Launch a WorkSpace using a trusted domain - Amazon WorkSpaces
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Launch a WorkSpace using a trusted domain

WorkSpaces enables you to provision virtual, cloud-based Microsoft Windows, Amazon Linux, or Ubuntu Linux desktops for your users, known as WorkSpaces.

WorkSpaces uses directories to store and manage information for your WorkSpaces and users. For your directory, you can choose from Simple AD, AD Connector, or Amazon Directory Service for Microsoft Active Directory, also known as Amazon Managed Microsoft AD. In addition, you can establish a trust relationship between your Amazon Managed Microsoft AD directory and your on-premises domain.

In this tutorial, we launch a WorkSpace that uses a trust relationship. For tutorials that use the other options, see Launch a virtual desktop using WorkSpaces.

Before you begin

  • Launching WorkSpaces for accounts in a separate trusted domain works with Amazon Managed Microsoft AD when it is configured with a trust relationship to your on-premises directory. WorkSpaces that use Simple AD or AD Connector cannot be launched for users from a trusted domain.

  • WorkSpaces is not available in every Region. Verify the supported Regions and select a Region for your WorkSpaces. For more information about the supported Regions, see WorkSpaces Pricing by Amazon Region.

  • When you launch a WorkSpace, you must select a WorkSpace bundle. A bundle is a combination of storage, compute, and software resources. For more information, see Amazon WorkSpaces Bundles.

  • When you create a directory using Amazon Directory Service or launch a WorkSpace, you must create or select a virtual private cloud configured with a public subnet and two private subnets. For more information, see Configure a VPC for WorkSpaces.

Step 1: Establish a trust relationship

To set up the trust relationship
  1. Set up Amazon Managed Microsoft AD in your virtual private cloud (VPC). For more information, see Create Your Amazon Managed Microsoft AD directory in the Amazon Directory Service Administration Guide.

    Note
    • Shared directories are not currently supported for use with Amazon WorkSpaces.

    • If your Amazon Managed Microsoft AD directory has been configured for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with Amazon Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

  2. Create a trust relationship between your Amazon Managed Microsoft AD and your on-premises domain. Ensure that the trust is configured as a two-way trust. For more information, see Tutorial: Create a Trust Relationship Between Your Amazon Managed Microsoft AD and Your On-Premises Domain in the Amazon Directory Service Administration Guide.

Either a one-way or a two-way trust can be used to manage and authenticate WorkSpaces and to provision WorkSpaces for on-premises users and groups. For more information, see Deploy Amazon WorkSpaces using a One-Way Trust Resource Domain with Amazon Directory Service.

Note

Ubuntu WorkSpaces use System Security Services Daemon (SSSD) for Active Directory integration, and SSSD does not support forest trust. Configure external trust instead. Two-way trust is recommended for Amazon Linux and Ubuntu WorkSpaces.
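The trust constraints in Step 1 and the note above (usable trust state, external rather than forest trust for Ubuntu, two-way trust recommended for Linux WorkSpaces) are easy to check programmatically before you register the directory. The following is an added example, not code from the WorkSpaces documentation or the AWS SDK. It evaluates trust records in the shape returned by the Directory Service DescribeTrusts API and builds the keyword arguments for a CreateTrust call; the sample response is constructed, the `workspace_os` labels are this example's own, and no API call is made.

```python
"""Assess Directory Service trusts against this page's guidance before launching WorkSpaces."""
from typing import Dict, List

# Enum strings as returned by the Directory Service DescribeTrusts API.
TRUST_TYPE_FOREST = "Forest"
TRUST_TYPE_EXTERNAL = "External"
DIRECTION_TWO_WAY = "Two-Way"
# States in which a trust is established and neither mid-change nor failed.
USABLE_STATES = {"Created", "Verified", "Updated"}
# OS labels used only by this example (hypothetical, not an API value).
LINUX_OS = {"amazon-linux", "ubuntu"}


def assess_trust(trust: Dict, workspace_os: str) -> List[str]:
    """Return findings for one trust record; an empty list means no concern for that OS."""
    findings = []
    state = trust.get("TrustState")
    if state not in USABLE_STATES:
        reason = trust.get("TrustStateReason", "no reason reported")
        findings.append(f"state {state!r}: {reason}")
    # Ubuntu WorkSpaces use SSSD, which does not support forest trusts.
    if workspace_os == "ubuntu" and trust.get("TrustType") != TRUST_TYPE_EXTERNAL:
        findings.append("Ubuntu WorkSpaces need an external trust, not a forest trust (SSSD limitation)")
    # The page recommends a two-way trust for Amazon Linux and Ubuntu WorkSpaces.
    if workspace_os in LINUX_OS and trust.get("TrustDirection") != DIRECTION_TWO_WAY:
        findings.append("two-way trust is recommended for Linux WorkSpaces")
    return findings


def usable_trusts(describe_trusts_response: Dict, workspace_os: str) -> Dict[str, List[str]]:
    """Map each TrustId to its findings; pick the trusts whose list is empty."""
    return {t["TrustId"]: assess_trust(t, workspace_os)
            for t in describe_trusts_response.get("Trusts", [])}


def create_trust_params(directory_id: str, remote_domain: str,
                        trust_type: str = TRUST_TYPE_EXTERNAL,
                        direction: str = DIRECTION_TWO_WAY,
                        forwarder_ips=()) -> Dict:
    """Keyword arguments for boto3 DirectoryService.create_trust (not called here).
    TrustPassword is deliberately left to the caller: never embed it in source."""
    params = {"DirectoryId": directory_id, "RemoteDomainName": remote_domain,
              "TrustType": trust_type, "TrustDirection": direction}
    if forwarder_ips:
        params["ConditionalForwarderIpAddrs"] = list(forwarder_ips)
    return params


# Constructed sample in DescribeTrusts shape; the ids and domains are placeholders.
SAMPLE_DESCRIBE_TRUSTS = {
    "Trusts": [
        {"DirectoryId": "d-0000000001", "TrustId": "t-sample0001",
         "RemoteDomainName": "corp.example.com", "TrustType": "Forest",
         "TrustDirection": "Two-Way", "TrustState": "Verified"},
        {"DirectoryId": "d-0000000001", "TrustId": "t-sample0002",
         "RemoteDomainName": "lab.example.com", "TrustType": "External",
         "TrustDirection": "One-Way: Outgoing", "TrustState": "VerifyFailed",
         "TrustStateReason": "constructed sample: conditional forwarder unreachable"},
    ]
}

if __name__ == "__main__":
    for os_label in ("windows", "ubuntu"):
        print(os_label, usable_trusts(SAMPLE_DESCRIBE_TRUSTS, os_label))
    print(create_trust_params("d-0000000001", "corp.example.com", forwarder_ips=["10.0.0.53"]))
```

With a live account, the `Trusts` list would come from `boto3.client("ds").describe_trusts(DirectoryId=...)`; the assessment logic is the same. The sample's forest trust passes for Windows WorkSpaces but is flagged for Ubuntu, and the one-way, unverified trust is flagged on both state and direction.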

Step 2: Create a WorkSpace

After you establish a trust relationship between your Amazon Managed Microsoft AD and your on-premises Microsoft Active Directory domain, you can provision WorkSpaces for users in the on-premises domain.

Note that you must ensure that Group Policy Object (GPO) settings are replicated across domains before you can apply them to WorkSpaces.

To launch WorkSpaces for users in a trusted on-premises domain
  1. Open the WorkSpaces console at https://console.amazonaws.cn/workspaces/.

  2. In the navigation pane, choose WorkSpaces.

  3. Choose Launch WorkSpaces.

  4. On the Select a Directory page, choose the directory that you just registered and then choose Next Step.

  5. On the Identify Users page, do the following:

    1. For Select trust from forest, select the trust relationship that you created.

    2. Select the users from the on-premises domain and then choose Add Selected.

    3. Choose Next Step.

  6. Select the bundle to be used for the WorkSpaces and then choose Next Step.

    Note

    Review the recommended uses and specifications of each bundle to help ensure you select the bundle that works best for your users. For more information about each use case, see Amazon WorkSpaces Bundles. For more information about bundle specifications, recommended uses, and pricing, see Amazon WorkSpaces pricing.

  7. Choose the running mode, choose the encryption settings, and configure any tags. When you are finished, choose Next Step.

  8. Choose Launch WorkSpaces. Note that it can take up to 20 minutes for the WorkSpaces to become available, and up to 40 minutes if encryption is enabled. The initial status of the WorkSpace is PENDING. When the launch is complete, the status is AVAILABLE.

  9. Send invitations to the email address for each user. (These invitations aren't sent automatically if you're using a trust relationship.) For more information, see Send an invitation email.

Step 3: Connect to the WorkSpace

After you receive the invitation email, you can connect to your WorkSpace. Users can enter their user names as username, corp\username, or corp.example.com\username.

To connect to the WorkSpace
  1. Open the link in the invitation email. When prompted, enter a password and activate the user. Remember this password as you will need it to sign in to your WorkSpace.

    Note

    Passwords are case-sensitive and must be between 8 and 64 characters in length, inclusive. Passwords must contain at least one character from each of the following categories: lowercase letters (a-z), uppercase letters (A-Z), numbers (0-9), and ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/.

  2. Review WorkSpaces Clients in the Amazon WorkSpaces User Guide for more information about the requirements for each client, and then do one of the following:

    • When prompted, download one of the client applications or launch Web Access.

    • If you aren't prompted and you haven't installed a client application already, open https://clients.amazonworkspaces.awsapps.cn/ and download one of the client applications or launch Web Access.

    Note

    You cannot use a web browser (Web Access) to connect to Amazon Linux WorkSpaces.

  3. Start the client, enter the registration code from the invitation email, and choose Register.

  4. When prompted to sign in, enter the user's sign-in credentials, and then choose Sign In.

  5. (Optional) When prompted to save your credentials, choose Yes.
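The password rules in the note under step 1 of this procedure (8 to 64 characters, at least one character from each of four categories) are worth enforcing in any script that pre-stages or rotates user passwords, so that activation does not fail late. The following is an added example, not code from the WorkSpaces documentation; the special-character set is copied from the note, and the check for characters outside the four listed categories is this example's own conservative addition, reported separately because the note does not say whether such characters are rejected.

```python
"""Validate a candidate password against the policy quoted in this page's note."""
import string
from typing import List

MIN_LEN, MAX_LEN = 8, 64
# Special characters exactly as listed in the note (a raw triple-quoted string
# avoids escaping the backslash and both quote characters).
SPECIALS = set(r"""~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/""")
CATEGORIES = [
    ("lowercase letter", set(string.ascii_lowercase)),
    ("uppercase letter", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("special character", SPECIALS),
]


def password_problems(password: str) -> List[str]:
    """Return every policy violation found; an empty list means the password complies."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}..{MAX_LEN}")
    chars = set(password)
    for name, allowed in CATEGORIES:
        if not chars & allowed:
            problems.append(f"missing a {name}")
    return problems


def unlisted_characters(password: str) -> List[str]:
    """Characters outside the four categories the note lists (for example a space).
    Reported separately: this is the example's own conservative check, not a rule
    the note states."""
    listed = set().union(*(allowed for _, allowed in CATEGORIES))
    return sorted(set(password) - listed)


if __name__ == "__main__":
    # Constructed sample candidates; none is a real credential.
    for candidate in ("Tr0ub4dor&3", "short1A", "alllowercase", "Has a space1!"):
        print(repr(candidate), password_problems(candidate), unlisted_characters(candidate))
```

The note's special-character list turns out to be exactly the 32 ASCII punctuation characters, so `SPECIALS` equals `set(string.punctuation)`; keeping the literal from the page makes that equivalence checkable rather than assumed.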

Next steps

You can continue to customize the WorkSpace that you just created. For example, you can install software and then create a custom bundle from your WorkSpace. You can also perform various administrative tasks for your WorkSpaces and your WorkSpaces directory. If you are finished with your WorkSpace, you can delete it. For more information, see the following documentation.

For more information about using the WorkSpaces client applications, such as setting up multiple monitors or using peripheral devices, see WorkSpaces Clients and Peripheral Device Support in the Amazon WorkSpaces User Guide.