Set up Connector for AD
The steps in this section are prerequisites to using Connector for AD. It assumes that you've already created an Amazon account. After you complete the steps on this page, you can get started with creating a connector for AD.
Step 1: Create a private CA using Amazon Private CA
Set up an Amazon Private CA for issuing certificates to your directory objects. For more information, see Certificate authorities in Amazon Private CA.
The Amazon Private CA must be in the Active state before you can create a Connector for AD. The private CA's subject name must include a common name; connector creation fails if you try to create a connector using a private CA without one.
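The two Step 1 requirements (CA state and subject common name) can be checked before you start the connector wizard. The following PowerShell script is an added example, not part of the AWS documentation; it assumes the AWS CLI is installed and that your credentials allow acm-pca:DescribeCertificateAuthority. The function parses the JSON that `aws acm-pca describe-certificate-authority` returns, and the sample JSON at the bottom is constructed (with a placeholder account ID) to show a CA that would be rejected on both counts.

```powershell
# Added example (not from the AWS documentation): pre-flight check that a private CA
# satisfies the Connector for AD prerequisites from Step 1 (ACTIVE state, subject has a CN).

function Test-PcaConnectorCaReady {
    param(
        # Raw JSON text returned by 'aws acm-pca describe-certificate-authority'.
        [Parameter(Mandatory)] [string] $DescribeJson
    )
    $ca = ($DescribeJson | ConvertFrom-Json).CertificateAuthority
    $problems = @()

    if ($ca.Status -ne 'ACTIVE') {
        $problems += "CA status is '$($ca.Status)'; Connector for AD requires ACTIVE."
    }
    $cn = $ca.CertificateAuthorityConfiguration.Subject.CommonName
    if ([string]::IsNullOrWhiteSpace($cn)) {
        $problems += 'CA subject has no CommonName; connector creation will fail.'
    }
    [pscustomobject]@{
        Arn        = $ca.Arn
        Status     = $ca.Status
        CommonName = $cn
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Live use (CA_ID and the account ID are placeholders). The CLI prints one line per
# array element in Windows PowerShell, so join the lines before parsing.
# $json = aws acm-pca describe-certificate-authority --region us-east-1 `
#             --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/CA_ID
# Test-PcaConnectorCaReady -DescribeJson ($json -join "`n")

# Constructed sample output, trimmed to the fields the check reads: a CA that is still
# PENDING_CERTIFICATE and whose subject lacks a CN, so both checks fail.
$sample = @'
{
  "CertificateAuthority": {
    "Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555",
    "Status": "PENDING_CERTIFICATE",
    "Type": "SUBORDINATE",
    "CertificateAuthorityConfiguration": {
      "KeyAlgorithm": "RSA_2048",
      "SigningAlgorithm": "SHA256WITHRSA",
      "Subject": { "Organization": "Example Corp", "Country": "US" }
    }
  }
}
'@
Test-PcaConnectorCaReady -DescribeJson $sample | Format-List
```

Run the check against every CA you intend to attach to a connector; a Ready value of False together with the Problems list tells you which of the two prerequisites still needs attention before the connector is created.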
Step 2: Set up an Active Directory
Important
You can only use Connector for Active Directory with an Active Directory's root domain.
In addition to a private CA, you need an Active Directory in a virtual private cloud (VPC). Connector for AD supports the following directory types offered by Amazon Directory Service:
- Amazon Managed Microsoft Active Directory: With Amazon Directory Service you can run Microsoft Active Directory (AD) as a managed service. Amazon Directory Service for Microsoft Active Directory, also referred to as Amazon Managed Microsoft AD, is powered by Windows Server 2019. With Amazon Managed Microsoft AD, you can run directory-aware workloads in the Amazon Web Services Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications.
- Active Directory Connector: AD Connector is a directory gateway that can redirect directory requests to your on-premises Microsoft Active Directory, without caching any information in the cloud. AD Connector also supports connecting to a domain hosted on Amazon EC2.
Note
Enrolling domain controllers is not supported when using the Connector for AD with Amazon Managed Microsoft AD.
(Active Directory Connector only) Step 3: Delegate permissions to service account
When using the Directory Service AD Connector, you need to delegate additional permissions to the service account. Set an access-control list (ACL) on the service account that allows it to:
- Add and remove a Service Principal Name (SPN) on itself.
- Create and update certification authorities in the following containers:
  CN=Public Key Services,CN=Services,CN=Configuration
  CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration
  CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration
- Create and update an NTAuthCertificates Certification Authority (CA) object. Note: if the NTAuthCertificates CA object already exists, you must delegate permissions on that object. If the object does not exist, you must delegate the ability to create child objects on the Public Key Services container.
  CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration
Note
If you are using Amazon Managed Microsoft AD then the additional permissions will be delegated automatically when you authorize the Connector for AD service with your directory. You can skip this prerequisite step.
You can use this PowerShell script to delegate the additional permissions. It creates the NTAuthCertificates certification authority object if it does not already exist. Replace "myconnectoraccount" with the service account name.

$AccountName = 'myconnectoraccount'

# DO NOT modify anything below this comment.
# Getting Active Directory information.
Import-Module -Name 'ActiveDirectory'
$currentDomain = Get-ADDomain
$RootDSE = Get-ADRootDSE

# Check if the current domain is the root domain
if ($currentDomain.DistinguishedName -eq $RootDSE.rootDomainNamingContext) {
    Write-Output "This is a root domain that supports PCA connector configuration."
} else {
    # Write-Warning accepts a single message, so the root domain DN is interpolated into it.
    Write-Warning "This is a child domain. You must set up the PCA connector with the root domain: $($RootDSE.rootDomainNamingContext)"
}

# Getting AD Connector service account information
$AccountProperties = Get-ADUser -Identity $AccountName
$AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $AccountProperties.SID.Value
[System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -Filter { lDAPDisplayName -eq 'servicePrincipalName' } -Properties 'schemaIDGUID').schemaIDGUID
$AccountAclPath = $AccountProperties.DistinguishedName

# Getting ACL settings for AD Connector service account.
$AccountAcl = Get-ACL -Path "AD:\$AccountAclPath"

# Setting ACL allowing the AD Connector service account the ability to add and remove a Service Principal Name (SPN) to itself
$AccountAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'WriteProperty', 'Allow', $ServicePrincipalNameGuid, 'None'
$AccountAcl.AddAccessRule($AccountAccessRule)
Set-ACL -AclObject $AccountAcl -Path "AD:\$AccountAclPath"

# Add ACLs allowing AD Connector service account the ability to create certification authorities
[System.GUID]$CertificationAuthorityGuid = (Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -Filter { lDAPDisplayName -eq 'certificationAuthority' } -Properties 'schemaIDGUID').schemaIDGUID
$CAAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty,CreateChild,DeleteChild', 'Allow', $CertificationAuthorityGuid, 'None'

$PKSDN = "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$PKSACL = Get-ACL -Path "AD:\$PKSDN"
$PKSACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $PKSACL -Path "AD:\$PKSDN"

$AIADN = "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$AIAACL = Get-ACL -Path "AD:\$AIADN"
$AIAACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $AIAACL -Path "AD:\$AIADN"

$CertificationAuthoritiesDN = "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$CertificationAuthoritiesACL = Get-ACL -Path "AD:\$CertificationAuthoritiesDN"
$CertificationAuthoritiesACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $CertificationAuthoritiesACL -Path "AD:\$CertificationAuthoritiesDN"

# Create the NTAuthCertificates object if it is missing, then grant read/write on it
$NTAuthCertificatesDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
If (-Not (Test-Path -Path "AD:\$NTAuthCertificatesDN")) {
    New-ADObject -Name 'NTAuthCertificates' -Type 'certificationAuthority' -OtherAttributes @{certificateRevocationList=[byte[]]'00';authorityRevocationList=[byte[]]'00';cACertificate=[byte[]]'00'} -Path "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
}
$NTAuthCertificatesACL = Get-ACL -Path "AD:\$NTAuthCertificatesDN"
$NullGuid = [System.GUID]'00000000-0000-0000-0000-000000000000'
$NTAuthAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty', 'Allow', $NullGuid, 'None'
$NTAuthCertificatesACL.AddAccessRule($NTAuthAccessRule)
Set-ACL -AclObject $NTAuthCertificatesACL -Path "AD:\$NTAuthCertificatesDN"
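After the delegation script has run, it is worth reading the ACLs back rather than trusting that Set-ACL did what was intended, and also confirming that the service account did not end up with more than the five narrow grants the script makes. The following audit script is an added example, not part of the AWS documentation or its delegation script; it assumes the ActiveDirectory module and an account that can read the Configuration partition, makes no changes, and uses the same 'myconnectoraccount' placeholder as the script above. The function name Test-DelegatedAce and the result fields are this example's own.

```powershell
# Added audit script (not from the AWS documentation): reads back the ACEs granted to the
# AD Connector service account on the objects the delegation script touches and reports
# what is missing or wider than the script grants. It changes nothing.
$AccountName = 'myconnectoraccount'   # same placeholder as the delegation script

Import-Module -Name 'ActiveDirectory'
$RootDSE    = Get-ADRootDSE
$ConfigDN   = $RootDSE.configurationNamingContext   # equals CN=Configuration,<root domain DN>
$Account    = Get-ADUser -Identity $AccountName
$AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $Account.SID.Value
# ACL entries name the trustee as DOMAIN\name, so translate the SID once for comparison.
$AccountNt  = $AccountSid.Translate([System.Security.Principal.NTAccount]).Value
$NullGuid   = [System.GUID]'00000000-0000-0000-0000-000000000000'

# Schema GUIDs that the delegation script uses as the ObjectType of its object-specific ACEs.
function Get-SchemaGuid([string] $LdapDisplayName) {
    [System.GUID](Get-ADObject -SearchBase $RootDSE.SchemaNamingContext `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties 'schemaIDGUID').schemaIDGUID
}
$SpnGuid = Get-SchemaGuid 'servicePrincipalName'
$CaGuid  = Get-SchemaGuid 'certificationAuthority'

$PksDN    = "CN=Public Key Services,CN=Services,$ConfigDN"
$CaRights = 'ReadProperty,WriteProperty,CreateChild,DeleteChild'
# One entry per object the delegation script modifies, with the rights it grants there.
$Expected = @(
    @{ Label = 'service account: write SPN';     Path = $Account.DistinguishedName;            Rights = 'WriteProperty';              ObjectType = $SpnGuid }
    @{ Label = 'Public Key Services: CA';         Path = $PksDN;                                Rights = $CaRights;                    ObjectType = $CaGuid }
    @{ Label = 'AIA: CA';                         Path = "CN=AIA,$PksDN";                       Rights = $CaRights;                    ObjectType = $CaGuid }
    @{ Label = 'Certification Authorities: CA';   Path = "CN=Certification Authorities,$PksDN"; Rights = $CaRights;                    ObjectType = $CaGuid }
    @{ Label = 'NTAuthCertificates: read/write';  Path = "CN=NTAuthCertificates,$PksDN";        Rights = 'ReadProperty,WriteProperty'; ObjectType = $NullGuid }
)

function Test-DelegatedAce {
    param([hashtable] $Check)
    $adPath = "AD:\$($Check.Path)"
    if (-not (Test-Path -Path $adPath)) {
        return [pscustomobject]@{ Check = $Check.Label; Present = $false; Broader = 0; Detail = 'object not found' }
    }
    $wanted = [int][System.DirectoryServices.ActiveDirectoryRights]$Check.Rights
    # Only Allow ACEs held directly by the service account; rights inherited via group membership are out of scope.
    $mine = (Get-ACL -Path $adPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $AccountNt -and $_.AccessControlType -eq 'Allow'
    }
    # Satisfied when an ACE scoped to the expected object type (or to all types) carries every wanted right.
    $match = @($mine | Where-Object {
        ($_.ObjectType -eq $Check.ObjectType -or $_.ObjectType -eq $NullGuid) -and
        (([int]$_.ActiveDirectoryRights -band $wanted) -eq $wanted)
    })
    # ACEs carrying rights beyond what the script grants (for example GenericAll) deserve review.
    $broad = @($mine | Where-Object { ([int]$_.ActiveDirectoryRights -band (-bnot $wanted)) -ne 0 })
    [pscustomobject]@{
        Check   = $Check.Label
        Present = ($match.Count -gt 0)
        Broader = $broad.Count
        Detail  = ($mine | ForEach-Object { "$($_.ActiveDirectoryRights) [$($_.ObjectType)]" }) -join '; '
    }
}

$Results = $Expected | ForEach-Object { Test-DelegatedAce -Check $_ }
$Results | Format-Table -AutoSize
if (@($Results | Where-Object { -not $_.Present }).Count -gt 0) {
    Write-Warning 'At least one delegated permission is missing; re-run the delegation script.'
}
if (@($Results | Where-Object { $_.Broader -gt 0 }).Count -gt 0) {
    Write-Warning 'The service account holds rights beyond what Connector for AD needs on one or more objects; review them.'
}
```

A Present value of False on the NTAuthCertificates row usually means the object was created by something other than the script (so the read/write ACE was never added) or that the account only has the create-child right on the parent container; a non-zero Broader count is the signal to look at who granted the wider ACE and whether it can be removed.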
Step 4: Create IAM Policy
To create a connector for AD, you need an IAM policy that allows you to create connector resources, share your private CA with the Connector for AD service, and authorize the Connector for AD service with your directory.
This is an example of a user managed policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "pca-connector-ad:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:ListCertificateAuthorities",
        "acm-pca:ListTags",
        "acm-pca:PutPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "acm-pca:IssueCertificate",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_ApiPassthrough/V*"
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "pca-connector-ad.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:DescribeDirectories",
        "ds:ListTagsForResource",
        "ds:UnauthorizeApplication",
        "ds:UpdateAuthorizedApplication"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ec2:DeleteVpcEndpoints"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "arn:*:ec2:*:*:vpc-endpoint/*"
    }
  ]
}
Connector for AD requires additional Amazon RAM permissions, for both console and command line use.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:CreateResourceShare",
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "ram:Principal": "pca-connector-ad.amazonaws.com",
          "ram:RequestedResourceType": "acm-pca:CertificateAuthority"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:GetResourcePolicies",
        "ram:GetResourceShareAssociations",
        "ram:GetResourceShares",
        "ram:ListPrincipals",
        "ram:ListResources",
        "ram:ListResourceSharePermissions",
        "ram:ListResourceTypes"
      ],
      "Resource": "*"
    }
  ]
}
Step 5: Share your private CA with Connector for AD
You will need to share your private CA with the Connector for AD service by using Amazon Resource Access Manager (RAM) service principal sharing.
When you create a connector in the Amazon console, the resource share is automatically created for you.
When you create a resource share using the Amazon CLI, you will use the Amazon RAM create-resource-share command.
The following command creates a resource share (replace region, account, and CA_ID with your own values):

$ aws ram create-resource-share \
    --region us-east-1 \
    --name MyPcaConnectorAdResourceShare \
    --permission-arns arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority \
    --resource-arns arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
    --principals pca-connector-ad.amazonaws.com \
    --sources account

The service principal that calls CreateConnector has certificate issuance permissions on the PCA. To prevent service principals that use Connector for AD from having general access to your Amazon Private CA resources, restrict their permissions using CalledVia.
Step 6: Create directory registration
You authorize the Connector for AD service with your directory so the connector can communicate with your directory. To authorize the Connector for AD service, you create a directory registration. For more information on creating a directory registration, see Manage directory registrations.
Step 7: Configure security groups
Communication between your VPC and the Connector for AD connector is through Amazon PrivateLink, which requires one or more security groups with inbound rules that open TCP port 443 on your VPC. You will be asked for this security group when you create a connector. You can specify the source as custom and select your VPC's CIDR block. You can choose to restrict this further, for example to a specific IP address, CIDR block, or security group ID.