This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here. To enable EWS Domain Authentication, you'll need administrative access to your Exchange CAS.
For your Exchange to successfully authenticate your users, it is vital that each user's primary email address matches their UPN attribute in Active Directory. This is because your Exchange accepts the UPN as a user identifier, whilst we use the primary email address.
If only the domain part of the user's email address is different to the UPN attribute, you can use the "Alternate Domain Suffix" option in an authentication profile. If this setting is used, Mimecast substitutes the domain part of the email address that the user enters with the alternate domain. For example:
- The alternate domain suffix is set as internal.local.
- A user enters an email address of email@example.com into a Mimecast application.
- The EWS endpoint grants access to the firstname.lastname@example.org address.
Enabling EWS Domain Authentication
To enable EWS domain authentication in the Connect application:
- Click on the Start button in the Task Steps for EWS section.
- Enable HTTPS access to your Exchange CAS by ensuring there is a valid SSL certificate installed on your Exchange CAS. This certificate must be signed by a recognized certificate authority and ensures your public Exchange CAS accepts our secure authentication requests. If you have multiple public Exchange Client Access servers, this step must be completed for each one.
- Enable basic authentication for EWS by ensuring IIS is configured to allow Basic Authentication against the EWS endpoint.
- Allow our IP ranges access to the EWS endpoint. If your EWS endpoint has any IP address restrictions, add the regional IP ranges displayed in the application to the Allow List.
- Click on the Next button. The Enter Your Exchange CAS Details page is displayed.
- Enter your server hostname in the Exchange CAS Host field.
- Click on the Next button. The Domain Authentication Test dialog is displayed.
- Enter your Domain Email Address and Domain Password in the required fields.
- Click on the Test Authentication button. A message will display confirming if authentication is valid or not.
- Click on the Enable button to set Active Directory as your default authentication provider. If authentication is successful, the following message displays:
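The HTTPS certificate and Basic Authentication prerequisites from the steps above can be checked before running the authentication test. The following is an added example, not part of the Connect application or Mimecast's tooling; the `/EWS/Exchange.asmx` path is assumed to be the default EWS virtual directory, and the sample header values are constructed.

```python
import http.client
import re
import ssl
import sys

EWS_PATH = "/EWS/Exchange.asmx"  # assumption: default EWS virtual directory path

# Constructed WWW-Authenticate values (not captured from a real server).
SAMPLE_NO_BASIC = ["Negotiate", "NTLM"]
SAMPLE_WITH_BASIC = ["Negotiate, NTLM", 'Basic realm="mail.example.com"']


def offered_schemes(header_values):
    """Extract lowercased auth scheme names from WWW-Authenticate header values."""
    schemes = set()
    for value in header_values:
        for piece in value.split(","):
            words = piece.split(None, 1)
            # A challenge starts with a bare token; "key=value" pieces are parameters.
            if words and re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", words[0]):
                schemes.add(words[0].lower())
    return schemes


def evaluate(status, header_values):
    """Decide whether an unauthenticated EWS response shows Basic is enabled."""
    schemes = offered_schemes(header_values)
    problems = []
    if status != 401:
        problems.append(f"expected a 401 challenge, got HTTP {status}")
    if "basic" not in schemes:
        problems.append("Basic authentication is not offered")
    return {"ready": not problems, "problems": problems, "schemes": sorted(schemes)}


def check_ews(host, timeout=10):
    """Request the EWS endpoint over TLS with chain and hostname verification."""
    ctx = ssl.create_default_context()  # system CA store; verification on
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", EWS_PATH)
        resp = conn.getresponse()
        return evaluate(resp.status, resp.headers.get_all("WWW-Authenticate") or [])
    except ssl.SSLCertVerificationError as exc:
        return {"ready": False, "problems": [f"certificate rejected: {exc.verify_message}"], "schemes": []}
    finally:
        conn.close()


if __name__ == "__main__":
    print(check_ews(sys.argv[1]) if len(sys.argv) > 1 else evaluate(401, SAMPLE_NO_BASIC))
```

The result reflects the machine the script runs on: its CA store and source IP address are not necessarily treated the same way as the requests your Exchange CAS receives from the regional IP ranges shown in the application.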