Connect Application: Enabling Domain Password Authentication Using AD FS

Document created by user.oxriBaJeN4 Employee on Apr 14, 2016. Last modified by user.oxriBaJeN4 Employee on Aug 1, 2018. Version 10.

Domain Password Authentication is available for all Mimecast customers. It is typically used to manage and use your Active Directory password when accessing Mimecast. This guide describes how to enable domain password authentication in the Connect Application, using an inbound HTTPS connection to Active Directory Federation Services (AD FS) to verify a user.


Applies To


This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here.


Enabling Domain Password Authentication Using AD FS


Enabling domain password authentication using AD FS involves the following task steps:

  1. Prepare your AD FS server, adding us as a trusted relying party. This is an external task.
  2. Import your identity federation service details in the Connect Application.
  3. Verify your authentication by entering your domain credentials in Connect.
  4. Set AD FS as your default authentication provider in Connect.
  5. Test your configuration by logging on to a Mimecast application.


To accomplish this you'll need:

  • Administrative access to your organization's AD FS environment.
  • A supported version of AD FS installed in your environment (see below):
    Version   Host Operating System
    3.0       Windows Server 2012 R2
    2.1       Windows Server 2012
    2.0       Windows Server 2008 R2
  • A Mimecast Trusted SSL Certificate installed on your AD FS server(s).
  • AD FS must be accessible inbound using HTTPS on port 443 from the Mimecast IP Range.


UPN Considerations


Mimecast identifies a user by their primary email address. This maps to the "mail" attribute in your Active Directory. This can cause problems for Same Sign On Domain Authentication, as AD FS typically expects the UPN attribute to be provided as the username input. Therefore, a user's UPN must match their primary email address. Where this is not the case, authentication fails because AD FS doesn't recognize the user.

If your organization uses AD FS 3.0 hosted on Windows Server 2012 R2, you can work around this issue by using the AlternateLoginId feature. This allows you to specify the "mail" Active Directory attribute as a recognized user name. For more details on this feature, its associated impact, and how to configure it in your environment, please consult the Configure Alternate Login ID page of Microsoft's documentation.


If only the domain part of the user's email address is different to the UPN attribute, you can use the Alternate Domain Suffix setting in the Mimecast authentication profile. This substitutes the domain part of the email address with the alternate domain. For example,

  • The alternate domain suffix is set as internal.local.
  • The user enters an email address of
  • Mimecast uses user@internal.local when authenticating the user against your AD FS environment, and grants access to the address.
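
The mismatch cases described in this section can be found before rollout. The following PowerShell is an added example, not part of the original guide. It assumes the ActiveDirectory module is available; the helper name Split-Address and the status labels are illustrative.

```powershell
# Added example: classifies users by how their UPN relates to their mail attribute.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Illustrative helper: split an address at its last '@'.
function Split-Address([string]$Address) {
    $i = $Address.LastIndexOf('@')
    if ($i -lt 1 -or $i -eq $Address.Length - 1) { return $null }
    New-Object psobject -Property @{
        Local  = $Address.Substring(0, $i)
        Domain = $Address.Substring($i + 1)
    }
}

$report = @(Get-ADUser -Filter 'mail -like "*"' -Properties mail | ForEach-Object {
    $m = Split-Address $_.mail
    $u = Split-Address $_.UserPrincipalName
    if (-not $m -or -not $u)                  { $status = 'Missing or malformed' }
    elseif ($_.mail -eq $_.UserPrincipalName) { $status = 'Match' }
    elseif ($m.Local -eq $u.Local)            { $status = 'Domain part differs' }
    else                                      { $status = 'Local part differs' }
    $_ | Select-Object SamAccountName, UserPrincipalName, mail,
        @{ Name = 'Status'; Expression = { $status } }
})

# Counts per category.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Domain-only mismatches: candidates for the Alternate Domain Suffix setting.
# Lists the UPN domains involved.
$report | Where-Object { $_.Status -eq 'Domain part differs' } |
    ForEach-Object { (Split-Address $_.UserPrincipalName).Domain } |
    Sort-Object -Unique

# Local-part mismatches: the UPN must change, or AlternateLoginId is needed (AD FS 3.0).
$report | Where-Object { $_.Status -eq 'Local part differs' } |
    Format-Table SamAccountName, UserPrincipalName, mail -AutoSize
```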


Creating a Relying Party Trust in AD FS


To use AD FS as an authentication source for Mimecast Domain Password Authentication, you must create a Relying Party Trust in your environment. To simplify the process, Mimecast publishes Federation Metadata.


To create a Relying Party Trust in your environment:

  1. Log on to your AD FS server.
  2. Open the AD FS Management Console.
  3. Navigate to the Trust Relationships | Relying Party Trusts node in the navigation pane.
  4. Select Add Relying Party Trust... from the Actions pane on the right-hand side of the console. This starts a wizard.
  5. Select the Import from a URL option in the Select Data Source wizard page.
  6. Enter the URL from the list below that corresponds to the region that your Mimecast account is hosted in.

  7. Click Next to proceed to the next wizard page.
  8. Enter a Display Name for the Relying Party Trust (e.g. “Mimecast Domain Authentication”).
  9. Click Next to proceed to the next wizard page.
  10. Complete the wizard, accepting the default values to finish configuration.


AD FS Settings


By default AD FS publishes a Federation Metadata URL (e.g. This allows Mimecast to obtain the required details to create a trust with your AD FS environment. Mimecast uses this URL to initially import the minimum required settings and to monitor for changes once the Authentication Profile has been saved.


Security Information: By default, this URL is published using HTTPS. Consequently, the AD FS server needs to have a Mimecast Trusted SSL certificate installed.

Mimecast issues an HTTP(S) connection to the URL provided and uses the data in the XML file to import the required settings. The values imported are:

  • the AD FS token signing certificate metadata,
  • the AD FS login URL

Once an authentication profile has been saved, and the Monitor Metadata URL setting has been enabled, the Federation Metadata URL is monitored for changes. The monitoring is triggered when a user with the authentication profile attempts to log on to a Mimecast application. This process happens only once in a 24-hour period, not on every login attempt.

Multiple Token Signing Certificates

As SSL certificates expire, it is common practice to have more than one token signing certificate installed on your AD FS server(s). In this situation the following behavior is expected:

  • During an import, you should be presented with a page displaying metadata values of each of the certificates found. This allows you to select the one to use. Typically this will be the certificate with the latest expiry date.
  • During monitoring, the certificate with the latest expiry date and a valid-from date earlier than the time of the check is used.
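
To see which certificate the monitoring rule above would select on your own server, the following added example (not Mimecast's code) applies that rule to the local token-signing certificates. It assumes the ADFS PowerShell module on the AD FS server; variable names are illustrative.

```powershell
# Added example: run in an elevated session on the primary AD FS server.
# Assumes the ADFS module (Windows Server 2012 / 2012 R2).
Import-Module ADFS

$now = Get-Date

# Collect validity dates for every token-signing certificate configured in AD FS.
$signing = @(Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary,
        @{ Name = 'NotBefore'; Expression = { $_.Certificate.NotBefore } },
        @{ Name = 'NotAfter';  Expression = { $_.Certificate.NotAfter } })

# Rule from the guide: valid-from date before the check, then latest expiry.
$selected = $signing |
    Where-Object { $_.NotBefore -le $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

# The certificate AD FS marks as primary.
$primary = $signing | Where-Object { $_.IsPrimary } | Select-Object -First 1

$signing | Sort-Object NotAfter | Format-Table -AutoSize

if (-not $selected) {
    Write-Warning 'No token-signing certificate has a valid-from date in the past.'
} elseif ($selected.NotAfter -lt $now) {
    Write-Warning "Latest-expiring certificate $($selected.Thumbprint) expired on $($selected.NotAfter)."
} elseif ($primary -and $selected.Thumbprint -ne $primary.Thumbprint) {
    Write-Warning ("Rule selects $($selected.Thumbprint), but AD FS marks " +
                   "$($primary.Thumbprint) as primary.")
} else {
    Write-Output "Rule selects the primary certificate $($selected.Thumbprint), valid until $($selected.NotAfter)."
}
```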

Use AD Property vs Alternate Domain Suffix

If the Use AD Property option is enabled, Mimecast uses the email address as entered by the user when authenticating the request against AD FS. If the option is disabled and an Alternate Domain Suffix is entered, Mimecast substitutes the domain part of the email address with the alternate domain. For example:


Setting Up AD FS in Connect


To finish setting up AD FS in the Connect Application:

  1. Click the Start button in the Task Steps for AD FS section.
  2. Enter your federation metadata URL as provided by AD FS, and click Import. Your Identity Federation Service Metadata displays.
  3. Click the Next button. The Domain Authentication Test dialog displays.
  4. Enter your Domain Email Address and Domain Password in the required fields, and click Test Authentication. A message will display confirming if authentication is valid or not.
  5. To set AD FS as your default authentication provider, click Enable. If authentication is configured successfully, the following message displays:


Next Steps


To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open a Mimecast application.
  2. Enter your primary email address.
  3. Select to enter a domain password.
  4. Enter your domain password and log on. You should be granted access to the application.