Enabling Domain Password Authentication Using AD FS
Domain Password Authentication is available to all Mimecast customers. It is used when you want users to access Mimecast with the Active Directory password they already manage. This guide describes how to enable domain password authentication using an inbound HTTPS connection to Active Directory Federation Services (AD FS) to verify a user.
To do this you must have:
- Administrative access to your organization's AD FS environment.
- A supported version of AD FS installed in your environment:
  - AD FS 2.0 on Windows Server 2008 R2
  - AD FS 2.1 on Windows Server 2012
  - AD FS 3.0 on Windows Server 2012 R2
- A Mimecast Trusted SSL Certificate installed on your AD FS server(s).
- AD FS must be reachable inbound over HTTPS on port 443 from the Mimecast IP range.
Mimecast identifies a user by their primary email address, which maps to the "mail" attribute in your Active Directory. This can cause problems for Same Sign On Domain Authentication, because AD FS typically expects the UPN attribute as the user name input. A user's UPN must therefore match their primary email address; where it does not, authentication fails because AD FS does not recognize the user.
If your organization uses AD FS 3.0 hosted on Windows Server 2012 R2, you can work around this by using the AlternateLoginId feature, which lets you specify the "mail" Active Directory attribute as a recognized user name. For details of this feature, its associated impact, and how to configure it in your environment, consult the Configure Alternate Login ID page of Microsoft's documentation.
If only the domain part of the user's email address differs from the UPN attribute, you can use the Alternate Domain Suffix setting in the Mimecast authentication profile. This substitutes the domain part of the email address with the alternate domain. For example:
- The alternate domain suffix is set as internal.local.
- The user enters an email address of firstname.lastname@example.org.
- Mimecast uses email@example.com when authenticating the user against your AD FS environment, and grants access to the firstname.lastname@example.org address.
Creating a Relying Party Trust in AD FS
To use AD FS as an authentication source for Mimecast Domain Password Authentication, you must create a Relying Party Trust in your environment. To simplify the process, Mimecast publishes Federation Metadata.
To create a Relying Party Trust in your environment:
- Log in to your AD FS server.
- Open the AD FS Management Console.
- Navigate to the Trust Relationships | Relying Party Trusts node in the navigation pane.
- Select Add Relying Party Trust... from the Actions pane on the right-hand side of the console. This starts a wizard.
- Select the Import from a URL option in the Select Data Source wizard page.
- Enter the URL from the list below that corresponds to the region that your Mimecast account is hosted in.
- Click Next to proceed to the next wizard page.
- Enter a Display Name for the Relying Party Trust (e.g. “Mimecast Domain Authentication”).
- Click Next to proceed to the next wizard page.
- Complete the wizard accepting the default values to finish the configuration.
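The same trust the wizard creates can be built and reviewed with the AD FS PowerShell cmdlets. The script below is an added example, not part of the Mimecast article or Mimecast's own tooling. It assumes you run it on the AD FS server as an AD FS administrator, and `$mimecastMetadataUrl` is a placeholder for the regional Mimecast Federation Metadata URL, which you take from the article's list; the "permit all users" authorization rule is the wizard's default.

```powershell
# Added example (not from the Mimecast article): create the Mimecast Relying Party Trust
# from its published Federation Metadata, then show what was imported.
# On AD FS 2.0/2.1 use "Add-PSSnapin Microsoft.Adfs.PowerShell" instead of Import-Module.
Import-Module ADFS

$displayName         = 'Mimecast Domain Authentication'
# PLACEHOLDER: replace with the Federation Metadata URL for the region hosting your account.
$mimecastMetadataUrl = 'https://PLACEHOLDER-mimecast-federation-metadata-url'

# The wizard's default authorization rule: any authenticated user may obtain a token for this trust.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $displayName)) {
    # -MetadataUrl is the scripted equivalent of "Import from a URL": identifiers, endpoints
    # and signing certificates come from the metadata. Monitoring and auto-update keep the
    # AD FS side of the trust in step with changes to that metadata.
    Add-AdfsRelyingPartyTrust -Name $displayName `
        -MetadataUrl $mimecastMetadataUrl `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true `
        -IssuanceAuthorizationRules $permitAll
}

# Review the imported identifier, endpoints and request-signing certificates before rollout.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled,
        @{ n = 'Endpoints';    e = { ($_.SamlEndpoints | ForEach-Object { $_.Location }) -join ', ' } },
        @{ n = 'SigningCerts'; e = { ($_.RequestSigningCertificate | ForEach-Object { $_.Thumbprint }) -join ', ' } }
```

Checking the imported values against what you expect from Mimecast is the scripted version of clicking through the trust's properties after the wizard finishes.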
AD FS Settings
By default AD FS publishes a Federation Metadata URL (e.g. https://host.domain.com/FederationMetadata/2007-06/FederationMetadata.xml). This allows Mimecast to obtain the details required to create a trust with your AD FS environment. Mimecast uses this URL to import the minimum required settings initially, and to monitor for changes once the Authentication Profile has been saved.
Security Information: By default this URL is published over HTTPS, so the AD FS server must have a Mimecast Trusted SSL certificate installed.
Mimecast issues an HTTP(S) request to the URL provided and uses the data in the XML file to import the required settings. The values imported are:
Once an authentication profile has been saved and the Monitor Metadata URL setting has been enabled, the Federation Metadata URL is monitored for changes. Monitoring is triggered when a user with that authentication profile attempts to log in to a Mimecast application, but it runs at most once in any 24-hour period, not on every login attempt.
Multiple Token Signing Certificates
Because SSL certificates expire, it is common practice to have more than one token signing certificate installed on your AD FS server(s). In this situation the following behavior is expected:
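To see exactly what the metadata import and the 24-hour monitoring pass can pick up, you can fetch your own Federation Metadata the way Mimecast does (an HTTPS GET) and list the token-signing certificates it advertises beside the ones AD FS holds. This is an added example, not from the Mimecast article; `$adfsHost` is a placeholder for your federation service name, and the certificate comparison assumes the ADFS PowerShell module is available on the machine.

```powershell
# Added example (not from the Mimecast article): read the published Federation Metadata and
# compare its token-signing certificates with the ones AD FS currently holds.
$adfsHost    = 'adfs.example.com'   # PLACEHOLDER: your federation service FQDN
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Invoke-WebRequest validates the TLS chain like any other client. A failure here means the
# certificate on the AD FS endpoint is not one a remote party such as Mimecast would trust.
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The entityID is the identifier the trust is created under.
"entityID: " + $metadata.DocumentElement.GetAttribute('entityID')

# Collect every signing KeyDescriptor (AD FS repeats them under more than one role descriptor),
# de-duplicated by thumbprint.
$published = @{}
foreach ($node in $metadata.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $published[$cert.Thumbprint] = $cert
}

"Token-signing certificates in the published metadata:"
$published.Values | Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize

# What AD FS itself holds, including which certificate is primary (the one used to sign tokens)
# and whether each one is actually present in the metadata a relying party would read.
Import-Module ADFS
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint,
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } },
        @{ n = 'InMetadata'; e = { $published.ContainsKey($_.Thumbprint) } } |
    Format-Table -AutoSize
```

Run this before and after a token-signing certificate rollover: a certificate marked primary that is not yet in the metadata, or one that has expired but is still advertised, is the condition the monitoring pass has to reconcile.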
Use AD Property vs Alternate Domain Suffix
If the Use AD Property option is enabled, Mimecast uses the email address as entered by the user when authenticating the request against AD FS. If the option is disabled and an Alternate Domain Suffix is entered, Mimecast substitutes the domain part of the email address with the alternate domain. For example:
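The earlier section on UPN and email address mismatches and the two settings described here decide what user name Mimecast presents to AD FS, and therefore which users AD FS will recognize. The script below is an added example, not part of the Mimecast article; it computes the name sent under each setting and reports, for a constructed sample of accounts, who would authenticate. The live query at the end assumes the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the Mimecast article): pre-flight check of which users AD FS will
# recognize, depending on "Use AD Property", "Alternate Domain Suffix" and AlternateLoginId.

function Get-MimecastAdfsLoginName {
    param(
        [Parameter(Mandatory)][string]$Mail,
        [bool]$UseADProperty = $true,
        [string]$AlternateDomainSuffix = ''
    )
    # "Use AD Property" enabled: the address is sent to AD FS exactly as the user entered it.
    if ($UseADProperty -or [string]::IsNullOrEmpty($AlternateDomainSuffix)) { return $Mail }
    # Otherwise the domain part of the address is swapped for the alternate suffix.
    $at = $Mail.LastIndexOf('@')
    if ($at -lt 0) { return $Mail }   # not an address at all; leave it untouched
    return $Mail.Substring(0, $at + 1) + $AlternateDomainSuffix
}

function Test-MimecastAdfsUsers {
    param(
        [Parameter(Mandatory)][object[]]$Users,    # objects with Mail and UserPrincipalName
        [bool]$UseADProperty = $true,
        [string]$AlternateDomainSuffix = '',
        [bool]$AlternateLoginIdOnMail = $false      # AD FS 3.0 AlternateLoginId configured for "mail"
    )
    foreach ($u in $Users) {
        if ([string]::IsNullOrEmpty($u.Mail)) { continue }   # no primary address, so no Mimecast login
        $login = Get-MimecastAdfsLoginName -Mail $u.Mail -UseADProperty $UseADProperty `
                                           -AlternateDomainSuffix $AlternateDomainSuffix
        # AD FS accepts the value when it equals the UPN, or equals "mail" if AlternateLoginId is set.
        $ok = ($login -ieq $u.UserPrincipalName) -or ($AlternateLoginIdOnMail -and ($login -ieq $u.Mail))
        [pscustomobject]@{
            Mail              = $u.Mail
            UserPrincipalName = $u.UserPrincipalName
            SentToAdfs        = $login
            WillAuthenticate  = $ok
        }
    }
}

# Constructed sample directory data, not real accounts.
$sample = @(
    [pscustomobject]@{ Mail = 'jane.doe@example.com'; UserPrincipalName = 'jane.doe@example.com' },
    [pscustomobject]@{ Mail = 'john.roe@example.com'; UserPrincipalName = 'john.roe@internal.local' },
    [pscustomobject]@{ Mail = 'sam.poe@example.com';  UserPrincipalName = 'spoe@internal.local' }
)

# Use AD Property: only jane.doe, whose UPN equals her address, authenticates.
Test-MimecastAdfsUsers -Users $sample -UseADProperty $true | Format-Table

# Alternate Domain Suffix internal.local: john.roe now passes, jane.doe fails (the suffix applies
# to everyone), sam.poe still fails because the local part differs; only AlternateLoginId on
# "mail" covers that case.
Test-MimecastAdfsUsers -Users $sample -UseADProperty $false -AlternateDomainSuffix 'internal.local' | Format-Table
Test-MimecastAdfsUsers -Users $sample -UseADProperty $true -AlternateLoginIdOnMail $true | Format-Table

# Live run against the domain (requires the ActiveDirectory module); list only the failures.
# $live = Get-ADUser -Filter 'mail -like "*"' -Properties mail, userPrincipalName |
#         ForEach-Object { [pscustomobject]@{ Mail = $_.mail; UserPrincipalName = $_.UserPrincipalName } }
# Test-MimecastAdfsUsers -Users $live -UseADProperty $false -AlternateDomainSuffix 'internal.local' |
#     Where-Object { -not $_.WillAuthenticate }
```

The failures list is the set of users to fix (by aligning UPN and mail, or by enabling AlternateLoginId) before the authentication profile is switched on for them.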
To test your configuration and verify that your Authentication Profile has been configured correctly:
- Open or navigate to a Mimecast application.
- Enter your primary email address.
- Select the option to enter a domain password.
- Enter your domain password and log in.
You should be granted access to the application.