By using AWS re:Post, you agree to the Terms of Use
/AWS Directory Service/

Questions tagged with AWS Directory Service

Sort by most recent
  • 1
  • 90 / page

Browse through the questions and answers listed below or filter and sort to narrow down your results.

AWS Managed AD ADFS user sign-on URL is not accessible outside of ADFS server.

We have setup a test ADFS on a Windows Server 2019 EC2 in our AWS Managed Active Directory. We have enabled the ADFS sign-on page (example URL: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx). ADFS is successful for signing in with our AD credentials, and for accessing our AWS Console when tested from our ADFS server. The issue is that this URL is only opening when directly logged into the ADFS Windows Server. This sign-on URL is not available from another Windows 2019 EC2 test server that is within the same VPC and subnet. All Security Group ports, and Windows Firewalls are temporarily off on both EC2s. The servers can ping each other and using Nmap it displays all the open ports on the ADFS server. Route 53 has a hosted zone for this AWS Managed domain name, and both the ADFS server and test Windows 2019 server have DNS entries for them. We need to test accessing the ADFS sign-on from outside of the ADFS server. Is there another ADFS URL that is for this purpose or another ADFS configuration that is missing? Both links below were used for setting up ADFS on AWS Managed AD https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/ https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/ Thank you.
1
answers
0
votes
7
views
asked 2 months ago

aws_ssm_document addomainjoin error

I am struggling to get EC2 instances deployed via an ASG joined to the domain. I get the following error each time *New-SSMAssociation : Document schema version, 2.2, is not supported by association that is created with instance id* I have tried various schema versions detailed [Here](https://docs.aws.amazon.com/systems-manager/latest/userguide/document-schemas-features.html) however all fail with the same error **SSMdoc.tf** ``` resource "aws_ssm_document" "ad-join-domain" { name = "ad-join-domain" document_type = "Command" content = jsonencode( { "schemaVersion" = "2.2" "description" = "aws:domainJoin" "parameters" : { "directoryId" : { "description" : "(Required) The ID of the directory.", "type" : "String" }, "directoryName" : { "description" : "(Required) The name of the domain.", "type" : "String" }, "dnsIpAddresses" : { "description" : "(Required) The IP addresses of the DNS servers for your directory.", "type" : "StringList" }, }, "mainSteps" = [ { "action" = "aws:domainJoin", "name" = "domainJoin", "inputs" = { "directoryId" : data.aws_directory_service_directory.adgems.id, "directoryName" : data.aws_directory_service_directory.adgems.name, "dnsIpAddresses" : [data.aws_directory_service_directory.adgems.dns_ip_addresses] } } ] } ) } ``` template.tf ``` data "template_file" "ad-join-template" { template = <<EOF <powershell> Set-DefaultAWSRegion -Region eu-west-2 Set-Variable -name instance_id -value (Invoke-Restmethod -uri http://169.254.169.254/latest/meta-data/instance-id) New-SSMAssociation -InstanceId $instance_id -Name "${aws_ssm_document.ad-join-domain.name}" </powershell> EOF } ``` The template is then referenced in the ASG Launch Template user_data section. Getting onto the instance I can see the script/logs and have confirmed the variables set (instance id for example). Full error message from the PS running below ``` New-SSMAssociation : Document schema version, 2.2, is not supported by association that is created with instance id At C:\Windows\system32\config\systemprofile\AppData\Local\Temp\EC2Launch228430162\UserScript.ps1:3 char:5 + New-SSMAssociation -InstanceId $instance_id -Name "ad-join-domain ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (Amazon.PowerShe...sociationCmdlet:NewSSMAssociationCmdlet) [New-SSMAs sociation], InvalidOperationException + FullyQualifiedErrorId : Amazon.SimpleSystemsManagement.Model.InvalidDocumentException,Amazon.PowerShell.Cmdlets. SSM.NewSSMAssociationCmdlet ```
1
answers
0
votes
28
views
asked 5 months ago

FSx for NetApp ONTAP - Windows permission issues

Hi there, I managed to add FSx for NetApp ONTAP to our domain with FSxServiceAccount as described on the product page. However, I am running into issues when I am trying to attach it to my Windows instance. (It works fine on Linux). I see the following issues: - When I am running this command New-SmbGlobalMapping -Persistent $true -RemotePath \\<IO of my smb>\share -Credential $creds -LocalPath G:` I get the following error: `New-SmbGlobalMapping : Access is denied.` - I am using domain admin credentials - When I am running this command `net use Z: \\<dns address of the smb>\share` I got the following error: `System error 5 has occurred. Access is denied.` - Also with domain admin creds - I can successfully attach via File Explorer > This PC > Computer >Map network drive, however I can not read/write to it. If I check the FIle permission mode in Propertires I can see that only the owner (FSxServiceAccount?) is allowed to write, however Read should work, but I can not change the permissions as domain Admin. I am using Directory Service Standard Edition. Did you guys experience issues with this? What am I doing wrong? **Update:** I managed to attach the disk, but I can not write or read any file on the disk. It is in OU=Computers, and allowed Everyone Full Access, also allowed Everyone Read/Write the NFS filesystems attached to the AD, but still not working. I am suspecting this is something NetApp specific, but we will see. **Update #2** Based on CloudWreck's comment I found the following: I am using mixed style. I use the following code: ``` net use P: \\WINDOWS\vol1 $CurTgt = "P:" $CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name $acl = Get-Acl $CurTgt $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow") $acl.SetAccessRule($AccessRule) $acl | Set-Acl $CurTgt ``` Get-Acl returns ``` Path Owner Access ---- ----- ------ P:\ Everyone Everyone Allow -1 ``` Also using this one: ``` $CurTgt = "P:" $CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name $acl = Get-Acl $CurTgt $usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr) $acl.PurgeAccessRules($usersid) $acl | Set-Acl $CurTgt ``` Also tried this: ``` takeown /F * /R takeown : ERROR: File ownership cannot be applied on insecure file systems; ``` But I am still unable to write/read files or create folders. **Update#3** I ran the following commands and changed the permission from the ONTAP side ``` vserver security file-directory show -vserver windows -path /vol1 vserver security file-directory ntfs create -ntfs-sd sd1 -owner DomainName\Administrator vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type success -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type allow -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files vserver security file-directory policy create -policy-name policy1 vserver security file-directory policy task add -policy-name policy1 -path /vol1 -ntfs-sd sd1 vserver security file-directory apply -policy-name policy1 vserver security file-directory show -path /vol1 -expand-mask true ``` It changed the file permissions (mode), however I am still unable to read/write files. These are the current settings: ``` File Path: /vol1 File Inode Number: 64 Security Style: mixed Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: 0x10 ...0 .... .... .... = Offline .... ..0. .... .... = Sparse .... .... 0... .... = Normal .... .... ..0. .... = Archive .... .... ...1 .... = Directory .... .... .... .0.. = System .... .... .... ..0. = Hidden .... .... .... ...0 = Read Only UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor ``` ``` ALLOW-Everyone-0x1f01ff-OI|CI 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...0 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...1 .... .... .... .... .... = Synchronize .... .... .... 1... .... .... .... .... = Write Owner .... .... .... .1.. .... .... .... .... = Write DAC .... .... .... ..1. .... .... .... .... = Read Control .... .... .... ...1 .... .... .... .... = Delete .... .... .... .... .... ...1 .... .... = Write Attributes .... .... .... .... .... .... 1... .... = Read Attributes .... .... .... .... .... .... .1.. .... = Delete Child .... .... .... .... .... .... ..1. .... = Execute .... .... .... .... .... .... ...1 .... = Write EA .... .... .... .... .... .... .... 1... = Read EA .... .... .... .... .... .... .... .1.. = Append .... .... .... .... .... .... .... ..1. = Write .... .... .... .... .... .... .... ...1 = Read ```
1
answers
0
votes
86
views
asked 6 months ago
2
answers
0
votes
53
views
asked 6 months ago

BatchWrite limits

Related a bit to forum https://forums.aws.amazon.com/post!reply.jspa?messageID=821050, but I don't think I should completely hijack that topic. I'm performing the following batch_write operation using Python: ``` { 'DirectoryArn': '<snip>', 'Operations': [ {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'Organization'}], 'ObjectAttributeList': [{'Key': {'SchemaArn': '<snip>', 'FacetName': 'Organization', 'Name': 'display_name'}, 'Value': {'StringValue': 'Object #1'}}], 'ParentReference': {'Selector': '/'}, 'LinkName': 'object', 'BatchReferenceName': '5bd5059b-b793-4ebe-b45b-b0a136a4ac8d'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'Meta'}], 'ObjectAttributeList': [{'Key': {'SchemaArn': '<snip>', 'FacetName': 'Meta', 'Name': 'display_name'}, 'Value': {'StringValue': 'Child #1'}}], 'ParentReference': {'Selector': '#5bd5059b-b793-4ebe-b45b-b0a136a4ac8d'}, 'LinkName': 'organization', 'BatchReferenceName': '01e66be7-d47f-40ed-b7d0-faa638db9ced'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'Meta'}], 'ObjectAttributeList': [{'Key': {'SchemaArn': '<snip>', 'FacetName': 'Meta', 'Name': 'display_name'}, 'Value': {'StringValue': 'Child #2'}}], 'ParentReference': {'Selector': '#5bd5059b-b793-4ebe-b45b-b0a136a4ac8d'}, 'LinkName': 'index', 'BatchReferenceName': 'f8b672b9-fef5-40c8-8c55-94152d4db745'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index1', 'BatchReferenceName': '71b75012-516b-4cb6-8354-976ad1cc4589'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index2', 'BatchReferenceName': 'c6824a61-1338-4cd5-8d3a-553b67e50a18'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index3', 'BatchReferenceName': 'c72c0bab-25f1-4a83-a9c5-569d34d1a90d'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index4', 'BatchReferenceName': '8b4368e2-2d29-4666-8eb0-4e93105f1efb'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index5', 'BatchReferenceName': 'e5ba15a8-4cdd-43a7-873e-0afd8c0e6870'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index6', 'BatchReferenceName': 'afba33be-d2a2-461f-8742-ec0cb805b0dc'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index7', 'BatchReferenceName': 'c4b70cd5-1a39-45ba-a5ee-efb0fbc424e7'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index8', 'BatchReferenceName': '1ac0290c-339f-4b50-9080-d1c5c8d4159a'}} ] } ``` which fails with the error: ``` An error occurred (LimitExceededException) when calling the BatchWrite operation: Limits exceeded on the request. Write objects, max: 20, actual: 22. Read objects, max: 200, actual: 10. Write attributes, max: 1000, actual: 4. Read attributes, max: 1000, actual: 0. ``` I'm creating 11 objects. The selector paths would look like: ``` /object /object/organization /object/index /object/index/index1 /object/index/index2 /object/index/index3 /object/index/index4 /object/index/index5 /object/index/index6 /object/index/index7 /object/index/index8 ``` Although I can understand where the 22 Writes come from, I wonder if this is a fair assumption as the object with "/object/index" is for example counted 9 times (1 create, 8 updates). I'm using the BatchReference so during the counting it can be taken into account that I intend to write the same object multiple times, and as it is documented that the batch_write is going to be a single transaction, I would expect my "Write object count" to be 12 (11 objects created + root node update. This comment can also be extended a bit to the Read Objects count of 10, but I'll that one out of the discussion. :)
2
answers
0
votes
0
views
asked 3 years ago

[Announcement] Run Your Microsoft SharePoint and SQL Server Always On Availability Groups in the AWS Cloud More Easily by Using AWS Directory Service for Microsoft Active Directory

Today, we made it easier for you to run Microsoft SharePoint and SQL Server Always On availability groups in the AWS Cloud. With [AWS Directory Service for Microsoft Active Directory (Enterprise Edition)](https://aws.amazon.com/directoryservice/), also known as AWS Microsoft AD, you can now migrate additional Windows workloads such as SharePoint and SQL Server Always On availability groups without the complexity of building and maintaining your own Active Directory (AD) infrastructure. Using the [AD security features announced recently](https://aws.amazon.com/about-aws/whats-new/2017/05/simplify-migration-and-improve-security-of-active-directory-integrated-net-applications-by-using-aws-microsoft-ad/), you can provide single sign-on (SSO) to Microsoft SharePoint by using AWS Microsoft AD, and improve the security of SQL Server Always On availability groups. With AWS Microsoft AD, you can use a single directory to support Microsoft SharePoint and SQL Server Always On availability groups, as well as AWS services such as [Amazon WorkSpaces](https://aws.amazon.com/workspaces/) and [Amazon QuickSight](https://quicksight.aws/). You also have the flexibility to use identities from your on-premises directory or managed directory in the AWS Cloud. AWS Microsoft AD uses actual AD running on Windows Server 2012 R2 and does not require you to synchronize or replicate data from your existing AD to the cloud. With just a few clicks, you can create a highly available, managed AD. AWS handles all of the security patching and software updates. Currently, AWS Microsoft AD is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), EU (London), Canada (Central), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo) Regions. This feature is now available to all AWS Microsoft AD customers at no additional charge. For existing AWS Microsoft AD customers there is no additional setup in the Directory Service console required. To get started with AWS Microsoft AD, visit the [Directory Service console](https://console.aws.amazon.com/directoryservice/home) and create your directory.
0
answers
1
votes
8
views
asked 5 years ago
  • 1
  • 90 / page