Enable smart card authentication

To use smart card authentication with AD Connector, you must enable Kerberos Constrained Delegation (KCD) for the AD Connector Service account to the LDAP service in the self-managed AD directory.

Kerberos Constrained Delegation is a feature in Windows Server. This feature enables administrators to specify and enforce application trust boundaries by limiting the scope where application services can act on a user’s behalf. For more information, see Kerberos constrained delegation.

1. Use the SetSpn command to set a Service Principal Name (SPN) for the AD Connector service account in the self-managed AD. This enables the service account for delegation configuration.

   The SPN can be any service or name combination but not a duplicate of an existing SPN. The -s checks for duplicates.

   setspn -s my/spn service_account

2. In AD Users and Computers, open the context (right-click) menu and choose the AD Connector service account and choose Properties.

3. Choose the Delegation tab.

4. Choose the Trust this user for delegation to specified service only and Use any authentication protocol options.

5. Choose Add and then Users or Computers to locate the domain controller.

6. Choose OK to display a list of available services used for delegation.

7. Choose the ldap service type and choose OK.

8. Choose OK again to save the configuration.

9. Repeat this process for other domain controllers in the Active Directory. Alternatively you can automate the process using PowerShell.

Method 1: To register your CA certificate in AD Connector (Amazon Web Services Management Console)

1. In the Amazon Directory Service console navigation pane, select Directories.

2. Choose the directory ID link for your directory.

3. On the Directory details page, choose the Networking & security tab.

4. In the Smart card authentication section, choose Actions, and then choose Register certificate.

5. In the Register a certificate dialog box, select Choose file, and then choose a certificate and choose Open. You can optionally choose to perform revocation checking for this certificate by providing an Online Certificate Status Protocol (OCSP) responder URL. For more information about OCSP, see Certificate revocation checking process.

6. Choose Register certificate. When you see the certificate status change to Registered, the registration process has completed successfully.

Method 2: To register your CA certificate in AD Connector (Amazon CLI)

• Run the following command. For the certificate data, point to the location of your CA certificate file. To provide a secondary OCSP responder address, use the optional ClientCertAuthSettings object.

  aws ds register-certificate --directory-id your_directory_id --certificate-data file://your_file_path --type ClientCertAuth --client-cert-auth-settings OCSPUrl=http://your_OCSP_address

  If successful, the response provides a certificate ID. You can also verify your CA certificate registered successfully by running the following CLI command:

  aws ds list-certificates --directory-id your_directory_id

  If the status value returns Registered, you have successfully registered your certificate.

Method 1: To enable smart card authentication in AD Connector (Amazon Web Services Management Console)

1. Navigate to the Smart card authentication section on the Directory details page, and choose Enable. If this option is not available, verify that a valid certificate has been successfully registered, and then try again.

2. In the Enable smart card authentication dialog box, select Enable.

Method 2: To enable smart card authentication in AD Connector (Amazon CLI)

• Run the following command.

  aws ds enable-client-authentication --directory-id your_directory_id --type SmartCard

  If successful, AD Connector returns an HTTP 200 response with an empty HTTP body.