AWS Directory Service
管理指南 (版本 1.0)
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

为 AD Connector 启用多重验证

您可以为 AD Connector 启用多重验证, AD Connector 当您的 Active Directory 运行在本地或 EC2 实例中时。有关多重验证与 AWS Directory Service 结合使用的更多信息,请参阅 AD Connector 先决条件


多重验证对 Simple AD 不可用。但是,可为您的 AWS Managed Microsoft AD 目录启用 MFA。有关更多信息,请参阅为 AWS Managed Microsoft AD 启用多重验证

为 AD Connector 启用多重验证

  1. AWS Directory Service console 导航窗格中,选择 Directories (目录)

  2. 选择 AD Connector 目录的目录 ID 链接。

  3. On the Directory details page, in the Multi-factor authentication section, choose Actions, and then choose Enable.

  4. On the Enable multi-factor authentication (MFA) page, provide the following values:

    Display label

    Provide a label name.

    RADIUS server DNS name or IP addresses

    The IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma (e.g.,,


    RADIUS MFA is applicable only to authenticate access to the AWS 管理控制台, or to Amazon Enterprise applications and services such as Amazon WorkSpaces, Amazon QuickSight, or Amazon Chime. It does not provide MFA to Windows workloads running on EC2 instances, or for signing into an EC2 instance. AWS Directory Service does not support RADIUS Challenge/Response authentication.

    Users must have their MFA code at the time they enter their username and password. Alternatively, you must use a solution that performs MFA out-of-band such as SMS text verification for the user. In out-of-band MFA solutions, you must make sure you set the RADIUS time-out value appropriately for your solution. When using an out-of-band MFA solution, the sign-in page will prompt the user for an MFA code. In this case, the best practice is for users to enter their password in both the password field and the MFA field.


    The port that your RADIUS server is using for communications. Your on-premises network must allow inbound traffic over the default RADIUS server port (UDP:1812) from the AWS Directory Service servers.

    Shared secret code

    The shared secret code that was specified when your RADIUS endpoints were created.

    Confirm shared secret code

    Confirm the shared secret code for your RADIUS endpoints.


    Select the protocol that was specified when your RADIUS endpoints were created.

    Server timeout (in seconds)

    The amount of time, in seconds, to wait for the RADIUS server to respond. This must be a value between 1 and 50.

    Max RADIUS request retries

    The number of times that communication with the RADIUS server is attempted. This must be a value between 0 and 10.

    Multi-factor authentication is available when the RADIUS Status changes to Enabled.

  5. Choose Enable.