Connect Application: Enabling Domain Password Authentication Using AD FS

Document created by user.oxriBaJeN4 (Employee) on Apr 14, 2016. Last modified by user.oxriBaJeN4 (Employee) on Jul 25, 2017. Version 8.

Applies To

This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here.

Enabling Domain Password Authentication Using AD FS

Domain Password Authentication is available for all Mimecast customers. It is typically used if you want to manage and use your Active Directory password when accessing Mimecast. This guide describes how to enable domain password authentication, using an inbound HTTPS connection to Active Directory Federation Services (AD FS) to verify a user.

To do this you must have:

  • Administrative access to your organization's AD FS environment.
  • A supported version of AD FS installed in your environment (see below):

    Version   Host Operating System
    2.0       Windows Server 2008 R2
    2.1       Windows Server 2012
    3.0       Windows Server 2012 R2
  • A Mimecast Trusted SSL Certificate installed on your AD FS server(s).
  • AD FS must be accessible inbound using HTTPS on port 443 from the Mimecast IP Range.


UPN Considerations

Mimecast identifies a user by their primary email address, which maps to the "mail" attribute in your Active Directory. This can cause problems for Same Sign On Domain Authentication, because AD FS typically expects the UPN attribute to be provided as the user name input. A user's UPN must therefore match their primary email address. Where this is not the case, authentication fails because AD FS does not recognize the user.

If your organization uses AD FS 3.0 hosted on Windows Server 2012 R2, you can work around this issue by using the AlternateLoginId feature. This allows you to specify the "mail" Active Directory attribute as a recognized user name. For more details on this feature, its associated impact, and how to configure it in your environment, consult the Configure Alternate Login ID page of Microsoft's documentation.

If only the domain part of the user's email address differs from the UPN attribute, you can use the Alternate Domain Suffix setting in the Mimecast authentication profile. This substitutes the domain part of the email address with the alternate domain. For example,

  • The alternate domain suffix is set as internal.local.
  • The user enters an email address of user@external.com.
  • Mimecast uses user@internal.local when authenticating the user against your AD FS environment, and grants access to the user@external.com address.
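The mismatch described above can be found before users hit it. The following PowerShell is an added example, not part of the Mimecast article or Mimecast's own tooling: it lists Active Directory users whose UPN differs from their "mail" attribute, applies the Alternate Domain Suffix substitution the article describes (the same substitution the Use AD Property vs Alternate Domain Suffix setting controls later on the page) to see which users would still fail, and shows, commented out, Microsoft's documented AlternateLoginID cmdlet for AD FS 3.0. The suffix value internal.local and the forest name example.local are assumed placeholders; the script needs the ActiveDirectory RSAT module and PowerShell 3.0 or later.

```powershell
# Added example (not from the Mimecast article): find users whose UPN does not match
# their primary email address, the condition under which AD FS rejects a Mimecast
# domain-password login.
Import-Module ActiveDirectory

# Reimplementation of the Alternate Domain Suffix rule from the article: with
# Use AD Property enabled (or no suffix) the address is used as entered; otherwise
# the local part is kept and the domain part is replaced by the suffix.
function Get-MimecastLogonName {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [string]$AlternateDomainSuffix,
        [switch]$UseADProperty
    )
    if ($UseADProperty -or [string]::IsNullOrEmpty($AlternateDomainSuffix)) {
        return $EmailAddress
    }
    $localPart = $EmailAddress.Split('@')[0]
    return ('{0}@{1}' -f $localPart, $AlternateDomainSuffix)
}

# Assumed value: set to the suffix in your authentication profile, or '' if none.
$suffix = 'internal.local'

$report = Get-ADUser -Filter 'mail -like "*"' -Properties mail, UserPrincipalName |
    ForEach-Object {
        $logon = Get-MimecastLogonName -EmailAddress $_.mail -AlternateDomainSuffix $suffix
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Mail              = $_.mail
            UPN               = $_.UserPrincipalName
            MimecastLogonName = $logon
            # UPN comparison is case-insensitive; a user passes only if the name
            # Mimecast submits equals the UPN that AD FS expects.
            WillAuthenticate  = ($logon -ieq $_.UserPrincipalName)
        }
    }

# Users that would be rejected by AD FS with the current suffix setting.
$report | Where-Object { -not $_.WillAuthenticate } | Format-Table -AutoSize

# AD FS 3.0 on Windows Server 2012 R2 only: accept the "mail" attribute as a logon
# name (Microsoft's documented AlternateLoginID cmdlet; replace the forest name).
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests 'example.local'
```

Run it with the suffix set to '' first to see the raw UPN/mail mismatches, then with your intended suffix: any user still listed needs either a UPN change or the AlternateLoginID approach, since the suffix only rewrites the domain part of the address.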


Creating a Relying Party Trust in AD FS

To use AD FS as an authentication source for Mimecast Domain Password Authentication, you must create a Relying Party Trust in your environment. To simplify the process, Mimecast publishes Federation Metadata.

To create a Relying Party Trust in your environment:

  1. Log in to your AD FS server.
  2. Open the AD FS Management Console.
  3. Navigate to the Trust Relationships | Relying Party Trusts node in the navigation pane.
  4. Select Add Relying Party Trust... from the Actions pane on the right hand side of the console. This starts a wizard.
  5. Select the Import from a URL option in the Select Data Source wizard page.
  6. Enter the URL from the list below that corresponds to the region that your Mimecast account is hosted in.

  7. Click Next to proceed to the next wizard page.
  8. Enter a Display Name for the Relying Party Trust (e.g. “Mimecast Domain Authentication”).
  9. Click Next to proceed to the next wizard page.
  10. Complete the wizard accepting the default values to finish the configuration.
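The same trust can be created from PowerShell on the AD FS server, which is useful for repeatable builds and for checking the result. This is an added example and not the article's own procedure or Mimecast-supplied code. The metadata URL is a placeholder that must be replaced with the URL for your Mimecast region from the list above; the permit-all authorization rule matches the wizard's default of allowing all users. It requires PowerShell 3.0 or later and the AD FS cmdlets (Windows Server 2012 or 2012 R2).

```powershell
# Added example (not from the Mimecast article): create and verify the Mimecast
# Relying Party Trust from its published Federation Metadata.
# Placeholder: substitute the metadata URL for your Mimecast region.
$MimecastMetadataUrl = 'https://<mimecast-region-host>/<federation-metadata-path>'
$DisplayName = 'Mimecast Domain Authentication'

# 1. Confirm the metadata can be fetched over HTTPS from this server.
#    Invoke-WebRequest throws if the TLS certificate does not chain to a trusted root.
$response = Invoke-WebRequest -Uri $MimecastMetadataUrl -UseBasicParsing
if ($response.StatusCode -ne 200) {
    throw "Metadata fetch failed with HTTP $($response.StatusCode)"
}

# 2. Import the trust: the PowerShell equivalent of "Import from a URL" in the wizard.
#    The authorization rule reproduces the wizard default (permit all users).
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName `
        -MetadataUrl $MimecastMetadataUrl `
        -IssuanceAuthorizationRules $permitAll
}

# 3. Review what was imported and whether AD FS will keep it updated from the metadata.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, LastMonitoredTime
```

The fetch in step 1 only proves outbound access from the AD FS server to Mimecast; the article's requirement that Mimecast can reach your AD FS endpoint inbound on port 443 from the Mimecast IP range is a firewall and publishing question that this script does not test.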


AD FS Settings

By default AD FS publishes a Federation Metadata URL (e.g. https://host.domain.com/FederationMetadata/2007-06/FederationMetadata.xml). This allows Mimecast to obtain the details required to create a trust with your AD FS environment. Mimecast uses this URL to import the minimum required settings initially, and to monitor for changes once the Authentication Profile has been saved.

Security Information

    By default, this URL is published using HTTPS, so the AD FS server needs to have a Mimecast Trusted SSL certificate installed.

Import

    Mimecast issues an HTTP(S) connection to the URL provided, and uses the data in the XML file to import the required settings. The values imported are:

      • the AD FS token signing certificate metadata
      • the AD FS login URL

Monitor

    Once an authentication profile has been saved and the Monitor Metadata URL setting has been enabled, the Federation Metadata URL is monitored for changes. Monitoring is triggered when a user with the authentication profile attempts to log in to a Mimecast application, but it runs only once in any 24 hour period, not on every login attempt.

Multiple Token Signing Certificates

    As SSL certificates expire, it is common practice to have more than one token signing certificate installed on your AD FS server(s). In this situation the following behavior is expected:

      • During an import, you are presented with a page displaying the metadata values of each certificate found, so that you can select the one to use. Typically this is the certificate with the latest expiry date.
      • During monitoring, the certificate with the latest expiry date whose valid-from date is earlier than the time of the check is used.
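To see in advance what Mimecast's import and monitoring will find, the following PowerShell, an added example rather than the article's or Mimecast's code, fetches your own AD FS Federation Metadata over HTTPS (failing, like Mimecast's import would, if the endpoint's certificate is not trusted), lists every token signing certificate published in it, and applies the monitoring selection rule stated above: the latest expiry among certificates whose valid-from date has already passed. The rule is a reimplementation for checking purposes, not Mimecast's code. It reads the federation service host name from Get-AdfsProperties; the assumption that the "AD FS login URL" Mimecast imports is the WS-Federation passive endpoint is mine, not the article's. PowerShell 3.0 or later is required for Invoke-WebRequest.

```powershell
# Added example (not from the Mimecast article): inspect the token signing
# certificates in your own Federation Metadata and apply the article's
# monitoring selection rule to them.
$hostName = (Get-AdfsProperties).HostName
$metadataUrl = "https://$hostName/FederationMetadata/2007-06/FederationMetadata.xml"

# Throws on an untrusted TLS certificate: the same condition Mimecast's import hits
# when no trusted SSL certificate is installed on the AD FS server.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = @{
    md  = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds  = 'http://www.w3.org/2000/09/xmldsig#'
    fed = 'http://docs.oasis-open.org/wsfed/federation/200706'
}

# Signing keys are published as base64 DER certificates under
# IDPSSODescriptor/KeyDescriptor[@use='signing'].
$signingCerts = Select-Xml -Xml $metadata -Namespace $ns `
    -XPath "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    }

# Reimplementation of the monitoring rule: ignore certificates not yet valid,
# then take the one that expires last.
function Select-MonitoringCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates,
        [datetime]$Now = (Get-Date)
    )
    $Certificates |
        Where-Object { $_.NotBefore -le $Now } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$signingCerts | Select-Object Thumbprint, Subject, NotBefore, NotAfter | Format-Table -AutoSize
$chosen = Select-MonitoringCertificate -Certificates $signingCerts
"Certificate the monitoring rule would select: $($chosen.Thumbprint) (expires $($chosen.NotAfter))"

# Assumed: the login URL imported by Mimecast is the WS-Federation passive endpoint.
$loginUrl = (Select-Xml -Xml $metadata -Namespace $ns `
    -XPath "//fed:PassiveRequestorEndpoint//*[local-name()='Address']" |
    Select-Object -First 1).Node.InnerText
"Passive login endpoint: $loginUrl"
```

A useful check after a certificate rollover: if the new certificate's NotBefore is still in the future, the function returns the old certificate, which is exactly what the monitoring rule will do until the new one becomes valid.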
Use AD Property vs Alternate Domain Suffix

    If the Use AD Property option is enabled, Mimecast uses the email address as entered by the user when authenticating the request against AD FS. If the option is disabled and an Alternate Domain Suffix is entered, Mimecast substitutes the domain part of the email address with the alternate domain. For example, with an alternate domain suffix of internal.local, a user who enters user@external.com is authenticated against AD FS as user@internal.local.


Next Steps

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open or navigate to a Mimecast application.
  2. Enter your primary email address.
  3. Select the option to enter a domain password.
  4. Enter your domain password and log in.

You should be granted access to the application.