By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS SSO with Microsoft AD as IdP

0

For our customer we want to use AWS SSO with an already existing Microsoft Active Directory on-premise infrastructure and therefore establish a trust relationship between AWS SSO and a self-managed Active Directory (on-premise). Is it possible to use an read-only domain controller (RODC) at the on-premise network or does it have to be a fully functional (writeable) domain controller on the on-premise network? I guess RODC will not work and would like to verify that. Thanks.

Topics
Security, Identity, & Compliance
Tags
AWS IAM Identity Center
Language
English
AWS-User-3705162
asked 2 years ago1079 views
3 Answers
1

In this case you have two options , 1: Use On-premises domain with AWS AD Connector ->AWS SSO 2: Use AWS Managed AD two way trust with On-premises AD ->AWS SSO

**With AD Connector : ** AD Connector to RODC is not supported when used in combination with the Amazon EC2 domain-join feature only. If you are not using the AD for ec2 seamless domain joins then you can use AD connector with RODC.

Few things to consider when it comes to RODC. An RODC is designed primarily to be deployed in remote or branch office environments.

1: Read Only Domain Controllers have limitations around trust. "An RODC does not know the trust password. It will not be able to provide or decrypt referral ticket-granting tickets (TGTs). Access to writable domain controllers must always be available for cross-domain authentication to succeed."

2: Example , If the ADC and RODC lose connectivity to full DC's (WAN outage), but both still have connectivity to AWS SSO ?

  • Then as long as the RODC has been created with credential caching it may work. By default RODCs don’t cache credentials as it is sometimes considered a security flaw as the RODC is usually in an environment that is not considered fully secure and so the credentials can be stolen. But if you set it up with the caching option it should work.

With Managed AD : You can create a Managed AD and setup a trust between their on-premises. The Managed AD would serve as a resource domain in a new forest. This is a recommended solution over AD connector and other options. See the whitepaper for more guidance. Note that Managed AD can be shared across accounts and regions with few clicks. https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf & http://docs.aws.amazon.com/directoryservice/latest/admin-guide/setup_trust.html

I will suggest to extend your On-premises writable DC on AWS to avoid single point of network failure and use AWS AD connector or AWS Managed AD with AWS SSO . Refer this blog to extend your domain controllers securely on AWS. https://aws.amazon.com/blogs/security/securely-extend-and-access-on-premises-active-directory-domain-controllers-in-aws/

Hope this is helpful.

AWS
Mangesh Budkule
answered 2 years ago
0

The AD connector is not an option here. For the Managed AD with two-way-trust to on-premise AD: Is using an RODC possible or does it have to be a writeable DC?

AWS-User-3705162
answered 2 years ago
  • Ciaran Carragher
    2 years ago

    That would be a question for Microsoft, and not necessarily AWS. You would need to see if a 2-way Trust can be established between a DC and a RODC. The only way it would be a question to AWS would be if that it were possible, then would there be anything preventing the necessary configurations being made because AWS Managed AD is exactly that - managed.

0

Anyone here to answers my question? Thanks and kind regards

AWS-User-3705162
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content