Active Directory

You can deploy Microsoft Active Directory on SOCA via the following options:

Default Organizational Units (OU)

Here are the default Organizational Units (OU) deployed if you are using AWS Directory Service Managed or Simple AD:

DN                  AWS Directory Service Managed AD              AWS Directory Service Simple AD
admins_search_base  cn=socasudoadminsgroup,ou=Users,DOMAIN_BASE   cn=socasudoadminsgroup,ou=Users,DOMAIN_BASE
people_search_base  ou=Users,ou=NETBIOS,DOMAIN_BASE               cn=Users,DOMAIN_BASE
group_search_base   cn=Users,ou=NETBIOS,DOMAIN_BASE               cn=Users,DOMAIN_BASE

Info

The group name used for admins_search_base can be customized via default_config.yml.

Info

You cannot change the default OUs. Also note that AWS Directory Service stores users and groups in a nested OU named after your NetBIOS (short) name.

Example: assuming the NetBIOS name is SOCA-TEST and the domain_base is soca-test.local, the users OU is:

ou=Users,ou=SOCA-TEST,dc=soca-test,dc=local

SOCA AD Service Account

Regardless of the Active Directory provider, SOCA automatically creates an AD user with sufficient permissions for all LDAP bind and CRUD operations. You can retrieve the username and password from Secrets Manager (/soca/<CLUSTER_ID>/UserDirectoryServiceAccount).

Existing Active Directory

When using an existing Active Directory, you can configure your own OUs and AD service account via default_config.yml.

UserDirectory SocaConfig tree

You can query all your user identity configuration with the socactl CLI by reading the /configuration/UserDirectory/ tree:

/bin/bash /opt/soca/soca-demo29/cluster_manager/socactl config get \
   --key "/configuration/UserDirectory/" \
   --output json

{
    "/configuration/UserDirectory/ad_aws_directory_service_id": "d-REDACTED",
    "/configuration/UserDirectory/ad_aws_lambda_reset_password": "False",
    "/configuration/UserDirectory/admins_search_base": "cn=AWS Delegated Server Administrators,ou=AWS Delegated Groups,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/domain_base": "dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/domain_controller_ips": "['59.0.173.45', '59.0.89.133']",
    "/configuration/UserDirectory/domain_name": "soca-demo29.local",
    "/configuration/UserDirectory/people_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/provider": "aws_ds_managed_activedirectory",
    "/configuration/UserDirectory/service_account_secret_arn": "arn:aws:secretsmanager:us-east-1:REDACTED:secret:/soca/soca-demo29/UserDirectoryServiceAccount-RV4qc6",
    "/configuration/UserDirectory/use_existing_directory": "False",
    "/configuration/UserDirectory/endpoint": "ldap://soca-demo29.local",
    "/configuration/UserDirectory/group_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/short_name": "SOCA-DEMO29"
}

Troubleshooting

Unable to login - Service Account has expired

If you cannot log in to SOCA (and you know the password is correct), or if you encounter errors containing "In order to perform this operation a successful bind must be completed on the connection", this most likely means the Active Directory Admin service account has been locked due to the 42-day maximum password age policy.

Example error from the logs:

Unable to list software stack for this user because of Unable to retrieve information for user john due to Unable to find user because of Unable to search ou=Users,ou=SOCA-xx,dc=soca-xxx,dc=local with scope 2, filter (&(objectClass=user)(sAMAccountName=john)), attr_list ['sAMAccountName'],
due to {'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090D5A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'} 
(Request ID: 45df348b-afa8-4a42-8410-e1c800daeed7) 
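As an added example (not SOCA's own code), a small Python checker that recognizes this Active Directory diagnostic string in SOCA log lines and maps Win32 error 0x4DC (ERROR_NOT_AUTHENTICATED) to the expired or locked service-account cause described above. The sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Active Directory LDAP diagnostic messages look like:
#   "<Win32 error hex>: LdapErr: DSID-<id>, comment: <text>, data <n>, v<ver>"
LDAPERR_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>\d+), v(?P<ver>\d+)"
)

# Win32 error 0x4DC (1244) is ERROR_NOT_AUTHENTICATED: the search ran on a
# connection whose bind never succeeded, i.e. the service account could not authenticate.
NOT_AUTHENTICATED = "000004DC"

@dataclass
class LdapDiagnosis:
    code: str
    comment: str
    likely_cause: str

def diagnose(line: str) -> Optional[LdapDiagnosis]:
    """Return a diagnosis for a log line carrying an AD LdapErr string, else None."""
    m = LDAPERR_RE.search(line)
    if not m:
        return None
    code = m.group("code").upper()
    comment = m.group("comment")
    if code == NOT_AUTHENTICATED or "successful bind must be completed" in comment:
        cause = ("service account bind failed: check whether the UserDirectoryServiceAccount "
                 "password has expired (42-day maximum password age) or differs from Secrets Manager")
    else:
        cause = "other LDAP error: inspect the Win32 code and comment"
    return LdapDiagnosis(code, comment, cause)

def scan(lines: List[str]) -> List[LdapDiagnosis]:
    """Run diagnose() over a log excerpt and keep only the matching lines."""
    return [d for d in map(diagnose, lines) if d is not None]

# Constructed sample lines modelled on the error shown above (not real SOCA output).
SAMPLE_LOG = [
    "Unable to find user because of Unable to search ou=Users,ou=SOCA-xx,dc=soca-xxx,dc=local "
    "due to {'result': 1, 'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C090D5A, "
    "comment: In order to perform this operation a successful bind must be completed on the "
    "connection., data 0, v4563'}",
    "INFO job 42 submitted by john",
]

if __name__ == "__main__":
    for d in scan(SAMPLE_LOG):
        print(d.code, "->", d.likely_cause)
```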

The easiest way to unlock your AWS Directory Service Managed AD service account is to re-enable the Admin account via the AWS Console.

First, go to AWS Secrets Manager and retrieve the password of the UserDirectoryServiceAccount associated with your environment:

{
    "password": "PaSSwOrD123@",
    "username": "Admin@edh-demo.local"
}

Then, go to AWS Directory Service and select the AD associated with your environment. Make sure you have enabled User and Group Management so that the list of your AD users is displayed.

Select the Admin (not Administrator) account and click Actions > Reset password and enable account, then specify the same password you retrieved from Secrets Manager.

Note

To identify your service account user, refer to the username entry. For example, if the username is Admin@edh-demo.local, then your AD service account user is Admin.

This action will re-enable the Admin account automatically. No SOCA reboot is needed, and everything should start working again immediately. To avoid this issue in the future, it is recommended to disable the 42-day password expiration for the Admin account (see section below).

Warning

If you change the Admin password, make sure you also update the entry in Secrets Manager as well as the local cache value in /apps/soca/<CLUSTER_ID>/shared/custom_automation/ad_automation/join_domain.cache.

42-Day Maximum Password Age

By default, AWS Directory Service enforces a 42-day maximum password age, meaning all SOCA users and service accounts must update their password at least every 42 days to avoid being locked out. We recommend you update this setting unless you already have a way to manage password expiration.

Warning

If the SOCA AD service account (UserDirectoryServiceAccount) is locked, no new computers will be able to join the AD domain, resulting in provisioning failures for virtual desktops, login nodes and HPC nodes.
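As an added example (not SOCA's or AWS's code): given the service account's pwdLastSet and userAccountControl attributes, which you would read with an LDAP search of the account under people_search_base using the bind credentials from the UserDirectoryServiceAccount secret (an assumption; no LDAP call is made here), this Python computes when the 42-day policy will lock the account and whether Password Never Expires is set. The sample attribute values are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Active Directory stores pwdLastSet as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl flag bits (constants from the AD schema).
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000   # the "Password Never Expires" checkbox
# AWS Directory Service default maximum password age described above.
DEFAULT_MAX_AGE = timedelta(days=42)

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def password_expiry(pwd_last_set: int, user_account_control: int,
                    max_age: timedelta = DEFAULT_MAX_AGE) -> Optional[datetime]:
    """When the password expires, or None if DONT_EXPIRE_PASSWORD is set.
    pwdLastSet == 0 means 'must change at next logon' and is reported as already expired."""
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set) + max_age

def days_until_expiry(pwd_last_set: int, user_account_control: int, now: datetime,
                      max_age: timedelta = DEFAULT_MAX_AGE) -> Optional[int]:
    """Days left before the account starts failing LDAP binds (negative: already expired)."""
    expiry = password_expiry(pwd_last_set, user_account_control, max_age)
    return None if expiry is None else (expiry - now).days

# Constructed sample: a service account whose password was last set on 2024-01-01 UTC.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)
    print("days left:", days_until_expiry(SAMPLE_PWD_LAST_SET, NORMAL_ACCOUNT, now))
    print("never expires:",
          days_until_expiry(SAMPLE_PWD_LAST_SET, NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, now))
```

A value of 42 or fewer days is expected from a fresh password; a negative value matches the bind failure described in the troubleshooting section.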

Step 1: Launch a Windows virtual desktop on SOCA

To update your Active Directory password age policy, the recommended approach is to log in to SOCA and launch a Windows virtual desktop.

Step 2: Install the ADDS Server Role

Connect to your Windows virtual desktop once it is available, then click the Windows Start button and open Server Manager.

Click Add Roles and Features.

Click Next > Role-based or feature-based installation, then leave the current server selection as is. In the Roles list, check Active Directory Domain Services (this adds multiple sub-features, including Active Directory Admin Center).

Leave everything else as default, and proceed to the installation of the Active Directory modules. Click Close when the installation is complete.

Step 3: Update the GPO

First, retrieve your SOCA UserDirectoryServiceAccount on AWS Secrets Manager. The secret name is /soca/<cluster_id>/UserDirectoryServiceAccount. Once you have located your secret, click Retrieve Secret Value to reveal your username/password.

Info

Your username is the part before the @ (e.g. Admin in this example).

Go back to your Windows virtual desktop, open a command prompt and run the following command to start Active Directory Admin Center (ADAC). Replace DOMAIN and ADMIN_USER with your own values, and enter ADMIN_USER_PASSWORD when prompted.

runas /user:<DOMAIN>\<ADMIN_USER> "cmd /c Start /B dsac.exe"

Example:

C:\Users\mcrozes>runas /user:SOCA-DEMO29\Admin "cmd /c Start /B dsac.exe"
Enter the password for SOCA-DEMO29\Admin: <ADMIN_USER_PASSWORD>
Attempting to start cmd /c Start /B dsac.exe as user "SOCA-DEMO29\Admin" ...

This opens the ADAC interface as a privileged user. Choose your SOCA Active Directory domain in the left sidebar, then select System and then Password Settings Container.

Open the first policy, CustomerPSO-01.

Uncheck all settings under Password Age Options.

Finally, click OK and repeat the same operations for all other policies.

Alternatively, you can exempt specific users without updating the policy by checking Password Never Expires for a given user: