Before You Begin Using Active Directory with AppStream 2.0 - Amazon AppStream 2.0

Before You Begin Using Active Directory with AppStream 2.0

Before you use Microsoft Active Directory domains with AppStream 2.0, be aware of the following requirements and considerations.

Active Directory Domain Environment

Domain-Joined AppStream 2.0 Streaming Instances

SAML 2.0-based user federation is required for application streaming from domain-joined fleets. You cannot launch sessions to domain-joined instances by using CreateStreamingURL or the AppStream 2.0 user pool.

Also, you must use an image that supports joining image builders and fleets to an Active Directory domain. All public images published on or after July 24, 2017 support joining an Active Directory domain. For more information, see AppStream 2.0 Base Image and Managed Image Update Release Notes and Tutorial: Setting Up Active Directory.

Group Policy Settings

Verify your configuration for the following Group Policy settings. If required, update the settings as described in this section so that they don't block AppStream 2.0 from authenticating and logging in your domain users. Otherwise, when your users try to log in to AppStream 2.0 the login may not succeed. Instead, a message displays, notifying users that "An unknown error occurred."

  • Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options > Disable or Enable software Secure Attention Sequence — Set this to Enabled for Services.

  • Computer Configuration > Administrative Templates > System > Logon > Exclude credential providers — Ensure that the following CLSID is not listed: e7c1bab5-4b49-4e64-a966-8d99686f8c7c

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message text for users attempting to log on — Set this to Not defined.

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message title for users attempting to log on — Set this to Not defined.

Smart Card Authentication

AppStream 2.0 supports the use of Active Directory domain passwords or smart cards such as Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards for Windows sign in to AppStream 2.0 streaming instances. For information about how to configure your Active Directory environment to enable smart card sign in by using third-party certification authorities (CAs), see Guidelines for enabling smart card logon with third-party certification authorities in the Microsoft documentation.

Note

AppStream 2.0 also supports the use of smart cards for in-session authentication, after a user signs in to a streaming instance. This feature is supported only for users who have AppStream 2.0 client for Windows version [TBD] or later installed. For information about additional requirements, see Smart Cards.