Prerequisites - Amazon AppStream 2.0


Complete the following steps before you use certificate-based authentication.

  1. Set up a domain-joined fleet and configure SAML 2.0. Ensure that you use the userPrincipalName format for the SAML_Subject NameID. For more information, see Step 5: Create Assertions for the SAML Authentication Response.


    Don't enable Smart card sign in for Active Directory in your stack if you want to use certificate-based authentication. For more information, see Smart Cards.

  2. Use AppStream 2.0 agent version 10-13-2022 or later with your image. For more information, see Keep Your AppStream 2.0 Image Up-to-Date.

  3. (Optional) Configure the ObjectSid attribute in your SAML assertion. You can use this attribute to perform strong mapping with the Active Directory user. Certificate-based authentication fails if the ObjectSid attribute doesn't match the Active Directory security identifier (SID) for the user specified in the SAML_Subject NameID. For more information, see Step 5: Create Assertions for the SAML Authentication Response.

  4. Add the sts:TagSession permission to the IAM role trust policy that you use with your SAML 2.0 configuration. For more information, see Passing session tags in AWS STS. This permission is required to use certificate-based authentication. For more information, see Step 2: Create a SAML 2.0 Federation IAM Role.

  5. Create a private certificate authority (CA) using AWS Private CA, if you don't have one configured with your Active Directory. AWS Private CA is required to use certificate-based authentication. For more information, see Planning your AWS Private CA deployment. The following AWS Private CA settings are common for many certificate-based authentication use cases:

    • CA type options

      • Short-lived certificate CA usage mode – Recommended if the CA only issues end user certificates for certificate-based authentication.

      • Single level hierarchy with a Root CA – Choose a subordinate CA to integrate it with an existing CA hierarchy.

    • Key algorithm options – RSA 2048

    • Subject distinguished name options – Use the most appropriate options to identify this CA in your Active Directory Trusted Root Certification Authorities store.

    • Certificate revocation options – CRL distribution


      Certificate-based authentication requires an online CRL distribution point accessible from both the AppStream 2.0 fleet instance and the domain controller. This requires unauthenticated access to the Amazon S3 bucket configured for AWS Private CA CRL entries, or a CloudFront distribution with access to the Amazon S3 bucket if it blocks public access. For more information about these options, see Planning a certificate revocation list (CRL).

  6. Tag your private CA with a key entitled euc-private-ca to designate the CA for use with AppStream 2.0 certificate-based authentication. This key doesn't require a value. For more information, see Managing tags for your private CA. For more information about the AWS managed policies used with AppStream 2.0 to grant permissions to resources in your AWS account, see AWS Managed Policies Required to Access AppStream 2.0 Resources.

  7. Certificate-based authentication uses virtual smart cards to log on. For more information, see Guidelines for enabling smart card logon with third-party certification authorities. Follow these steps:

    1. Configure domain controllers with a domain controller certificate to authenticate smart card users. If you have an Active Directory Certificate Services enterprise CA configured in your Active Directory, it automatically enrolls domain controllers with certificates that enable smart card logon. If you don't have Active Directory Certificate Services, see Requirements for domain controller certificates from a third-party CA. You can create a domain controller certificate with AWS Private CA. If you do this, don't use a private CA configured for short-lived certificates.


      If you use AWS Managed Microsoft AD, you can configure Certificate Services on an Amazon EC2 instance that satisfies the requirement for domain controller certificates. See Deploy Active Directory to a new Amazon Virtual Private Cloud for example deployments of AWS Managed Microsoft AD configured with Active Directory Certificate Services.

      With AWS Managed Microsoft AD and Active Directory Certificate Services, you must also create outbound rules from the controller's VPC security group to the Amazon EC2 instance running Certificate Services. You must provide the security group access to TCP port 135, and ports 49152 through 65535 to enable certificate auto-enrollment. The Amazon EC2 instance must also allow inbound access on these same ports from domain instances, including domain controllers. For more information on locating the security group for AWS Managed Microsoft AD, see Configure your VPC subnets and security groups.

    2. On the AWS Private CA console, or with the SDK or CLI, export the private CA certificate. For more information, see Exporting a private certificate.

    3. Publish the private CA to Active Directory. Log on to a domain controller or a domain-joined machine. Copy the private CA certificate to any <path>\<file> and run the following commands as a domain administrator. You can also use Group Policy and the Microsoft PKI Health Tool (PKIView) to publish the CA. For more information, see Configuration instructions.

      certutil -dspublish -f <path>\<file> RootCA
      certutil -dspublish -f <path>\<file> NTAuthCA

      Make sure that the commands complete successfully, then remove the private CA certificate file. Depending on your Active Directory replication settings, it can take several minutes for the CA to publish to your domain controllers and AppStream 2.0 fleet instances.


      Active Directory must distribute the CA to the Trusted Root Certification Authorities and Enterprise NTAuth stores automatically for AppStream 2.0 fleet instances when they join the domain.


      Active Directory domain controllers must be in Compatibility mode for certificate strong enforcement to support certificate-based authentication. For more information, see KB5014754—Certificate-based authentication changes on Windows domain controllers in the Microsoft Support documentation. If you are using AWS Managed Microsoft AD, see Configure directory security settings for more information.