Enable EWS Domain Authentication

Document created by user.oxriBaJeN4 (Employee) on Sep 9, 2015. Last modified by user.oxriBaJeN4 (Employee) on Mar 27, 2017. Version 3.

Domain Password Authentication is available to all Mimecast customers. It is typically used when your organization wants to manage a single password, the Active Directory password, and have users enter that same password when accessing Mimecast.

The steps in this guide describe how to enable Domain Password Authentication using an inbound HTTPS connection to Exchange Web Services (EWS) to verify a user's credentials.


Requirements

  • Exchange 2007 SP 1 or later.
  • A Mimecast trusted SSL certificate installed on your Exchange Client Access server(s).
  • The Exchange Web Services must be accessible inbound using HTTPS on port 443 from the Mimecast IP Range.
  • Basic Authentication must be enabled on the Exchange Web Services.


UPN considerations

For Exchange to authenticate your users successfully, it is critical that each user's primary email address matches their UPN attribute in Active Directory.

This is because Exchange accepts the UPN as a user identifier, whereas Mimecast identifies the user by their primary email address.

Where only the domain part of the user's email address differs from the UPN attribute, you can use the Alternate Domain Suffix setting in the Mimecast Authentication Profile.

When this setting is used, Mimecast substitutes the domain part of the email address the user enters with the alternate domain. For example, if:

  • the Alternate Domain Suffix is set to internal.local, and
  • the user enters the email address user@external.com into the Mimecast application,

then Mimecast submits user@internal.local to the EWS endpoint and, on successful authentication, grants access to the user@external.com address.
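An added check, not from the Mimecast article, that applies the matching rule above across all mailboxes from the Exchange Management Shell and reports the users who would fail Domain Password Authentication. The $alternateSuffix value and the Get-EwsLoginName helper are constructed for this example to mirror the substitution described above.

```powershell
# Added example, not from the Mimecast article: list mailboxes whose primary SMTP
# address would not authenticate against EWS because it does not match the UPN,
# taking the Alternate Domain Suffix substitution into account. Run from the
# Exchange Management Shell. $alternateSuffix is a constructed value; set it to
# '' if the Authentication Profile has no Alternate Domain Suffix.

$alternateSuffix = 'internal.local'

function Get-EwsLoginName {
    param([string]$EmailAddress, [string]$AlternateSuffix)
    # Mimecast replaces only the domain part of the address the user entered;
    # the local part is sent to EWS unchanged.
    if ([string]::IsNullOrEmpty($AlternateSuffix)) { return $EmailAddress }
    $localPart = $EmailAddress.Substring(0, $EmailAddress.IndexOf('@'))
    return ($localPart + '@' + $AlternateSuffix)
}

# What Mimecast would submit for the article's example:
# user@external.com -> user@internal.local
Get-EwsLoginName -EmailAddress 'user@external.com' -AlternateSuffix $alternateSuffix

# Mismatch report: every row here fails Domain Password Authentication until the
# UPN, the primary SMTP address, or the Alternate Domain Suffix is corrected.
Get-Mailbox -ResultSize Unlimited |
    Select-Object Alias, UserPrincipalName,
        @{Name='PrimarySmtp';    Expression={ $_.PrimarySmtpAddress.ToString() }},
        @{Name='SubmittedToEws'; Expression={ Get-EwsLoginName $_.PrimarySmtpAddress.ToString() $alternateSuffix }} |
    Where-Object { $_.SubmittedToEws -ine $_.UserPrincipalName } |
    Format-Table -AutoSize
```

An empty table means every mailbox's submitted login name already matches its UPN, so the profile can be enabled without user-by-user fixes.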


Preparing EWS

Exchange Web Services (EWS) Domain Password Authentication uses Basic Authentication over HTTPS to verify a requesting user's identity.


To validate that Basic authentication is enabled on your Client Access Server follow these steps:


  1. On the Exchange Server hosting the Exchange Web Services open the Internet Information Services (IIS) Manager administrative tool.
  2. Navigate through to Server > Sites > Default Web Site > EWS.
  3. Select the Authentication icon from the feature view.
  4. Ensure that Basic Authentication is enabled. If not, enable it here.
  5. Repeat this for all Exchange Servers in the organization.
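The same check, scripted across every server so that step 5 does not have to be repeated by hand. This is an added example, not from the Mimecast article; it uses the Exchange Management Shell cmdlets Get-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory, which update both Active Directory and the IIS metabase, and it also flags an EWS ExternalUrl that is not HTTPS, since Basic Authentication only transmits the password base64-encoded.

```powershell
# Added example, not from the Mimecast article: report the Basic Authentication
# state and external URL of the EWS virtual directory on every Exchange server,
# then enable Basic Authentication where it is missing. Run from the Exchange
# Management Shell on Exchange 2007 SP1 or later.

$ewsDirs = Get-WebServicesVirtualDirectory

foreach ($dir in $ewsDirs) {
    $url = $dir.ExternalUrl
    # Basic Authentication sends the password base64-encoded in each request, so
    # the endpoint published to Mimecast must be HTTPS; flag anything that is not.
    $urlState   = if ($url -ne $null -and $url.Scheme -eq 'https') { 'https OK' } else { 'NOT HTTPS' }
    $basicState = if ($dir.BasicAuthentication) { 'enabled' } else { 'DISABLED' }
    Write-Output ("{0,-45} Basic: {1,-9} ExternalUrl: {2} [{3}]" -f $dir.Identity, $basicState, $url, $urlState)
}

# Enable Basic Authentication on any EWS virtual directory that lacks it
$ewsDirs | Where-Object { -not $_.BasicAuthentication } |
    Set-WebServicesVirtualDirectory -BasicAuthentication $true
```

The ExternalUrl printed for each server is the value to enter as the EWS URL in the Authentication Profile; anything reported as NOT HTTPS needs a Mimecast trusted certificate bound before it is used.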


Configuring the Authentication Profile

An Authentication Profile is referenced by a Mimecast Application Setting, which is in turn applied to a group of users. You can edit existing Authentication Profiles or create new ones, depending on your requirements.

To create or edit an Authentication Profile:


  1. Login to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Add a Description. This will be used to reference the profile when it is later selected in an Application Setting.
  6. From the Domain Authentication Mechanisms drop down list, choose Exchange Web Services.
  7. This exposes an option to enter the EWS URL of your Exchange Server, for example, https://myserver.mydomain.com/EWS/exchange.asmx.
  8. If the domain suffix in your users' UPN and mail attributes differs, add the UPN domain suffix to the Alternate Domain Suffix (Optional) setting.
  9. Select a time period from the Authentication TTL drop down list.

    This applies to Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile only, and defines how long a binding issued after a successful authentication remains valid.

    When the time elapses and the binding expires, the application uses the credentials originally entered by the user to automatically request a new binding. The user is only prompted to re-enter a password if the password has changed.

  10. Select Save and Exit to complete the configuration.


Optionally define Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings that restrict where Administration Console, End User Application, and Gateway authentication attempts may originate from.

To configure Permitted IP ranges for the Administration Console:


  1. Login to the Administration Console.
  2. Navigate to the Administration | Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges from which Administration Console access is permitted, in CIDR format, one range per line.


To configure Permitted IP Ranges for End User Applications:


  1. Login to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which application logins are permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.


To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:


  1. Login to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Select the check box to enable Permitted Gateway Login IP Ranges.
  6. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which gateway logins are permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.


Other options

An Authentication Profile is applied to a group of users, and a given user can only have one effective profile at a time. Consequently, you may want to add additional authentication options to your Authentication Profile.


Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:


  1. Login to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.


Next Steps

To test your configuration and verify that your Authentication Profile has been configured correctly:


  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. You should be offered the option to enter a Domain password.
  4. Enter your Domain password and log in.

You should be granted access to the application.
