Domain Password Authentication is available for all Mimecast customers. It is typically used to manage and use your Active Directory password when accessing Mimecast. This guide describes how to enable domain password authentication in the Connect Application, using an inbound HTTPS connection to Active Directory Federation Services (AD FS) to verify a user.
Enabling Domain Password Authentication Using AD FS
Enabling domain password authentication using AD FS involves the following task steps:
- Prepare your AD FS server, adding Mimecast as a trusted relying party. This is an external task.
- Import your identity federation service details in the Connect Application.
- Verify your authentication by entering your domain credentials in Connect.
- Set AD FS as your default authentication provider in Connect.
- Test your configuration by logging on to a Mimecast application.
To accomplish this you'll need:
- Administrative access to your organization's AD FS environment.
- A supported version of AD FS installed in your environment (see below):
  - AD FS 3.0: Windows Server 2012 R2
  - AD FS 2.1: Windows Server 2012
  - AD FS 2.0: Windows Server 2008 R2
- A Mimecast Trusted SSL Certificate installed on your AD FS server(s).
- AD FS must be accessible inbound using HTTPS on port 443 from the Mimecast IP Range.
Mimecast identifies a user by their primary email address, which maps to the "mail" attribute in your Active Directory. This can cause problems for Same Sign On Domain Authentication, because AD FS typically expects the UPN attribute as the username input. A user's UPN must therefore match their primary email address; where it does not, authentication fails because AD FS doesn't recognize the user.
If your organization uses AD FS 3.0 hosted on Windows Server 2012 R2, you can work around this issue with the AlternateLoginId feature, which lets you specify the "mail" Active Directory attribute as a recognized user name. For details on this feature, its associated impact, and how to configure it in your environment, consult the Configure Alternate Login ID page of Microsoft's documentation.
If only the domain part of the user's email address is different to the UPN attribute, you can use the Alternate Domain Suffix setting in the Mimecast authentication profile. This substitutes the domain part of the email address with the alternate domain. For example,
- The alternate domain suffix is set as internal.local.
- The user enters an email address of email@example.com.
- Mimecast uses email@internal.local when authenticating the user against your AD FS environment, and grants access to the email@example.com address.
Creating a Relying Party Trust in AD FS
To use AD FS as an authentication source for Mimecast Domain Password Authentication, you must create a Relying Party Trust in your environment. To simplify the process, Mimecast publishes Federation Metadata.
To create a Relying Party Trust in your environment:
- Log on to your AD FS server.
- Open the AD FS Management Console.
- Navigate to the Trust Relationships | Relying Party Trusts node in the navigation pane.
- Select Add Relying Party Trust... from the Actions pane on the right-hand side of the console. This starts a wizard.
- Select the Import from a URL option in the Select Data Source wizard page.
- Enter the URL from the list below that corresponds to the region that your Mimecast account is hosted in.
- Click Next to proceed to the next wizard page.
- Enter a Display Name for the Relying Party Trust (e.g. “Mimecast Domain Authentication”).
- Click Next to proceed to the next wizard page.
- Complete the wizard, accepting the default values to finish configuration.
AD FS Settings
By default, AD FS publishes a Federation Metadata URL (e.g. https://host.domain.com/FederationMetadata/2007-06/FederationMetadata.xml). This allows Mimecast to obtain the details required to create a trust with your AD FS environment. Mimecast uses this URL to import the minimum required settings initially, and to monitor for changes once the Authentication Profile has been saved.
Security Information: By default this URL is published using HTTPS; consequently, the AD FS server needs a Mimecast Trusted SSL certificate installed.
Mimecast issues an HTTP(S) connection to the URL provided and uses the data in the XML file to import the required settings. The values imported are:
Once an authentication profile has been saved, and the Monitor Metadata URL setting has been enabled, the Federation Metadata URL is monitored for changes. The monitoring is triggered when a user with the authentication profile attempts to log on to a Mimecast application. This process will only happen once in a 24 hour period, not on every login attempt.
Multiple Token Signing Certificates
As SSL certificates expire, it is common practice to have more than one token signing certificate installed on your AD FS server(s). In this situation the following behavior is expected:
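The scripted equivalent of the Relying Party Trust wizard above, followed by a check of the metadata URL and token-signing certificates your AD FS server advertises. This is an added example, not code from the Mimecast page or from Microsoft; it assumes an elevated PowerShell session on an AD FS server, and the Mimecast metadata URL is a placeholder for the regional URL the page refers to.

```powershell
# Added example, not from the Mimecast page or from AD FS documentation:
# the scripted equivalent of the Relying Party Trust wizard, followed by a
# check of the token-signing certificates your Federation Metadata advertises.
# Assumes an elevated PowerShell session on an AD FS server; the Mimecast
# metadata URL is a placeholder for the regional URL the page refers to.
Import-Module ADFS

$MimecastMetadataUrl = 'https://<mimecast-regional-federation-metadata-url>'  # placeholder
$DisplayName         = 'Mimecast Domain Authentication'

# Create the trust from Mimecast's published Federation Metadata (wizard step
# "Import from a URL"). Monitoring/auto-update make AD FS re-read that URL
# for changes, the same way Mimecast monitors your own metadata URL.
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName `
        -MetadataUrl $MimecastMetadataUrl `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true
}

# Confirm what was imported and when the metadata was last checked.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, LastMonitoredTime

# Your own Federation Metadata URL: this is what you paste into Connect.
$fedMeta = (Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*/FederationMetadata.xml' }).FullUrl
"Federation Metadata URL: $fedMeta"

# Every token-signing certificate, primary first. With automatic rollover a
# secondary certificate is published before the primary expires; Mimecast
# re-reads your metadata at most once per 24 hours, so watch DaysLeft.
Get-AdfsCertificate -CertificateType Token-Signing |
    Sort-Object IsPrimary -Descending |
    Select-Object IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
        @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize
```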
Use AD Property vs Alternate Domain Suffix
If the Use AD Property option is enabled, Mimecast uses the email address as entered by the user when authenticating the request against AD FS. If the option is disabled and an Alternate Domain Suffix is entered, Mimecast substitutes the domain part of the email address with the alternate domain. For example:
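An audit that puts the UPN-versus-mail problem and the Use AD Property / Alternate Domain Suffix choice described above into practice: for each mailbox user it reports whether the email address works as entered, whether only the domain part differs (the Alternate Domain Suffix case), or whether the local part differs too (the AlternateLoginId case). This is an added example, not code from the Mimecast page; it assumes the ActiveDirectory RSAT module on a domain-joined host, and uses internal.local, the page's example value, as the intended suffix.

```powershell
# Added example, not from the Mimecast page: audit whether each user's
# primary email ("mail") matches their UPN and classify which setting on
# the page resolves the difference. Assumes the ActiveDirectory RSAT module
# on a domain-joined host and 'internal.local' as the intended Alternate
# Domain Suffix (the page's example value).
Import-Module ActiveDirectory

$AlternateDomainSuffix = 'internal.local'   # assumed; the page's example suffix

function Get-MimecastLoginNameAudit {
    param([Parameter(Mandatory)][string]$Suffix)

    # Mimecast identifies users by "mail", so only users with one matter.
    $users = Get-ADUser -Filter 'mail -like "*"' -Properties mail, userPrincipalName

    foreach ($u in $users) {
        $mail = $u.mail.ToLowerInvariant()
        $upn  = ([string]$u.userPrincipalName).ToLowerInvariant()
        $mailLocal, $mailDomain = $mail -split '@', 2
        $upnLocal,  $upnDomain  = $upn  -split '@', 2

        $category = if ($mail -eq $upn) {
            'Match: Use AD Property (email as entered) works'
        } elseif ($mailLocal -eq $upnLocal -and $upnDomain -eq $Suffix) {
            'DomainOnly: Alternate Domain Suffix resolves it'
        } elseif ($mailLocal -eq $upnLocal) {
            'DomainOnly-OtherSuffix: one Alternate Domain Suffix cannot cover this user'
        } else {
            'LocalPart: needs AlternateLoginId (AD FS 3.0) or a UPN change'
        }

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Mail              = $mail
            UserPrincipalName = $upn
            Category          = $category
        }
    }
}

$report = Get-MimecastLoginNameAudit -Suffix $AlternateDomainSuffix
$report | Group-Object Category | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object Category -notlike 'Match*' |
    Export-Csv -NoTypeInformation -Path .\mimecast-login-name-audit.csv

# For the LocalPart category on AD FS 3.0, Microsoft's Configure Alternate
# Login ID page describes the fix; the cmdlet form is (forest name assumed):
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests 'corp.example.com'
```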
Setting Up AD FS in Connect
To finish setting up AD FS in the Connect Application:
- Click the Start button in the Task Steps for AD FS section.
- Enter your federation metadata URL as provided by AD FS, and click Import. Your Identity Federation Service Metadata displays.
- Click the Next button. The Domain Authentication Test dialog displays.
- Enter your Domain Email Address and Domain Password in the required fields, and click Test Authentication. A message displays confirming whether authentication is valid.
- To set AD FS as your default authentication provider, click Enable. If authentication is configured successfully, the following message displays:
To test your configuration and verify that your Authentication Profile has been configured correctly:
- Open a Mimecast application.
- Enter your primary email address.
- Select the option to enter a domain password.
- Enter your domain password and log on. You should be granted access to the application.