Amazon WorkSpaces
Administration Guide (Version 1.0)

Managing an AD Connector Directory

When connecting Amazon WorkSpaces to your on-premises directory, you direct Amazon WorkSpaces to use your on-premises directory as a source of identities for users who will be using the WorkSpaces.

Update Connected Directory Information

You can use the Amazon WorkSpaces console to change the following settings for a connected directory:

Target Domain and Default Organizational Unit

The default organizational unit is the organizational unit that your WorkSpace machine accounts are placed in. If this is not set, your WorkSpaces machine accounts are placed in the Computers organizational unit of the directory that your AD Connector directory is connected to. You can either select an organizational unit from the connected directory, or specify an organizational unit in a separate target domain. If you require more than one organizational unit for your WorkSpaces machine accounts, you have to create a separate AD Connector directory for each organizational unit.

The target domain is the directory that your WorkSpace machine accounts are created in. This allows you to use separate user and resource directories for your WorkSpaces. If a target domain is not specified, your WorkSpace machine accounts are created in the directory that your AD Connector directory is connected to. The following are the requirements for the target domain:

  • The target domain must either be a child of the directory that your AD Connector directory is connected to, or, at a minimum, have a one-way trust with this directory.

  • The DNS servers for your AD Connector directory must be able to resolve the fully-qualified distinguished name of the target domain.

  • The same connectivity and firewall requirements that exist between your VPC and your on-premises directory must also exist between your VPC and the target domain. For more information, see Requirements.

  • The service account for your AD Connector directory must have the following privileges in the target domain:

    • Create computer objects

    • Join computers to the domain

To select an organizational unit

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory and choose Actions, Update Details.

  4. Expand the Target Domain and Organizational Unit section.

  5. Enter all or part of the desired organizational unit name and choose Search OU. Alternatively, you can search for all organizational units by choosing List all OU.

  6. Select the desired organizational unit and choose Update. The machine accounts for all WorkSpaces that are created or rebuilt after this setting is changed are placed in the selected organizational unit.

To specify a target domain and organizational unit

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory and choose Actions, Update Details.

  4. Expand the Target Domain and Organizational Unit section.

  5. Enter the full LDAP distinguished name for the target domain and organizational unit in the Selected OU field, for example OU=WorkSpaces_machines,DC=machines,DC=example,DC=com, and choose Update. The machine accounts for all WorkSpaces that are created or rebuilt after this setting is changed are created in the specified domain and organizational unit.
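As an added example (not code from the guide), a small check for the Selected OU value above against the target-domain requirements listed earlier: it parses the DN, derives the target domain from its DC components, and verifies that the domain is the connected directory's domain or a child of it (a trust relationship cannot be verified offline, so a non-child domain is reported as needing a one-way trust). The connected domain example.com and the simplified DN handling (backslash-escaped commas only) are assumptions.

```python
import re

# Constructed example: the domain your AD Connector directory is connected to
# (assumption, not from the guide).
CONNECTED_DOMAIN = "example.com"

# One RDN: attribute=value, surrounding whitespace ignored.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_dn(dn):
    """Split an LDAP DN into (ATTRIBUTE, value) pairs.
    Simplified: only backslash-escaped commas are handled."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).upper(), m.group(2).replace("\\,", ",")))
    return rdns


def domain_of(dn):
    """FQDN spelled by the DC components, left to right (empty if none)."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC").lower()


def check_target_ou(selected_ou, connected_domain=CONNECTED_DOMAIN):
    """Return a list of problems with a Selected OU value; [] means it has
    the required shape and its domain is the connected domain or a child."""
    try:
        rdns = parse_dn(selected_ou)
    except ValueError as e:
        return [str(e)]
    problems = []
    if rdns[0][0] != "OU":
        problems.append("leftmost RDN must be an OU (machine accounts are placed in an OU)")
    target = domain_of(selected_ou)
    connected = connected_domain.lower()
    if not target:
        problems.append("no DC components: target domain cannot be determined")
    elif target != connected and not target.endswith("." + connected):
        # Not a child domain: allowed only with at least a one-way trust,
        # which cannot be verified from the DN alone.
        problems.append(f"{target} is not a child of {connected}; requires a one-way trust")
    return problems
```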

Add Security Group

Amazon WorkSpaces creates a security group that is assigned to all WorkSpaces in the directory. You can optionally have an additional security group applied to your WorkSpaces when they are created or rebuilt by performing the following steps.

To add a security group

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory and choose Actions, Update Details.

  4. Expand the Security Group section.

  5. To create a new security group, choose Create New.

  6. Select the desired security group and choose Update. All WorkSpaces that are created or rebuilt after this setting is changed include the specified security group.

Internet Access

You can have Amazon WorkSpaces assign a public IP address to all WorkSpaces that are provisioned or rebuilt.

To enable public IP addresses

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory, then choose Actions and Update Details.

  4. Expand the Internet Access section.

  5. To have Amazon WorkSpaces assign a public IP address to every WorkSpace that is created or rebuilt, choose Enable. Otherwise, choose Disable. When you have completed your selection, choose Update.

This setting only applies to WorkSpaces that are provisioned or rebuilt after the setting is enabled. If you need to have a public IP address applied to an existing WorkSpace, you must either rebuild the WorkSpace, or manually assign an Elastic IP address to the WorkSpace. For more information about rebuilding a WorkSpace, see Rebuild a WorkSpace. For more information about assigning an Elastic IP address to an existing WorkSpace, see Assigning an Elastic IP Address to a WorkSpace.

Update WorkSpaces Connect Account

The WorkSpaces Connect account is the account that is used to read users and groups, and create Amazon WorkSpaces machine accounts in your directory. For more information about this account, see the Requirements section.

To update the WorkSpaces Connect account

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory and choose Actions, Update Details.

  4. Expand the Update WorkSpaces Connect Account section.

  5. Enter the new service account username and password and choose Update. The new account is used to access your on-premises directory.

Multi-factor Authentication

You can enable multi-factor authentication for your AD Connector directory by performing the following procedure. For more information about using multi-factor authentication with Amazon WorkSpaces, see Multi-factor Authentication Prerequisites.

To enable multi-factor authentication

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory and choose Actions, Update Details.

  4. Expand the Multi-Factor Authentication section.

  5. Enter the following values and choose Update or Update and Exit.

    Enable Multi-Factor Authentication

    Check to enable multi-factor authentication.

    RADIUS server IP address(es)

    The IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma (e.g., 192.0.0.0,192.0.0.12).

    Port

    The port that your RADIUS server is using for communications. Your on-premises network must allow inbound traffic over the default RADIUS server port (1812) from the AD Connector servers.

    Shared secret code

    The shared secret code that was specified when your RADIUS endpoints were created.

    Confirm shared secret code

    Confirm the shared secret code for your RADIUS endpoints.

    Protocol

    Select the protocol that was specified when your RADIUS endpoints were created.

    Server timeout

    The amount of time, in seconds, to wait for the RADIUS server to respond. This must be a value between 1 and 60.

    Max retries

    The number of times that communication with the RADIUS server is attempted. This must be a value between 0 and 10.

    Multi-factor authentication is available when the RADIUS Status changes to Enabled. During the time that the multi-factor authentication is being set up, your users will not be able to log in to their WorkSpaces.

Disconnecting a Directory

Before you can disconnect from your directory, you must first remove all WorkSpaces from the directory. For more information about removing WorkSpaces, see Remove a WorkSpace.

To disconnect from your directory

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select the directory to disconnect and choose Directory Actions, Deregister.

  4. Verify the information in the Deregister Directory dialog box, and choose Deregister.

  5. Select the directory to disconnect and choose Actions, Delete.

  6. Verify the information in the Delete Directory dialog box, and choose Delete.