Active Directory

You can deploy Microsoft Active Directory on SOCA via the following options:

(Recommended) AWS Directory Service Managed Active Directory
AWS Directory Simple AD
Existing Active Directory

Default Organizational Units (OU)¶

Here are the default Organizational Units (OU) deployed if you are using AWS Directory Service Managed or Simple AD:

DN	AWS Directory Service Managed AD	AWS Directory Service Simple AD
`admins_search_base`	cn=AWS Delegated Server Administrators,ou=AWS Delegated Groups,DOMAIN_BASE	cn=Administrators,CN=Builtin,DOMAIN_BASE
`people_search_base`	ou=Users,ou=NETBIOS,DOMAIN_BASE	cn=Users,DOMAIN_BASE
`group_search_base`	cn=Users,ou=NETBIOS,DOMAIN_BASE	cn=Users,DOMAIN_BASE

Info

You cannot change the defaults OU. Also note AWS Directory Services stores user/group in a nested OU using your Netbios (short name) name.

Example: Assuming netbios is SOCA-TEST and domain_base is soca-test.local

ou=Users,ou=SOCA-TEST,dc=soca-test,dc=local

SOCA AD Service Account¶

Independently of the Active Directory provider, SOCA will automatically create an AD user with sufficient permissions for all LDAP bind/CRUD operations. You can retrieve the username/password on Secrets Manager (/soca/<CLUSTER_ID>/UserDirectoryServiceAccount).

Existing Active Directory

You can configure your own OU and AD Service Account when using an existing Active Directory via default_config.yml

UserDirectory SocaConfig tree¶

You can query all your User Identity configuration using socactl CLI via /configuration/UserDirectory/ tree

/bin/bash /apps/soca/soca-demo29/cluster_manager/socactl config get \
   --key "/configuration/UserDirectory/" \
   --output json

{
    "/configuration/UserDirectory/ad_aws_directory_service_id": "d-REDACTED",
    "/configuration/UserDirectory/ad_aws_lambda_reset_password": "False",
    "/configuration/UserDirectory/admins_search_base": "cn=AWS Delegated Server Administrators,ou=AWS Delegated Groups,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/domain_base": "dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/domain_controller_ips": "['59.0.173.45', '59.0.89.133']",
    "/configuration/UserDirectory/domain_name": "soca-demo29.local",
    "/configuration/UserDirectory/people_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/provider": "aws_ds_managed_activedirectory",
    "/configuration/UserDirectory/service_account_secret_arn": "arn:aws:secretsmanager:us-east-1:REDACTED:secret:/soca/soca-demo29/UserDirectoryServiceAccount-RV4qc6",
    "/configuration/UserDirectory/use_existing_directory": "False",
    "/configuration/UserDirectory/endpoint": "ldap://soca-demo29.local",
    "/configuration/UserDirectory/group_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/short_name": "SOCA-DEMO29"
}

Troubleshooting¶

42 days Maximum Password Age¶

By default, AWS Directory Service enforces 42 days maximum password age, meaning all SOCA users/service accounts will require a password update (at least) every 42 days to avoid being locked out. We recommend you to update this setting unless you already have a way to manage password expiration.

Warning

If the SOCA AD Service Account (UserDirectoryServiceAccount) is locked, no new computers will be able to join the AD domain, resulting in virtual desktops, login nodes or HPC nodes provisioning failure.

Step1: Launch a Windows virtual desktop on SOCA¶

To update your Active Directory password age policy, the recommended approach is to log in to SOCA and launch a Windows Virtual Desktop

Step2: Install ADDS Server Role¶

Connect to your Windows virtual desktop once it is available then click Windows Start button then Server Manager.

Click Add Roles and Features

Click Next > Role-base or feature-based installation then leave the current server selection as is. On the Roles list, check Active Directory Domain Services (this will add multiple sub-feature including Active Directory Admin Center).

Leave everything else as default, and proceed to the installation of the Active Directory modules. Click Close when the installation is complete.

Step3: Update GPO¶

First, retrieve your SOCA UserDirectoryServiceAccount on AWS Secrets Manager. The secret name is /soca/<cluster_id>/UserDirectoryServiceAccount. Once you have located your secret, click Retrieve Secret Value to reveal your username/password.

Info

Your username is the first part before @ (e.g: Admin in this example)

Go back to your Windows virtual desktop, open a terminal and run the following command to start Active Directory Admin Center (ADAC). Replace ADMIN_USER and ADMIN_USER_PASSWORD with your own values.

runas /user:<DOMAIN>\<ADMIN_USER> "cmd /c Start /B dsac.exe"

Example:

C:\Users\mcrozes>runas /user:SOCA-DEMO29\Admin "cmd /c Start /B dsac.exe"
Enter the password for SOCA-DEMO29\Admin: <ADMIN_USER_PASSWORD>
Attempting to start cmd /c Start /B dsac.exe as user "SOCA-DEMO29\Admin" ...

This will open ADAC interface with an privileged user. Choose your SOCA Active Directory Domain on the left sidebar, then select System and Password Settings Container

Open the first policy CustomerPSO-01

Uncheck all settings under Password Age Options

Finally, click OK and repeat the same operations for all other policy.