long a binding issued after a successful authentication remains valid.

    When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.

  9. Select Save and Exit to complete the configuration.

AD FS Settings

By default AD FS publishes a Federation Metadata URL, for example https://host.domain.com/FederationMetadata/2007-06/FederationMetadata.xml.

This allows Mimecast to obtain the details it needs to create a trust with your AD FS environment. Mimecast uses this URL first to import the minimum required settings, and then to monitor for changes once the Authentication Profile has been saved.

Security Information

By default this URL is published using HTTPS; consequently the AD FS server needs a Mimecast trusted SSL certificate installed.

Import

Mimecast makes an HTTP(S) request to the URL provided and uses the data in the XML file to import the required settings. The values imported are:

  • the AD FS token signing certificate metadata,
  • the AD FS login URL.
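
The import step above, as an added example that is not part of the original article and not Mimecast's or Microsoft's code: a Python parser for the FederationMetadata.xml format that pulls out the two values listed, plus a fetch helper that insists on HTTPS with certificate verification. The sample document, the host name adfs.example.com and the certificate bodies are constructed placeholders.

```python
# Added example (not Mimecast or Microsoft code): parse an AD FS
# FederationMetadata.xml the way a relying party's import step needs to,
# extracting the token signing certificate(s) and the login endpoint(s).
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}


def fetch_metadata(url, timeout=10):
    """Download the metadata document. The default SSL context verifies the
    server certificate against the local trust store, which is why the AD FS
    host needs a certificate the client trusts. Not exercised offline."""
    if not url.lower().startswith("https://"):
        raise ValueError("federation metadata must be fetched over HTTPS")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def parse_metadata(xml_bytes):
    """Return the entity ID, signing certificates and login URLs.

    Signing certificates are listed under both the WS-Federation
    RoleDescriptor and the SAML IDPSSODescriptor, usually the same
    certificate twice, so they are de-duplicated in order. Encryption keys
    (use="encryption") are ignored.
    """
    root = ET.fromstring(xml_bytes)
    certs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") != "signing":
            continue
        for x509 in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            der_b64 = "".join((x509.text or "").split())  # drop line breaks
            if der_b64 and der_b64 not in certs:
                certs.append(der_b64)

    login_urls = {}
    # WS-Federation passive sign-in endpoint
    addr = root.find(
        f".//{{{NS['fed']}}}PassiveRequestorEndpoint/"
        f"{{{NS['wsa']}}}EndpointReference/{{{NS['wsa']}}}Address"
    )
    if addr is not None and addr.text:
        login_urls["wsfed_passive"] = addr.text.strip()
    # SAML 2.0 redirect-binding sign-on endpoint
    for sso in root.iterfind(
        f".//{{{NS['md']}}}IDPSSODescriptor/{{{NS['md']}}}SingleSignOnService"
    ):
        if sso.get("Binding", "").endswith(":HTTP-Redirect"):
            login_urls["saml_redirect"] = sso.get("Location")

    if not certs:
        raise ValueError("no token signing certificate in metadata")
    if not login_urls:
        raise ValueError("no login endpoint in metadata")
    return {"entity_id": root.get("entityID"),
            "signing_certs": certs, "login_urls": login_urls}


# Constructed sample shaped like AD FS output; the certificate bodies are
# placeholders, not real base64 DER.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        CONSTRUCTED-CERT-A
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>CONSTRUCTED-CERT-B</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://adfs.example.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>CONSTRUCTED-CERT-A</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>CONSTRUCTED-ENC</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    print(parse_metadata(SAMPLE_METADATA))
```

A real metadata document is also XML-signed by AD FS; this parser does not verify that signature, so the only integrity guarantee it relies on is the TLS connection the fetch helper makes, which is exactly why the page requires a trusted certificate on the AD FS host.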

 

Monitor

Once an Authentication Profile has been saved and the Monitor Metadata URL setting has been enabled, the Federation Metadata URL entered is monitored for changes.

Monitoring is triggered when a user with the relevant Authentication Profile applied attempts to log in to a Mimecast application. It runs at most once in a 24-hour period, not on every login attempt.

Multiple Token Signing Certificates

Because SSL certificates expire, it is common practice to have more than one token signing certificate installed on your AD FS server(s). In this situation the following behavior is expected:

During an import you are presented with a page displaying the metadata values of each certificate found, allowing you to select the one to use. Typically this is the certificate with the latest expiry date.

During monitoring, the certificate with the latest expiry date whose valid-from date is before the date the check is made is used.
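
The two selection rules above (import: list every certificate, defaulting to the latest expiry; monitoring: latest expiry among certificates that are already valid), as an added example that is not Mimecast's code. The certificate records, labels and dates are constructed; in practice the dates come from each certificate's validity fields.

```python
# Added example (not Mimecast code): choose which AD FS token signing
# certificate to trust when the metadata lists several, following the
# import and monitoring rules described above. The validity dates would
# normally be read from each X509Certificate; here they are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SigningCert:
    label: str            # constructed identifier, not a real thumbprint
    not_before: datetime  # certificate "valid from"
    not_after: datetime   # certificate expiry


def import_candidates(certs):
    """Import step: every signing certificate found, latest expiry first,
    so the administrator can pick one; the first entry is the usual choice."""
    return sorted(certs, key=lambda c: c.not_after, reverse=True)


def select_for_monitoring(certs, now=None):
    """Monitor step: of the certificates whose "valid from" date is already
    past at `now`, take the one with the latest expiry. A newly published
    certificate that is not yet valid is skipped even though it expires last.
    Already-expired certificates are skipped too (an extra guard beyond the
    rule stated on the page)."""
    now = now or datetime.now(timezone.utc)
    usable = [c for c in certs if c.not_before <= now < c.not_after]
    if not usable:
        raise LookupError("no token signing certificate is currently valid")
    return max(usable, key=lambda c: c.not_after)


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed: the current certificate and its replacement, published ahead
# of time so that both appear in the metadata during the rollover window.
CONSTRUCTED_CERTS = [
    SigningCert("current", utc_date(2015, 1, 1), utc_date(2016, 1, 1)),
    SigningCert("next", utc_date(2015, 12, 1), utc_date(2017, 1, 1)),
]

if __name__ == "__main__":
    print([c.label for c in import_candidates(CONSTRUCTED_CERTS)])
    print(select_for_monitoring(CONSTRUCTED_CERTS, utc_date(2015, 6, 1)).label)
    print(select_for_monitoring(CONSTRUCTED_CERTS, utc_date(2015, 12, 15)).label)
```

The case that makes the monitoring rule non-trivial is the replacement certificate published ahead of its valid-from date: it has the latest expiry, so a naive "newest wins" choice would select it and every token signed with the still-current certificate would then fail verification; the rule as stated on the page ignores it until it becomes valid.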

 

Use AD Property vs Alternate Domain Suffix

When the Use AD Property setting is enabled, Mimecast uses the email address exactly as entered by the user when authenticating the request against AD FS.

When this option is deselected and an Alternate Domain Suffix is entered, Mimecast substitutes the domain part of the email address that the user enters into the Mimecast application with the alternate domain. For example:

  • Alternate Domain Suffix is set to internal.local,
  • the user enters the email address user@external.com into the Mimecast application,
  • Mimecast uses user@internal.local when authenticating the user against your AD FS environment, and then grants access to the user@external.com address.
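
The substitution described in this section, together with the UPN/mail mismatch described under UPN Considerations, as an added example that is not Mimecast's code. resolve_login_name models the Use AD Property and Alternate Domain Suffix settings; audit_directory runs that logic over a constructed list of (userPrincipalName, mail) pairs standing in for a directory export and flags the users AD FS would reject. The alternate_login_id flag is this example's stand-in for the AD FS 3.0 AlternateLoginId feature pointed at the mail attribute.

```python
# Added example (not Mimecast code): work out the user name Mimecast passes
# to AD FS for a login under the Use AD Property / Alternate Domain Suffix
# settings, and audit a directory extract for users whose UPN would not
# match it. The directory is a constructed list of (userPrincipalName, mail)
# pairs, not a live LDAP query.


def resolve_login_name(entered_email, use_ad_property=True,
                       alternate_domain_suffix=None):
    """Return the name sent to AD FS.

    Use AD Property enabled: the address exactly as the user entered it.
    Use AD Property disabled and a suffix set: keep the local part and
    replace the domain part with the suffix.
    """
    entered_email = entered_email.strip()
    local, sep, domain = entered_email.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {entered_email!r}")
    if use_ad_property or not alternate_domain_suffix:
        return entered_email
    return f"{local}@{alternate_domain_suffix.strip().lstrip('@')}"


def audit_directory(users, use_ad_property=True, alternate_domain_suffix=None,
                    alternate_login_id=False):
    """Return (mail, login name sent, upn) for each user AD FS would reject.

    AD FS matches the login name against userPrincipalName (case-insensitive).
    With AlternateLoginId configured for the mail attribute (assumed here via
    the alternate_login_id flag), a login name equal to the user's mail value
    is accepted as well.
    """
    rejected = []
    for upn, mail in users:
        login = resolve_login_name(mail, use_ad_property, alternate_domain_suffix)
        ok = login.lower() == upn.lower()
        if alternate_login_id and login.lower() == mail.lower():
            ok = True
        if not ok:
            rejected.append((mail, login, upn))
    return rejected


# Constructed directory extract: alice differs from her UPN only in the
# domain part, bob matches outright, carol differs in the local part too.
CONSTRUCTED_USERS = [
    ("alice@internal.local", "alice@external.com"),
    ("bob@internal.local", "bob@internal.local"),
    ("c.smith@internal.local", "carol@external.com"),
]

if __name__ == "__main__":
    print(resolve_login_name("user@external.com", False, "internal.local"))
    print(audit_directory(CONSTRUCTED_USERS))
    print(audit_directory(CONSTRUCTED_USERS, False, "internal.local"))
    print(audit_directory(CONSTRUCTED_USERS, True, None, True))
```

Running the audit with Use AD Property disabled and the suffix internal.local clears alice, whose address differs from her UPN only in the domain part, but not carol, whose local part differs as well: that is the case the page says the suffix cannot cover. AlternateLoginId addresses it only when Use AD Property is left enabled, so that the mail value reaches AD FS unchanged; combining the suffix with AlternateLoginId sends a name that matches neither attribute.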

 

Optionally Define Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for Administration Console, End User Application, and Gateway authentication attempts.

To configure Permitted IP Ranges for the Administration Console:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to, in CIDR format, one range per line.

To configure Permitted IP Ranges for End User Applications:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges you want to restrict access to, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Gateway Login IP Ranges.
  6. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges you want to restrict access to, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.
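
The three Permitted IP Range settings above all take the same "CIDR, one range per line" text. As an added example that is not Mimecast's code, the following validates such a setting before it is pasted in and checks a connecting address against it; the ranges are constructed documentation addresses, and the list of non-public ranges is the example's own.

```python
# Added example (not Mimecast code): validate a Permitted IP Range setting
# written as "CIDR, one range per line" and test a connecting address
# against it. Addresses are constructed documentation ranges.
import ipaddress

# Ranges that cannot be the public source of traffic reaching Mimecast:
# RFC 1918 and ULA space, loopback and link-local. One of these in the
# setting usually means an internal address was entered by mistake.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]


def parse_ip_ranges(text):
    """Return (networks, errors).

    Each non-empty line must be a CIDR block; a bare address is accepted
    as a single-host range. Lines that do not parse, or that fall inside
    non-public space, are reported with their line number instead of being
    silently dropped.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            errors.append((lineno, line, str(exc)))
            continue
        if any(net.version == p.version and net.subnet_of(p) for p in NON_PUBLIC):
            errors.append((lineno, line, "not a public range"))
            continue
        networks.append(net)
    return networks, errors


def is_permitted(client_ip, networks):
    """True when the connecting address is inside any permitted range.

    With the check box enabled and no usable range, nothing is permitted
    (fail closed); whether the product behaves the same way is not stated
    on the page, so this is the example's own choice."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


# Constructed setting text as it might be pasted into the text box: two
# public IPv4 entries, one IPv6 range, an internal range entered by mistake,
# and a typo in the prefix length.
CONSTRUCTED_SETTING = """
203.0.113.0/24
198.51.100.17
2001:db8::/32
10.0.0.0/8
203.0.113.0/33
"""

if __name__ == "__main__":
    nets, errs = parse_ip_ranges(CONSTRUCTED_SETTING)
    print([str(n) for n in nets], errs)
    print(is_permitted("203.0.113.77", nets), is_permitted("192.0.2.1", nets))
```

Because these lists are pasted by hand, the parser reports each bad line with its line number rather than dropping it: a range that is silently ignored leaves the restriction narrower than intended (locking administrators out of the console) or, if the line that was meant to exclude internal space is the one lost, wider than intended.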

 

Other Options

An Authentication Profile is applied to a group of users, and a given user can only have one effective profile at a time. Consequently you may want to add additional authentication options to your Authentication Profile.

Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting for it to be applied. To do this:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
    (Screenshot: Application_Settings_select_Authentication_Profile.png)
  5. Select Save and Exit to apply the change.

Next Steps

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. You should be able to select to enter a Domain password.
  4. Enter your Domain password and log in.

You should be granted access to the application.
