AWS Security Blog

How to Enable Multi-Factor Authentication for AWS Services by Using AWS Microsoft AD and On-Premises Credentials

You can now enable multi-factor authentication (MFA) for users of AWS services such as Amazon WorkSpaces and Amazon QuickSight and their on-premises credentials by using your AWS Directory Service for Microsoft Active Directory directory, also known as AWS Microsoft AD. MFA adds an extra layer of protection to a user name and password (the first “factor”) by requiring users to enter an authentication code (the second factor), which has been provided by your virtual or hardware MFA solution. These factors together provide additional security by preventing access to AWS services, unless users supply a valid MFA code.

To enable MFA for AWS services such as Amazon WorkSpaces and QuickSight, a key requirement is an MFA solution that is a Remote Authentication Dial-In User Service (RADIUS) server or a plugin to a RADIUS server already implemented in your on-premises infrastructure. RADIUS is an industry-standard client/server protocol that provides authentication, authorization, and accounting management to enable users to connect network services. The RADIUS server connects to your on-premises AD to authenticate and authorize users. For the purposes of this blog post, I will use “RADIUS/MFA” to refer to your on-premises RADIUS and MFA authentication solution.

In this blog post, I show how to enable MFA for your Amazon WorkSpaces users in two steps: 1) Configure your RADIUS/MFA server to accept Microsoft AD requests, and 2) configure your Microsoft AD directory to enable MFA.

Getting started

The solution in this blog post assumes that you already have the following components running:

  1. An active Microsoft AD directory
  2. An on-premises AD
  3. A trust relationship between your Microsoft AD and on-premises AD directories

To learn more about how to set up Microsoft AD and create trust relationships to enable Amazon WorkSpaces users to use AD on-premises credentials, see Now Available: Simplified Configuration of Trust Relationship in the AWS Directory Service Console.

Solution overview

The following network diagram shows the components you must have running to enable RADIUS/MFA for Amazon WorkSpaces. The left side in the diagram (covered in Step 1 below) represents your corporate data center with your on-premises AD connected to your RADIUS/MFA infrastructure that will provide the RADIUS user authentication. The right side (covered in Step 2 below) shows your Microsoft AD directory in the AWS Cloud connected to your on-premises AD via trust relationship, and the Amazon WorkSpaces joined to your Microsoft AD directory that will require the MFA code when you configure your environment by following Step 1 and Step 2.
Network diagram

Step 1 – Configure your RADIUS/MFA server to accept Microsoft AD requests

The following steps show you how to configure your RADIUS/MFA server to accept requests from your Microsoft AD directory.

  1. Obtain the Microsoft AD domain controller (DC) IP addresses to configure your RADIUS/MFA server:
    1. Open the AWS Management Console, choose Directory Service, and then choose your Microsoft AD Directory ID link.
      Screenshot of choosing Microsoft AD Directory ID link
    2. On the Directory details page, you will see the two DC IP addresses for your Microsoft AD directory (shown in the following screenshot as DNS Address). Your Microsoft AD DCs are the RADIUS clients to your RADIUS/MFA server.
      Screenshot of the two DC IP addresses for your Microsoft AD directory
  2. Configure your RADIUS/MFA server to add the RADIUS clients. If your RADIUS/MFA server supports DNS addresses, you will need to create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each Microsoft AD DC, using the DC IP addresses you obtained in Step 1:
    1. Open your RADIUS client configuration screen in your RADIUS/MFA solution.
    2. Create one RADIUS client configuration for each Microsoft AD DC. The following are the common parameters (your RADIUS/MFA server may vary):
      • Address (DNS or IP): Type the DNS address of your Microsoft AD directory or the IP address of your Microsoft AD DC you obtained in Step 1.
      • Port number: You might need to configure the port number of your RADIUS/MFA server on which your RADIUS/MFA server accepts RADIUS client connections. The standard RADIUS port is 1812.
      • Shared secret: Type or generate a shared secret that will be used by the RADIUS/MFA server to connect with RADIUS clients.
      • Protocol: You might need to configure the authentication protocol between the Microsoft AD DCs and the RADIUS/MFA server. Supported protocols are PAP, CHAP MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the three options.
      • Application name: This may be optional in some RADIUS/MFA servers and usually identifies the application in messages or reports.
    3. Configure your on-premises network to allow inbound traffic from the RADIUS clients (Microsoft AD DCs IP addresses) to your RADIUS/MFA server port, defined in Step 1.
    4. Add a rule to the Amazon security group of your Microsoft AD directory to allow inbound traffic from the RADIUS/MFA server IP address and port number defined previously.

Step 2 – Configure your Microsoft AD directory to enable MFA

The final step is to configure your Microsoft AD directory to enable MFA. When you enable MFA, Amazon WorkSpaces that are enabled in your Microsoft AD directory will require the user to enter an MFA code along with their user name and password.

To enable MFA in your Microsoft AD directory:

  1. Open the AWS Management Console, choose Directory Service, and then choose your Microsoft AD Directory ID link.
  2. Choose the Multi-Factor authentication tab and you will see what the following screenshot shows.
    Screenshot of Multi-Factor authentication tab
  3. Enter the following values to configure your RADIUS/MFA server to connect to your Microsoft AD directory:
    • Enable Multi-Factor Authentication: Select this check box to enable MFA configuration input settings fields.
    • RADIUS server IP address(es): Enter the IP addresses of your RADIUS/MFA server. You can enter multiple IP addresses, if you have more than one RADIUS/MFA server, by separating them with a comma (for example, 192.0.0.0, 192.0.0.12). Alternatively, you can use a DNS name for your RADIUS server when using AWS CLI.
    • Port: Enter the port number of your RADIUS/MFA server that you set in Step 1B.
    • Shared secret code: Enter the same shared secret you created in your RADIUS/MFA server in Step 1B.
    • Confirm shared secret code: Reenter your shared secret code.
    • Protocol: Select the authentication protocol between the Microsoft AD DCs and the RADIUS/MFA server. Supported protocols are PAP, CHAP MS-CHAPv1, and MS-CHAPv2. I recommend MS-CHAPv2 because it provides the strongest security of the three options.
    • Server timeout (in seconds): Enter the amount of time to wait for the RADIUS/MFA server to respond to authentication requests. If the RADIUS/MFA server does not respond in time, authentication will be retried (see Max retries). This value must be from 1 to 20.
    • Max retries: Specify the number of times that communication with the RADIUS/MFA server is attempted before failing. This must be a value from 0 to 10.
  4. Choose Update directory to update the RADIUS/MFA settings for your directory. The update process will take less than two minutes to complete. When the RADIUS/MFA Status changes to Completed, Amazon WorkSpaces will automatically prompt users to enter their user name and password from the on-premises AD, as well as an MFA code at next sign-in.
    1. If you receive a Failed status after choosing the Update directory button, check the following three most common errors (if you make a change to the configuration, choose Update to apply the changes):
      1. A mismatch between the shared key provided in the RADIUS/MFA server and Microsoft AD configurations.
      2. Network connectivity issues between your Microsoft AD and RADIUS/MFA server, because the on-premises network infrastructure or Amazon security groups are not properly set.
      3. The authentication protocol configured in Microsoft AD does not match or is not supported by the RADIUS/MFA server.

Summary

In this blog post, I provided a solution overview and walked through the two main steps to provide an extra layer of protection for Amazon WorkSpaces by enabling RADIUS/MFA by using Microsoft AD. Because users will be required to provide an MFA code (and have a virtual or hardware MFA device) immediately after you complete the configuration in Step 2, be sure you test this implementation in a test/development environment before deploying it in production.

You can also configure the MFA settings for Microsoft AD using the Directory Service APIs. To learn more about AWS Directory Service, see the AWS Directory Service home page. If you have questions, please post them on the Directory Service forum.

– Peter

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.