Why can't I connect to my WorkSpace after I activated certificate-based authentication?
I activated certificate-based authentication for Amazon WorkSpaces, but now I can't connect to my WorkSpace.
Resolution
After you activate certificate-based authentication, you might experience the following issues:
- The WorkSpaces client or the Windows sign-in screen prompts you for a password when you connect to your WorkSpace.
- The WorkSpaces client tries to connect to the WorkSpace but is disconnected, and you receive the "You have been disconnected" error.
- When you try to authenticate, you receive the "An error occurred while launching your WorkSpace" error.
To troubleshoot connection issues with certificate-based authentication, first reboot the WorkSpace so that certificate-based authentication is turned on.
Note: You might need to reboot the WorkSpace twice for the changes to take effect.
If you still have connection issues after the reboot, then take the following actions.
Turn off certificate-based authentication and check whether your SAML 2.0 authentication is working. If SAML 2.0 authentication has issues, then see How do I troubleshoot SAML 2.0 authentication issues in WorkSpaces?
Verify that the AWS Private Certificate Authority certificate has a tag with the euc-private-ca key name.
Use the AWS Identity and Access Management (IAM) console to check whether the AmazonWorkSpacesPCAAccess role exists. If the role is missing, then create the AmazonWorkSpacesPCAAccess service role.
If you're using the name constraints extension, then the name constraint must be a fully qualified domain name (FQDN). Use a host name or a domain name, for example host.example.com or example.com. For more information, see Name constraints on the IETF Datatracker website.
Check the userPrincipalName field in the user's Microsoft Active Directory object. If the field contains an alternative suffix, then include the suffix as an Attribute value of the PrincipalTag:Domain attribute element. For more information, see Step 5: Create assertions for the SAML authentication response.
Verify that your Amazon Simple Storage Service (Amazon S3) bucket policy allows Amazon CloudFront to access the S3 bucket origin. Also check that the S3 bucket policy allows AWS Private CA to access the S3 bucket: AWS Private CA writes the certificate revocation list (CRL) to the bucket and periodically updates it, so if the CA can't write to the bucket, the published CRL goes stale.
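The following script is an added example and is not part of the AWS article. It checks a bucket policy for the two grants described above, assuming the service principals AWS documents for this setup (acm-pca.amazonaws.com for AWS Private CA, cloudfront.amazonaws.com for CloudFront); the bucket name, account ID and distribution ARN in the sample policies are constructed placeholders.

```python
"""Check an S3 bucket policy for the grants a WorkSpaces CRL bucket needs.

Added example, not code from the AWS article. Assumes the service
principals AWS documents for this setup: acm-pca.amazonaws.com (AWS Private
CA writes and refreshes the CRL) and cloudfront.amazonaws.com (CloudFront
reads the CRL from the bucket origin). Bucket names, account IDs and ARNs
are constructed placeholders.
"""
import json

PCA_SERVICE = "acm-pca.amazonaws.com"
CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"

# Actions AWS Private CA needs to publish the CRL and update it periodically.
PCA_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation"}
# Action CloudFront needs to serve the CRL from the S3 origin.
CLOUDFRONT_ACTIONS = {"s3:GetObject"}

# Constructed policy that grants both services what they need.
COMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": PCA_SERVICE},
            "Action": sorted(PCA_ACTIONS),
            "Resource": ["arn:aws:s3:::example-crl-bucket", "arn:aws:s3:::example-crl-bucket/*"],
            "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_SERVICE},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-crl-bucket/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}},
        },
    ],
})

# Constructed policy with only the CloudFront statement: AWS Private CA
# cannot refresh the CRL, so the published CRL eventually expires.
INCOMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [json.loads(COMPLETE_POLICY)["Statement"][1]],
})


def _as_set(value):
    """Normalise a policy field that may be a string, a list, or absent."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def _allowed_actions(policy, service):
    """Collect the actions that Allow statements grant to a service principal."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_set(principal.get("Service")) if isinstance(principal, dict) else set()
        if service in services:
            actions |= _as_set(stmt.get("Action"))
    return actions


def missing_crl_bucket_grants(policy_json):
    """Return a sorted list of 'service:action' grants the policy lacks.

    A wildcard grant ("*" or "s3:*") to the service counts as covering all
    of its required actions. Explicit Deny statements and Resource scoping
    are not evaluated here; review those by hand.
    """
    policy = json.loads(policy_json)
    missing = []
    for service, required in ((PCA_SERVICE, PCA_ACTIONS),
                              (CLOUDFRONT_SERVICE, CLOUDFRONT_ACTIONS)):
        granted = _allowed_actions(policy, service)
        if granted & {"*", "s3:*"}:
            continue
        missing.extend(f"{service}:{action}" for action in sorted(required - granted))
    return missing


if __name__ == "__main__":
    for name, policy in (("complete", COMPLETE_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        gaps = missing_crl_bucket_grants(policy)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

To check a live bucket, fetch the policy document (for example with `aws s3api get-bucket-policy`) and pass its JSON string to `missing_crl_bucket_grants`. The checker only confirms that the Allow statements exist; it does not evaluate Deny statements or whether the Resource entries actually cover the CRL object, so inspect those separately.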
Check whether the CRL is expired. Download the CRL from the S3 bucket, use OpenSSL to view the CRL file, and check the Next Update date. If that date has passed, the CRL is expired and certificate-based sign-in fails until AWS Private CA publishes a fresh CRL.
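As an added example (not from the AWS article), the script below wraps the OpenSSL check: it runs `openssl crl -noout -lastupdate -nextupdate` on a downloaded CRL file, parses the timestamps, and reports how long the CRL remains valid. It assumes the CRL is DER-encoded, which is how AWS Private CA publishes it (pass `inform="PEM"` otherwise); the `SAMPLE_OUTPUT` string and the file path in the usage are constructed.

```python
"""Report whether a CRL's Next Update date has passed.

Added example, not code from the AWS article. Runs
`openssl crl -noout -lastupdate -nextupdate` on a CRL file and parses the
output. Assumes a DER-encoded CRL (how AWS Private CA publishes it); the
sample output below is constructed.
"""
import subprocess
import sys
from datetime import datetime, timezone

# Constructed output in the format `openssl crl -lastupdate -nextupdate` prints.
SAMPLE_OUTPUT = "lastUpdate=Feb 20 09:15:42 2025 GMT\nnextUpdate=Mar  3 09:15:42 2025 GMT\n"


def parse_openssl_time(line):
    """Parse 'nextUpdate=Mar  3 09:15:42 2025 GMT' into a UTC datetime.

    Returns None for 'nextUpdate=NONE', which OpenSSL prints when the CRL
    carries no Next Update field.
    """
    _, _, value = line.strip().partition("=")
    if value == "NONE":
        return None
    # split() collapses the padding OpenSSL uses for single-digit days.
    parts = value.split()
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError(f"unexpected OpenSSL time: {value!r}")
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def crl_validity(openssl_output, now=None):
    """Return (last_update, next_update, seconds_until_expiry).

    seconds_until_expiry is negative once Next Update has passed, and None
    when the CRL has no Next Update field.
    """
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            fields[key] = parse_openssl_time(line)
    last_update = fields.get("lastUpdate")
    next_update = fields.get("nextUpdate")
    remaining = None if next_update is None else (next_update - now).total_seconds()
    return last_update, next_update, remaining


def check_crl_file(path, inform="DER", now=None):
    """Run OpenSSL on a CRL file and return crl_validity() for it."""
    result = subprocess.run(
        ["openssl", "crl", "-inform", inform, "-in", path,
         "-noout", "-lastupdate", "-nextupdate"],
        capture_output=True, text=True, check=True,
    )
    return crl_validity(result.stdout, now)


if __name__ == "__main__":
    # Usage: python check_crl.py /path/to/downloaded.crl  (path is a placeholder)
    if len(sys.argv) > 1:
        last, nxt, remaining = check_crl_file(sys.argv[1])
    else:
        last, nxt, remaining = crl_validity(SAMPLE_OUTPUT)
    print(f"Last Update: {last}")
    print(f"Next Update: {nxt}")
    if remaining is None:
        print("CRL has no Next Update field")
    elif remaining < 0:
        print(f"EXPIRED {-remaining / 3600:.1f} hours ago; AWS Private CA has not refreshed it")
    else:
        print(f"valid for another {remaining / 86400:.1f} days")
```

Copy the CRL object out of the bucket first (for example with `aws s3 cp`) and pass the local path. An expired CRL almost always means AWS Private CA could not write to the bucket, so pair this check with the bucket-policy review in the previous step.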
If you still can't access your WorkSpace, then see My users cannot log in using certificate-based authentication and are prompted for the password either at the WorkSpaces client or the Windows sign-on screen when they connect to their desktop session.
Related information
How to configure certificate-based authentication for Amazon WorkSpaces