Connect Application: Enabling EWS Domain Authentication

Document created by user.oxriBaJeN4 Employee on Apr 14, 2016. Last modified by user.oxriBaJeN4 Employee on Nov 9, 2016.
Version 5

Applies To...


This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here.


UPN Considerations


For your Exchange to successfully authenticate your users, it is vital that each user's primary email address matches their UPN attribute in Active Directory. This is because your Exchange accepts the UPN as a user identifier, whilst Mimecast uses the primary email address.


If only the domain part of the user's email address is different to the UPN attribute, you can use the "Alternate Domain Suffix" option in an authentication profile. If this setting is used, Mimecast substitutes the domain part of the email address that the user enters with the alternate domain. For example:

  • The alternate domain suffix is set as internal.local.
  • A user enters an email address into a Mimecast application.
  • The EWS endpoint grants access to the address.
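
The check below is an added example, not Mimecast's code. It models the substitution described above and audits a directory export for users whose presented identifier would not match their UPN. The CSV column names, the sample users and the example.com domain are constructed assumptions.

```python
import csv
import io

# Constructed sample export (column names and users are assumptions).
SAMPLE_EXPORT = """mail,userPrincipalName
alice@example.com,alice@example.com
bob@example.com,bob@internal.local
carol.smith@example.com,csmith@internal.local
dave@example.com,dave@corp.internal.local
"""


def split_address(address):
    """Return (local part, domain), lower-cased; reject malformed input."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return local, domain


def presented_identity(email, alternate_suffix=None):
    """Identifier sent to EWS: the entered address, with its domain part
    replaced when an alternate domain suffix is configured."""
    local, domain = split_address(email)
    return f"{local}@{(alternate_suffix or domain).lower()}"


def classify(email, upn, alternate_suffix=None):
    """Compare the presented identifier with the UPN Exchange expects."""
    sent_local, sent_domain = split_address(presented_identity(email, alternate_suffix))
    upn_local, upn_domain = split_address(upn)
    if sent_local != upn_local:
        return "local-part-mismatch"  # suffix substitution cannot fix this
    return "ok" if sent_domain == upn_domain else "domain-mismatch"


def audit(export_text, alternate_suffix=None):
    """Map each primary email address in the export to its classification."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["mail"]: classify(r["mail"], r["userPrincipalName"], alternate_suffix)
            for r in rows}


if __name__ == "__main__":
    for suffix in (None, "internal.local"):
        print(suffix, audit(SAMPLE_EXPORT, suffix))
```

Run it once with no suffix and once with the suffix you plan to set: in this model the suffix is applied to every address entered, so a user whose UPN already equals their email address stops matching once it is configured.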


Enabling EWS Domain Authentication

You'll need administrative access to your Exchange CAS.

To enable EWS domain authentication in the Connect application:

  1. Confirm HTTPS access to your Exchange CAS by ensuring there is a valid SSL certificate, signed by a recognized Certificate Authority (CA), installed on your Exchange CAS. This ensures your public Exchange CAS accepts our secure authentication requests.
    If you have multiple public Exchange Client Access servers, this step must be completed for each one.
  2. Enable basic authentication for EWS by ensuring IIS is configured to allow basic authentication against the EWS endpoint.
  3. Allow our IP ranges access to the EWS endpoint. If your EWS endpoint has any IP address restrictions, add the regional IP ranges displayed in the application to the ‘Allow’ access list.
  4. Click the Next button. The Entering Your Exchange Client Access Server (CAS) Details dialog is displayed.
  5. Enter your server hostname in the Exchange CAS Host field.
  6. Click the Next button. The Test Authentication dialog is displayed.
  7. Complete the Domain Authentication Test dialog as follows:

    Field / Option          Description
    Domain Email Address    Enter the domain's email address.
    Domain Password         Enter the domain's password.
  8. Click the Test Authentication button. If authentication is configured successfully, the following message is displayed:

  9. Click the Enable button to enable authentication.