Access to AmazonWorkspaces - amazon-workspaces

I am setting up an Amazon Workspace instance, and need to provide the user with a password to log in. The invite email only contains the registration code.
How do I set up a user password to enable the user to login into Amazon workspace only (no console access)?
I am creating an AmazonWorkspace from a custom bundle, and adding a user to Simple AD.

Individual workspaces created in Amazon WorkSpaces are assigned to, and used by, individuals who are defined in a Directory.
From Manage Directories for Amazon WorkSpaces:
Amazon WorkSpaces uses a directory to store and manage information for your WorkSpaces and users. You can use one of the following options:
AD Connector — Use your existing on-premises Microsoft Active Directory. Users can sign into their WorkSpaces using their on-premises credentials and access on-premises resources from their WorkSpaces.
Microsoft AD — Create a Microsoft Active Directory hosted on AWS.
Simple AD — Create a directory that is compatible with Microsoft Active Directory, powered by Samba 4, and hosted on AWS.
Cross trust — Create a trust relationship between your Microsoft AD directory and your on-premises domain.
If you have your own Active Directory, then use it. If you do not have Active Directory, the simplest option is to choose Simple AD, which is a Active Directory-compatible Samba service. (Charges apply)
The user is selected when the WorkSpace is created. Amazon WorkSpaces will send a registration code to the end user. The end user then uses an Amazon WorkSpaces client to connect with the service. They provide the Registration Code to configure the client (once only), then login with their AD credentials.

To set the user password for AmazonWorkspace, set user password on the WorkMail application for that user. Directory service manages users for both AmazonWorkspaces and WorkMail, and the password is shared across.
The user must exist, but can be disabled. Email address can be anything, in my case users do not use AWS email.
Users defined in IAM are not visible from AmazonWorkspaces and WorkMail. If a user has console, S3, ec2, etc.. access in addition to Workspace, they would need to be defined separately in IAM and Directory.

Related

Test the pass through authentication connection of a new website using PowerShell

I need to test the pass through authentication connection of a new website using PowerShell.
The code that I have just creates the website.
New-WebApplication -Name DLTItemAnalysis -Site 'Default Web Site' -PhysicalPath C:\inetpub\wwwroot\ApplicationFolder\ApplicationFolder -ApplicationPool ApplicationPool
Set-WebConfiguration "/system.applicationHost/sites/site[#name='Default Web Site' and #id='1']/application[#path='/Application']/VirtualDirectory[#path='/']" -Value #{userName=$ServUserName ;password= $ServUserPassword}
Is there a way to also test the user connection like the GUI has?
I am not really sure what you are asking for here. for as documented:
It is an authentication bridge and a new powerful way of cloud authentication while still keeping your passwords on-premise. It securely validates user passwords with on-premise Active Directory without the need of extra on-premise infrastructure like ADFS. Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users with a better experience - one less password to remember and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
When a user types in his user name and password on office 365 portal https://portal.office.com, office 365 service encrypt this using public key and puts it in a queue for validation, one of lightweight agent makes an outbound call from your network to retrieve the user name and password and decrypts the password using organization’s private key and validate it against local AD. Local AD sends back the resulting success or failure and it goes back to Azure portal via an agent and the user is authenticated.
So, this is nothing more than a standard Windows Kerberos auth request being redirected. So, you are only require testing for normal Windows auth.
As noted above, PTA is a communications channel, not an auth type, like basic, integrated, Kerberos, Kerberos(required), etc. For a target to validate a specific auth type, the target has to be configured for it. There is not PTA auth type as noted above that you can configure on a target.
Microsoft's PTA Video
User sign-in with Azure Active Directory Pass-through Authentication
What is Azure Active Directory Pass-through Authentication? Azure
Active Directory (Azure AD) Pass-through Authentication allows your
users to sign in to both on-premises and cloud-based applications
using the same passwords. This feature provides your users a better
experience - one less password to remember, and reduces IT helpdesk
costs because your users are less likely to forget how to sign in.
When users sign in using Azure AD, this feature validates users'
passwords directly against your on-premises Active Directory

Using DB2 on Windows 10 computer with PIN instead of password (Azure AD accounts)

I'm new to DB2 database. I installed DB2 Express-C on my local machine (Windows 10) to play with it, and I created a sample database.
If I understand correctly, DB2 uses Windows accounts for access to database. The installation created a db2admin user, but this one does not have access to the sample database. So my understanding is that my Windows account has access to this database.
So here is the problem. My company uses Azure Active Directory accounts, using Windows Hello to log in - that means, using a PIN to log in instead of a password (meaning my password does not work for login). However, if I want to connect to the database, I need to do this with my account's password. How can I do this? Do I need to create a local account on my machine instead of using Azure account?
If you are able to create a local-user on your workstation, and assign it a password, and ensure it is a member of local groups DB2USERS (and optionally) DB2ADMNS if those local-groups exist, that is likely to be the easiest option.
You may need to have Windows local-administrative rights to be able to perform those actions.
You can then connect to any local Db2-databases with that local-account and its password (regardless of how you sign-in to Windows).
If you allowed Db2-installation to create local user db2admin (and give it a password) then that local-account is also able to connect to local Db2-databases, including the SAMPLE database. So it's unclear why you write that db2admin account does not have access to SAMPLE database. As long as db2admin has a valid password then that account can connect to SAMPLE if all default settings are active.
Db2-LUW is able to integrate with Active-Directory provided pre-requisites are met and special configuration is performed, see documentation. But unless you have special security plugins for Db2, then any account that wants to connect to local Db2-databases will need a password. With special security plugins, other forms of authentication are possible.
Windows 10 Azure account login gives license to only one user to access windows account. If you login with db2admin in your windows you might lost azure account I am facing such issues.
Better to communicate with IT team of your company and ask to provide DB2ADMN right to your Azure login user. DB2 install properly but not able to create database permission/authorization issue coming.

Add User to Visual Studio Team Services (Previously Visual Studio Online)

On the Users tab I'm trying to add a new user but the prompt says "Select user from directory" and when typing an email address to invite it just says "No identities found". This is a newly created account with default settings not linked to any azure subscription.
The settings show Allow External Guest Access which I assume should allow any microsoft account to be invited.
According to the screenshot you provided, your VSTS account is backed by an Azure Active Directory which requires that all users are directory members before they can get access to your Team Services account. So you need to add the user to your AAD first.
"External guest access" is used for external users who are added as guests through Office 365 or added using B2B collaboration by your Azure AD administrator.
Q: Can I control access to my Team Services account for external users in the connected directory?
A: Yes, but only for external users who are added as guests through
Office 365 or added using B2B collaboration by your Azure AD
administrator. These external users are managed outside the connected
directory. To learn more, contact your Azure AD administrator. The
setting below doesn't affect users who are added directly to your
organization's directory.
Refer to this link for more information: Team Services: Access with Azure Active Directory (Azure AD).

How to authorize clients in non-default directory to KeyVault

I created a KeyVault in my Azure subscription and a client application in one of my Azure AD directories. However, the client application is not registered in the default directory of the subscription.
When I run the following PowerShell cmdlet, it tries to look up the service principal in the default directory of the subscription and fails to find it.
PS > Set-AzureKeyVaultAccessPolicy -VaultName <vaultname>
-ServicePrincipalName <principal guid> -PermissionsToSecrets Get
I found an article describing how to change the default directory for a subscription in the management portal, but was wondering how to do the same using PowerShell.
The 'Select-AzureSubscription' cmdlet does not seem to support changing the default directory.
Nor does the 'Set-AzureKeyVaultAccessPolicy' support a parameter to indicate in which directory it should look.
Key Vault can only authorize applications (clients) registered in the directory associated with the Azure subscription, and the only way (currently) to change the 'home' directory associated with a subscription is through the Azure management portal.
I would imagine this is as designed behaviour, and can't imagine how / why it would change.
An Azure subscription has an Azure Active Directory attached to it, this is the directory it will use to authenticate against whenever someone tries to access resources.
While you can create trusts to other Active Directories simply creating an new AAD does not automatically enable that domain to be trusted by Azure.
Key Vault is designed to only be accessible to authenticated users, it is designed to provide secure data to those users. Since there is no authentication mechanism between the multiple directories you have created, there is no mechanism for Key Vault to determine who those directories belong to.
Key Vault needs to resolve a service principle through the Active Directory attached to the subscription it is running under (whether that is directly through that directory, or through another domain that it trusts). Anything else would create additional attack vectors and considerably weaken the product.

TFS 2010 Build agent not starting

My build agents are not starting after I change the properties credentials to the domain account from the network service. I done this because the network service account cannot write to my drop folder.
Each time I add the network service to the drop folder share, it appears then disappears.
http://msdn.microsoft.com/en-us/library/bb778394.aspx I followed this but some steps are different, i have xp and it doesn't show the share tab so i go through security tab
So I guess I'm asking two questions here;
Agents are not starting after changing credentials.
Network service not able to write to the drop folder.
Thanks in advance
Yes, Network Service won't have permissions to write to a drop location. That's pretty standard. You need to be using a domain account.
The TFS Build Service will need to run as a domain user so it can write to the drop location.
The domain account for the build agent will need to be in the TFS Project Collection group for build service accounts (internal to TFS). I can't remember what it's actually called but you need to be a collection administrator to update it.
The domain account will also need some login as batch/service permissions but that should be done automatically when you reconfigure the service. Do you use the TFS Admin console to reconfigure the agent or did you just set the credentials on the service? (You should use the TFS Admin console).