Enable Certificate-based Authentication
Complete the following steps to enable certificate-based authentication.
To enable certificate-based authentication
1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.
2. Choose Directories in the navigation pane.
3. Choose the Pools directories tab.
4. Choose the directory you want to configure.
5. Choose Edit in the Authentication section of the page.
6. Choose Edit Certificate-Based Authentication in the Certificate-Based Authentication section of the page.
7. Choose Enable Certificate-Based Authentication.
8. Choose the certificate in the AWS Certificate Manager (ACM) Private Certificate Authority (CA) drop-down. For a private CA to appear in the drop-down, it must be stored in the same AWS account and AWS Region as the directory, and it must be tagged with a key named euc-private-ca.
9. Configure directory login fallback. With fallback enabled, users can log in with their AD domain password if certificate-based authentication is unsuccessful. This is recommended only where users know their domain passwords. When fallback is turned off, the session can disconnect the user if a lock screen or Windows log off occurs; when fallback is turned on, the session instead prompts the user for their AD domain password.
10. Choose Save.
Certificate-based authentication is now enabled. When users authenticate with SAML 2.0 to a WorkSpaces Pools directory using domain-joined WorkSpaces, they no longer receive a prompt for the domain password. Users see a Connecting with certificate-based authentication message when connecting to a session that has certificate-based authentication enabled.
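The most common reason a private CA does not show up in the drop-down in step 8 is that one of the three conditions stated there is not met: different Region, different account, or missing euc-private-ca tag. The following POSIX shell pre-flight check is an added example, not part of the AWS documentation: it parses the CA ARN for its Region and account, compares them with the values the directory uses, and looks for the required tag key in the JSON that `aws acm-pca list-tags` returns. The ARN, account ID and tag JSON below are constructed placeholders, not real resources.

```shell
#!/bin/sh
# Pre-flight check for step 8 (added example, not from the AWS documentation):
# a private CA is selectable only if it is in the same account and Region as the
# WorkSpaces Pools directory and carries a tag whose key is euc-private-ca.

REQUIRED_TAG_KEY="euc-private-ca"

# arn_field ARN N: print the Nth colon-separated field of an ARN (1-based).
# For an ACM PCA ARN, field 4 is the Region and field 5 is the account ID.
arn_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# ca_in_scope CA_ARN EXPECTED_REGION EXPECTED_ACCOUNT
# Succeeds when the CA's Region and account match the directory's.
ca_in_scope() {
    ca_arn=$1
    [ "$(arn_field "$ca_arn" 4)" = "$2" ] && [ "$(arn_field "$ca_arn" 5)" = "$3" ]
}

# has_required_tag TAGS_JSON
# Succeeds when list-tags output contains a tag with Key "euc-private-ca".
# Whitespace is stripped first so the match does not depend on JSON formatting.
has_required_tag() {
    printf '%s' "$1" | tr -d ' \n\t' | grep -q "\"Key\":\"$REQUIRED_TAG_KEY\""
}

# ca_ready CA_ARN REGION ACCOUNT TAGS_JSON: combined check, succeeds when the CA
# satisfies all three conditions and should therefore appear in the drop-down.
ca_ready() {
    ca_in_scope "$1" "$2" "$3" && has_required_tag "$4"
}

# Constructed sample inputs (placeholders, not real resources). In a real run,
# TAGS_JSON is the output of:
#   aws acm-pca list-tags --certificate-authority-arn "$CA_ARN"
SAMPLE_CA_ARN="arn:aws:acm-pca:us-west-2:111122223333:certificate-authority/00000000-0000-0000-0000-000000000000"
SAMPLE_TAGS='{"Tags": [{"Key": "euc-private-ca", "Value": "workspaces"}]}'

if ca_ready "$SAMPLE_CA_ARN" "us-west-2" "111122223333" "$SAMPLE_TAGS"; then
    echo "CA should appear in the drop-down"
else
    echo "CA will not appear: check Region, account, and the euc-private-ca tag" >&2
fi
```

If the tag is the missing piece, it can be added with `aws acm-pca tag-certificate-authority --certificate-authority-arn "$CA_ARN" --tags Key=euc-private-ca,Value=<any value>`; this page specifies only the key name, not a required value.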