Set up AWS Private CA Connector for AD for AD Connector
You can integrate your self-managed Active Directory (AD) with AWS Private Certificate Authority (CA) with AD Connector to issue and manage certificates for your AD domain joined users, groups and machines. AWS Private CA Connector for AD allows you to use a fully managed AWS Private CA drop-in replacement for your self-managed enterprise CAs without the need to deploy, patch, or update local agents or proxy servers.
You can set up AWS Private CA integration with your directory through the Directory Service console, the AWS Private CA Connector for AD console, or by calling the CreateTemplate API. To set up the Private CA integration through the AWS Private CA Connector for Active Directory console, see AWS Private CA Connector for Active Directory. See below for steps on how to set up this integration from the AWS Directory Service console.
Prerequisites
When you use AD Connector, you need to delegate additional permissions to the service account. Set the access-control list (ACL) on your service account to give the account the ability to do the following.
- Add and remove a Service Principal Name (SPN) to itself.
- Create and update certification authorities in the following containers:
  CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration
  CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration
  CN=Public Key Services,CN=Services,CN=Configuration
- Create and update an NTAuthCertificates Certification Authority object like the following example. If the NTAuthCertificates Certification Authority object exists, you must delegate permissions for it. If the object does not exist, you must delegate the ability to create child objects on the Public Key Services container.
  CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration
Note
If you’re using AWS Managed Microsoft AD, the additional permissions will be delegated automatically when you authorize the AWS Private CA Connector for AD service with your directory.
You can use the following PowerShell script to delegate the additional permissions and create the NTAuthCertificates certification authority object. Replace myconnectoraccount with the service account name.
$AccountName = 'myconnectoraccount'
# DO NOT modify anything below this comment.
# Getting Active Directory information.
Import-Module -Name 'ActiveDirectory'
$RootDSE = Get-ADRootDSE
# Getting AD Connector service account information.
$AccountProperties = Get-ADUser -Identity $AccountName
$AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $AccountProperties.SID.Value
[System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -Filter { lDAPDisplayName -eq 'servicePrincipalName' } -Properties 'schemaIDGUID').schemaIDGUID
$AccountAclPath = $AccountProperties.DistinguishedName
# Getting ACL settings for AD Connector service account.
$AccountAcl = Get-ACL -Path "AD:\$AccountAclPath"
# Setting ACL allowing the AD Connector service account the ability to add and remove a Service Principal Name (SPN) to itself.
$AccountAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'WriteProperty', 'Allow', $ServicePrincipalNameGuid, 'None'
$AccountAcl.AddAccessRule($AccountAccessRule)
Set-ACL -AclObject $AccountAcl -Path "AD:\$AccountAclPath"
# Add ACLs allowing the AD Connector service account the ability to create certification authorities.
[System.GUID]$CertificationAuthorityGuid = (Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -Filter { lDAPDisplayName -eq 'certificationAuthority' } -Properties 'schemaIDGUID').schemaIDGUID
$CAAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty,CreateChild,DeleteChild', 'Allow', $CertificationAuthorityGuid, 'None'
$PKSDN = "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$PKSACL = Get-ACL -Path "AD:\$PKSDN"
$PKSACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $PKSACL -Path "AD:\$PKSDN"
$AIADN = "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$AIAACL = Get-ACL -Path "AD:\$AIADN"
$AIAACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $AIAACL -Path "AD:\$AIADN"
$CertificationAuthoritiesDN = "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$CertificationAuthoritiesACL = Get-ACL -Path "AD:\$CertificationAuthoritiesDN"
$CertificationAuthoritiesACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $CertificationAuthoritiesACL -Path "AD:\$CertificationAuthoritiesDN"
# Create the NTAuthCertificates object if it does not exist yet, then grant read/write on it.
$NTAuthCertificatesDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
If (-Not (Test-Path -Path "AD:\$NTAuthCertificatesDN")) {
    New-ADObject -Name 'NTAuthCertificates' -Type 'certificationAuthority' -OtherAttributes @{certificateRevocationList=[byte[]]'00';authorityRevocationList=[byte[]]'00';cACertificate=[byte[]]'00'} -Path "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
}
$NTAuthCertificatesACL = Get-ACL -Path "AD:\$NTAuthCertificatesDN"
$NullGuid = [System.GUID]'00000000-0000-0000-0000-000000000000'
$NTAuthAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty', 'Allow', $NullGuid, 'None'
$NTAuthCertificatesACL.AddAccessRule($NTAuthAccessRule)
Set-ACL -AclObject $NTAuthCertificatesACL -Path "AD:\$NTAuthCertificatesDN"
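The following read-only script is an added example, not part of the AWS documentation: it verifies that the service account actually holds each delegated right listed in the prerequisites (SPN self-write, certification-authority rights on the three containers, and read/write on NTAuthCertificates or CreateChild on its parent when the object is absent). It assumes the RSAT ActiveDirectory module; `myconnectoraccount` and the `Test-DelegatedRight` function are placeholders introduced here.

```powershell
# Added verification script; not part of the AWS documentation. Requires the RSAT ActiveDirectory module.
$AccountName = 'myconnectoraccount'   # placeholder: the AD Connector service account

Import-Module -Name 'ActiveDirectory'
$RootDSE    = Get-ADRootDSE
$Account    = Get-ADUser -Identity $AccountName
$AccountSid = [System.Security.Principal.SecurityIdentifier]$Account.SID.Value
$PKS        = "CN=Public Key Services,CN=Services,$($RootDSE.configurationNamingContext)"
# Schema GUIDs that scope the ACEs: the servicePrincipalName attribute and the certificationAuthority class.
$SpnGuid = [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID).schemaIDGUID
$CaGuid  = [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=certificationAuthority)' -Properties schemaIDGUID).schemaIDGUID

# $true when the Allow ACEs for the account on $Path, combined, grant every right in $Rights.
# Only ACEs scoped to $ObjectType, or to all objects (empty GUID), are counted.
function Test-DelegatedRight {
    param(
        [string]$Path,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty
    )
    $acl     = Get-Acl -Path "AD:\$Path"
    $rules   = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $granted = [System.DirectoryServices.ActiveDirectoryRights]0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $AccountSid.Value) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.ObjectType -ne [guid]::Empty -and $rule.ObjectType -ne $ObjectType) { continue }
        $granted = $granted -bor $rule.ActiveDirectoryRights
    }
    return (($granted -band $Rights) -eq $Rights)
}

$CaRights = 'ReadProperty,WriteProperty,CreateChild,DeleteChild'
$Checks = [ordered]@{
    'WriteProperty on servicePrincipalName (self)' = Test-DelegatedRight $Account.DistinguishedName 'WriteProperty' $SpnGuid
    'CA rights on Public Key Services'             = Test-DelegatedRight $PKS $CaRights $CaGuid
    'CA rights on AIA'                             = Test-DelegatedRight "CN=AIA,$PKS" $CaRights $CaGuid
    'CA rights on Certification Authorities'       = Test-DelegatedRight "CN=Certification Authorities,$PKS" $CaRights $CaGuid
}
$NTAuthDN = "CN=NTAuthCertificates,$PKS"
if (Test-Path -Path "AD:\$NTAuthDN") {
    $Checks['Read/Write on NTAuthCertificates'] = Test-DelegatedRight $NTAuthDN 'ReadProperty,WriteProperty'
} else {
    $Checks['NTAuthCertificates absent; CreateChild on Public Key Services'] = Test-DelegatedRight $PKS 'CreateChild' $CaGuid
}
foreach ($c in $Checks.GetEnumerator()) {
    '{0,-8} {1}' -f ($(if ($c.Value) { 'OK' } else { 'MISSING' }), $c.Key)
}
```

Rights granted through group membership of the service account are not counted, since the script compares ACE identities against the account SID only.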
Setting up AWS Private CA Connector for AD
- Sign in to the AWS Management Console and open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/. On the Directories page, choose your directory ID.
- Under the Network & Security tab, under AWS Private CA Connector for AD, choose Set up AWS Private CA Connector for AD. The page Create Private CA certificate for Active Directory appears. Follow the steps on the console to create your Private CA for Active Directory connector to enroll with your Private CA. For more information, see Creating a connector.
After you create your connector, the following steps walk you through how to view the details of the AWS Private CA Connector for AD, including the connector's status and the associated Private CA's status.
Viewing AWS Private CA Connector for AD
- Sign in to the AWS Management Console and open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/. On the Directories page, choose your directory ID.
- Under Network & Security, under AWS Private CA Connector for AD, you can view your Private CA connectors and associated Private CA. By default, you see the following fields:
AWS Private CA Connector ID — The unique identifier for an AWS Private CA connector. Clicking on it leads to the details page of that AWS Private CA connector.
AWS Private CA subject — Information about the distinguished name for the CA. Clicking on it leads to the details page of that AWS Private CA.
Status — Based on a status check for the AWS Private CA Connector and the AWS Private CA. If both checks pass, Active displays. If one of the checks fails, 1/2 checks failed displays. If both checks fail, Failed displays. For more information about a failed status, hover over the hyperlink to learn which check failed. Follow the instructions in the console to remediate.
Date created — The day the AWS Private CA Connector was created.
For more information, see View connector details.
Confirming AWS Private CA issued a certificate
You can complete the following steps to confirm that AWS Private CA is issuing certificates to your self-managed Active Directory.
- Restart your on-premises domain controllers.
- View your certificates with Microsoft Management Console. For more information, see Microsoft documentation.
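As an added example (not from the AWS documentation), the same confirmation can be done from PowerShell on a domain-joined machine: list the machine certificates whose issuer is the Private CA, report whether each is currently valid, and show the enrollment template recorded in the certificate. `My Private CA` is a placeholder for part of your Private CA's subject name.

```powershell
# Added check; not part of the AWS documentation. Run on a domain-joined machine after the restart.
$IssuerMatch = 'My Private CA'            # placeholder: part of the AWS Private CA subject name
$TemplateOid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension
$Now = Get-Date

# Machine certificates live in Cert:\LocalMachine\My; use Cert:\CurrentUser\My for user enrollment.
$Issued = @(Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        # Decode the template extension, if present, into its readable form.
        $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Valid      = ($_.NotBefore -le $Now -and $_.NotAfter -gt $Now)
            Template   = $(if ($tpl) { $tpl } else { '(no template extension)' })
        }
    })

if ($Issued.Count -eq 0) {
    Write-Warning "No certificates issued by '*$IssuerMatch*' found; check the connector status and its templates."
} else {
    $Issued | Format-Table -AutoSize
}
```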