AD Connector - TannerWeinacker/Capstone GitHub Wiki

AD Connector

AD Connector lets users sign in to AWS applications such as Amazon WorkSpaces, WorkDocs, and WorkMail with their existing Active Directory credentials. Windows instances can be joined to the domain through the EC2 launch wizard or through the EC2 Simple Systems Manager API. It also allows federated sign-in by mapping AD identities to AWS IAM roles.

Prerequisites

The VPC needs at least two subnets, each in a different Availability Zone.
There must be a VPN or Direct Connect circuit between the VPC and the on-premises environment.
The existing Active Directory must be running Windows Server 2003 or newer.
The VPC must use default hardware tenancy.

Users: all users must have permission to read the following attributes of their own account:

  • GivenName
  • Surname
  • Mail
  • SamAccountName
  • UserPrincipalName
  • UserAccountControl
  • MemberOf

Users must also have Kerberos pre-authentication enabled.
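As an added example (not part of the wiki), the following Python script audits an LDIF export of user objects for the attributes listed above and for the Kerberos pre-authentication flag, which is bit 0x400000 (DONT_REQ_PREAUTH) of userAccountControl. The LDAP attribute names it uses (sn for Surname, and so on) are the standard Active Directory names; the sample entries are constructed, not real directory data.

```python
# Added example (not part of the wiki): audit a user export for the attributes
# AD Connector reads and for Kerberos pre-authentication. The LDIF below is
# constructed sample data; the mapping from the wiki's display names to LDAP
# attribute names (Surname -> sn, etc.) is standard Active Directory.
import base64

# userAccountControl flag bits (Windows ADS_USER_FLAG values).
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# LDAP attribute -> name used on the wiki. memberOf is read too, but a user in
# no groups legitimately has no memberOf values, so it is not required here.
REQUIRED = {
    "givenname": "GivenName",
    "sn": "Surname",
    "mail": "Mail",
    "samaccountname": "SamAccountName",
    "userprincipalname": "UserPrincipalName",
    "useraccountcontrol": "UserAccountControl",
}

SAMPLE_LDIF = """\
# constructed sample export, not real directory data
dn: CN=Alice Example,OU=Users,DC=corp,DC=example,DC=com
objectClass: user
givenName: Alice
sn: Example
mail: alice@corp.example.com
sAMAccountName: alice
userPrincipalName: alice@corp.example.com
userAccountControl: 512
memberOf: CN=WorkSpaces Users,OU=Groups,DC=corp,DC=example,DC=com

dn: CN=Bob Example,OU=Users,DC=corp,DC=example,DC=com
objectClass: user
givenName: Bob
sn: Example
sAMAccountName: bob
userPrincipalName: bob@corp.example.com
userAccountControl: 4194816

dn: CN=svc-legacy,OU=Service,DC=corp,DC=example,DC=com
objectClass: user
givenName:: c3Zj
sn: legacy
mail: svc-legacy@corp.example.com
sAMAccountName: svc-legacy
userPrincipalName: svc-legacy@corp.example.com
userAccountControl: 514
"""


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines, decodes base64 values,
    lowercases attribute names and returns one dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def audit_user(entry):
    """Return the list of problems that would stop this user signing in."""
    problems = [f"missing {label}" for attr, label in REQUIRED.items() if not entry.get(attr)]
    try:
        uac = int(entry["useraccountcontrol"][0])
    except (KeyError, ValueError):
        return problems
    if uac & DONT_REQ_PREAUTH:
        problems.append("Kerberos pre-authentication disabled")
    if uac & ACCOUNTDISABLE:
        problems.append("account disabled")
    return problems


def audit_ldif(text):
    """Map each user object's sAMAccountName (or DN) to its problem list."""
    report = {}
    for entry in parse_ldif(text):
        if "user" not in entry.get("objectclass", []):
            continue
        key = (entry.get("samaccountname") or entry.get("dn") or ["?"])[0]
        report[key] = audit_user(entry)
    return report


if __name__ == "__main__":
    for user, problems in audit_ldif(SAMPLE_LDIF).items():
        print(f"{user}: {'OK' if not problems else ', '.join(problems)}")
```

Run it against a real export (for example one produced with ldifde) to get a per-user list of what is missing before enabling AD Connector; in the constructed sample, bob has no mail attribute and has pre-authentication disabled, and svc-legacy is a disabled account.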

DNS servers: you need the IP addresses of two DNS servers in the existing directory, and they must contain SRV resource records.
SRV resource records map the name of a service (e.g. LDAP, Kerberos) to the servers that offer that service.
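As an added example (not part of the wiki), this Python script sends SRV lookups for the standard Active Directory service-locator names for LDAP and Kerberos to each DNS server and decodes the answers using only the standard library, so it can be run from the VPC side to confirm the records exist. The DNS server addresses and the domain in the main block are placeholders.

```python
# Added example (not part of the wiki): check that both DNS servers answer the
# SRV lookups that locate LDAP and Kerberos, using only the standard library.
# The server addresses and domain in the main block are assumed placeholders.
import random
import socket
import struct

QTYPE_SRV, QCLASS_IN = 33, 1
# Standard AD service-locator names; {domain} is filled in at query time.
SRV_NAMES = ("_ldap._tcp.dc._msdcs.{domain}", "_kerberos._tcp.{domain}")


def build_srv_query(name, txid):
    """Build a DNS query (RFC 1035) for the SRV records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                               # refuse pointer loops
                raise ValueError("malformed name: too many compression hops")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), off if end is None else end


def parse_srv_response(msg, txid):
    """Return [(priority, weight, port, target), ...] from an SRV answer."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    off = 12
    for _ in range(qdcount):                            # skip question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records


def query_srv(dns_server, name, timeout=3.0):
    """Send one SRV query over UDP/53 and decode the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name, txid), (dns_server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data, txid)


def check_dns_servers(dns_servers, domain):
    """Each (server, name) maps to its SRV records, or to the exception raised."""
    results = {}
    for server in dns_servers:
        for template in SRV_NAMES:
            name = template.format(domain=domain)
            try:
                results[(server, name)] = query_srv(server, name)
            except (OSError, ValueError) as exc:
                results[(server, name)] = exc
    return results


if __name__ == "__main__":
    # Assumed placeholders: substitute the two on-premises DNS servers and your domain.
    for (server, name), result in check_dns_servers(["10.0.0.10", "10.0.0.11"], "corp.example.com").items():
        ok = isinstance(result, list) and result
        print(f"{server} {name}: {'OK ' + str(result) if ok else 'MISSING (' + str(result) + ')'}")
```

An empty list or a timeout for either server means that server cannot be handed to AD Connector; each target returned is a domain controller together with the port (389 for LDAP, 88 for Kerberos) that the ports list below must allow.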

Minimum Ports:

TCP/UDP 53 - DNS
TCP/UDP 88 - Kerberos Authentication
TCP/UDP 389 - LDAP
Additional AD port requirements

The VPC must not be configured with the following VPC endpoints:

Route 53
CloudWatch
Systems Manager
Security Token Service (STS)

To enable MFA:

  • A Remote Authentication Dial-In User Service (RADIUS) server must exist in the existing network, with two client endpoints. Each endpoint requires the following:

    • To create the endpoints you need the IP addresses of the AWS Directory Service servers, which are shown in the Directory IP Address field of your directory details.

    • Both RADIUS endpoints must use the same shared secret.

  • Inbound traffic on port 1812 must be allowed to the RADIUS server.

  • Usernames must be identical between the RADIUS server and the existing directory.
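As an added example (not part of the wiki), this Python script walks through one RADIUS Access-Request / Access-Accept exchange as defined in RFC 2865 to show what the shared secret does: it masks the User-Password attribute in the request and authenticates the server's reply, so a client and server configured with different secrets can neither read each other's passwords nor trust each other's answers. All usernames, secrets and passwords are constructed values.

```python
# Added example (not part of the wiki): a minimal RADIUS Access-Request /
# Access-Accept exchange (RFC 2865) showing why both endpoints need the same
# shared secret. Usernames, secrets and the password are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side: reverse hide_password; a different secret yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload):
    """Split the attribute section into {type: value}."""
    attrs, off = {}, 0
    while off + 2 <= len(payload):
        attr_type, length = payload[off], payload[off + 1]
        attrs[attr_type] = payload[off + 2:off + length]
        off += length
    return attrs


def build_access_request(ident, user, password, secret):
    """Client side: random Request Authenticator, password hidden with the secret."""
    authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute the Response Authenticator with its own secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate(client_secret, server_secret, user=b"alice", password=b"correct horse", stored=b"correct horse"):
    """Run one exchange; return (server accepted, client verified the reply)."""
    request, req_auth = build_access_request(7, user, password, client_secret)
    # Server: recover the password with its configured secret and decide.
    attrs = parse_attrs(request[20:])
    recovered = unhide_password(attrs[ATTR_USER_PASSWORD], server_secret, request[4:20])
    code = ACCESS_ACCEPT if attrs[ATTR_USER_NAME] == user and recovered == stored else ACCESS_REJECT
    response = build_response(code, request[1], request[4:20], server_secret)
    # Client: a reply signed with a different secret fails verification.
    return code == ACCESS_ACCEPT, verify_response(response, req_auth, client_secret)


if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"shared-secret", b"shared-secret"))
    print("mismatched secrets:", simulate(b"shared-secret", b"typo-secret"))
```

With matching secrets the exchange yields (True, True); with a mismatch the server recovers an unusable password and rejects, and the client in turn rejects the reply. Because everything here rests on MD5 of the shared secret, the secret should be long and random and port 1812 should be reachable only from the AWS Directory Service IP addresses named above.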
