Questions tagged with AWS Directory Service
AWS Federated Identities
Hello All, I need your help with the use case below.

***Scenario 1***: I have on-prem AD which contains all the users and group memberships. I am using Okta for SSO & 2FA. I want AWS SSO to pull users from on-prem AD and I want to use Okta for SSO. I DON'T want to enable SCIM provisioning from Okta to AWS.

***2nd Scenario***: Is it really required to create/bring users into AWS SSO, or can we use a federated identity, which means no physical account in AWS? An ephemeral account would be created at run time whenever a user tries to log in through Okta and would be removed when the session is over.

I have gone through this link: https://aws.amazon.com/identity/federation/ For scenario 1, it says either we can enable the AD option or we can use Okta as the IdP. It doesn't mention both options together. I may be wrong; I don't have an environment to test this. The link doesn't talk about Scenario 2 at all.
Users in Workmail unable to use WorkDocs integration
Using the same AD, users were set up with WorkMail and WorkDocs access. However, the users are unable to save files received in WorkMail to their WorkDocs and are receiving a "Looks like you are not enabled in WorkDocs" error. The same users are marked as active and have been using WorkDocs already. There are no issues downloading attachments to their VMs / laptops. Ideally I would like them to have the ability to save files straight into WorkDocs.
Domain forwarding from naked domain not working
I'm using AWS Amplify to host my website. I'm not using Route 53 or any other AWS services. My website can be addressed by "https://www.heat-consulting.co.uk" but not "https://heat-consulting.co.uk". I have set up domain management as shown in the attached screenshot. How do I enable the website to be accessed by "https://heat-consulting.co.uk"? [Domain Management Settings Screenshot](https://repost.aws/media/postImages/original/IM3hyEgwryQNSnR4oCnXwAUw)
AWS Integration with On-Prem Active Directory
I am very new to AWS Cloud and my ask is:

* to use federation for all types of AWS access
* no local accounts will be created in AWS
* all accounts and permissions must be created and managed through on-prem Active Directory

Is there any document that explains the process and best practices to achieve this? I have a landing zone with multiple accounts; what are the best practices to create permission sets and accounts and map them to AD groups?
AWS Managed Active Directory - Disk error and restart capability
# Problem

We are getting the following error message in our Directory Service:

> The server disk could be full or corrupted or the maximum permissible size for the server registry has been reached
> The DNS server could not open a registry key. Reinstall the DNS server if it was not able to be started. If the DNS server started, but couldn't load a zone, reload the zone or restart the DNS server.

We followed the suggestions in [this doc](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_troubleshooting_low_storage_space.html) but found that our disk is not full.

Currently, storage configuration is not supported (https://aws.amazon.com/directoryservice/faqs/).

# Questions

- The error message suggests we restart the server, but this function seems to be out of our hands. Is there a way to do this in AWS Managed AD?
- Has a similar problem been brought up, and was there a solution?
Enable MFA on AWS Workspaces
How do I enable MFA on AWS WorkSpaces? I see a RADIUS server is required. Do we have any step-by-step process to set up a RADIUS server and enable MFA on WorkSpaces? Mostly, users commented that a RADIUS server won't work for MFA on AWS WorkSpaces, so do we have any RADIUS server on the AWS Marketplace that integrates with WorkSpaces and implements MFA? Or any working document that covers all the details? Thanks in advance, and I would highly appreciate it if someone could help with a verified document for MFA on AWS WorkSpaces.
How to Deploy and Manage AWS Workspaces via AWS Systems Manager/SMM?
Is there a way to deploy and manage AWS WorkSpaces through AWS SMM? We're trying to set up AWS Systems Manager to be a simplified "central hub" for managing AWS WorkSpaces without having to go through the AWS WorkSpaces console. So it has to be set up in a way that the admin can log in, go to AWS SMM, then deploy and manage AWS WorkSpaces from there in just a few clicks. We've reached out to AWS tech support (WorkSpaces and SMM), who offered the following solutions:

https://aws.amazon.com/blogs/publicsector/automating-deployment-amazon-workspaces-active-directory-group/
https://aws.amazon.com/blogs/desktop-and-application-streaming/manage-amazon-workspaces-lifecycle-automatically-with-users-in-active-directory/

But they require a lot of effort and also mastery of additional tools such as AWS Lambda, AWS SMM Maintenance Windows, Directory Service, and CloudFormation.
AWS Quicksight Access - via Amazon Active Directory AND IAM Roles
We are looking to expand services via AWS QuickSight; our use case would include Amazon subsidiary users who can be both inside the Amazon network and outside it. My question is: is it possible to set up new AWS accounts to allow BOTH Active Directory (for in-network users) and unique IAM roles (for subsidiary/off-network users)? If not, what are the options to allow this type of access, using SSO where possible?
DirectoryServicePortTest can't verify forest functional level
Hi, I just deployed an AD Connector in AWS and it connects to my on-prem domain controllers. As part of verifying connectivity per the AWS doc (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html#connect_verification), I remote into a VM on the subnet where the AD Connector has its ENI and test with DirectoryServicePortTest.exe. The ports are open fine, but it can't query the forest functional level. I am sure the DC/DNS I use to test is good and the SRV records are there. [my-domain] is the fully qualified domain name, and the forest functional level is 2012R2, which meets the requirement.

```
C:\>DirectoryServicePortTest.exe -d [my-domain] -ip [my-dns] -tcp "53,88,389" -dup "53,88,389"
Testing forest functional level.
The domain [my-domain] could not be found.
Testing TCP ports to [my-dns]:
Checking TCP port 53: PASSED
Checking TCP port 88: PASSED
Checking TCP port 389: PASSED
```

Any suggestions on what might be the issue? Thanks.
Cannot access the workspace using workspace client or RDP
Hi, I have a WorkSpace which the user cannot access anymore; they get the message 'Unable to connect' (with the AWS WorkSpaces client). We tried to RDP into the WorkSpace from another WorkSpace and got the following message:

> The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

I can RDP into other WorkSpaces. We have tried to restore the WorkSpace; that did not work. I have checked the AD account for the WorkSpace, and it is there. "Do not require Kerberos pre-authentication" is unticked on the user's AD account. The user has not changed their password. I wanted to migrate the WorkSpace and did a test migration on a working WorkSpace, and now I cannot access that one either; that is why migration is off the table, as the non-working WorkSpace has important data. Can someone advise what to do next? Thanks in advance.
Disabling password expiration
Hi everyone, I have different WorkSpaces set up in different locations, but the ones I have in one particular location seem to have password expiration set up for users, so I need to reset it for them every month. Does anyone know how it can be disabled? Is this tied to the directory? Thanks, Laura