Setting up Connector for AD - AWS Private Certificate Authority

Setting up Connector for AD

The steps in this section are prerequisites for using Connector for AD. They assume that you have already created an AWS account. After you complete the steps on this page, you can begin creating a Connector for AD.

Step 1: Create a private CA using AWS Private CA

Set up an AWS Private CA to issue certificates to your directory objects. For more information, see Certificate authorities in AWS Private CA.

The AWS Private CA must be in the Active state before you can create a Connector for AD. The subject name of the private CA must include a common name. If you try to create a connector using a private CA without a common name, connector creation fails.
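Before creating the connector, a preflight check for the two conditions above (CA status Active, subject with a common name), as an added example that is not part of this AWS page: it inspects the shape of an acm-pca DescribeCertificateAuthority response. The sample responses, account ID and CA IDs are constructed, and the live helper assumes boto3 and AWS credentials are available.

```python
from __future__ import annotations
from typing import Any

def connector_ca_problems(ca: dict[str, Any]) -> list[str]:
    """Return why this CA cannot back a Connector for AD; an empty list means it qualifies.

    `ca` has the shape of the CertificateAuthority element returned by
    acm-pca DescribeCertificateAuthority (status plus the subject it was created with).
    """
    problems: list[str] = []
    status = ca.get("Status")
    if status != "ACTIVE":
        problems.append(f"status is {status!r}; Connector for AD requires ACTIVE")
    subject = ca.get("CertificateAuthorityConfiguration", {}).get("Subject", {})
    if not subject.get("CommonName"):
        problems.append("subject has no CommonName; connector creation will fail")
    return problems

# Constructed sample responses (not captured from a real account).
GOOD_CA = {
    "Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-CA-ID",
    "Status": "ACTIVE",
    "CertificateAuthorityConfiguration": {
        "KeyAlgorithm": "RSA_2048", "SigningAlgorithm": "SHA256WITHRSA",
        "Subject": {"CommonName": "Example Corp Issuing CA", "Organization": "Example Corp"},
    },
}
BAD_CA = {
    "Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-CA-ID-2",
    "Status": "PENDING_CERTIFICATE",  # not yet ACTIVE
    "CertificateAuthorityConfiguration": {
        "KeyAlgorithm": "RSA_2048", "SigningAlgorithm": "SHA256WITHRSA",
        "Subject": {"Organization": "Example Corp"},  # no CommonName
    },
}

def check_live_ca(ca_arn: str) -> list[str]:
    """Run the same check against a real CA (assumes boto3 and AWS credentials)."""
    import boto3  # imported here so the module stays importable offline
    resp = boto3.client("acm-pca").describe_certificate_authority(CertificateAuthorityArn=ca_arn)
    return connector_ca_problems(resp["CertificateAuthority"])

if __name__ == "__main__":
    for name, ca in (("GOOD_CA", GOOD_CA), ("BAD_CA", BAD_CA)):
        print(name, connector_ca_problems(ca) or "OK for Connector for AD")
```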

Step 2: Set up Active Directory

Important

You can only use the Active Directory connector with the root domain of an Active Directory.

In addition to the private CA, you need an Active Directory in a virtual private cloud (VPC). Connector for AD supports the following directory types provided by AWS Directory Service:

  • AWS Managed Microsoft Active Directory: With AWS Directory Service, you can run Microsoft Active Directory (AD) as a managed service. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is powered by Windows Server 2019. With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications.

  • Active Directory Connector: AD Connector is a directory gateway that redirects directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector supports connecting to domains hosted on Amazon EC2.

Note

Registering a domain controller in AWS Managed Microsoft AD is not supported when using Connector for AD.

Step 3 (Active Directory Connector only): Delegate permissions to the service account

When you use the Directory Service AD Connector, you need to delegate additional permissions to the service account. Set access control lists (ACLs) on the service account that allow the following:

  • Add and remove a Service Principal Name (SPN) on itself

  • Create and update certification authorities in the following containers:

    #containers
    CN=Public Key Services,CN=Services,CN=Configuration
    CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration
    CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration

  • Create and update the NTAuthCertificates certification authority (CA) object. Note: If the NTAuthCertificates CA object exists, you must delegate permissions on it. If the object does not exist, you must delegate permission to create child objects on the Public Key Services container.

    #objects
    CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration

Note

If you are using AWS Managed Microsoft AD, the additional permissions are delegated automatically when you authorize the Connector for AD service with your directory. You can skip this prerequisite step.

You can use the following PowerShell script to delegate the additional permissions. It creates the NTAuthCertificates certification authority object if it does not already exist. Replace 'myconnectoraccount' with the name of your service account.

$AccountName = 'myconnectoraccount'

# DO NOT modify anything below this comment.
# Getting Active Directory information.
Import-Module -Name 'ActiveDirectory'
$currentDomain = Get-ADDomain
$RootDSE = Get-ADRootDSE

# Check if the current domain is the root domain
if ($currentDomain.DistinguishedName -eq $RootDSE.rootDomainNamingContext) {
    Write-Output "This is a root domain that supports PCA connector configuration."
} else {
    # Write-Warning accepts a single message, so the root domain DN is interpolated into it.
    Write-Warning "This is a child domain. You must set up the PCA connector with the root domain: $($RootDSE.rootDomainNamingContext)"
}

# Getting AD Connector service account information
$AccountProperties = Get-ADUser -Identity $AccountName
$AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $AccountProperties.SID.Value
[System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -Filter { lDAPDisplayName -eq 'servicePrincipalName' } -Properties 'schemaIDGUID').schemaIDGUID
$AccountAclPath = $AccountProperties.DistinguishedName

# Getting ACL settings for AD Connector service account.
$AccountAcl = Get-ACL -Path "AD:\$AccountAclPath"

# Setting ACL allowing the AD Connector service account the ability to add and remove a Service Principal Name (SPN) to itself
$AccountAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'WriteProperty', 'Allow', $ServicePrincipalNameGuid, 'None'
$AccountAcl.AddAccessRule($AccountAccessRule)
Set-ACL -AclObject $AccountAcl -Path "AD:\$AccountAclPath"

# Add ACLs allowing AD Connector service account the ability to create certification authorities
[System.GUID]$CertificationAuthorityGuid = (Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -Filter { lDAPDisplayName -eq 'certificationAuthority' } -Properties 'schemaIDGUID').schemaIDGUID
$CAAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty,CreateChild,DeleteChild', 'Allow', $CertificationAuthorityGuid, 'None'

$PKSDN = "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$PKSACL = Get-ACL -Path "AD:\$PKSDN"
$PKSACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $PKSACL -Path "AD:\$PKSDN"

$AIADN = "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$AIAACL = Get-ACL -Path "AD:\$AIADN"
$AIAACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $AIAACL -Path "AD:\$AIADN"

$CertificationAuthoritiesDN = "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
$CertificationAuthoritiesACL = Get-ACL -Path "AD:\$CertificationAuthoritiesDN"
$CertificationAuthoritiesACL.AddAccessRule($CAAccessRule)
Set-ACL -AclObject $CertificationAuthoritiesACL -Path "AD:\$CertificationAuthoritiesDN"

# Create the NTAuthCertificates object if it is missing, then grant the service account read/write on it
$NTAuthCertificatesDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
If (-Not (Test-Path -Path "AD:\$NTAuthCertificatesDN")) {
    New-ADObject -Name 'NTAuthCertificates' -Type 'certificationAuthority' -OtherAttributes @{certificateRevocationList=[byte[]]'00';authorityRevocationList=[byte[]]'00';cACertificate=[byte[]]'00'} -Path "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)"
}
$NTAuthCertificatesACL = Get-ACL -Path "AD:\$NTAuthCertificatesDN"
$NullGuid = [System.GUID]'00000000-0000-0000-0000-000000000000'
$NTAuthAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty', 'Allow', $NullGuid, 'None'
$NTAuthCertificatesACL.AddAccessRule($NTAuthAccessRule)
Set-ACL -AclObject $NTAuthCertificatesACL -Path "AD:\$NTAuthCertificatesDN"

Step 4: Create an IAM policy

To create a Connector for AD, you need an IAM policy that allows you to create connector resources, share your private CA with the Connector for AD service, and authorize the Connector for AD service with your directory.

The following is an example of a user-managed policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "pca-connector-ad:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "acm-pca:DescribeCertificateAuthority",
                "acm-pca:GetCertificate",
                "acm-pca:GetCertificateAuthorityCertificate",
                "acm-pca:ListCertificateAuthorities",
                "acm-pca:ListTags",
                "acm-pca:PutPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "acm-pca:IssueCertificate",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_ApiPassthrough/V*"
                },
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": "pca-connector-ad.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:DescribeDirectories",
                "ds:ListTagsForResource",
                "ds:UnauthorizeApplication",
                "ds:UpdateAuthorizedApplication"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags",
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "arn:*:ec2:*:*:vpc-endpoint/*"
        }
    ]
}

Connector for AD requires the following additional AWS RAM permissions for use of the console and the command line:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ram:CreateResourceShare",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "ram:Principal": "pca-connector-ad.amazonaws.com",
                    "ram:RequestedResourceType": "acm-pca:CertificateAuthority"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:GetResourcePolicies",
                "ram:GetResourceShareAssociations",
                "ram:GetResourceShares",
                "ram:ListPrincipals",
                "ram:ListResources",
                "ram:ListResourceSharePermissions",
                "ram:ListResourceTypes"
            ],
            "Resource": "*"
        }
    ]
}

Step 5: Share your private CA with Connector for AD

You need to share your private CA with the connector service using an AWS Resource Access Manager service principal share.

When you create a connector in the AWS console, the resource share is created for you automatically.

When you create a resource share using the AWS CLI, use the AWS RAM create-resource-share command.

The following command creates a resource share:

$ aws ram create-resource-share \
    --region us-east-1 \
    --name MyPcaConnectorAdResourceShare \
    --permission-arns arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority \
    --resource-arns arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
    --principals pca-connector-ad.amazonaws.com \
    --sources account

The service principal that calls CreateConnector has certificate issuance permissions on the private CA. To prevent the service principal used by Connector for AD from having general access to your AWS Private CA resources, restrict its permissions using CalledVia.
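To see what the CalledVia restriction actually does, here is an added example (not AWS's own code) that evaluates the Condition block of the acm-pca:IssueCertificate statement from Step 4 against three constructed request contexts. It models only the StringLike and ForAnyValue:StringEquals operators that statement uses; the template ARNs and contexts are illustrative.

```python
from __future__ import annotations
from fnmatch import fnmatchcase

# Condition block of the IssueCertificate statement in the Step 4 user-managed policy.
ISSUE_CONDITION = {
    "StringLike": {
        "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_ApiPassthrough/V*"
    },
    "ForAnyValue:StringEquals": {"aws:CalledVia": "pca-connector-ad.amazonaws.com"},
}

def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, * and ? wildcards ([ has no IAM meaning, so escape it)."""
    return fnmatchcase(value, pattern.replace("[", "[[]"))

def condition_matches(condition: dict, context: dict) -> bool:
    """True when every operator/key pair in `condition` is satisfied by the request `context`.

    A key absent from the context never matches (IAM behaviour for these non-IfExists
    operators); aws:CalledVia is only present on service-to-service calls, so a direct
    IssueCertificate call with the same template is denied by this statement.
    """
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                if not isinstance(actual, str) or not _string_like(expected, actual):
                    return False
            elif operator == "ForAnyValue:StringEquals":
                values = actual if isinstance(actual, list) else [actual]
                if expected not in values:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True

# Constructed request contexts (illustrative, not real request logs).
VIA_CONNECTOR = {  # Connector for AD calls acm-pca on the user's behalf
    "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_ApiPassthrough/V1",
    "aws:CalledVia": ["pca-connector-ad.amazonaws.com"],
}
DIRECT_CALL = {  # same template, but the user calls acm-pca directly: no aws:CalledVia key
    "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_ApiPassthrough/V1",
}
WRONG_TEMPLATE = {  # via the connector, but a template this statement does not permit
    "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1",
    "aws:CalledVia": ["pca-connector-ad.amazonaws.com"],
}
```

Only VIA_CONNECTOR satisfies the condition; the other two contexts fall through to IAM's implicit deny for this statement.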

Step 6: Create a directory registration

You authorize the Connector for AD service with your directory so that the connector can communicate with it. To authorize the Connector for AD service, you create a directory registration. For more information about creating a directory registration, see Manage directory registrations.

Step 7: Configure security groups

Communication between your VPC and Connector for AD goes through AWS PrivateLink, which requires one or more security groups with inbound rules that allow TCP port 443 on your VPC. You are asked for this security group when you create the connector. You can specify the source as Custom and select your VPC's CIDR block. You can optionally restrict this further (that is, by CIDR IP ranges and security group IDs).