Posted On: Dec 22, 2016

It is now possible to use on-premises Active Directory (AD) user accounts with AWS applications such as Amazon QuickSight Enterprise Edition by using AD interforest trusts in AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also called Microsoft AD. The new Microsoft AD interforest trust features simplify directory service configuration for on-premises AD user accounts, simplify the end-user login experience, and enable simultaneous use of AWS applications and Windows workloads with Microsoft AD.

In the past, AWS applications required AD Connector in order to authenticate on-premises AD user accounts. Administrators had to configure an AD Connector directory for each on-premises AD domain that contained user accounts, and in large deployments, administrators might have had to configure dozens of AD Connector directories. The AD Connector model also required administrators to distribute links to end users so that the login process went through the right AD Connector. If a user received the wrong login link, they could not log in, even if they provided the right user name and password. In addition, AD Connector does not support authentication for Amazon RDS SQL Server or other Windows workloads in the AWS Cloud. These constraints made it difficult to configure and administer the use of on-premises AD with AWS applications and Windows workloads in the AWS Cloud.

With the new interforest trust features, administrators can configure a single trust between Microsoft AD and an on-premises directory to authenticate users for access to AWS applications, and use the same Microsoft AD directory with Amazon RDS SQL Server and Windows workloads. Logging in to AWS applications is easier and less error prone because all users share a single link to each application. For AWS applications such as Amazon QuickSight that integrate with interforest trust authentication, Microsoft AD automatically discovers and routes authentication to the correct domain controller, so end users do not have to remember their domain name. Interforest trust login reduces the number of endpoints to configure, reduces the number of links to distribute, simplifies the login process for end users, and allows you to use the same directory to support AWS applications and Windows workloads in the AWS Cloud.

To take advantage of interforest trust login, AWS applications require an update to provision on-premises users through the Microsoft AD interforest trust. This support is available now in Amazon QuickSight Enterprise Edition, with more supported applications to follow. To learn more about Microsoft AD, visit the AWS Directory Service home page.