Seamless Active Directory domain logon architecture with Amazon AppStream 2.0

Amazon AppStream 2.0 now supports certificate-based authentication (CBA). CBA enables you to authenticate users with user certificates when they launch their Active Directory domain joined AppStream sessions. In this blog, I outline the benefits of CBA. The blog also provides a high-level view of the architecture of CBA with AppStream 2.0. It also shows the authentication workflow.

AppStream 2.0 with Active Directory

You can use Active Directory with AppStream 2.0 to centralize user and computer object management. With Active Directory, you can deploy consistent enterprise compliance and security policies. With Active Directory domain joined instances, you can enable file and share access, and other domain-joined resources. To access domain joined instances, there is a requirement of SAML 2.0-based user federation. When using SAML authentication without CBA, there is a second domain password prompt during user authentication. This can disrupt the user authentication flow.

Benefits of Certificate-Based Authentication with AppStream 2.0

By using CBA, you can achieve single sign-on in conjunction with the security and logon experience features of your SAML 2. 0 identity provider, such as passwordless authentication, to access AppStream 2.0 resources. Certificate-based authentication enables a single sign-on logon experience to access domain-joined desktop and application streaming sessions. Accessing resources without a second password prompt can enhance security and improve ease of use for end users.

AppStream 2.0 CBA with AWS Private Certificate Authority (Private CA)

AWS Private Certificate Authority (AWS Private CA) is a highly available, fully managed Public Key Infrastructure (PKI) service. Configuring AWS Private CA is a prerequisite to utilize AppStream 2.0 CBA. AppStream 2.0 CBA uses AWS Private CA’s recently launched short-lived certificate mode to rotate user certificates for every AppStream 2.0 session. By doing this, the AWS Private CA short-lived certificate mode allows you to align the lifetime of a user’s session credentials with a unique AppStream session and fleet instance. This can additionally improve security since certificates have a short validity period. With AppStream 2.0 CBA, no administration or user intervention is required to manage user certificates. To learn more about AWS Private CA short-lived certificate mode, please visit the AWS Private Certificate Authority User Guide.

AppStream 2.0 CBA authentication workflow

The following diagram illustrates your end-to-end user authentication flow from the initial browser request through SAML and Active Directory authentication using CBA.

1.  Navigate to the start URL for the SAML 2.0 identity provider using the Amazon AppStream 2.0 web, or native client.
2.  Authenticate to the SAML 2.0 identity provider. Authentication requirements are governed by the provider.
3. As a SAML 2.0 federated user, you are authorized to stream AppStream 2.0 resources.
4. Based on attributes in the SAML assertion, AppStream 2.0 requests and is issued a short-lived certificate from AWS Private CA, signed by the private CA root certificate.
5. AppStream 2.0 publishes the short-lived certificate to the AppStream 2.0 fleet instance.
6. AppStream 2.0 seamlessly authenticates you to Active Directory using the short-lived certificate.
7. You are signed in to your AppStream 2.0 streaming session.

Note: As a prerequisite to use CBA authentication, you must publish your private CA root certificate to your Active Directory Trusted Root Certification Authorities and Enterprise NTAuth stores.

Conclusion

In this post, you learned about the benefits of using Amazon AppStream 2.0 CBA. The key is to remove a password prompt for Active Directory domain joined AppStream 2.0 instances. I outlined the AppStream 2.0 CBA logon authentication workflow. By combining AppStream 2.0 CBA with AWS Private CA, and short-lived certificate mode you can reduce reliance on passwords and streamline the end user experience.

To learn more about how to get started with AppStream 2.0 certificate-based authentication review the administration guide for Certificate-Based Authentication.