Active Directory
You can deploy Microsoft Active Directory on SOCA via the following options:
- (Recommended) AWS Directory Service Managed Active Directory
- AWS Directory Simple AD
- Existing Active Directory
Default Organizational Units (OU)
These are the default Organizational Units (OU) deployed when you use AWS Directory Service Managed AD or Simple AD:
DN | AWS Directory Service Managed AD | AWS Directory Service Simple AD |
---|---|---|
admins_search_base | cn=AWS Delegated Server Administrators,ou=AWS Delegated Groups,DOMAIN_BASE | cn=Administrators,CN=Builtin,DOMAIN_BASE |
people_search_base | ou=Users,ou=NETBIOS,DOMAIN_BASE | cn=Users,DOMAIN_BASE |
group_search_base | cn=Users,ou=NETBIOS,DOMAIN_BASE | cn=Users,DOMAIN_BASE |
Info
You cannot change the default OUs. Also note that AWS Directory Service stores users and groups in a nested OU named after your NetBIOS (short) name.
Example: assuming netbios is SOCA-TEST and domain_base is soca-test.local, the users OU is ou=Users,ou=SOCA-TEST,dc=soca-test,dc=local
SOCA AD Service Account
Regardless of the Active Directory provider, SOCA automatically creates an AD user with sufficient permissions for all LDAP bind and CRUD operations. You can retrieve the username/password from Secrets Manager (/soca/<CLUSTER_ID>/UserDirectoryServiceAccount).
Existing Active Directory
You can configure your own OU and AD Service Account when using an existing Active Directory via default_config.yml.
UserDirectory SocaConfig tree
You can query your entire User Identity configuration with the socactl CLI via the /configuration/UserDirectory/ tree:
/bin/bash /apps/soca/soca-demo29/cluster_manager/socactl config get \
--key "/configuration/UserDirectory/" \
--output json
{
"/configuration/UserDirectory/ad_aws_directory_service_id": "d-REDACTED",
"/configuration/UserDirectory/ad_aws_lambda_reset_password": "False",
"/configuration/UserDirectory/admins_search_base": "cn=AWS Delegated Server Administrators,ou=AWS Delegated Groups,dc=soca-demo29,dc=local",
"/configuration/UserDirectory/domain_base": "dc=soca-demo29,dc=local",
"/configuration/UserDirectory/domain_controller_ips": "['59.0.173.45', '59.0.89.133']",
"/configuration/UserDirectory/domain_name": "soca-demo29.local",
"/configuration/UserDirectory/people_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
"/configuration/UserDirectory/provider": "aws_ds_managed_activedirectory",
"/configuration/UserDirectory/service_account_secret_arn": "arn:aws:secretsmanager:us-east-1:REDACTED:secret:/soca/soca-demo29/UserDirectoryServiceAccount-RV4qc6",
"/configuration/UserDirectory/use_existing_directory": "False",
"/configuration/UserDirectory/endpoint": "ldap://soca-demo29.local",
"/configuration/UserDirectory/group_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
"/configuration/UserDirectory/short_name": "SOCA-DEMO29"
}
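As an added example (not part of SOCA), here is a Python check that validates a socactl UserDirectory tree like the one above: it confirms domain_base matches domain_name, that Managed AD search bases sit under the ou=NETBIOS,DOMAIN_BASE nesting described in the Info box, and it parses domain_controller_ips, which socactl returns as a stringified Python list rather than a JSON array. The sample values, the function names and the specific checks are assumptions of this example.

```python
import ast
import ipaddress
import json

# Constructed sample modelled on the socactl output above; values are fictional.
SAMPLE = json.dumps({
    "/configuration/UserDirectory/domain_base": "dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/domain_controller_ips": "['59.0.173.45', '59.0.89.133']",
    "/configuration/UserDirectory/domain_name": "soca-demo29.local",
    "/configuration/UserDirectory/people_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/group_search_base": "ou=Users,ou=SOCA-DEMO29,dc=soca-demo29,dc=local",
    "/configuration/UserDirectory/provider": "aws_ds_managed_activedirectory",
    "/configuration/UserDirectory/use_existing_directory": "False",
    "/configuration/UserDirectory/endpoint": "ldap://soca-demo29.local",
    "/configuration/UserDirectory/short_name": "SOCA-DEMO29",
})
PREFIX = "/configuration/UserDirectory/"

def load_tree(raw):
    """Strip the tree prefix so keys match the names used in the OU table."""
    return {k[len(PREFIX):]: v for k, v in json.loads(raw).items() if k.startswith(PREFIX)}

def domain_base_for(domain_name):
    """Build the expected domain_base DN from a DNS domain name."""
    return ",".join("dc=" + label for label in domain_name.lower().split("."))

def check_user_directory(raw):
    """Return a list of findings plus the parsed domain controller IPs."""
    cfg = load_tree(raw)
    problems = []
    if cfg["domain_base"].lower() != domain_base_for(cfg["domain_name"]):
        problems.append("domain_base does not match domain_name")
    # Managed AD nests users and groups under ou=<NETBIOS>,<domain_base>
    if cfg["provider"] == "aws_ds_managed_activedirectory":
        nested = f"ou={cfg['short_name']},{cfg['domain_base']}".lower()
        for key in ("people_search_base", "group_search_base"):
            if not cfg[key].lower().endswith("," + nested):
                problems.append(f"{key} is not under {nested}")
        if cfg["use_existing_directory"] != "False":
            problems.append("use_existing_directory must be False for AWS DS Managed AD")
    if not cfg["endpoint"].startswith(("ldap://", "ldaps://")):
        problems.append("endpoint is not an LDAP URL")
    # domain_controller_ips is a stringified Python list, not a JSON array
    try:
        ips = [str(ipaddress.ip_address(ip)) for ip in ast.literal_eval(cfg["domain_controller_ips"])]
    except (ValueError, SyntaxError) as exc:
        ips = []
        problems.append(f"domain_controller_ips unparsable: {exc}")
    return {"problems": problems, "domain_controller_ips": ips}
```

Feed it the raw `--output json` text from socactl; an empty problems list means the tree is internally consistent.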
Troubleshooting
42-day Maximum Password Age
By default, AWS Directory Service enforces a 42-day maximum password age, meaning every SOCA user and service account must update its password at least every 42 days to avoid being locked out. We recommend updating this setting unless you already have a way to manage password expiration.
Warning
If the SOCA AD Service Account (UserDirectoryServiceAccount) is locked, no new computers can join the AD domain, so virtual desktops, login nodes and HPC nodes fail to provision.
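As an added example (not SOCA code), the following Python helper turns the pwdLastSet value that Active Directory returns for an account such as UserDirectoryServiceAccount into the days remaining under the 42-day default, so an operator can alert before the service account locks and provisioning starts failing. The 7-day warning threshold, the constructed sample and the helper names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: AD stores pwdLastSet as 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AWS Directory Service default maximum password age described above.
DEFAULT_MAX_AGE = timedelta(days=42)

def filetime_to_datetime(filetime):
    """Convert a pwdLastSet FILETIME integer to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build constructed sample values."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_status(pwd_last_set, now, max_age=DEFAULT_MAX_AGE, warn_days=7):
    """Classify an account's password as ok, rotate-soon or expired.

    pwdLastSet == 0 means 'must change password at next logon'; for a service
    account that only binds over LDAP this is effectively already expired.
    """
    if int(pwd_last_set) == 0:
        return {"expires_at": now, "days_left": 0.0, "state": "expired"}
    expires_at = filetime_to_datetime(pwd_last_set) + max_age
    days_left = (expires_at - now) / timedelta(days=1)
    if days_left <= 0:
        state = "expired"
    elif days_left <= warn_days:
        state = "rotate-soon"
    else:
        state = "ok"
    return {"expires_at": expires_at, "days_left": days_left, "state": state}

if __name__ == "__main__":
    # Constructed sample: service account password last set 40 days ago.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample = datetime_to_filetime(now - timedelta(days=40))
    print(password_status(sample, now))
```

Run it on a schedule against the pwdLastSet attribute of the service account and rotate the secret in Secrets Manager when the state is no longer ok.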
Step 1: Launch a Windows virtual desktop on SOCA
To update your Active Directory password age policy, the recommended approach is to log in to SOCA and launch a Windows virtual desktop.
Step 2: Install the AD DS Server Role
Connect to your Windows virtual desktop once it is available, then click the Windows Start button and open Server Manager.
Click Add Roles and Features.
Click Next > Role-based or feature-based installation, and leave the current server selection as is. In the Roles list, check Active Directory Domain Services (this adds multiple sub-features, including Active Directory Admin Center).
Leave everything else at its default and proceed with the installation of the Active Directory modules. Click Close when the installation is complete.
Step 3: Update GPO
First, retrieve your SOCA UserDirectoryServiceAccount from AWS Secrets Manager. The secret name is /soca/<cluster_id>/UserDirectoryServiceAccount.
Once you have located your secret, click Retrieve Secret Value to reveal your username/password.
Info
Your username is the part before @ (e.g. Admin in this example).
Go back to your Windows virtual desktop, open a terminal and run the following command to start Active Directory Admin Center (ADAC). Replace <DOMAIN>, <ADMIN_USER> and <ADMIN_USER_PASSWORD> with your own values.
runas /user:<DOMAIN>\<ADMIN_USER> "cmd /c Start /B dsac.exe"
Example:
C:\Users\mcrozes>runas /user:SOCA-DEMO29\Admin "cmd /c Start /B dsac.exe"
Enter the password for SOCA-DEMO29\Admin: <ADMIN_USER_PASSWORD>
Attempting to start cmd /c Start /B dsac.exe as user "SOCA-DEMO29\Admin" ...
This opens the ADAC interface as a privileged user. Choose your SOCA Active Directory domain in the left sidebar, then select System and Password Settings Container.
Open the first policy, CustomerPSO-01.
Uncheck all settings under Password Age Options.
Finally, click OK and repeat the same operations for all other policies.