Desktop and Application Streaming

Integrating Dropbox for persistent user data storage in Amazon AppStream 2.0

Amazon AppStream 2.0 is a fully managed, non-persistent application and desktop streaming service. Each time you launch an AppStream 2.0 session, a freshly built, pre-provisioned instance is provided, using a prebuilt image. As soon as you close your session and the disconnect timeout period is reached, the instance is terminated.

Amazon AppStream 2.0 users can store and retrieve files between their application streaming sessions. AppStream 2.0 supports home folders backed by Amazon S3, Google Drive for G Suite, and Microsoft OneDrive for Business.

In this post, we show you how to allow seamless access to Dropbox storage from your AppStream 2.0 sessions.

This solution uses Active Directory Federation Services (AD FS). You sign in to Dropbox once by entering the link code generated by the Dropbox app. For subsequent sessions, Dropbox authenticates you automatically without requiring a link code.

Prerequisites

  • An AppStream 2.0 fleet joined to an Active Directory domain
  • A current Dropbox Advanced or Enterprise subscription
  • An AppStream 2.0 stack with application settings persistence enabled
  • Active Directory users whose email address attribute matches the email address used in Dropbox
  • Active Directory Federation Services (AD FS) installed and configured to provide single sign-on (SSO) federation (AD FS version 3.0 or later)
  • Dropbox connected to AD FS for single sign-on
  • The AD FS certificate (.cer) for the Dropbox configuration exported and available
  • An Active Directory test account to help validate the configuration

Solution overview

This solution uses Windows Integrated Authentication (WIA). WIA uses the Kerberos token issued when a domain user logs in to a streaming instance to authenticate to AD FS.

Authentication workflow

1. You access the Dropbox client app within the streaming session using your email address.
2. The email address is verified against the Dropbox team account.
3. Dropbox recognizes that SSO is enabled on your account and makes a SAML request to AD FS.
4. Your session token is validated against Active Directory.
5. AD FS issues a SAML assertion to the Dropbox SAML endpoint for authorization.
6. You are granted access to Dropbox, and the link code is issued to complete the sign-in process.

For subsequent logins, no link code is generated, and you are authenticated to Dropbox automatically.

Step 1: Install the Dropbox client on the AppStream 2.0 image builder

1. Launch an image builder.
2. Connect to the image builder as Administrator.
3. Download the Dropbox installer for Windows. For additional information, review the Dropbox article Install Dropbox for all team members.
4. To install the Dropbox app, run the following command in PowerShell:
PS C:\> & '.\Dropbox <version> offline Installer.exe' /NOLAUNCH
5. Disable Internet Explorer Enhanced Security Configuration.
6. Open Image Assistant and add the Dropbox client as an application.
7. Follow the default options to test the application in Image Assistant and create the image.
Note: During the optimization process, do not log in to Dropbox.
8. Create a fleet using the image, and create a stack using the fleet.

Step 2: Configure AD FS for Windows Integrated Authentication

1. For AD FS 4.0:

a. Open the AD FS console, then navigate to Authentication Methods.
b. For Primary authentication methods, choose Edit.
c. On the Primary authentication tab, in the Extranet section, select only Forms Authentication.
d. On the Primary authentication tab, in the Intranet section, select only Windows Authentication.
e. Choose Apply, and then OK.
f. Restart the AD FS service.

2. For AD FS 3.0:

a. Open the AD FS console, then navigate to Authentication Policies.
b. Choose Edit Global Primary Authentication.
c. Under Primary Authentication -> Global Settings -> Authentication Methods, choose Edit.
d. In the Extranet section, select only Forms Authentication.
e. In the Intranet section, select only Windows Authentication.
f. Choose Apply, and then OK.
g. Restart the AD FS service.

3. Create AD FS service principal names

For Windows Integrated Authentication to work with AD FS, create service principal names (SPNs). An SPN associates the AD FS federation service name with the account the service runs as, so that clients can request a Kerberos ticket for the service without knowing the login account name.

a. As a domain administrator, run the following commands to create two SPNs: one for the fully qualified name and one for the short name. Replace federation with the short host name of the federation service and federation.mydomain.com with its fully qualified host name. Replace adfssvc with the service account that runs the AD FS service.

setspn -s HTTP/federation adfssvc
setspn -s HTTP/federation.mydomain.com adfssvc

b. To verify the registered SPNs, run the following command.

setspn -L adfssvc

Output example:

Registered ServicePrincipalNames for CN=AD FS,OU=users,DC=federation,DC=mydomain,DC=com:
host/federation.mydomain.com
http/federation
http/federation.mydomain.com
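As an added check that is not part of the original post, the following PowerShell script applies the Step 2 settings and verifies them: it sets the AD FS primary authentication providers, then registers the two SPNs only after confirming that no other account in the forest already holds them, because a duplicate SPN leaves the KDC unable to choose a key and Kerberos (and therefore WIA) silently fails. It assumes the AD FS and ActiveDirectory PowerShell modules are available on the federation server, the placeholder names federation, federation.mydomain.com and adfssvc from the post, and that adfssvc is a standard user account as in the setspn -L output above.

```powershell
# Added example, not from the original post. Placeholder names from the post;
# replace them with your federation service host names and AD FS service account.
$ServiceAccount = 'adfssvc'
$ExpectedSpns   = @('HTTP/federation', 'HTTP/federation.mydomain.com')

Import-Module ADFS
Import-Module ActiveDirectory

# Step 2.1/2.2: Windows (Kerberos) authentication only on the intranet, Forms only on the extranet.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication' `
    -PrimaryExtranetAuthenticationProvider 'FormsAuthentication'
Restart-Service -Name adfssrv

$policy = Get-AdfsGlobalAuthenticationPolicy
if (($policy.PrimaryIntranetAuthenticationProvider -join ',') -ne 'WindowsAuthentication' -or
    ($policy.PrimaryExtranetAuthenticationProvider -join ',') -ne 'FormsAuthentication') {
    throw "AD FS primary authentication providers are not set as expected:`n$($policy | Out-String)"
}

# Step 2.3: register each SPN, refusing to create a duplicate. A second account holding
# the same SPN breaks Kerberos for the service, so fail loudly instead of registering.
foreach ($spn in $ExpectedSpns) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $ServiceAccount })
    if ($others.Count -gt 0) {
        throw "SPN $spn is already registered on: $($others.DistinguishedName -join '; ')"
    }
    if ($holders.Count -eq 0) {
        # setspn -s also checks the forest for duplicates before adding (unlike -a)
        setspn -s $spn $ServiceAccount | Out-Null
    }
}

# Verify: every expected SPN must now be on the service account (same data setspn -L shows).
$registered = @((Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName)
$missing    = @($ExpectedSpns | Where-Object { $registered -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Missing SPNs on ${ServiceAccount}: $($missing -join ', ')"
}
Write-Output "AD FS WIA prerequisites verified for $ServiceAccount"
$registered
```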

Step 3: Configure browsers for Windows Integrated Authentication using Group Policy

a. As an administrator, open the Group Policy Management Console. Create a new Group Policy Object (GPO) or edit an existing GPO.
Note: Make sure that this group policy is applied to the OU where your AppStream 2.0 fleet instances reside.
b. Select Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel, and choose Security Page.
c. In the details pane, choose Site to Zone Assignment List.
d. In the Site to Zone Assignment List Properties dialog box, choose Enabled.
e. Under Enter the zone assignments here, choose Show.
f. In Show Contents:

– Enter the AD FS URL of the SAML SSO service in Value name (for example, https://federation.mydomain.com) and map it to value 1. Value 1 indicates the Local intranet zone.

– Then enter the Dropbox URL, https://www.dropbox.com, and map it to value 2. Value 2 indicates the Trusted sites zone. An example screenshot follows.

g. In the Show Contents dialog box, choose OK.
h. In the Site to Zone Assignment List dialog box, choose OK.
i. In the Group Policy Management Editor, choose Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Intranet Zone.
j. In the details pane, choose Logon options.
k. In the Logon Options Properties dialog box, choose Enabled.
l. In the Logon options list, select Automatic logon only in Intranet zone, then choose OK.
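As an added verification that is not part of the original post, the following PowerShell script, run on a domain-joined fleet instance or image builder after the policy has been refreshed, reads the registry locations that the two Step 3 policy settings populate and confirms that the AD FS URL is in the Local intranet zone, Dropbox is in Trusted sites, and the intranet zone logs on automatically; it then requests a Kerberos ticket for the AD FS SPN to prove the whole chain (DNS name, SPN, ticket issuance) works. The URLs are the post's placeholders; the registry paths and the 1A00 value are the documented Internet Explorer zone policy locations.

```powershell
# Added example, not from the original post. Run on a domain-joined AppStream 2.0
# fleet instance or image builder after gpupdate /force. Replace the placeholder host.
$AdfsUrl    = 'https://federation.mydomain.com'
$DropboxUrl = 'https://www.dropbox.com'

# Policy-backed registry locations written by the two settings configured in Step 3:
#   Site to Zone Assignment List  -> ZoneMapKey (REG_SZ values: URL -> zone number)
#   Intranet Zone "Logon options" -> Zones\1\1A00 (REG_DWORD)
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey  = Join-Path $PolicyRoot 'ZoneMapKey'
$IntranetKey = Join-Path $PolicyRoot 'Zones\1'
$AutoLogonIntranetOnly = 0x20000   # 1A00 data for "Automatic logon only in Intranet zone"

function Test-ZoneAssignment {
    param([string]$Url, [string]$ExpectedZone)
    $zone = (Get-ItemProperty -Path $ZoneMapKey -ErrorAction SilentlyContinue).$Url
    if ($zone -ne $ExpectedZone) {
        Write-Warning "$Url is in zone '$zone', expected $ExpectedZone"
        return $false
    }
    return $true
}

$ok = $true
# AD FS must be Local intranet (1): that is the only zone where the logon option below
# presents the Kerberos ticket without prompting. Dropbox itself only needs Trusted sites (2).
$ok = (Test-ZoneAssignment -Url $AdfsUrl    -ExpectedZone '1') -and $ok
$ok = (Test-ZoneAssignment -Url $DropboxUrl -ExpectedZone '2') -and $ok

$logon = (Get-ItemProperty -Path $IntranetKey -ErrorAction SilentlyContinue).'1A00'
if ($logon -ne $AutoLogonIntranetOnly) {
    Write-Warning ("Intranet zone logon option is '{0}', expected 0x{1:X}" -f $logon, $AutoLogonIntranetOnly)
    $ok = $false
}

# End-to-end check: ask the KDC for a service ticket for the SPN the browser will request.
# This fails if the SPN is missing, duplicated, or the URL host does not match the SPN host.
$spnHost = ([uri]$AdfsUrl).Host
$ticket  = (& klist get "HTTP/$spnHost" 2>&1) -join ' '
if ($ticket -notmatch [regex]::Escape("HTTP/$spnHost")) {
    Write-Warning "No Kerberos ticket obtained for HTTP/${spnHost}: $ticket"
    $ok = $false
}

if ($ok) { Write-Output 'WIA browser configuration verified' } else { exit 1 }
```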

Step 4: Configure Dropbox SSO options in the admin console

a. Log in to the Dropbox web console as an administrator.
b. Choose Settings -> Authentication -> Single sign-on (this option is only available for Dropbox Advanced or Enterprise subscriptions).
c. On the Single sign-on page, configure the following settings:

– Single sign-on option = Required
– Identity provider sign-in URL = the AD FS URL that points to Dropbox.
For example:
https://federation.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=Dropbox
Replace federation.mydomain.com with your federation domain name.
– Identity provider sign-out URL = optional.
– X.509 certificate = upload the AD FS certificate (.cer) that you exported as a prerequisite.

Step 5: Invite an Active Directory user from the Dropbox console

In this step, you invite a test user to join the Dropbox team as a member. Make sure the team member's email address is populated on the corresponding Active Directory user account. If the email address is not populated on the Active Directory user, authentication to Dropbox is not possible.

a. From the Dropbox admin console, choose Members.
b. Choose Invite members. Provide the email address associated with the test Active Directory user, using Invite with an email. Send the invites.
c. Your test user receives an invitation email from Dropbox.
d. The email contains a Join your team link. Choose the link. It opens a browser session and asks you to enter a first name and last name, then choose Create account.
Note: An Active Directory user is mapped to a Dropbox user via their email address.
e. Choose Create account on the Dropbox invitation page.
f. Enter the test account's User Principal Name (UPN) (for example, test1@mydomain.com) and password. Choose Submit.
g. After successful authentication, the Dropbox welcome message is displayed.

Step 6: Validate the Dropbox configuration on the first login to an AppStream 2.0 session

In this step, log in to the streaming session, launch the Dropbox app for the first time, and validate user access with a link code.

a. Log in to the AppStream 2.0 streaming session and launch the Dropbox application.
b. Enter the email address associated with the Active Directory user who has authenticated. As soon as you enter the email address, Dropbox shows that the user is single sign-on enabled (refer to the following screenshot).
c. Choose Get your link code in the Dropbox application.
d. This launches the service provider initiated single sign-on. Dropbox returns a link code on successful authentication.

e. Choose Copy link code, paste it into the Dropbox application, and submit the code. This signs the user in to Dropbox.
This is a one-time validation for the first login to an AppStream 2.0 streaming session. For subsequent sessions, Dropbox authenticates the user automatically without requiring credentials.

To remove the resources created in this blog:

  • Stop and delete the fleets that use the image or images you created for testing.
  • Delete the image builder instances that have Dropbox installed.
  • Delete the images you created using Image Assistant.
  • If you created EC2 instances for setting up AD FS, Active Directory, or a certificate authority, terminate them if they are no longer needed.

Conclusion

In this blog, you configured AD FS settings so that Dropbox users have a single sign-on experience in an AppStream 2.0 streaming session.

You can use this configuration method to let users sign in to the Dropbox client during their first streaming session and generate a link code. After the link code is validated, users have a single sign-on experience in subsequent AppStream 2.0 sessions. To remove a single point of failure, we recommend placing the AD FS farm nodes in different Availability Zones.

About the Authors

Mulalo Matamela is a Cloud Support Engineer for Amazon Web Services based in Cape Town. He has been working with the AWS Cloud for more than four years and is passionate about ADFS, SAML, identities and automation. In his spare time he enjoys spending time with his family.

Muni Doddala is a Solutions Architect with AWS’s Higher Education team. He has been working with the AWS Cloud for more than seven years and enjoys working with customers to understand the customer’s challenges and collaborating with the customer to build optimal solutions. Outside of work, he enjoys travel and the outdoors.