In App Stream 2.0 Getting error An unknown error occurred (1355).
Hi, I am trying to set up ADFS with AppStream 2.0 using SAML authentication, and have done all the required steps (referred from: https://aws.amazon.com/blogs/compute/enabling-identity-federation-with-ad-fs-3-0-and-amazon-appstream-2-0/ ), but after login, at the AppStream relay state URL screen, the system gives an error: "An unknown error occurred (1355)." As per my research it's indicating some DNS issue. When we checked my system's IP config, it displays something like this:

```
Windows IP Configuration
   Host Name . . . . . . . . . . : EC2AMAZ-NMGRP10   (this is my server's system name)
   Primary Dns Suffix  . . . . . : example.local

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix: sarvajeevan.com
   DNS Servers . . . . . . . . . : ::1
                                   127.0.0.1
```

Username for AppStream is: email@example.com. As per my understanding, our Active Directory domain name is **sarvajeevan.com**, but the internal federation domain is **example.local**. Please help us understand whether we are doing something wrong, or whether something needs to be fixed manually from Route 53 or somewhere else? Thanks
Migrating On premise windows Domain controller to AWS EC2
Hi Team, We have a requirement to migrate a Windows domain controller to AWS EC2. It's kind of a lift and shift, without using AWS Managed Microsoft AD or any paid AD services. Could you please shed some light on this or share some details about a migration strategy? Quick help is much appreciated. Thanks, Srikant
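As an added example (not part of the post above, and not an AWS-endorsed procedure), this is the lift-and-shift pattern that needs no managed AD service: over a VPN or Direct Connect link, promote an EC2 Windows instance as an additional domain controller of the existing on-premises domain, let it replicate, move the FSMO roles to it, and only then demote the on-premises DCs. The domain name, site name, subnet, DC IP address and disk paths are placeholders (assumptions); the first two commands are run on an existing on-prem DC, the rest on the EC2 instance.

```powershell
# --- On an existing on-prem DC (Domain Admin): give the VPC its own AD site so
#     clients and the new DC use site-aware DC location. Names/CIDR are assumptions.
New-ADReplicationSite -Name 'AWS-us-east-1'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'AWS-us-east-1'

# --- On the EC2 instance (local Administrator) ---------------------------------
$domain = 'corp.example.com'                 # assumption: your on-prem AD DNS domain
$site   = 'AWS-us-east-1'                    # the site created above
$onPremDcDns = '10.1.0.10'                   # assumption: an on-prem DC that runs DNS
$cred   = Get-Credential -Message "Domain Admin for $domain"

# 1. Before promotion the instance must resolve the domain via an existing DC,
#    not via the VPC resolver. Adapter alias is an assumption.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $onPremDcDns
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV | Select-Object NameTarget, Port

# 2. Install AD DS + DNS and promote as an additional (replica) DC and global catalog.
#    NTDS/SYSVOL on a separate EBS volume is a common choice, not a requirement.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -Credential $cred -SiteName $site `
    -InstallDns -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# The cmdlet reboots the instance when it finishes.

# 3. After the reboot: confirm inbound/outbound replication is clean before moving roles.
repadmin /replsummary
repadmin /showrepl $env:COMPUTERNAME

# 4. Transfer all five FSMO roles to the EC2 DC (Schema/Enterprise Admin needed for
#    SchemaMaster and DomainNamingMaster). Do this only once replication is healthy.
Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -Credential $cred `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo

# 5. Point VPC DHCP options / clients at the new DC for DNS; when nothing depends on the
#    on-prem DCs any more, demote them with Uninstall-ADDSDomainController on each.
```

The order matters: DNS first, promotion second, roles only after replication is verified. The PDC emulator is also the domain's time source, so after moving it configure the new DC to sync time from a reliable external or Amazon Time Sync source.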
AD Connector-Unable to connect to the On-Premises Active Directory
I am trying to create an AD Connector to connect to an on-prem Active Directory. I am seeing the error below:

`Configuration issues detected: SRV record for LDAP does not exist for IP: 10.0.0.10, SRV record for Kerberos does not exist for IP: 10.0.0.10. Please verify existing configuration and retry the operation.`
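An added example (not part of either post) that serves both the AD Connector question above and the AppStream "unknown error (1355)" question earlier on this page: Win32 error 1355 is ERROR_NO_SUCH_DOMAIN ("the specified domain either does not exist or could not be contacted"), and the AD Connector error names missing LDAP/Kerberos SRV records, so in both cases the first thing to verify is whether the DNS server IPs you handed to AWS actually answer the standard AD SRV queries for the domain. The script queries those records against each DNS server explicitly, then prints what the local Windows host is using (primary suffix, connection-specific suffix, DNS servers), which is the information the 1355 post pasted by hand. The domain name and DNS server IP are placeholders (assumptions).

```powershell
# Added example: verify AD SRV records from a Windows host, asking each DNS server
# directly (-Server) rather than whatever the adapter happens to be pointed at.
param(
    [string]$Domain    = 'sarvajeevan.com',   # assumption: your AD DNS domain name
    [string[]]$DnsServer = @('10.0.0.10')     # assumption: the IP(s) given to AD Connector
)

# Standard AD SRV names. The first is the DC-locator record; the other two are the
# LDAP and Kerberos records the AD Connector error message refers to.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

$failures = 0
foreach ($server in $DnsServer) {
    Write-Host "== DNS server $server =="
    foreach ($name in $srvNames) {
        try {
            $rec = Resolve-DnsName -Name $name -Type SRV -Server $server -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if (-not $rec) { Write-Warning "$name : answer contained no SRV record"; $failures++; continue }
            foreach ($r in $rec) {
                Write-Host ("  {0} -> {1}:{2} (priority {3}, weight {4})" -f
                    $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight)
                # The target host must itself resolve to an A record AD Connector can reach.
                $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $server -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' }
                if (-not $a) { Write-Warning "  $($r.NameTarget) has no A record on $server"; $failures++ }
            }
        } catch {
            Write-Warning "$name : lookup failed on $server : $($_.Exception.Message)"
            $failures++
        }
    }
}

# What this host is really using, for comparison with the ipconfig output in the 1355 post.
Write-Host "== Local DNS client configuration =="
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList | Format-List
Get-DnsClient | Where-Object ConnectionSpecificSuffix | Select-Object InterfaceAlias, ConnectionSpecificSuffix | Format-Table -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

Write-Host "SRV checks with problems: $failures"
```

If a record resolves here but AD Connector still reports it missing, the difference is usually the path: AD Connector queries from the VPC subnets you selected, so the same lookups have to succeed through that route (security groups, NACLs and any DNS forwarder on the way), not just from your workstation.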
Multi-Factor Fails To Enable On Directory Service For DUO/VPN setup
Hey there, been having trouble trying to enable Multi-Factor for Directory Service in order to integrate DUO with my VPN client. I have followed the post here to a tee, but when I go to enable MFA it keeps failing: https://aws.amazon.com/blogs/networking-and-content-delivery/using-microsoft-active-directory-mfa-with-aws-client-vpn/ So I have everything checked off. I do have an EC2 instance joined to the domain. I have rules in place that allow the RADIUS port through. I have also tested connectivity to the EC2 instance from Directory Service and it reaches it fine. I have my config for DUO set up according to the post above, with matching DUO keys, and verified the shared RADIUS key is good. But with that being said, it's not very clear whether the EC2 instance should have the RADIUS/NPS role installed and configured. It only mentions having a RADIUS server. So just to see, I did install the NPS role and set it up with Directory Service as a client. When trying to re-enable MFA, I do see DS trying to connect, and it creates an error in the log:

```
Event ID: 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:                  NULL SID
    Account Name:                 fakeusername
    Account Domain:               MYDOMAIN
    Fully Qualified Account Name: MYDOMAIN\fakeusername
```

And just to note, "fakeusername" is actually what is appearing in the log. Now there is no area in the whole setup where you create a system account or some account for DS to connect to the RADIUS server, so I am a bit puzzled by this. Obviously, there is no user by that name, and for fun I did create one with the RADIUS secret just to see if that would do anything, but of course it still fails. If there is anyone that can help provide any insight into this, I would appreciate your time. Thanks! Chris.
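The Event Viewer summary quoted above shows the account but not the two fields that say why NPS refused the request. Event 6273 also carries a Reason Code and Reason text (for example a credential failure versus "no matching network policy"), plus the client IP and the policy that was evaluated. As an added example, not from the post or the blog it links, this pulls the latest 6273 events from the Security log on the NPS host and surfaces those fields. It must run elevated on the NPS server; the EventData field names are those of the 6273 event schema as I know it (an assumption), so if a column comes back empty, dump `$data.Keys` to see the names your build uses.

```powershell
# Added example: explain NPS denials (Event 6273) by reading the structured EventData
# fields, not just the rendered message. Run as Administrator on the NPS host.
param([int]$MaxEvents = 20)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Field names below are from the 6273 event schema (assumption); see lead-in.
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = $data['FullyQualifiedSubjectUserName']
        ClientName = $data['ClientName']          # RADIUS client as defined in NPS
        ClientIP   = $data['ClientIPAddress']     # should be the Directory Service address
        AuthType   = $data['AuthenticationType']  # PAP / MS-CHAPv2 / EAP ...
        ConnPolicy = $data['ProxyPolicyName']
        NetPolicy  = $data['NetworkPolicyName']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
}

$rows | Format-Table -AutoSize -Wrap

# Count denials by reason so a repeating cause stands out in a noisy log.
$rows | Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two things are worth reading off the output before changing anything: whether `ClientIP` is the address of the directory (otherwise the RADIUS client entry in NPS is matched to the wrong source and NPS may be discarding the shared secret check), and whether `AuthType` matches the protocol the Duo proxy expects. The reason text then tells you whether NPS got as far as evaluating credentials at all.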
Windows Ec2 instance seamless domain join
I have an AWS Managed AD directory service. I am not able to seamlessly join a Windows EC2 instance to the domain. If I RDP into the instance and try to join the domain manually, it works. I am also able to join the domain by running the following command on the running EC2 instance: AWS-JoinDirectoryServiceDomain and AWS-JoinDirectoryServiceDomain. Here is the error message that I am getting:

```
Execution Summary: XXXXXXXX-XXXX-XXXX-XXX-XXXXXXXX
1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped.
The operation aws:domainJoin failed because Domain join failed with exception: Domain Join failed exit status 1.
```

I have already confirmed all the required ports are open. In fact I have allowed everything in both the SG and the ACL.
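A manual join and an on-demand run of the SSM document both succeeding while the seamless join fails points at the parts of the seamless path the post does not say it checked: the SSM agent and instance profile on the instance (the seamless join is an SSM association run by the agent with the instance's own role, which must carry AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess), and name resolution of the directory from the instance at boot. As an added example, not part of the post, this preflight runs inside the Windows instance and reports each prerequisite. The domain name and the directory's DNS server IPs are placeholders (assumptions); the TCP port list is the set I expect a domain join to need, so compare it with the AWS Managed Microsoft AD prerequisites page for your setup.

```powershell
# Added example: preflight for a seamless (SSM) domain join, run inside the instance.
param(
    [string]$Domain       = 'corp.example.com',            # assumption: your Managed AD domain
    [string[]]$DirectoryDns = @('10.0.0.10', '10.0.1.10')  # assumption: DNS IPs shown on the directory page
)

# 1. SSM agent present and running; without it no association ever executes.
Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue | Select-Object Name, Status

# 2. Instance profile attached (IMDSv2). The role must carry the two SSM managed policies.
$token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
try {
    $iam = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/iam/info' `
              -Headers @{ 'X-aws-ec2-metadata-token' = $token }
    "Instance profile: $($iam.InstanceProfileArn)"
} catch {
    Write-Warning 'No instance profile attached; the seamless join cannot call Directory Service'
}

# 3. Which DNS servers the adapter really uses, and whether the domain resolves through them.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize
foreach ($dns in $DirectoryDns) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) { "DC locator via ${dns}: " + (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ') }
    else      { Write-Warning "No DC locator SRV answer from $dns" }
}

# 4. TCP reachability to each DC. UDP (53/88/123/389) cannot be probed this way.
$tcpPorts = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389   # assumption, see lead-in
foreach ($ip in $DirectoryDns) {
    foreach ($p in $tcpPorts) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1,-5} {2}' -f $ip, $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 5. Kerberos rejects joins when clock skew exceeds a few minutes; compare against a DC.
w32tm /stripchart /computer:$($DirectoryDns[0]) /samples:1 /dataonly

# 6. What the agent itself logged for the join attempt.
Get-Content 'C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-agent.log' -Tail 40 -ErrorAction SilentlyContinue |
    Select-String -Pattern 'domainJoin|JoinDirectory|Error'
```

The step that most often differs between "manual works, seamless fails" is 3: the seamless association runs as soon as the agent starts, before any later change to DNS on the instance, so the VPC DHCP option set (or the Route 53 Resolver rules) must already hand out the directory's DNS servers.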
Lack of "workspaces:RegisterWorkspaceDirectory" permission when registering a Workspaces Directory
Hi, I am using Terraform to provision new Amazon WorkSpaces. I have an AD Connector created and linked to our internal domain. The next step is to create a WorkSpaces directory. Part of the creation is to link the directory to the AD Connector using the Terraform "aws_workspaces_directory" resource. However, I got the following error when running the Terraform code, even though the user below is granted the AmazonWorkSpacesAdmin and AWSDirectoryServiceFullAccess permission policies:

`Error: error registering WorkSpaces Directory (d-xxxxxxxxxx): AccessDeniedException: User: arn:aws:iam::xxxxx:user/xxxx is not authorized to perform: workspaces:RegisterWorkspaceDirectory on resource: arn:aws:workspaces:us-east-1:xxxxx:directory/d-xxxxxxx because no identity-based policy allows the workspaces:RegisterWorkspaceDirectory action`

Is there anybody who knows what permission policy is needed to grant the "workspaces:RegisterWorkspaceDirectory" action? If I read the error correctly, the user lacks permission to register the WorkSpaces directory with the AD Connector? If so, how do I check who has such permission on the AD Connector? Thank you.
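The error text answers the first question itself: the decision was "no identity-based policy allows", so neither attached managed policy contains `workspaces:RegisterWorkspaceDirectory`, and an explicit grant is needed. As an added example, not from the post, this attaches an inline policy scoped to the one directory named in the error and then answers the second question (who is allowed) with the IAM policy simulator rather than by reading policies by hand. User name, account ID and directory ID are placeholders (assumptions). The `ds:` statement is my assumption as well: registering a directory authorizes the WorkSpaces application against it, so I grant the matching Directory Service actions alongside; drop it if your user already has AWSDirectoryServiceFullAccess, as the post says this one does.

```powershell
# Added example: grant workspaces:RegisterWorkspaceDirectory with AWS Tools for PowerShell
# and confirm the effective decision with SimulatePrincipalPolicy. Placeholders are assumptions.
$userName    = 'terraform-deployer'     # assumption
$accountId   = '111122223333'           # assumption
$region      = 'us-east-1'              # region from the error message
$directoryId = 'd-xxxxxxxxxx'           # directory ID from the error message

$workspacesArn = "arn:aws:workspaces:${region}:${accountId}:directory/${directoryId}"
$dsArn         = "arn:aws:ds:${region}:${accountId}:directory/${directoryId}"

$policy = @{
    Version   = '2012-10-17'
    Statement = @(
        @{
            Sid      = 'RegisterWorkSpacesDirectory'
            Effect   = 'Allow'
            Action   = @('workspaces:RegisterWorkspaceDirectory',
                         'workspaces:DeregisterWorkspaceDirectory')   # Terraform destroy needs the inverse
            Resource = $workspacesArn
        },
        @{
            Sid      = 'AuthorizeWorkSpacesOnDirectory'                # assumption, see lead-in
            Effect   = 'Allow'
            Action   = @('ds:DescribeDirectories', 'ds:AuthorizeApplication', 'ds:UnauthorizeApplication')
            Resource = $dsArn
        }
    )
} | ConvertTo-Json -Depth 5

Write-IAMUserPolicy -UserName $userName -PolicyName 'WorkSpacesRegisterDirectory' -PolicyDocument $policy

# "Who has this permission?" Ask IAM to evaluate the principal's full policy set for the
# exact action/resource pair from the error. EvalDecision is allowed / implicitDeny / explicitDeny.
Test-IAMPrincipalPolicy -PolicySourceArn "arn:aws:iam::${accountId}:user/${userName}" `
    -ActionName 'workspaces:RegisterWorkspaceDirectory' `
    -ResourceArn $workspacesArn |
    Select-Object EvalActionName, EvalResourceName, EvalDecision
```

Running the simulation before the grant reproduces the `implicitDeny` behind the Terraform error; running it against other principals (a role ARN works the same way) is how to find out who else can register the directory. Registration also creates or reuses the `workspaces_DefaultRole` service role in the account, so a principal that has never registered a directory before may additionally need the IAM permissions to create that role; check the WorkSpaces IAM documentation for the current list rather than widening the policy blindly.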
AppStream sealing issue with image joined to AD
I have built a new AppStream image that is joined to Active Directory. When I go to seal the image, I am using a standard domain user for the template and test user as part of the sealing process. Once I deploy the sealed image to the stack, it works fine if I log in with the same domain user to the pool. Any other user gets errors that the recycle bin is corrupted for each user data folder, and we can see the path is pointing to the original test user's data folders, which obviously another user doesn't have rights to access. It prompts you with a series of prompts for each folder and then prompts you for Windows credentials, but won't accept them. After clicking cancel the user ends up with a blank desktop. I was not able to find any documentation specifically for sealing images joined to AD, just what it says in the sealing wizard. I'll try to attach a screenshot. ![Sample Error message](https://repost.aws/media/postImages/original/IMcQIMkBa_SkOu9so6OTqP2w)
AWS Federated Identities
Hello All, Need your help with the use case below:

***Scenario 1***: I have on-prem AD which contains all the users and group memberships. I am using Okta for SSO and 2FA. I want AWS SSO to pull users from on-prem AD, and I want to use Okta for SSO. I DON'T want to enable SCIM provisioning from Okta to AWS.

***Scenario 2***: Is it really required to create/bring users into AWS SSO, or can we use a federated identity, meaning no physical account in AWS? An ephemeral account would be created at run time whenever a user tries to log in through Okta and removed when the session is over.

I have gone through this link: https://aws.amazon.com/identity/federation/ For scenario 1, it says either we can enable the AD option or we can use Okta as IdP. It doesn't tell both the options together. I may be wrong; I don't have an environment to test this. The link doesn't talk about Scenario 2 at all.