AWS Directory Service
管理指南 (版本 1.0)
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

为 AWS Managed Microsoft AD 启用多重验证

您可以为 AWS Managed Microsoft AD 目录启用多重验证 (MFA),以提高您的用户指定其 AD 凭证来访问支持的 Amazon 企业应用程序时的安全性。启用 MFA 后,您的用户如常输入其用户名和密码 (第一安全要素),它们还必须输入通过您的虚拟或硬件 MFA 解决方案获取的身份验证代码 (第二安全要素)。除非用户提供有效的用户凭证和 MFA 代码,否则这些安全要素将通过阻止对您的 Amazon 企业应用程序的访问来提高安全性。

要启用 MFA,您必须具有属于远程身份验证拨入用户服务 (RADIUS) 服务器的 MFA 解决方案,或已在本地基础设施中实现的 RADIUS 服务器必须具有 MFA 插件。您的 MFA 解决方案应实施一次性密码 (OTP),用户可从硬件设备或在设备 (如手机) 上运行的软件来获取此密码。

RADIUS 是一种行业标准客户端/服务器协议,提供身份验证、授权和账户管理,以使用户能够连接到网络服务。AWS Managed Microsoft AD 包括一个 RADIUS 客户端,此客户端将连接到您在其上已实现 MFA 解决方案的 RADIUS 服务器。您的 RADIUS 服务器将验证用户名和 OTP 代码。如果您的 RADIUS 服务器成功验证用户,之后 AWS Managed Microsoft AD 将针对 AD 对用户进行身份验证。AD 身份验证成功后,用户之后可访问 AWS 应用程序。AWS Managed Microsoft AD RADIUS 客户端与您的 RADIUS 服务器之间的通信需要您配置 AWS 安全组,以允许通过端口 1812 通信。

您可以通过执行以下过程为 AWS Managed Microsoft AD 目录启用多重验证。有关如何配置 RADIUS 服务器以使用 AWS Directory Service 和 MFA 的更多信息,请参阅多重验证先决条件


多重验证对 Simple AD 不可用。但是,可为您的 AD Connector 目录启用 MFA。有关更多信息,请参阅为 AD Connector 启用多重验证

为 AWS Managed Microsoft AD 启用多重验证

  1. 确定您的 RADIUS MFA 服务器的 IP 地址和您的 AWS Managed Microsoft AD 目录。

  2. 编辑您的 Virtual Private Cloud (VPC) 安全组以允许 AWS Managed Microsoft AD IP 终端节点和 RADIUS MFA 服务器之间通过端口 1812 的通信。

  3. AWS Directory Service console 导航窗格中,选择 Directories (目录)

  4. 选择 AWS Managed Microsoft AD 目录的目录 ID 链接。

  5. On the Directory details page, in the Multi-factor authentication section, choose Actions, and then choose Enable.

  6. On the Enable multi-factor authentication (MFA) page, provide the following values:

    Display label

    Provide a label name.

    RADIUS server DNS name or IP addresses

    The IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma (e.g.,,


    RADIUS MFA is applicable only to authenticate access to the AWS 管理控制台, or to Amazon Enterprise applications and services such as Amazon WorkSpaces, Amazon QuickSight, or Amazon Chime. It does not provide MFA to Windows workloads running on EC2 instances, or for signing into an EC2 instance. AWS Directory Service does not support RADIUS Challenge/Response authentication.

    Users must have their MFA code at the time they enter their username and password. Alternatively, you must use a solution that performs MFA out-of-band such as SMS text verification for the user. In out-of-band MFA solutions, you must make sure you set the RADIUS time-out value appropriately for your solution. When using an out-of-band MFA solution, the sign-in page will prompt the user for an MFA code. In this case, the best practice is for users to enter their password in both the password field and the MFA field.


    The port that your RADIUS server is using for communications. Your on-premises network must allow inbound traffic over the default RADIUS server port (UDP:1812) from the AWS Directory Service servers.

    Shared secret code

    The shared secret code that was specified when your RADIUS endpoints were created.

    Confirm shared secret code

    Confirm the shared secret code for your RADIUS endpoints.


    Select the protocol that was specified when your RADIUS endpoints were created.

    Server timeout (in seconds)

    The amount of time, in seconds, to wait for the RADIUS server to respond. This must be a value between 1 and 50.

    Max RADIUS request retries

    The number of times that communication with the RADIUS server is attempted. This must be a value between 0 and 10.

    Multi-factor authentication is available when the RADIUS Status changes to Enabled.

  7. Choose Enable.

支持的 Amazon 企业应用程序

将 AWS Managed Microsoft AD 和 AD Connector 与 MFA 结合使用时,支持所有 Amazon 企业 IT 应用程序,包括 Amazon WorkSpaces、Amazon WorkDocs、Amazon WorkMail、Amazon QuickSight 以及访问 AWS Single Sign-On 和 AWS 管理控制台。

有关如何使用 AWS Directory Service 配置对 Amazon 企业应用程序、AWS Single Sign-On 和 AWS 管理控制台的基本用户访问权限的信息,请参阅允许对 AWS 应用程序和服务的访问允许使用 AD 凭证访问 AWS 管理控制台

相关的 AWS 安全博客文章