Connect Application: Enabling EWS Domain Authentication

Document created by user.oxriBaJeN4 Employee on Apr 14, 2016. Last modified by user.Yo2IBgvWqr on Dec 5, 2017.
Version 10

Applies To...


This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here. To enable EWS Domain Authentication, you'll need administrative access to your Exchange Client Access Server (CAS).


UPN Considerations


For your Exchange server to authenticate your users successfully, each user's primary email address must match their UPN attribute in Active Directory. This is because Exchange accepts the UPN as the user identifier, whilst we use the primary email address.


If only the domain part of the user's email address differs from the UPN attribute, you can use the "Alternate Domain Suffix" option in an authentication profile. When this setting is used, Mimecast replaces the domain part of the email address that the user enters with the alternate domain. For example:

  • The alternate domain suffix is set as internal.local.
  • A user enters an email address of into a Mimecast application.
  • The EWS endpoint grants access to the address.
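
The audit below is an added example, not Mimecast or Microsoft code. It classifies a constructed export of UPN and primary email pairs into users who already match, users covered by the Alternate Domain Suffix, and users the suffix cannot fix. The column names, sample users, function names and case-insensitive comparison are assumptions.

```python
import csv
import io

# Constructed sample export (assumed column names); not real directory data.
SAMPLE_EXPORT = """upn,primary_email
alice@example.com,alice@example.com
bob@internal.local,bob@example.com
carol.s@internal.local,carol@example.com
Dave@Example.com,dave@example.com
erin@corp.local,erin@example.com
frank,frank@example.com
"""

def split_address(value):
    """Return (local, domain) lower-cased, or None unless exactly one '@'.
    Case-insensitive comparison is an assumption of this example."""
    local, sep, domain = value.strip().lower().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return local, domain

def substitute_suffix(email, alternate_suffix):
    """Model the substitution described above: keep the local part the user
    entered and replace the domain part with the alternate suffix."""
    parts = split_address(email)
    if parts is None:
        raise ValueError(f"not an email address: {email!r}")
    return f"{parts[0]}@{alternate_suffix.lower()}"

def classify(upn, email, alternate_suffix=None):
    u, e = split_address(upn), split_address(email)
    if u is None or e is None:
        return "malformed"
    if u == e:
        return "match"
    if alternate_suffix and substitute_suffix(email, alternate_suffix) == "@".join(u):
        return "needs_alternate_suffix"
    if u[0] == e[0]:
        return "domain_mismatch"       # a different suffix would be needed
    return "local_part_mismatch"       # suffix substitution cannot fix this

def audit(export_text, alternate_suffix=None):
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["upn"]: classify(r["upn"], r["primary_email"], alternate_suffix) for r in rows}

if __name__ == "__main__":
    for upn, status in audit(SAMPLE_EXPORT, "internal.local").items():
        print(f"{status:24} {upn}")
```

Users reported as local_part_mismatch or domain_mismatch need their UPN or primary email address corrected in Active Directory before the authentication test in the next section will succeed for them.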


Enabling EWS Domain Authentication


To enable EWS domain authentication in the Connect application:

  1. Click on the Start button in the Task Steps for EWS section.
  2. Enable HTTPS access to your Exchange CAS by ensuring a valid SSL certificate is installed on it. This certificate must be signed by a recognized certificate authority, and ensures your public Exchange CAS accepts our secure authentication requests.
    If you have multiple public Exchange Client Access servers, this step must be completed for each one.
  3. Enable basic authentication for EWS by ensuring IIS is configured to allow Basic Authentication against the EWS endpoint.
  4. Allow our IP ranges access to the EWS endpoint. If your EWS endpoint has any IP address restrictions, add the regional IP ranges displayed in the application to the Allow List.
  5. Click on the Next button. The Enter Your Exchange CAS Details page is displayed.
  6. Enter your server hostname in the Exchange CAS Host field.
  7. Click on the Next button. The Domain Authentication Test dialog is displayed.
  8. Enter your Domain Email Address and Domain Password in the required fields.
  9. Click on the Test Authentication button. A message is displayed confirming whether authentication is valid or not.
  10. Click on the Enable button to set Active Directory as your default authentication provider. If authentication is successful, the following message displays:
    Authentication Successful


Next Steps


To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. Select to enter a domain password.
  4. Enter your domain password and log in. You should be granted access to the application.