Use Case 1: Sign in to AWS applications and services with AD credentials

You can enable multiple AWS applications and services such as AWS Client VPN, AWS Management Console, AWS IAM Identity Center (successor to AWS Single Sign-On), Amazon Chime, Amazon Connect, Amazon FSx, Amazon QuickSight, Amazon RDS for SQL Server, Amazon WorkDocs, Amazon WorkMail, and WorkSpaces to use your AWS Managed Microsoft AD directory. When you enable an AWS application or service in your directory, your users can access the application or service with their AD credentials.

For example, you can enable your users to sign in to the AWS Management Console with their AD credentials. To do this, you enable the AWS Management Console as an application in your directory, and then assign your AD users and groups to IAM roles. When your users sign in to the AWS Management Console, they assume an IAM role to manage AWS resources. This makes it easy for you to grant your users access to the AWS Management Console without needing to configure and manage a separate SAML infrastructure.

To further enhance the end user experience you can enable Single sign-on capabilities for Amazon WorkDocs, which provides your users the ability to access Amazon WorkDocs from a computer joined to the directory without having to enter their credentials separately.

You can grant access to user accounts in your directory or in your on-premises AD, so they can sign in to the AWS Management Console or through the AWS CLI using their existing credentials and permissions to manage AWS resources by assigning IAM roles directly to the existing user accounts.

FSx for Windows File Server integration with AWS Managed Microsoft AD

Integrating FSx for Windows File Server with AWS Managed Microsoft AD provides a fully managed native Microsoft Windows based Server Message Block (SMB) protocol file system that allows you to easily move your Windows-based applications and clients (that utilize shared file storage) to AWS. Although FSx for Windows File Server can be integrated with a self-managed Microsoft Active Directory, we do not discuss that scenario here.

Common Amazon FSx use cases and resources

This section provides a reference to resources on common FSx for Windows File Server integrations with AWS Managed Microsoft AD use cases. Each of the use cases in this section start with a basic AWS Managed Microsoft AD and FSx for Windows File Server configuration. For more information about how to create these configurations, see:

• Getting started with AWS Managed Microsoft AD

• Getting started with Amazon FSx

FSx for Windows File Server as persistent storage on Windows containers

Amazon Elastic Container Service (ECS) supports Windows containers on container instances that are launched with the Amazon ECS-optimized Windows AMI. Windows container instances use their own version of the Amazon ECS container agent. On the Amazon ECS-optimized Windows AMI, the Amazon ECS container agent runs as a service on the host.

Amazon ECS supports Active Directory authentication for Windows containers through a special kind of service account called a group Managed Service Account (gMSA). Because Windows containers cannot be domain-joined, you must configure a Windows container to run with gMSA.

Related Items

• Using FSx for Windows File Server as persistent storage on Windows Containers

• Group Managed Service Accounts

Amazon AppStream 2.0 support

Amazon AppStream 2.0 is a fully managed application streaming service. It provides a range of solutions for users to save and access data through their applications. Amazon FSx with AppStream 2.0 provides a personal persistent storage drive using Amazon FSx and can be configured to provide a shared folder to access common files.

Related Items

• Walkthrough 4: Using Amazon FSx with Amazon AppStream 2.0

• Using Amazon FSx with Amazon AppStream 2.0

• Using Active Directory with AppStream 2.0

Microsoft SQL Server support

FSx for Windows File Server can be used as a storage option for Microsoft SQL Server 2012 (starting with 2012 version 11.x) and newer system databases (including Master, Model, MSDB, and TempDB), and for Database Engine user databases.

Related Items

• Install SQL Server with SMB fileshare storage

• Simplify your Microsoft SQL Server high availability deployments using FSx for Windows File Server

• Group Managed Service Accounts

Home folders and roaming user profile support

FSx for Windows File Server can be used to store data from Active Directory user home folders and My Documents in a central location. FSx for Windows File Server can also be used to store data from Roaming User Profiles.

Related items

• Windows home directories made easy with Amazon FSx

• Deploying roaming user profiles

• Using FSx for Windows File Server with WorkSpaces

Networked file share support

Networked file shares on an FSx for Windows File Server provide a managed and scalable file sharing solution. One use case is mapped drives for clients that can be created manually or via Group Policy.

Related items

• Walkthrough 6: Scaling out performance with Shards

• Drive mapping

• Using FSx for Windows File Server with WorkSpaces

Group policy software installation support

Because the size and performance of the SYSVOL folder is limited, you should as a best practice, avoid storing data such as software installation files in that folder. As a possible solution to this, FSx for Windows File Server can be configured to store all software files that are installed using Group Policy.

Related items

• How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003

Windows Server Backup target support

FSx for Windows File Server can be configured as a target drive in Windows Server Backup using the UNC file share. In this case, you would specify the UNC path to your FSx for Windows File Server instead of to the attached EBS volume.

Related Items

• Perform a system state recovery of your server

Amazon FSx also supports AWS Managed Microsoft AD Directory Sharing. For more information, see:

• Share your directory

• Using Amazon FSx with AWS Managed Microsoft AD in a different VPC or account

Amazon RDS integration with AWS Managed Microsoft AD

Amazon RDS supports external authentication of database users using Kerberos with Microsoft Active Directory. Kerberos is a network authentication protocol that uses tickets and symmetric-key cryptography to eliminate the need to transmit passwords over the network. Amazon RDS support for Kerberos and Active Directory provides the benefits of single sign-on and centralized authentication of database users so you can keep your user credentials in Active Directory.

To get started with this use case you'll first need to set up a basic AWS Managed Microsoft AD and Amazon RDS configuration.

• Getting started with AWS Managed Microsoft AD

• Getting started with Amazon RDS

All of the use cases referenced below will start with a base AWS Managed Microsoft AD and Amazon RDS and cover how to integrate Amazon RDS with AWS Managed Microsoft AD .

• Using Windows authentication with an Amazon RDS for SQL Server DB instance

• Using Kerberos authentication for MySQL

• Using Kerberos authentication with Amazon RDS for Oracle

• Using Kerberos authentication with Amazon RDS for PostgreSQL

Amazon RDS also supports AWS Managed Microsoft AD Directory Sharing. For more information, see:

• Share your directory

• Joining your Amazon RDS DB instances across accounts to a single shared domain

.NET application using Amazon RDS for SQL Server with group Managed Service Accounts

You can integrate Amazon RDS for SQL Server with a basic .NET application and group Managed Service Accounts (gMSAs). For more information, see How AWS Managed Microsoft AD Helps to Simplify the Deployment and Improve the Security of Active Directory–Integrated .NET Applications