

# Using Amazon Directory Service for Microsoft Active Directory
<a name="directory-services-users"></a>

You can use Amazon Transfer Family to authenticate your file transfer end users using Amazon Directory Service for Microsoft Active Directory. It enables seamless migration of file transfer workflows that rely on Active Directory authentication without changing end users’ credentials or needing a custom authorizer. 

With Amazon Managed Microsoft AD, you can securely provide Amazon Directory Service users and groups access over SFTP, FTPS, and FTP for data stored in Amazon Simple Storage Service (Amazon S3) or Amazon Elastic File System (Amazon EFS). If you use Active Directory to store your users’ credentials, you now have an easier way to enable file transfers for these users. 

You can provide access to Active Directory groups in Amazon Managed Microsoft AD in your on-premises environment or in the Amazon Cloud using Active Directory connectors. You can give users that are already configured in your Microsoft Windows environment, either in the Amazon Cloud or in their on-premises network, access to an Amazon Transfer Family server that uses Amazon Managed Microsoft AD for identity. The Amazon storage blog contains a post that details a solution for using Active Directory with Transfer Family: [Simplify Active Directory authentication with a custom identity provider for Amazon Transfer Family](https://amazonaws-china.com/blogs/storage/simplify-active-directory-authentication-with-a-custom-identity-provider-for-aws-transfer-family/).

**Note**  
Amazon Transfer Family does not support Simple AD.
Transfer Family does not support cross-region Active Directory configurations: we only support Active Directory integrations that are in the same region as that of the Transfer Family server.
Transfer Family does not support using either Amazon Managed Microsoft AD or AD Connector to enable multi-factor authentication (MFA) for your existing RADIUS-based MFA infrastructure.
Amazon Transfer Family does not support replicated regions of Managed Active Directory.

To use Amazon Managed Microsoft AD, you must perform the following steps:

1. Create one or more Amazon Managed Microsoft AD directories using the Amazon Directory Service console.

1. Use the Transfer Family console to create a server that uses Amazon Managed Microsoft AD as its identity provider. 

1. Set up Amazon Directory using an Active Directory Connector.

1. Add access from one or more of your Amazon Directory Service groups. 

1. Although not required, we recommend that you test and verify user access.

**Topics**
+ [Before you start using Amazon Directory Service for Microsoft Active Directory](#managed-ad-prereq)
+ [Working with Active Directory realms](#managed-ad-realms)
+ [Choosing Amazon Managed Microsoft AD as your identity provider](#managed-ad-identity-provider)
+ [Connecting to on-prem Microsoft Active Directory](#on-prem-ad)
+ [Granting access to groups](#directory-services-grant-access)
+ [Testing users](#directory-services-test-user)
+ [Deleting server access for a group](#directory-services-misc)
+ [Connecting to the server using SSH (Secure Shell)](#directory-services-ssh-procedure)
+ [Connecting Amazon Transfer Family to a self-managed Active Directory using forests and trusts](#directory-services-ad-trust)

## Before you start using Amazon Directory Service for Microsoft Active Directory
<a name="managed-ad-prereq"></a>

**Note**  
Amazon Transfer Family has a default limit of 100 Active Directory groups per server. If your use case requires more than 100 groups, consider using a custom identity provider solution as described in [Simplify Active Directory authentication with a custom identity provider for Amazon Transfer Family](https://amazonaws-china.com/blogs/storage/simplify-active-directory-authentication-with-a-custom-identity-provider-for-aws-transfer-family/).

### Provide a unique identifier for your AD groups
<a name="add-identifier-adgroups"></a>

Before you can use Amazon Managed Microsoft AD, you must provide a unique identifier for each group in your Microsoft AD directory. You can use the security identifier (SID) for each group to do this. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Transfer Family. 

Use the following Windows PowerShell command to retrieve the SID for a group, replacing *YourGroupName* with the name of the group. 

```
Get-ADGroup -Filter {samAccountName -like "YourGroupName*"} -Properties * | Select SamAccountName,ObjectSid
```

**Note**  
If you are using Amazon Directory Service as your identity provider, and if `userPrincipalName` and `SamAccountName` have different values, Amazon Transfer Family accepts the value in `SamAccountName`. Transfer Family does not accept the value specified in `userPrincipalName`.
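The `ObjectSid` that the PowerShell command above prints is already in the `S-1-5-21-...` string form that you enter as the access's external ID. If you retrieve group SIDs over LDAP instead (for example with a script rather than the console), the `objectSid` attribute comes back as raw bytes. The following Python, added here as an example and not part of the Amazon documentation, converts between the binary and string SID forms and checks that a value has the shape of a domain group SID before you paste it into an access. The sample SID is a constructed value, not a real directory's.

```python
"""Decode and validate Active Directory security identifiers (SIDs).

Added example, not Amazon code. Transfer Family takes a group's SID string
(S-1-5-21-...) as the external ID of an access; LDAP returns objectSid as
bytes, so a script that enumerates groups needs this conversion.
"""
import re
import struct

# SID string grammar: S-<revision>-<identifier authority>-<sub-authority>...
SID_PATTERN = re.compile(r"^S-1-\d+(-\d+)+$")


def sid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary objectSid attribute to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision = raw[0]
    sub_count = raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    # Identifier authority is a 48-bit big-endian integer (bytes 2..7).
    authority = int.from_bytes(raw[2:8], "big")
    # Each sub-authority is a 32-bit little-endian integer.
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse conversion, useful when building an LDAP filter on objectSid."""
    if not SID_PATTERN.match(sid):
        raise ValueError("not a SID string: %r" % sid)
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (
        bytes([revision, len(subs)])
        + authority.to_bytes(6, "big")
        + struct.pack("<%dI" % len(subs), *subs)
    )


def is_domain_group_sid(sid: str) -> bool:
    """True for SIDs of the S-1-5-21-<domain triple>-<RID> shape that domain groups carry.

    Built-in groups such as S-1-5-32-544 (Administrators) live under a different
    authority and are not what you associate with a Transfer Family access.
    """
    return (
        SID_PATTERN.match(sid) is not None
        and sid.startswith("S-1-5-21-")
        and len(sid.split("-")) == 8
    )


# Constructed sample SID (not from a real directory).
SAMPLE_GROUP_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"

if __name__ == "__main__":
    raw = sid_string_to_bytes(SAMPLE_GROUP_SID)
    print(raw.hex())
    print(sid_bytes_to_string(raw), is_domain_group_sid(SAMPLE_GROUP_SID))
```

Run the module directly to see the encoded bytes and the round trip; feed `sid_bytes_to_string` the `objectSid` value from your own LDAP query to get the string to enter in the console.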

### Add Amazon Directory Service permissions to your role
<a name="add-active-directory-permissions"></a>

You also need Amazon Directory Service API permissions to use Amazon Directory Service as your identity provider. The following permissions are required or suggested:
+ `ds:DescribeDirectories` is required for Transfer Family to look up the directory
+ `ds:AuthorizeApplication` is required to add authorization for Transfer Family
+ `ds:UnauthorizeApplication` is suggested to remove any resources that are provisionally created, in case something goes wrong during the server creation process

Add these permissions to the role you are using for creating your Transfer Family servers. For more details on these permissions, see [Amazon Directory Service API permissions: Actions, resources, and conditions reference](https://docs.amazonaws.cn//directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html).

## Working with Active Directory realms
<a name="managed-ad-realms"></a>

 When you are considering how to have your Active Directory users access Amazon Transfer Family servers, keep in mind the user's realm, and their group's realm. Ideally, the user's realm and their group's realm should match. That is, both the user and the group are in the default realm, or both are in the trusted realm. If this is not the case, the user cannot be authenticated by Transfer Family.

You can test the user to ensure the configuration is correct. For details, see [Testing users](#directory-services-test-user). If there is a problem with the user/group realm, you receive the error `No associated access found for user's groups.`

## Choosing Amazon Managed Microsoft AD as your identity provider
<a name="managed-ad-identity-provider"></a>

This section describes how to use Amazon Directory Service for Microsoft Active Directory with a server.

**To use Amazon Managed Microsoft AD with Transfer Family**

1. Sign in to the Amazon Web Services Management Console and open the Amazon Directory Service console at [https://console.amazonaws.cn/directoryservicev2/](https://console.amazonaws.cn/directoryservicev2/).

   Use the Amazon Directory Service console to configure one or more managed directories. For more information, see [Amazon Managed Microsoft AD](https://docs.amazonaws.cn/directoryservice/latest/admin-guide/directory_microsoft_ad.html) in the *Amazon Directory Service Admin Guide*.  
![\[The Directory Service console showing a list of directories and their details.\]](http://docs.amazonaws.cn/en_us/transfer/latest/userguide/images/directory-services-AD-list.png)

1. Open the Amazon Transfer Family console at [https://console.amazonaws.cn/transfer/](https://console.amazonaws.cn/transfer/), and choose **Create server**.

1. On the **Choose protocols** page, choose one or more protocols from the list.
**Note**  
If you select **FTPS**, you must provide the Amazon Certificate Manager certificate. 

1. For **Choose an identity provider**, choose **Amazon Directory Service**.  
![\[Console screenshot showing Choose identity provider section with Directory Service selected.\]](http://docs.amazonaws.cn/en_us/transfer/latest/userguide/images/create-server-choose-idp-directory-services.png)

1. The **Directory** list contains all the managed directories that you have configured. Choose a directory from the list, and choose **Next**.
**Note**  
Cross-account and shared directories are not supported for Amazon Managed Microsoft AD.
To set up a server with Directory Service as your identity provider, you need to add some Amazon Directory Service permissions. For details, see [Before you start using Amazon Directory Service for Microsoft Active Directory](#managed-ad-prereq).

1. To finish creating the server, use one of the following procedures:
   + [Create an SFTP-enabled server](create-server-sftp.md)
   + [Create an FTPS-enabled server](create-server-ftps.md)
   + [Create an FTP-enabled server](create-server-ftp.md)

   In those procedures, continue with the step that follows choosing an identity provider.

**Important**  
 You can't delete a Microsoft AD directory in Amazon Directory Service if you used it in a Transfer Family server. You must delete the server first, and then you can delete the directory. 

## Connecting to on-prem Microsoft Active Directory
<a name="on-prem-ad"></a>

This section describes how to set up an Amazon Directory using an AD Connector.

**To set up your Amazon Directory using AD Connector**

1. Open the [Directory Service](https://console.amazonaws.cn/directoryservicev2/) console and select **Directories**.

1. Select **Set up directory**.

1. For directory type, choose **AD Connector**.

1. Select a directory size, select **Next**, then select your VPC and Subnets.

1. Select **Next**, then fill in the fields as follows:
   + **Directory DNS name**: enter the domain name you are using for your Microsoft Active Directory.
   + **DNS IP addresses**: enter your Microsoft Active Directory IP addresses.
   + **Server account username** and **password**: enter the details for the service account to use.

1. Complete the screens to create the directory service.

The next step is to create a Transfer Family server with the SFTP protocol and the identity provider type of **Amazon Directory Service**. From the **Directory** drop-down list, select the directory you added in the previous procedure.

## Granting access to groups
<a name="directory-services-grant-access"></a>

 After you create the server, you must choose which groups in the directory should have access to upload and download files over the enabled protocols using Amazon Transfer Family. You do this by creating an *access*.

**Note**  
Amazon Transfer Family has a default limit of 100 Active Directory groups per server. If your use case requires more than 100 groups, consider using a custom identity provider solution as described in [Simplify Active Directory authentication with a custom identity provider for Amazon Transfer Family](https://amazonaws-china.com/blogs/storage/simplify-active-directory-authentication-with-a-custom-identity-provider-for-aws-transfer-family/).

**Note**  
Users must belong *directly* to the group to which you are granting access. For example, assume that Bob is a user and belongs to groupA, and groupA itself is included in groupB.  
If you grant access to groupA, Bob is granted access.
 If you grant access to groupB (and not to groupA), Bob does not have access.

**To grant access to a group**

1. Open the Amazon Transfer Family console at [https://console.amazonaws.cn/transfer/](https://console.amazonaws.cn/transfer/).

1. Navigate to your server details page.

1.  In the **Accesses** section, choose **Add access**. 

1. Enter the SID for the Amazon Managed Microsoft AD group that you want to have access to this server.
**Note**  
For information about how to find the SID for your group, see [Before you start using Amazon Directory Service for Microsoft Active Directory](#managed-ad-prereq).

1. For **Access**, choose an Amazon Identity and Access Management (IAM) role for the group.

1.  In the **Policy** section, choose a policy. The default setting is **None**. 

1. For **Home directory**, choose an Amazon S3 bucket that corresponds to the group's home directory.
**Note**  
You can limit the portions of the bucket that users see by creating a session policy. For example, to limit users to their own folder under the `/filetest` directory, enter the following text in the box.  

   ```
   /filetest/${transfer:UserName}
   ```
 To learn more about creating a session policy, see [Creating a session policy for an Amazon S3 bucket](users-policies-session.md). 

1.  Choose **Add** to create the association. 

 In the **Accesses** section, the accesses for the server are listed. 

![\[Console showing the Accesses section with the server accesses listed.\]](http://docs.amazonaws.cn/en_us/transfer/latest/userguide/images/accesses-list.png)


## Testing users
<a name="directory-services-test-user"></a>

You can test whether a user has access to the Amazon Managed Microsoft AD directory for your server.

**Note**  
A user must be in exactly one group (an external ID) that is listed in the **Access** section of the **Endpoint configuration** page. If the user is in no groups, or is in more than a single group, that user is not granted access.

**To test whether a specific user has access**

1. On the server details page, choose **Actions**, and then choose **Test**.

1. For **Identity provider testing**, enter the sign-in credentials for a user that is in one of the groups that has access. 

1.  Choose **Test**. 

You see a successful identity provider test, showing that the selected user has been granted access to the server.

![\[Console screenshot of the successful identity provider testing response.\]](http://docs.amazonaws.cn/en_us/transfer/latest/userguide/images/identity-provider-test-success.png)


If the user belongs to more than one group that has access, you receive the following response.

```
{
  "Response": "",
  "StatusCode": 200,
  "Message": "More than one associated access found for user's groups."
}
```
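The three rules spread across this page (the user and the group must be in the same realm, membership must be direct rather than through a nested group, and exactly one of the user's groups may have an access on the server) decide whether the identity provider test succeeds. The following Python is an added example, not Amazon code: it models those rules so you can predict the test result for a planned set of accesses before creating them in the console. The SIDs, names and role ARN are constructed sample values, and the Bob/groupA/groupB scenario is the one from the note in [Granting access to groups](#directory-services-grant-access).

```python
"""Predict which access a Directory Service user resolves to.

Added example, not Amazon code. It encodes the rules stated on this page:
direct group membership only, user and group in the same realm, and exactly
one matching access. All identifiers below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Messages as shown by the identity provider test on this page.
NO_ACCESS = "No associated access found for user's groups."
MULTIPLE_ACCESS = "More than one associated access found for user's groups."


@dataclass(frozen=True)
class Access:
    """One entry in the server's Accesses list; external_id is the group SID."""
    external_id: str
    role: str
    home_directory: str


@dataclass
class AdUser:
    sam_account_name: str
    realm: str
    # SID -> realm, for groups the user is a *direct* member of
    direct_groups: Dict[str, str]
    # groups reached only through another group; not considered for access
    nested_groups: Set[str] = field(default_factory=set)


def resolve_access(user: AdUser, accesses: List[Access]) -> Tuple[str, Optional[Access]]:
    """Return (message, access); an empty message means access is granted."""
    matches = [
        a for a in accesses
        if a.external_id in user.direct_groups               # direct membership only
        and user.direct_groups[a.external_id] == user.realm  # same realm as the user
    ]
    if not matches:
        return NO_ACCESS, None
    if len(matches) > 1:
        return MULTIPLE_ACCESS, None
    return "", matches[0]


# Constructed sample directory: Bob is directly in groupA; groupA is nested in groupB.
GROUP_A = "S-1-5-21-1004336348-1177238915-682003330-1105"
GROUP_B = "S-1-5-21-1004336348-1177238915-682003330-1106"
GROUP_C = "S-1-5-21-1004336348-1177238915-682003330-1107"
REALM = "corp.example.com"
ROLE = "arn:aws-cn:iam::111122223333:role/ExampleTransferRole"  # placeholder ARN

BOB = AdUser("bob", REALM, direct_groups={GROUP_A: REALM}, nested_groups={GROUP_B})
ACCESS_A = Access(GROUP_A, ROLE, "/filetest/groupA")
ACCESS_B = Access(GROUP_B, ROLE, "/filetest/groupB")
ACCESS_C = Access(GROUP_C, ROLE, "/filetest/groupC")


def scenarios() -> Dict[str, str]:
    """Run the page's examples and return the message each produces."""
    bob_in_two_groups = AdUser("bob", REALM, {GROUP_A: REALM, GROUP_C: REALM})
    group_in_trusted_realm = AdUser("bob", REALM, {GROUP_A: "trusted.example.com"})
    return {
        "access to groupA": resolve_access(BOB, [ACCESS_A])[0],
        "access to groupB only (Bob nested via groupA)": resolve_access(BOB, [ACCESS_B])[0],
        "accesses to groupA and groupC, Bob directly in both": resolve_access(
            bob_in_two_groups, [ACCESS_A, ACCESS_C])[0],
        "group in a different realm than the user": resolve_access(
            group_in_trusted_realm, [ACCESS_A])[0],
    }


if __name__ == "__main__":
    for name, msg in scenarios().items():
        print("%-55s -> %s" % (name, msg or "access granted"))
```

Replace the constructed SIDs with the ones your `Get-ADGroup` query returns and list each user's direct groups; any scenario that prints `NO_ACCESS` or `MULTIPLE_ACCESS` here will fail the identity provider test in the console for the same reason.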

## Deleting server access for a group
<a name="directory-services-misc"></a>

**To delete server access for a group**

1. On the server details page, choose **Actions**, and then choose **Delete Access**.

1. In the dialog box, confirm that you want to remove access for this group.

 When you return to the server details page, you see that the access for this group is no longer listed. 

## Connecting to the server using SSH (Secure Shell)
<a name="directory-services-ssh-procedure"></a>

After you configure your server and users, you can connect to the server using SSH and use the fully qualified username for a user that has access. 

```
sftp user@active-directory-domain@vpc-endpoint
```

For example: `transferuserexample@mycompany.com@vpce-0123456abcdef-789xyz.vpc-svc-987654zyxabc.us-east-1.vpce.amazonaws.com`.

This format scopes the lookup to the named domain within the federation, limiting the search of a potentially large Active Directory.

**Note**  
You can specify the simple username. However, in this case, the Active Directory code has to search all the directories in the federation. That search might be limited, and authentication might fail even if the user should have access.

After authenticating, the user is located in the home directory that you specified when you configured the user.

## Connecting Amazon Transfer Family to a self-managed Active Directory using forests and trusts
<a name="directory-services-ad-trust"></a>

Amazon Directory Service has the following options available to connect to a self-managed Active Directory:
+ One-way forest trust (outgoing from Amazon Managed Microsoft AD and incoming for on-premises Active Directory) works only for the root domain.
+ For child domains, you can use either of the following:
  + Use two-way trust between Amazon Managed Microsoft AD and on-premises Active Directory
  + Use one-way external trust to each child domain.

When connecting to the server using a trusted domain, the user needs to specify the trusted domain, for example `transferuserexample@mycompany.com`.