

# AWS Private CA Connector for Active Directory
<a name="connector-for-ad"></a>

AWS Private CA can issue and manage certificates required by AWS Managed Microsoft AD. Using the AWS Private CA Connector for Active Directory (Connector for AD), you can replace on-premises enterprise or other third-party CAs with a managed private CA that you own, providing certificate enrollment to users, groups, and machines that are managed by your AD.

You can use the Connector for AD with AWS Managed Microsoft AD to eliminate on-premises infrastructure by migrating your AD and public key infrastructure to the cloud. For customers looking to use AWS Private CA with their on-premises AD, this feature also integrates with AWS Managed Microsoft AD Connector.

**Topics**
+ [Are You a First-Time Connector for AD User?](#first-time-user)
+ [Set up Connector for AD](connector-for-ad-getting-started-prerequisites.md)
+ [Get started with AWS Private CA Connector for Active Directory](connector-for-ad-getting-started.md)
+ [AWS Private CA connectors for Active Directory](connector-for-ad-procedures.md)
+ [Integrating Connector for AD into event-driven applications using Amazon EventBridge](eventbridge-integration.md)
+ [Troubleshoot issues with AWS Private CA Connector for Active Directory](troubleshoot-connector-ad.md)

## Are You a First-Time Connector for AD User?
<a name="first-time-user"></a>

If you are a first-time user of Connector for AD, we recommend that you begin by reading the following sections:
+ [What is AWS Private CA?](PcaWelcome.md)
+ [What is Directory Service?](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html)

### Access Connector for AD
<a name="acessing-connector-for-ad"></a>

You can access Connector for AD through the console, AWS CLI, and APIs. In the console, you can reach the connector from the AWS Private CA console, from the Directory Service console, or by searching for Connector for AD in the AWS Management Console search bar.

### Pricing
<a name="pricing-for-connector-for-ad"></a>

Connector for AD is offered as a feature of AWS Private CA at no additional cost. You only pay for the private certificate authorities and the certificates you issue through them.

For the latest AWS Private CA pricing information, see [AWS Private Certificate Authority Pricing](https://aws.amazon.com/private-ca/pricing/). You can also use the [AWS pricing calculator](https://calculator.aws/#/createCalculator/certificateManager) to estimate costs. 

# Set up Connector for AD
<a name="connector-for-ad-getting-started-prerequisites"></a>

The steps in this section are prerequisites to using Connector for AD. It assumes that you've already created an AWS account. After you complete the steps on this page, you can get started with creating a connector for AD.

## Step 1: Create a private CA using AWS Private CA
<a name="prereq-pca"></a>

Set up a private certificate authority (CA) for issuing certificates to your directory objects. For more information, see [Certificate authorities in AWS Private CA](creating-managing.md).

The private CA must be in the `Active` state to create a Connector for AD. The private CA's subject name must include a common name. Connector creation will fail if you try to create a connector using a private CA without a common name. 

## Step 2: Set up an Active Directory
<a name="prereq-msad"></a>

In addition to a private CA, you need an active directory in a virtual private cloud (VPC). Connector for AD supports the following directory types offered by Directory Service:
+ [AWS Managed Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad): With Directory Service you can run Microsoft Active Directory (AD) as a managed service. AWS Directory Service for Microsoft Active Directory, also referred to as AWS Managed Microsoft AD, is powered by Windows Server 2019. With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications.
+ [Active Directory Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector): AD Connector is a directory gateway that can redirect directory requests to your on-premises Microsoft Active Directory, without caching any information in the cloud. AD Connector supports connecting to a domain hosted on Amazon EC2.

## (Active Directory Connector only) Step 3: Delegate permissions to service account
<a name="prereq-sa"></a>

**Note**  
If you are using AWS Managed Microsoft AD the additional permissions are delegated automatically when you authorize the Connector for AD service with your directory. You can skip this prerequisite step.

When using the Directory Service AD Connector, you need to delegate additional permissions to the service account. Set an access-control list (ACL) on the service account that grants it the ability to:
+ Add and remove a Service Principal Name (SPN) to itself
+ Create and update certification authorities in the following containers:

  ```
  #containers
  CN=Public Key Services,CN=Services,CN=Configuration
  CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration
  CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration
  ```
+ Create and update an NTAuthCertificates Certification Authority (CA) object. Note: if the NTAuthCertificates CA object exists, then you must delegate permissions for it. If the object does not exist, then you must delegate the ability to create child objects on the Public Key Services container.

  ```
  #objects
  CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration
  ```

The PowerShell script available in the official [Connector for Active Directory repository](https://github.com/aws-samples/sample-aws-privateca-connector-for-active-directory) can be used to delegate the additional permissions required for the Directory Service AD Connector service account.

This script creates the NTAuthCertificates certification authority object.

For the latest version of the script and usage details, refer to the README in the [GitHub repository](https://github.com/aws-samples/sample-aws-privateca-connector-for-active-directory).

## Step 4: Create IAM Policy
<a name="prereq-iam"></a>

To create a connector for AD, you need an IAM policy that allows you to create connector resources, share your private CA with the Connector for AD service, and authorize the Connector for AD service with your directory.

This is an example of a user managed policy:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "pca-connector-ad:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "acm-pca:DescribeCertificateAuthority",
                "acm-pca:GetCertificate",
                "acm-pca:GetCertificateAuthorityCertificate",
                "acm-pca:ListCertificateAuthorities",
                "acm-pca:ListTags",
                "acm-pca:PutPolicy"                
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "acm-pca:IssueCertificate",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V*"
                },
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": "pca-connector-ad.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [ 
                "ds:AuthorizeApplication",
                "ds:DescribeDirectories",
                "ds:ListTagsForResource",
                "ds:UnauthorizeApplication",
                "ds:UpdateAuthorizedApplication"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags",
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "arn:*:ec2:*:*:vpc-endpoint/*"
        }
    ]
}
```

------

Connector for AD requires additional AWS RAM permissions, for both console and command line use.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ram:CreateResourceShare",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "ram:Principal": "pca-connector-ad.amazonaws.com",
                    "ram:RequestedResourceType": "acm-pca:CertificateAuthority"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:GetResourcePolicies",
                "ram:GetResourceShareAssociations",
                "ram:GetResourceShares",
                "ram:ListPrincipals",
                "ram:ListResources",
                "ram:ListResourceSharePermissions",
                "ram:ListResourceTypes"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Step 5: Share your private CA with Connector for AD
<a name="prereq-share-pca"></a>

You will need to share your private CA with the Connector for AD service by using AWS Resource Access Manager service principal sharing.

When you create a connector in the AWS console, the resource share is automatically created for you.

When you create a resource share using the AWS CLI, you will use the AWS RAM **create-resource-share** command.

The following command creates a resource share:

```
$  aws ram create-resource-share \
    --region us-east-1 \
    --name MyPcaConnectorAdResourceShare \
    --permission-arns arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority \
    --resource-arns arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
    --principals pca-connector-ad.amazonaws.com \
    --sources account
```

The service principal that calls CreateConnector has certificate issuance permissions on the PCA. To prevent service principals that use Connector for AD from having general access to your AWS Private CA resources, restrict their permissions using `CalledVia`.
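As an added example (not part of the page and not the service's own code), the following Python check reviews an IAM policy document for the restriction just described: any Allow of `acm-pca:IssueCertificate` (wildcards included) must carry both the `aws:CalledVia` condition and the template ARN condition from the Step 4 policy. The sample policy is constructed for the example, with one scoped statement and one unscoped statement that the check is expected to flag.

```python
import json
from fnmatch import fnmatchcase

CONNECTOR_PRINCIPAL = "pca-connector-ad.amazonaws.com"
ALLOWED_TEMPLATE_ARN = "arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V*"

# Constructed sample: the page's scoped IssueCertificate statement next to an
# unscoped variant (constructed for this example) that a reviewer should flag.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ScopedIssuance",
      "Effect": "Allow",
      "Action": "acm-pca:IssueCertificate",
      "Resource": "*",
      "Condition": {
        "ArnLike": {"acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V*"},
        "ForAnyValue:StringEquals": {"aws:CalledVia": "pca-connector-ad.amazonaws.com"}
      }
    },
    {
      "Sid": "UnscopedIssuance",
      "Effect": "Allow",
      "Action": ["acm-pca:Issue*"],
      "Resource": "*"
    },
    {
      "Sid": "ReadOnly",
      "Effect": "Allow",
      "Action": ["acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificate"],
      "Resource": "*"
    }
  ]
}
""")


def as_list(value):
    """IAM accepts either a single string or a list in Action and condition values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def grants_issue_certificate(statement):
    """True if an Allow statement matches acm-pca:IssueCertificate, wildcards included."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("acm-pca:issuecertificate", action.lower())
               for action in as_list(statement.get("Action")))


def condition_values(condition, operators, key):
    """Collect the values of `key` under any of the given condition operators.
    Operator and key names are compared case-insensitively, as IAM does."""
    found = []
    for operator, block in condition.items():
        if operator.lower() in operators and isinstance(block, dict):
            for k, v in block.items():
                if k.lower() == key.lower():
                    found.extend(as_list(v))
    return found


def find_unscoped_issuance(policy):
    """Return (Sid, [problems]) for every Allow of acm-pca:IssueCertificate that is
    not limited to calls made via the connector service with the expected template."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if not grants_issue_certificate(stmt):
            continue
        cond = stmt.get("Condition") or {}
        via = condition_values(cond, {"foranyvalue:stringequals", "stringequals"}, "aws:CalledVia")
        tpl = condition_values(cond, {"arnlike", "arnequals"}, "acm-pca:TemplateArn")
        problems = []
        if CONNECTOR_PRINCIPAL not in via:
            problems.append("no aws:CalledVia restriction to " + CONNECTOR_PRINCIPAL)
        if ALLOWED_TEMPLATE_ARN not in tpl:
            problems.append("no acm-pca:TemplateArn restriction to the connector template")
        if problems:
            findings.append((stmt.get("Sid", f"Statement[{idx}]"), problems))
    return findings


if __name__ == "__main__":
    for sid, problems in find_unscoped_issuance(SAMPLE_POLICY):
        print(f"{sid}: {'; '.join(problems)}")
```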

## Step 6: Create directory registration
<a name="prereq-directory-permission"></a>

You authorize the Connector for AD service with your directory so the connector can communicate with your directory. To authorize the Connector for AD service, you create a directory registration. For more information on creating a directory registration, see [Manage directory registrations](directory-registration.md).

## Step 7: Configure security groups
<a name="prereq-security-groups"></a>

Communication between your VPC and the Connector for AD connector is through AWS PrivateLink, which requires one or more security groups with inbound rules that open TCP port 443 on your VPC. You will be asked for this security group when you create a connector. You can specify the source as custom and select your VPC's CIDR block. You can choose to restrict this further (for example, to a specific IP address, CIDR block, or security group ID).

## Step 8: Configure network access for directory objects
<a name="prereq-network-access-for-directory-objects"></a>

Directory objects require public internet access to validate Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs) from the following domains:

```
*.windowsupdate.com
*.amazontrust.com
```

Minimum required access rules:
+  Required for OCSP and CRL communication: 

  ```
  TCP 80: (HTTP) to 0.0.0.0/0
  ```
+  Required for Connector for AD: 

  ```
  TCP 443: (HTTPS) to 0.0.0.0/0
  ```
+  Required for Active Directory: 

  ```
  TCP 88: (Kerberos) to Domain Controller IP range
  TCP/UDP 389/636: (LDAP/LDAPS) to Domain Controller IP range, depending on Domain Controller configuration
  TCP/UDP 53: (DNS) to 0.0.0.0/0
  ```

If the devices do not have public internet access, certificate issuance will fail intermittently with the error code `WS_E_OPERATION_TIMED_OUT`.

**Note**  
If you are configuring a security group for an Amazon EC2 instance, it does not have to be the same one in Step 7.
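As an added example (not part of the page), the following Python check compares a security group's egress rules against the minimum access rules listed above and reports what is missing. The rules are in the `IpPermissionsEgress` shape that EC2 `describe-security-groups` returns; the sample rule set is constructed for the example, and treating 389 and 636 as alternatives reflects the "depending on Domain Controller configuration" wording above.

```python
# Minimum egress from the page, expressed as requirements:
# (label, protocol, acceptable ports, must reach the internet).
# 389 and 636 are alternatives: which applies depends on the domain controllers.
REQUIRED_EGRESS = [
    ("HTTP for OCSP/CRL", "tcp", {80}, True),
    ("HTTPS for Connector for AD", "tcp", {443}, True),
    ("Kerberos to domain controllers", "tcp", {88}, False),
    ("LDAP/LDAPS to domain controllers (TCP)", "tcp", {389, 636}, False),
    ("LDAP/LDAPS to domain controllers (UDP)", "udp", {389, 636}, False),
    ("DNS (TCP)", "tcp", {53}, True),
    ("DNS (UDP)", "udp", {53}, True),
]

# Constructed sample in the IpPermissionsEgress shape: HTTPS and DNS open to the
# internet, Kerberos to the DC subnet, but no HTTP and no LDAP/LDAPS at all.
SAMPLE_EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def reaches_internet(rule):
    """A rule reaches the public internet if it targets 0.0.0.0/0 (or ::/0 for dual-stack)."""
    if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
        return True
    return any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))


def rule_allows(rule, protocol, port, to_internet):
    """True if one egress rule permits `protocol`/`port` to the required destination."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto != "-1":  # "-1" means all protocols and all ports
        if proto != protocol:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    if to_internet:
        return reaches_internet(rule)
    # Domain-controller traffic only needs some destination (CIDR, SG, or prefix list).
    return bool(rule.get("IpRanges") or rule.get("Ipv6Ranges")
                or rule.get("UserIdGroupPairs") or rule.get("PrefixListIds"))


def missing_egress(egress_rules):
    """Labels of requirements that no rule satisfies; an empty list means the minimum is covered."""
    missing = []
    for label, proto, ports, to_internet in REQUIRED_EGRESS:
        if not any(rule_allows(r, proto, p, to_internet)
                   for r in egress_rules for p in ports):
            missing.append(label)
    return missing


if __name__ == "__main__":
    for label in missing_egress(SAMPLE_EGRESS):
        print("missing:", label)
```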

# Get started with AWS Private CA Connector for Active Directory
<a name="connector-for-ad-getting-started"></a>

With AWS Private CA Connector for Active Directory, you can issue certificates from your private CA to your Active Directory objects for authentication and encryption. When you create a connector, AWS Private Certificate Authority creates an endpoint for you in your VPC for your directory objects to request certificates.

To issue certificates, you create a connector and AD-compatible templates for the connector. When you create a template, you can set enrollment permissions for your AD groups.



**Topics**
+ [Before you begin](#connector-for-ad-before-you-begin)
+ [Step 1: Create a connector](#connector-for-ad-getting-started-step1)
+ [Step 2: Configure Microsoft Active Directory policies](#connector-for-ad-getting-started-step2)
+ [Step 3: Create a template](#connector-for-ad-getting-started-step3)
+ [Step 4: Configure Microsoft group permissions](#connector-for-ad-getting-started-step4)

## Before you begin
<a name="connector-for-ad-before-you-begin"></a>

The following tutorial guides you through the process of creating a connector for AD and a connector template. To follow this tutorial, you must first fulfill the prerequisites listed in [Set up Connector for AD](connector-for-ad-getting-started-prerequisites.md).

## Step 1: Create a connector
<a name="connector-for-ad-getting-started-step1"></a>

To create a connector, see [Creating a connector for Active Directory](create-connector-for-ad.md). 

## Step 2: Configure Microsoft Active Directory policies
<a name="connector-for-ad-getting-started-step2"></a>

Connector for AD is unable to view or manage the customer's group policy object (GPO) configuration. The GPO controls the routing of AD requests to the customer's AWS Private CA or to other authentication or certificate vending servers. An invalid GPO configuration may result in your requests being routed incorrectly. It is up to customers to configure and test the Connector for AD configuration.

Group Policies are associated with a Connector, and you may choose to create multiple Connectors for a single AD. It is up to you to manage the access control to each connector if its group policy configurations are different.

The security of the data plane calls depends on Kerberos and your VPC configuration. Anyone with access to the VPC can make data plane calls as long as they are authenticated to the corresponding AD. This is outside the boundary of AWS authentication, and managing authorization and authentication is up to you, the customer.

When using AWS Managed Microsoft AD, use the Directory Service **enable-ca-enrollment-policy** command to configure GPOs on the domain controller of the AWS Managed Microsoft AD instance.

The following command enables enrolling domain controllers:

```
$  aws ds enable-ca-enrollment-policy \
    --pca-connector-arn MyPcaConnectorAdArn \
    --directory-id MyDirectoryId
```

When using AD Connector, use the following steps to create a GPO that points to the URI generated when you created a connector. This step is *required* to use Connector for AD from the console or the command-line.

**To configure GPOs**<a name="configure-gpo"></a>

1. Open **Server Manager** on the DC.

1. Go to **Tools** and choose **Group Policy Management** in the upper right corner of the console.

1. Go to **Forest > Domains**. Select your domain name and right-click on your domain. Select *Create a GPO in this domain, and link it here …* and enter `PCA GPO` for the name.

1. The newly created GPO will now be listed under your domain name.

1. Choose **PCA GPO** and select **Edit**. If a dialog box opens alerting you that this is a link and that changes will be globally propagated, acknowledge the message to continue. The **Group Policy Management Editor** should open.

1. In the **Group Policy Management Editor**, go to **Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies (choose the folder)**. 

1. Go to **object type** and choose **Certificate Services Client - Certificate Enrollment Policy**.

1. In the options, change **Configuration Model** to **Enabled**.

1. Confirm that **Active Directory Enrollment Policy** is **checked** and **Enabled**. Choose **Add**.

1. The **Certificate Enrollment Policy Server** window should open.

1. Enter the certificate enrollment policy server endpoint that was generated when you created your connector in the **Enter enrollment server policy URI** field.

1. Leave the **Authentication Type** as **Windows integrated**.

1. Choose **Validate**. After validation succeeds, select **Add**. The dialog box closes.

1. Go back to **Certificate Services Client - Certificate Enrollment Policy** and check the box beside the newly created connector to ensure that the connector is the default enrollment policy.

1. Choose **Active Directory Enrollment Policy** and select **Remove**.

1. In the confirmation dialog box, choose **Yes** to delete the LDAP-based authentication.

1. Choose **Apply** and **OK** on the **Certificate Services Client > Certificate Enrollment Policy** window and close it.

1. Go to the **Public Key Policies** folder and choose **Certificate Services Client - Auto-Enrollment**.

1. Change the **Configuration Model** option to **Enabled**.

1. Confirm that **Renew expired certificates** and **Update Certificates** are both checked. Leave the other settings as they are.

1. Choose **Apply**, then **OK**, and close the dialog box.

Configure the Public Key Policies for user configuration next. Go to **User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies**. Follow the procedures outlined from step 6 to step 21 to configure the Public Key Policies for user configuration.

Once you've finished configuring GPOs and Public Key Policies, objects in the domain will request certificates from AWS Private CA Connector for AD and get certificates issued by AWS Private CA.

## Step 3: Create a template
<a name="connector-for-ad-getting-started-step3"></a>

To create a template, see [Create a connector template](create-ad-template.md). 

## Step 4: Configure Microsoft group permissions
<a name="connector-for-ad-getting-started-step4"></a>

To configure Microsoft group permissions, see [Manage Connector for AD template access control entries](ad-groups-permissions.md). 

# AWS Private CA connectors for Active Directory
<a name="connector-for-ad-procedures"></a>

The procedures in this section describe how to create Active Directory (AD) connectors, configure templates, and integrate with AWS Private CA and Active Directory. You can perform these operations from the AWS Private CA Connector for AD console, by using the Connector for AD section of the AWS CLI, or by using the AWS Private CA Connector for AD API.

**Note**  
Although AWS Private CA Connector for AD is closely integrated with AWS Private CA, the two services have separate APIs. For more information, see the [AWS Private Certificate Authority API Reference](https://docs.aws.amazon.com/privateca/latest/APIReference/) and the [AWS Private CA Connector for Active Directory API Reference](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/).

# Creating a connector for Active Directory
<a name="create-connector-for-ad"></a>

Use the following procedures to create a connector using the console, command line, or API for AWS Private CA Connector for Active Directory.

------
#### [ Console ]

**To create a connector using the console**

Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. On the first-time service landing page or the **Connectors for Active Directory** page, choose **Create connector**.

1. On the **Create Private CA Connector for Active Directory** page, provide information in the **Active Directory** section.
   + Under **Select your Active Directory type**, choose one of the two available types:
     + **AWS Directory Service for Microsoft Active Directory** – Specifies an Active Directory managed by Directory Service.
     + **On-premises Active Directory with AWS AD Connector** – Uses AD Connector to access an Active Directory that you host on-premises.
   + Under **Select your directory**, choose your directory from the list. 

     Alternatively, you can choose **Create directory**, which opens the Directory Service console in a new window. When you finish creating a new directory, return to the AWS Private CA Connector for Active Directory console and refresh the list of directories. Your new directory should be available for selection.
     **Note**  
     When creating a directory, note that Connector for AD supports only the following directory types offered in the Directory Service console:
     + **AWS Managed Microsoft AD**
     + **AD Connector**
   + Under **Select security groups for VPC endpoint**, choose a security group from the list.

     Alternatively, you can choose **Create security group**, which opens the Amazon EC2 console to the **Create security group** page in a new window. When you finish creating a security group, return to the AWS Private CA Connector for Active Directory console and refresh the list of security groups. Your new security group should be available for selection.

1. In the **IP address type** section, choose from the following options:
   + **IPv4** - Enables IPv4 connectivity to the service. Choose this option only if all subnets hosting your directory have IPv4 address ranges.
   + **Dualstack** - Enables both IPv4 and IPv6 connectivity to the service. Choose this option only if all subnets hosting your directory have both IPv4 and IPv6 address ranges.

1. In the **Private certificate authority** section, choose a private CA from the list.

   Alternatively, you can choose **Create Private CA**, which opens the AWS Private CA console to the **Private certificate authorities** page in a new window. When you finish creating a CA, return to the AWS Private CA Connector for Active Directory console and refresh the list of CAs. Your new CA should be available for selection.

1. In the **Tags – optional** pane, you can apply and remove metadata on your AD resource. Tags are key-value string pairs where the key must be unique to the resource and the value is optional. The pane displays any existing tags for the resource in a table. The following actions are supported.
   + Choose **Manage tags** to open the **Manage tags** page.
   + Choose **Add new tag** to create a tag. Fill in the **Key** field and, optionally, the **Value** field. Choose **Save changes** to apply the tag.
   + Choose the **Remove** button next to a tag to mark it for deletion, and choose **Save changes** to confirm. 

1. After providing the required information and reviewing your choices, choose **Create connector**. This opens the **Connectors for Active Directory** details page, where you can view the progress of your connector as it is created.

   After the process of creating a connector completes, assign it a service principal name.

------
#### [ API ]

**To create a connector using the API**

To create a connector for Active Directory with the API, use the [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

**To create a connector using the AWS CLI**

To create a connector for Active Directory with the CLI, use the [create-connector](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/create-connector.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# Create a connector template
<a name="create-ad-template"></a>

A template is a list of configurations for how the certificate should look once issued, and how the client should handle the certificates. The following procedures explain how to create a template.

------
#### [ Console ]

**To create a template using the console**

1. Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. Choose a connector from the **Connectors for Active Directory** list and then choose **View details**.

1. On the details page for the connector, find the **Templates** section and then choose **Create template**.

1. On the **Create template** page, in the **Template creation method** section, choose one of the method options.
   + **Start from a predefined template** (default) – Choose from a list of predefined templates for AD applications:
     +  **Code Signing** 
     +  **Computer** 
     +  **Domain Controller Authentication** 
     +  **EFS Recovery Agent** 
     +  **Enrollment Agent** 
     +  **Enrollment Agent (Computer)** 
     +  **IPSec** 
     +  **Kerberos Authentication** 
     +  **RAS and IAS Server** 
     +  **Smartcard Logon** 
     +  **Trust List Signing** 
     +  **User Signature** 
     +  **Workstation Authentication** 
   + **Start from an existing template that you created** – Choose from a list of custom templates that you previously created. 
   + **Start from a blank template** – Choose this option to begin creating a completely new template.

1. In the **Certificate settings** section, define the following settings for certificates based on this template.
   + **Certificate type** – Specify whether to create **User** or **Computer** certificates. 
   + **Auto-enrollment** – Choose whether to activate auto-enrollment for certificates based on this template.
   + **Validity period** – Specify a certificate validity period as an integer value of hours, days, weeks, months, or years. The minimum value is 2 hours.
   + **Renewal period** – Specify a certificate renewal period as an integer value of hours, days, weeks, months, or years. The renewal period must be no more than 75% of the validity period.
   + **Subject name** – Choose one or more options to be included in the subject name based on information contained in Active Directory.
     **Note**  
     At least one subject name or subject alternative name option must be specified.
     +  **Common name** 
     +  **DNS as common name** 
     +  **Directory path** 
     +  **Email** 
   + **Subject alternative name** – Choose one or more options to be included in the subject alternative name based on information contained in Active Directory.
     **Note**  
     At least one subject name or subject alternative name option must be specified.
     +  **Directory GUID** 
     +  **DNS name** 
     +  **Domain DNS** 
     +  **Email** 
     +  **Service principal name (SPN)** 
     +  **User principal name (UPN)** 

1. In the **Certificate request handling and enrollment options** section, specify the purpose of certificates based on the template, choosing one of the following options.
   +  **Signature** 
   +  **Encryption** 
   +  **Signature and encryption** 
   +  **Signature and smartcard logon** 

   Next, choose which of the following features to activate. Options vary depending on the certificate purpose.
   +  **Delete invalid certificates (do not archive)** 
   +  **Include symmetric algorithms** 
   +  **Exportable private key** 

   Finally, choose a certificate enrollment option. Options vary depending on the certificate purpose.
   +  **No user input required** 
   +  **Prompt user during enrollment** 
   +  **Prompt user during enrollment and require user input** 

1. In the **Application policies** section, choose all of the application policies that apply. The available policies are listed across several pages. Some policies may be preselected because of previous settings.

1. In the **Custom application policies** section, you can add custom OIDs to the template, and specify whether application policy extensions are critical.

1. In the **Cryptography settings** section, choose the following categories of cryptography settings for certificates based on this template.

1. In the **Groups and permissions** section, you can view the template's existing groups and permissions for enrollment, or you can choose the **Add new groups and permissions** button to add new ones. The button opens a form requiring the following information:
   +  **Display name** 
   + **Security identifier** (SID)
   + **Enroll**, with options ALLOW | DENY | NOT SET
   + **Auto-enroll**, with options ALLOW | DENY | NOT SET

1. In the **Supersede templates** section, you can notify Active Directory that the current template supersedes one or more templates created in AD. Apply the superseding template by choosing **Add template from Active Directory to supersede** and specifying the common name of the superseding template.

1. In the **Tags – optional** pane, you can apply and remove metadata on your AD resource. Tags are key-value string pairs where the key must be unique to the resource and the value is optional. The pane displays any existing tags for the resource in a table. The following actions are supported.
   + Choose **Manage tags** to open the **Manage tags** page.
   + Choose **Add new tag** to create a tag. Fill in the **Key** field and, optionally, the **Value** field. Choose **Save changes** to apply the tag.
   + Choose the **Remove** button next to a tag to mark it for deletion, and choose **Save changes** to confirm. 

1. After providing the required information and reviewing your choices, choose **Create template**. This opens **Template details**, where you can review the new template's settings, edit or delete the template, manage groups and permissions, manage superseded templates, manage tags, and set automatic re-enrollment for certificate holders.

------
#### [ API ]

**To create a connector template using the API**

Use the [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

**To create a connector template using the AWS CLI**

Use the [create-template](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/create-template.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# Update a template for Active Directory
<a name="update-template-connector-for-ad"></a>

Use the following procedures to update a template using the console, command line, or API for AWS Private CA Connector for Active Directory.

------
#### [ Console ]

**To update a template using the console**

Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. On the list of your **Connectors for Active Directory**, select the connector whose template you'd like to update. Choose **Edit** to view and modify the connector's templates.

1. In your connector's template details page, choose **Edit**. Follow the prompts to make your updates. When you're done editing an area, choose **Save** to save your changes.

------
#### [ API ]

**To update a template using the API**

To update a template for Active Directory with the API, use the [UpdateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_UpdateTemplate.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

**To update a template using the AWS CLI**

To update a template for Active Directory with the CLI, use the [update-template](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/update-template.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

## How Connector for Active Directory propagates your template changes
<a name="update-template-connector-for-ad-changes"></a>

AWS Private CA applies template changes to your policy when your client refreshes the policy cache, which happens every eight hours. This includes changes to template group access control entries. When your client refreshes the cache, it queries the connector for available templates. In the case of *auto-enrollment refresh*, the client enrolls for certificates that match either or both of the following conditions:
+ The certificate is within the renewal period.
+ The certificate isn't present on the client device.

For *manual refresh*, the client queries the connector, and you must select the template to issue.

If you're debugging, you can manually clear the policy cache to see the template changes immediately. To do so, run the following command in PowerShell on your client.

```
certutil -f -user -policyserver * -policycache delete
```

# List connectors for Active Directory
<a name="list-connector-for-ads"></a>

You can use the AWS Private CA Connector for Active Directory console or AWS CLI to list the connectors that you own.

------
#### [ Console ]

**To list your connectors using the console**

1. Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. Review the information in the **Connectors for Active Directory** list. You can navigate through multiple pages of connectors using the page numbers at upper-right. Each connector occupies a row displaying the following columns of information by default. 
+ **Connector ID** – The unique ID of the connector.
+ **Directory name** – The Active Directory resource associated with the connector.
+ **Connector status** – Connector status. Possible values are: **Creating** | **Active** | **Deleting** | **Failed**.
+ **Service principal name status** – Status of the service principal name (SPN) associated with the connector. Possible values are: **Creating** | **Active** | **Deleting** | **Failed**.
+ **Directory registration status** – Registration status of the associated directory. Possible values are: **Creating** | **Active** | **Deleting** | **Failed**.
+ **Created at** – Time stamp at the connector's creation.

By choosing the gear icon in the upper-right corner of the console, you can customize the number of connectors shown on a page using the **Page size** preference.

------
#### [ API ]

**To list your connectors using the API**

Use the [ListConnectors](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_ListConnectors.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

**To list your connectors using the AWS CLI**

Use the [list-connectors](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/list-connectors.html) command to list your connectors.

------

# List connector templates
<a name="list-ad-templates"></a>

You can use the AWS Private CA Connector for Active Directory console or AWS CLI to list templates for connectors that you own. Connector templates are based on AWS Private CA [BlankEndEntityCertificate_APIPassthrough/V1](https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#BlankEndEntityCertificate_APIPassthrough) templates.

------
#### [ Console ]

**To list your templates using the console**

1. Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. Choose a connector from the **Connectors for Active Directory** list and then choose **View details**.

1. On the connector details page, review the information in the **Templates** section. You can navigate through multiple pages of templates using the page numbers at upper-right. Each template occupies a row displaying the following columns of information.
+ **Template name** – The human-readable name of the template.
+ **Template status** – Status of the template. Possible values are: **Active** | **Deleting**.
+ **Template ID** – The unique identifier of the template.

------
#### [ API ]

**To list your templates using the API**

Use the [ListTemplates](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_ListTemplates.html) action in the AWS Private CA Connector for Active Directory API to list templates for the specified connector.

------
#### [ CLI ]

**To list your templates using the AWS CLI**

Use the [list-templates](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/list-templates.html) command to list templates for the specified connector.

------

# View connector details
<a name="view-connector-for-ad"></a>

Use the following procedures to view the configuration details of a connector in the console, command line, or API for AWS Private CA Connector for Active Directory.

------
#### [ Console ]

**To view details for a connector using the console**

1. Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. Choose a connector from the **Connectors for Active Directory** list and then choose **View details**.

1. On the connector details page, review the information in the **Connector details** pane, which includes the following:
   + **Connector ID**
   + **Connector status**
   + **Additional status details**
   + **Connector ARN**
   + **Certificate enrollment policy server endpoint**
   + **Directory name**
   + **Directory ID**
   + **AWS Private CA subject**
   + **AWS Private CA status**
   + **IP address type**
   + **VPC endpoint and security groups**

1. In the **Templates** pane, you can create or manage templates associated with the connector.

1. From the **Service principal name (SPN)** pane, you can view the service principal name associated with the connector.

1. From the **Directory Registration** pane, you can view or change the directory registration associated with the connector.

1. From the **Tags — *optional*** pane, you can create or manage tags associated with the connector.

------
#### [ API ]

**To view details for a connector using the API**

Use the [GetConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_GetConnector.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

**To view details for a connector using the AWS CLI**

Use the [get-connector](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/get-connector.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# View connector template details
<a name="view-ad-template"></a>

Use the following procedures to view the configuration details of a connector template using the console, command line, or API for AWS Private CA Connector for Active Directory.

------
#### [ Console ]

**To view details for a connector template using the console**

1. Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. Choose a connector from the **Connectors for Active Directory** list and then choose **View details**.

1. On the connector details page, review the information in the **Templates** section, and select the template that you wish to inspect. Then choose **View details**.

1. On the details page, the **Template details** pane displays the following information about the template:
   +  **Template name** 
   +  **Template ID** 
   +  **Template status** 
   +  **Template schema version** 
   +  **Template version** 
   +  **Template ARN** 
   +  **Certificate type** 
   +  **Auto-enrollment turned on** 
   +  **Validity period** 
   +  **Renewal period** 
   +  **Subject name requirements** 
   +  **Subject alternative name requirements** 
   +  **Certificate request and enrollment settings** 
   +  **Cryptography provider category** 
   +  **Key algorithm** 
   +  **Minimum key size (bits)** 
   +  **Hash algorithm** 
   +  **Cryptography providers** 
   +  **Key usage extension settings** 

   From this pane, you can also perform the following actions using the **Edit**, **Delete**, and **Actions** buttons.
   +  **Edit** 
   +  **Delete** 
   + **Manage groups and permissions** – For more information, see [Configure groups and permissions](create-ad-template.html#create-ad-template-console-12).
   + **Manage superseded templates** – For more information, see [Review and create](create-ad-template.html#create-ad-template-console-15).
   + **Manage tags** – For more information, see [Tagging Connector for AD resources](ad-tags.md).
   + **Re-enroll all certificate holders** – This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template. For more information, see the [UpdateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_UpdateTemplate.html) API.

1. The lower pane displays a row of tabs allowing changes to the configuration of the template.
   + **Groups and permissions** – View and manage permissions for Active Directory groups to enroll certificates using this template. For more information, see [Configure groups and permissions](create-ad-template.html#create-ad-template-console-12).
   + **Application policies** – View and manage template application policies. For more information, see [Assign application policies](create-ad-template.html#create-ad-template-console-9).
   + **Superseded templates** – View and manage superseded templates. For more information, see [Review and create](create-ad-template.html#create-ad-template-console-15).
   + **Tags – *optional*** – View and manage tagging on this template. For more information, see [Tagging Connector for AD resources](ad-tags.md).

------
#### [ API ]

**To view details for a connector template using the API**

Use the [GetTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_GetTemplate.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

**To view details for a connector template using the AWS CLI**

Use the [get-template](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/get-template.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# Manage directory registrations
<a name="directory-registration"></a>

------
#### [ Console ]

**To manage directory registrations using the console**

Directory registrations for connectors can be managed from the top level of the AWS Private CA Connector for Active Directory console. This topic walks through the available management options.

1. Sign in to your AWS account and open the AWS Private CA Connector for Active Directory console at **[https://console.aws.amazon.com/pca-connector-ad/home](https://console.aws.amazon.com/pca-connector-ad/home)**. 

1. In the left navigation area, choose **Directory registrations**. 

1. The **Directory registrations** page displays a table of registered directories with the following fields:
   + **Directory ID** – The unique ID of the directory
   + **Directory name** – The directory domain site name
   +  **Directory type** 
   + **Registered** – The status of the registration. Supported values are CREATING | ACTIVE | DELETING | FAILED.
   + **Directory status** – The status of the directory

   You can use **Register directory** to create a new registration. 

1. You can select one of the listed registrations in order to manage it. This enables the **View registration details** and **Deregister directory** buttons. The **View registration details** button opens the details page for the registration.

1.  The **Directory registration details** pane displays the following information:
   +  **Directory domain site name** 
   + **Directory ID** – The unique ID of the directory. Choosing the link takes you to the AWS Directory Service console.
   +  **Directory type** 
   + **Status** – Status of the directory
   + **Directory registration ARN** – The Amazon resource name of the directory registration
   +  **Additional status information** 

1. In the **Connectors and service principal names (SPNs)** pane, you can manage SPNs for the connector. For more information, see [Configuring the service principal name](ad-spn.html).

1. In the **Tags – optional** pane, you can apply and remove metadata on your AD resource. Tags are key-value string pairs where the key must be unique to the resource and the value is optional. The pane displays any existing tags for the resource in a table. The following actions are supported.
   + Choose **Manage tags** to open the **Manage tags** page.
   + Choose **Add new tag** to create a tag. Fill in the **Key** field and, optionally, the **Value** field. Choose **Save changes** to apply the tag.
   + Choose the **Remove** button next to a tag to mark it for deletion, and choose **Save changes** to confirm.

------
#### [ API ]

 **To manage directory registrations using the API** 

**Create**: [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html) action in the AWS Private CA Connector for Active Directory API.

**Retrieve**: [GetDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_GetDirectoryRegistration.html) action in the AWS Private CA Connector for Active Directory API.

**List**: [ListDirectoryRegistrations](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_ListDirectoryRegistrations.html) action in the AWS Private CA Connector for Active Directory API.

**Delete**: [DeleteDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_DeleteDirectoryRegistration.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

 **To manage directory registrations using the CLI** 

**Create**: Use the [create-directory-registration](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/create-directory-registration.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Retrieve**: Use the [get-directory-registration](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/get-directory-registration.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**List**: Use the [list-directory-registrations](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/list-directory-registrations.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Delete**: Use the [delete-directory-registration](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/delete-directory-registration.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# Manage Connector for AD template access control entries
<a name="ad-groups-permissions"></a>

An access control entry controls which Active Directory groups can or cannot enroll certificates for a specific Connector for AD template. When you create or manage groups and permissions in Connector for AD, you must provide the security identifier (SID) of the group object from Active Directory. You can obtain the SID using the following PowerShell command; the SID is the `SID` property of the returned group object. For information about SIDs, see [How security identifiers work](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers) in the Microsoft Active Directory Domain Services documentation.

```
Get-ADGroup -Identity "my_active_directory_group_name"
```

The following procedures illustrate how to create and manage Connector for AD template access group entries.

------
#### [ Console ]

 **To manage template group permissions using the console** 

Groups and permissions for an existing template can be managed from the template's details page. For more information, see [View connector template details](https://docs.aws.amazon.com/privateca/latest/userguide/view-ad-template.html).

Set permissions on which groups can or cannot enroll certificates for the specific template. You provide the security identifier (SID) of the group. Then you set the enroll and auto-enroll permissions for the group. For auto-enrollment, both enroll and auto-enroll must be set to "Allow."
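The following Python is an added example, not AWS code, that performs the checks a practitioner wants done before creating an access control entry with the `CreateTemplateGroupAccessControlEntry` action (or the matching CLI command): the group SID is well formed, each right is `ALLOW` or `DENY`, and auto-enrollment is not granted without the enroll right, which is the rule stated above. It never calls AWS; it returns the request parameters for review. The parameter names (`TemplateArn`, `GroupSecurityIdentifier`, `GroupDisplayName`, and `AccessRights` with `Enroll` and `AutoEnroll`) are assumed from the API reference linked below and should be verified against it; the SID and ARN values in the `__main__` block are constructed placeholders.

```python
"""Validate and assemble a Connector for AD template group access control entry.

Added example, not AWS code. Parameter names are assumed from the
CreateTemplateGroupAccessControlEntry API reference; verify before use.
"""
import re

# Textual SID layout: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...].
# Domain group SIDs have the shape S-1-5-21-<domain>-<domain>-<domain>-<RID>.
_SID_RE = re.compile(r"^S-1-(?:\d+|0x[0-9A-Fa-f]{12})(?:-\d+){1,15}$")

# RIDs below 1000 belong to built-in and well-known principals such as
# Domain Admins (512) and Domain Users (513). Enrollment rights granted to such
# groups are usually broader than intended, so review_warnings() reports them.
_RESERVED_RID_LIMIT = 1000

_VALID_RIGHTS = {"ALLOW", "DENY"}


def validate_sid(sid: str) -> bool:
    """True if sid has the textual SID layout; it does not check that the group exists in AD."""
    return bool(_SID_RE.match(sid))


def relative_id(sid: str) -> int:
    """The last sub-authority of a SID, which for domain groups is the RID."""
    return int(sid.rsplit("-", 1)[1])


def access_rights_problems(enroll: str, auto_enroll: str) -> list:
    """Problems with an Enroll/AutoEnroll pair; an empty list means the pair is usable."""
    problems = []
    if enroll not in _VALID_RIGHTS:
        problems.append(f"Enroll must be ALLOW or DENY, got {enroll!r}")
    if auto_enroll not in _VALID_RIGHTS:
        problems.append(f"AutoEnroll must be ALLOW or DENY, got {auto_enroll!r}")
    # Auto-enrollment only works when Enroll is also allowed, so this pair
    # would silently never auto-enroll anyone.
    if auto_enroll == "ALLOW" and enroll == "DENY":
        problems.append("AutoEnroll=ALLOW requires Enroll=ALLOW")
    return problems


def build_access_control_entry(template_arn: str, group_sid: str, group_display_name: str,
                               enroll: str, auto_enroll: str) -> dict:
    """Return the request parameters for the entry, or raise ValueError listing every problem."""
    problems = access_rights_problems(enroll, auto_enroll)
    if not validate_sid(group_sid):
        problems.append(f"not a well-formed SID: {group_sid!r}")
    if not template_arn.startswith("arn:"):
        problems.append("TemplateArn must be an ARN")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "TemplateArn": template_arn,
        "GroupSecurityIdentifier": group_sid,
        "GroupDisplayName": group_display_name,
        "AccessRights": {"Enroll": enroll, "AutoEnroll": auto_enroll},
    }


def review_warnings(entry: dict) -> list:
    """Non-fatal review notes for a built entry."""
    warnings = []
    sid = entry["GroupSecurityIdentifier"]
    if relative_id(sid) < _RESERVED_RID_LIMIT:
        warnings.append(f"{sid} has a reserved RID; confirm that this built-in or "
                        "well-known group is the intended grantee")
    return warnings


if __name__ == "__main__":
    # Constructed placeholder values, not real resources.
    entry = build_access_control_entry(
        "arn:aws:pca-connector-ad:us-east-1:111122223333:connector/EXAMPLE/template/EXAMPLE",
        "S-1-5-21-1004336348-1177238915-682003330-1105",
        "Workstation Enrollment",
        enroll="ALLOW",
        auto_enroll="ALLOW",
    )
    print(entry)
    print(review_warnings(entry))
```

The returned dictionary can be passed as keyword arguments to the corresponding SDK call once the parameter names have been confirmed; the reserved-RID warning is deliberately non-fatal because granting a built-in group is sometimes intended, but it should be a conscious decision.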

------
#### [ API ]

 **To manage template group permissions using the API** 

**Create**: [CreateTemplateGroupAccessControlEntry](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplateGroupAccessControlEntry.html) action in the AWS Private CA Connector for Active Directory API.

**Update**: [UpdateTemplateGroupAccessControlEntry](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_UpdateTemplateGroupAccessControlEntry.html) action in the AWS Private CA Connector for Active Directory API.

**Retrieve**: [GetTemplateGroupAccessControlEntry](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_GetTemplateGroupAccessControlEntry.html) action in the AWS Private CA Connector for Active Directory API.

**List**: [ListTemplateGroupAccessControlEntries](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_ListTemplateGroupAccessControlEntries.html) action in the AWS Private CA Connector for Active Directory API.

**Delete**: [DeleteTemplateGroupAccessControlEntry](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_DeleteTemplateGroupAccessControlEntry.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

 **To manage template group permissions using the CLI** 

**Create**: [create-template-group-access-control-entry](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/create-template-group-access-control-entry.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Update**: [update-template-group-access-control-entry](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/update-template-group-access-control-entry.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Retrieve**: [get-template-group-access-control-entry](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/get-template-group-access-control-entry.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**List**: [list-template-group-access-control-entries](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/list-template-group-access-control-entries.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Delete**: [delete-template-group-access-control-entry](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/delete-template-group-access-control-entry.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# Configuring the service principal name
<a name="ad-spn"></a>

Learn how to configure the service principal name for the connector.

------
#### [ Console ]

 **To manage service principal names using the console** 

The service principal name (SPN) of an existing AD connector can be managed from the details page of the connector. For more information, see [View connector details](view-connector-for-ad.html).

------
#### [ API ]

 **To manage service principal names using the API** 

**Create**: [CreateServicePrincipalName](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateServicePrincipalName.html) action in the AWS Private CA Connector for Active Directory API.

**Retrieve**: [GetServicePrincipalName](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_GetServicePrincipalName.html) action in the AWS Private CA Connector for Active Directory API.

**List**: [ListServicePrincipalNames](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_ListServicePrincipalNames.html) action in the AWS Private CA Connector for Active Directory API.

**Delete**: [DeleteServicePrincipalName](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_DeleteServicePrincipalName.html) action in the AWS Private CA Connector for Active Directory API.

------
#### [ CLI ]

 **To manage service principal names using the CLI** 

**Create**: [create-service-principal-name](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/create-service-principal-name.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Retrieve**: [get-service-principal-name](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/get-service-principal-name.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**List**: [list-service-principal-names](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/list-service-principal-names.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Delete**: [delete-service-principal-name](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/delete-service-principal-name.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# Tagging Connector for AD resources
<a name="ad-tags"></a>

You can apply tags to your connectors, templates, and directory registrations. Tagging adds metadata to a resource that can assist with organization and management.

------
#### [ Console ]

 **To manage resource tagging using the console** 

Tagging of existing resources is managed on the details page for the resource. For more information, see the following procedures:
+ [View connector template details](view-ad-template.html)
+ [Manage directory registrations](directory-registration.html)

------
#### [ API ]

 **To manage resource tagging using the API** 

**Tag**: [TagResource](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_TagResource.html) action in the AWS Private CA Connector for Active Directory API.

**List tags**: [ListTagsForResource](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_ListTagsForResource.html) action in the AWS Private CA Connector for Active Directory API.

**Untag**: [UntagResource](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_UntagResource.html) action in the AWS Private CA Connector for Active Directory API.

**Important**  
It is acceptable to use tags to label objects that contain confidential data. However, the tags themselves shouldn't contain personally identifiable information (PII) or other sensitive or confidential information.

------
#### [ CLI ]

 **To manage resource tagging using the CLI** 

**Tag**: [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/tag-resource.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**List tags**: [list-tags-for-resource](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/list-tags-for-resource.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

**Untag**: [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/pca-connector-ad/untag-resource.html) command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

------

# Integrating Connector for AD into event-driven applications using Amazon EventBridge
<a name="eventbridge-integration"></a>

You can incorporate Connector for AD into event-driven applications (EDAs) that use events that occur in Connector for AD to communicate between application components and initiate downstream processes. 

For example, you could invoke other AWS services or custom components when the following Connector for AD events occur in your account:
+ A certificate is created, or certificate creation fails.
+ A certificate is enrolled, or enrollment fails.

You do this by using Amazon EventBridge to route events from Connector for AD to other software components. Amazon EventBridge is a serverless service that uses events to connect application components together, making it easier for you to integrate AWS services like Connector for AD into event-driven architectures without additional code and operations.

## How EventBridge routes Connector for AD events
<a name="eventbridge-routes-service-events"></a>

Here's how EventBridge works with Connector for AD events:

As with many AWS services, Connector for AD generates and sends events to the EventBridge default *event bus*. An event bus is a router that receives events and routes them to the destinations, or *targets*, that you specify. Targets can include other AWS services, custom applications, and SaaS partner applications. 

EventBridge routes events according to *rules* you create on the event bus. For each rule, you specify a filter, or *event pattern*, to select only the events you want. Whenever an event is sent to the event bus, EventBridge compares it against each rule. If the event matches the rule, EventBridge routes the event to the specified target(s).

![\[AWS services send events to the EventBridge default event bus. If the event matches a rule's event pattern, EventBridge routes the event to the targets specified for that rule.\]](http://docs.aws.amazon.com/privateca/latest/userguide/images/eventbridge-integration-how-it-works.png)


## Connector for AD events
<a name="eventbridge-service-events"></a>

For a list of Connector for AD events sent to EventBridge, see the [Connector for AD](https://docs.aws.amazon.com/eventbridge/latest/ref/events-ref-pca-connector-ad.html) topic in the *Amazon EventBridge Events Reference*.

### Event structure
<a name="eventbridge-event-structure"></a>

All events from AWS services contain two types of data:
+ A common set of fields containing metadata about the event, such as the AWS service that is the source of the event, the time the event was generated, the account and region in which the event took place, and others. For definitions of these general fields, see [Event structure](https://docs.aws.amazon.com/eventbridge/latest/ref/overiew-event-structure.html) in the *Amazon EventBridge Events Reference*. 
+ A `detail` field that contains data specific to that particular service event. 

## Creating event patterns that match Connector for AD events
<a name="eventbridge-event-delivery-filter"></a>

Event patterns are filters that specify what data an event must contain for it to be selected.

Each event pattern is a JSON object that contains:
+ A `source` attribute that identifies the service sending the event. For Connector for AD events, the source is `aws.pca-connector-ad`.
+ (Optional): A `detail-type` attribute that contains an array of the event names to match.
+ (Optional): A `detail` attribute containing any other event data on which to match.

For example, the following event pattern would select all Certificate Policy Enrollment Succeeded events from Connector for AD:

```
{
  "source": ["aws.pca-connector-ad"],
  "detail-type": ["Certificate Policy Enrollment Succeeded"]
}
```

For more information on writing event patterns, see [Event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html) in the *EventBridge User Guide*.
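To check a pattern like the one above before deploying the rule, the following Python is an added example, not AWS code or part of EventBridge. It re-implements the subset of EventBridge pattern semantics a Connector for AD rule usually needs: each pattern leaf is an array, a string field matches if it equals one element, a `{"prefix": ...}` element matches by string prefix, an event field that is itself an array (such as `resources`) matches if any of its elements does, and a nested object (for example under `detail`) is matched recursively; fields the pattern does not name are ignored, as in EventBridge. The sample events are constructed: the ids, account, ARNs, the failure event's `detail-type`, and every key under `detail` are placeholders, and the real names belong in the Events Reference entry for Connector for AD linked above. The third event comes from a different source so the `source` filter has something to reject.

```python
"""Offline matcher for EventBridge event patterns against Connector for AD events.

Added example, not AWS code. Sample event contents are constructed placeholders.
"""
import json

# The pattern from the page, parsed from the same JSON a rule would carry.
PAGE_PATTERN = json.loads("""
{
  "source": ["aws.pca-connector-ad"],
  "detail-type": ["Certificate Policy Enrollment Succeeded"]
}
""")

# Constructed sample events in the common EventBridge envelope.
SAMPLE_EVENTS = [
    {
        "version": "0", "id": "evt-1",
        "detail-type": "Certificate Policy Enrollment Succeeded",
        "source": "aws.pca-connector-ad",
        "account": "111122223333", "time": "2024-05-01T12:00:00Z", "region": "us-east-1",
        "resources": ["arn:aws:pca-connector-ad:us-east-1:111122223333:connector/EXAMPLE1"],
        "detail": {"status": "SUCCEEDED"},  # constructed detail keys
    },
    {
        "version": "0", "id": "evt-2",
        "detail-type": "Certificate Policy Enrollment Failed",  # constructed event name
        "source": "aws.pca-connector-ad",
        "account": "111122223333", "time": "2024-05-01T12:05:00Z", "region": "us-east-1",
        "resources": ["arn:aws:pca-connector-ad:us-east-1:111122223333:connector/EXAMPLE1"],
        # Constructed detail keys; the code itself is from the troubleshooting table.
        "detail": {"status": "FAILED", "errorCode": "0x8FFFA000"},
    },
    {
        "version": "0", "id": "evt-3",
        "detail-type": "Example Event From Another Service",  # constructed
        "source": "aws.acm-pca",
        "account": "111122223333", "time": "2024-05-01T12:06:00Z", "region": "us-east-1",
        "resources": ["arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE"],
        "detail": {"status": "SUCCEEDED"},
    },
]


def _leaf_matches(candidates: list, actual) -> bool:
    """A leaf array matches if any element equals the value or is a prefix filter it satisfies."""
    for candidate in candidates:
        if isinstance(candidate, dict):
            prefix = candidate.get("prefix")
            if prefix is not None and isinstance(actual, str) and actual.startswith(prefix):
                return True
        elif candidate == actual:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """True if the event satisfies every field named in the pattern."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            # Nested object, such as "detail": recurse into the event's object.
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            # Array-valued event fields (such as "resources") match on any element.
            values = actual if isinstance(actual, list) else [actual]
            if not any(_leaf_matches(expected, value) for value in values):
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be an array")
    return True


def select_event_ids(pattern: dict, events) -> list:
    """Ids of the events the pattern would route, in input order."""
    return [event["id"] for event in events if matches(pattern, event)]


if __name__ == "__main__":
    print("page pattern selects:", select_event_ids(PAGE_PATTERN, SAMPLE_EVENTS))
    failures = {"source": ["aws.pca-connector-ad"], "detail": {"status": ["FAILED"]}}
    print("failure pattern selects:", select_event_ids(failures, SAMPLE_EVENTS))
```

Running the page's pattern over the samples selects only `evt-1`; a pattern that names `detail.status` selects only the constructed failure event, which is the shape of rule a team would use to route enrollment failures to an alerting target. A leaf that is not an array raises, because EventBridge rejects such patterns and it is better to find that out offline.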

## Receiving events from EventBridge
<a name="eventbridge-service-as-target"></a>

You can specify Connector for AD certificates as the target for a rule. This enables Connector for AD to receive events from a wide variety of sources, including other AWS services, custom applications, and SaaS partners. For more information, see [Creating rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *EventBridge User Guide*. 

For a full list of the AWS services that you can specify as targets, see [Target types](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html#eb-console-targets) in the *EventBridge User Guide*. 

# Troubleshoot issues with AWS Private CA Connector for Active Directory
<a name="troubleshoot-connector-ad"></a>

Use the information here to help you diagnose and fix AWS Private Certificate Authority Connector for AD issues.

**Topics**
+ [Troubleshoot Connector for AD error codes](c4adTroubleshootingError.md)
+ [Troubleshoot Connector for AD connector creation failures](c4adTroubleshootingConnectorCreationFailure.md)
+ [Troubleshoot Connector for AD SPN creation failure](c4adTroubleshootingSpnFailure.md)
+ [Troubleshoot Connector for AD template update issues](c4adTroubleshootingUpdatedTemplate.md)

# Troubleshoot Connector for AD error codes
<a name="c4adTroubleshootingError"></a>

Connector for AD sends error messages for several reasons. For information on each error and recommendations for resolving it, see the following table. You can receive these errors by subscribing to Amazon EventBridge events (event source: `aws.pca-connector-ad`) or by using manual enrollment in Windows.


| Error code | Root cause | Remediation | 
| --- | --- | --- | 
|  0x8FFFA000  |  Kerberos authentication failed.  |  Make sure that your directory is reachable and the client is either a user or computer. If you're using auto-enrollment, then fix your connector's service principal name (SPN). If you're using the Active Directory UI to get a certificate, run `gpupdate /force`.  | 
|  0x8FFFA001  |  The SOAP message must contain an action header.  |  Add an action header.  | 
|  0x8FFFA002  |  The connector does not have access to the private CA it is connected to.  |  Share your private CA with the connector by creating an AWS Resource Access Manager (RAM) resource share between your private CA and the Connector for AD service.  | 
|  0x8FFFA003  |  The private CA for this connector is not active.  |  Move the private CA to Active state. If your private CA is in the pending certificate state, then install the CA certificate.  | 
|  0x8FFFA004  |  The private CA for this connector does not exist.  |  Move your certificate authority to the Active state if it is in the Deleted state. If your private CA is permanently deleted then create a new connector with a different CA.  | 
|  0x8FFFA005  |  The template specified the `directoryGuid` attribute for the certificate subject or the subject alternate name, but the attribute was not found in the AD object for the requester.  |  Active Directory did not generate a `directoryGuid` for your directory. Troubleshoot in Active Directory.  | 
|  0x8FFFA006  |  The template specified the `dnsHostName` attribute for the certificate subject or the subject alternate name, but the attribute was not found in the AD object for the requester.  |  Add the `dnsHostName` attribute to your AD object.  | 
|  0x8FFFA007  |  The template specified the email attribute to be included in the certificate subject or the subject alternate name, but the attribute was not found in the AD object for the requester.  |  Add the email attribute to your AD object.  | 
|  0x8FFFA008  |  The SOAP message must have an action header of either `http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies` or `http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep`.  |  Update the action header to use one of the specified values.  | 
|  0x8FFFA009  |  The BinarySecurityToken must be encoded in `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary`.  |  Update the binary security token type.  | 
|  0x8FFFA00A  |  The BinarySecurityToken is invalid.  |  Check that the CSR is generated correctly.  | 
|  0x8FFFA00B  |  The BinarySecurityToken must have a value type of either `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7` or `http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10`.  |  Update the binary security token value type to a valid value.  | 
|  0x8FFFA00C  |  The BinarySecurityToken contained invalid CMS.  |  The Base64 is valid but the cryptographic message syntax (CMS) is invalid. Review the CMS syntax.  | 
|  0x8FFFA00D  |  The BinarySecurityToken contained an invalid CSR.  |  Check that the CSR was generated correctly.  | 
|  0x8FFFA00E  |  The private CA was unable to issue a certificate using the specific template.  |  Review the validation exception from AWS Private CA. You can view the validation exception in Amazon EventBridge or AWS CloudTrail.  | 
|  0x8FFFA00F  |  The SOAP message must have a request type of `http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue`.  |  Set the request type to `http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue`.  | 
|  0x8FFFA010  |  The SOAP message must have a to header of either the connector's `CertificateEnrollmentPolicyServerEndpoint` field or the URI field in the XCEP response.  |  Set the header of the request security token to either the `CertificateEnrollmentPolicyServerEndpoint` field or the URI field in the XCEP response.  | 
|  0x8FFFA011  |  The SOAP message must have only one action header.  |  Review the SOAP message header of the request security token and set the header correctly.  | 
|  0x8FFFA012  |  The SOAP message must have only one `messageId` header.  |  Review the SOAP message header of the request security token and set the header correctly.  | 
|  0x8FFFA013  |  The SOAP message must have only one to header.  |  Review the SOAP message header of the request security token and set the header correctly.  | 
|  0x8FFFA014  |  The requester does not have access to the requested template.  |  Allow the requester's group to enroll using the requested template by creating an Access Control Entry.  | 
|  0x8FFFA015  |  Either the `CertificateTemplateInformation` or the `CertificateTemplateName` extension must be present in the BinarySecurityToken.  |  Add the certificate template extension to your CSR: `CertificateTemplateName` (OID 1.3.6.1.4.1.311.20.2) or `CertificateTemplateInformation` (OID 1.3.6.1.4.1.311.21.7).  | 
|  0x8FFFA016  |  The requested template was not found for the given connector.  |  Templates are child resources of each connector. Create the template for this connector using the `CreateTemplate` API (`aws pca-connector-ad create-template` in the AWS CLI).  | 
|  0x8FFFA017  |  The request was denied due to request throttling.  |  Slow down the rate of requests.  | 
|  0x8FFFA018  |  The SOAP message must contain a `to` header.  |  Review the header of the SOAP message.  | 
|  0x8FFFA019  |  Could not process the SOAP message due to an unrecognized header.  |  Review the header of the SOAP message.  | 
|  0x8FFFA01A  |  The template specified the UPN attribute to be included in the certificate subject or the subject alternate name, but the attribute was not found in the AD object for the requester.  |  Add a UPN to the Active Directory object.  | 
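Many of the codes above (0x8FFFA001, 0x8FFFA008 through 0x8FFFA00B, 0x8FFFA00F through 0x8FFFA013, 0x8FFFA018 and 0x8FFFA019) describe the SOAP framing of the WS-Trust enrollment request rather than anything in your CA or directory. The following added example, which is not part of this guide or the Connector for AD service, is a small Python linter that applies those header and token rules to a request envelope and reports the code each violation would produce. The sample envelopes are constructed for the example and modelled on the MS-WSTEP request shape; the endpoint URL, the CSR payload and the set of headers treated as "recognized" are assumptions, and the DER inside the token is not parsed.

```python
"""Added example: static checks of an MS-WSTEP enrollment request against the
SOAP header and token rules in the Connector for AD error table. Sample
messages are constructed; endpoint, CSR payload and the RECOGNIZED header set
are assumptions for this example, not values from the service."""
import base64
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

# Values quoted in the error table (0x8FFFA008, 0x8FFFA009, 0x8FFFA00B, 0x8FFFA00F).
ACTION_GETPOLICIES = ("http://schemas.microsoft.com/windows/pki/2009/01/"
                      "enrollmentpolicy/IPolicy/GetPolicies")
ACTION_WSTEP = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep"
VALUE_PKCS10 = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
VALUE_TYPES = {WSSE + "#PKCS7", VALUE_PKCS10}
REQUEST_TYPE_ISSUE = WST + "/Issue"
ENCODING_BASE64 = WSSE + "#base64binary"
# Assumption: WS-Addressing headers and wsse:Security are the recognized headers.
RECOGNIZED = {f"{{{WSA}}}Action", f"{{{WSA}}}MessageID", f"{{{WSA}}}To",
              f"{{{WSA}}}ReplyTo", f"{{{WSSE}}}Security"}


def check_enrollment_request(xml_text, endpoints):
    """Return the error codes the request would trigger ([] if it passes).

    endpoints: the To values the connector accepts (its
    CertificateEnrollmentPolicyServerEndpoint or the URI from the XCEP
    response). Only header and token framing is checked; 0x8FFFA00C and
    0x8FFFA00D need a CMS/PKCS#10 parser and are out of scope here.
    """
    root = ET.fromstring(xml_text)
    errors = []
    header = root.find(f"{{{SOAP}}}Header")
    headers = list(header) if header is not None else []

    def by_name(local):
        return [h for h in headers if h.tag == f"{{{WSA}}}{local}"]

    actions, message_ids, tos = by_name("Action"), by_name("MessageID"), by_name("To")
    action = (actions[0].text or "").strip() if actions else None
    if not actions:
        errors.append("0x8FFFA001")      # no action header at all
    elif len(actions) > 1:
        errors.append("0x8FFFA011")      # more than one action header
    elif action not in (ACTION_GETPOLICIES, ACTION_WSTEP):
        errors.append("0x8FFFA008")      # action is neither GetPolicies nor wstep
    if len(message_ids) > 1:
        errors.append("0x8FFFA012")
    if not tos:
        errors.append("0x8FFFA018")
    elif len(tos) > 1:
        errors.append("0x8FFFA013")
    elif (tos[0].text or "").strip() not in endpoints:
        errors.append("0x8FFFA010")
    if any(h.tag not in RECOGNIZED for h in headers):
        errors.append("0x8FFFA019")

    if action == ACTION_WSTEP:           # body rules apply to the RST only
        rst = root.find(f"{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken")
        request_type = rst.find(f"{{{WST}}}RequestType") if rst is not None else None
        if request_type is None or (request_type.text or "").strip() != REQUEST_TYPE_ISSUE:
            errors.append("0x8FFFA00F")
        token = rst.find(f"{{{WSSE}}}BinarySecurityToken") if rst is not None else None
        if token is not None:
            if token.get("EncodingType") != ENCODING_BASE64:
                errors.append("0x8FFFA009")
            if token.get("ValueType") not in VALUE_TYPES:
                errors.append("0x8FFFA00B")
            try:
                base64.b64decode((token.text or "").strip(), validate=True)
            except ValueError:
                errors.append("0x8FFFA00A")  # token body is not valid Base64
    return errors


ENDPOINT = "https://ces.example.internal/enrollment"  # placeholder, not a real endpoint
CSR_B64 = base64.b64encode(b"constructed placeholder, not a real PKCS#10").decode()


def build_request(actions, to, value_type):
    """Constructed RST envelope modelled on MS-WSTEP; duplicated headers and a
    bad token type are injected through the parameters."""
    action_xml = "".join(f'<a:Action s:mustUnderstand="1">{x}</a:Action>' for x in actions)
    to_xml = f'<a:To s:mustUnderstand="1">{to}</a:To>' if to else ""
    return f"""<s:Envelope xmlns:s="{SOAP}" xmlns:a="{WSA}">
  <s:Header>{action_xml}<a:MessageID>urn:uuid:00000000-0000-4000-8000-000000000001</a:MessageID>{to_xml}</s:Header>
  <s:Body>
    <RequestSecurityToken xmlns="{WST}">
      <RequestType>{REQUEST_TYPE_ISSUE}</RequestType>
      <BinarySecurityToken xmlns="{WSSE}" ValueType="{value_type}"
          EncodingType="{ENCODING_BASE64}">{CSR_B64}</BinarySecurityToken>
    </RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


GOOD_REQUEST = build_request([ACTION_WSTEP], ENDPOINT, VALUE_PKCS10)
BAD_REQUEST = build_request([ACTION_WSTEP, ACTION_WSTEP], ENDPOINT, WSSE + "#PKCS12")

if __name__ == "__main__":
    print("good:", check_enrollment_request(GOOD_REQUEST, {ENDPOINT}))
    print("bad: ", check_enrollment_request(BAD_REQUEST, {ENDPOINT}))
```

The linter reports every violation it finds rather than stopping at the first, which is convenient when comparing a failing client's capture against the table; the service itself returns a single code per request.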

# Troubleshoot Connector for AD connector creation failures
<a name="c4adTroubleshootingConnectorCreationFailure"></a>

Connector for AD connector creation can fail for various reasons. When connector creation fails, you receive the failure reason in the API response (the connector's `StatusReason`). If you're using the console, the failure reason is displayed on the Connector **details** page under the **Additional status details** field within the Connector **details** container. The following table describes the failure reasons and the recommended steps for resolution.


| Failure status | Description | Remediation | 
| --- | --- | --- | 
| CA\_CERTIFICATE\_REGISTRATION\_FAILED | Connector for AD is unable to import CA certificates into your directory. |  Review the [Prerequisites](connector-for-ad-getting-started-prerequisites.md) page and check that your service account has the right permissions. After delegating the correct permissions to your service account, delete the failed connector and create a new one. For information about delegating permissions, see [Delegate privileges to your service account](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_getting_started.html#connect_delegate_privileges) in the *AWS Directory Service Administration Guide*.  | 
| DIRECTORY\_ACCESS\_DENIED | Connector for AD can't access your directory. |  You must grant Connector for AD access to your directory. Review [Step 4: Create IAM Policy](connector-for-ad-getting-started-prerequisites.md#prereq-iam) to make sure that the IAM policy associated with your AWS account allows you to access and describe directories. After granting the correct permissions to your IAM role, delete the failed connector and create a new one. If you're using Connector for AD with an AWS Directory Service AD Connector, make sure that the AD Connector service account's password is valid and hasn't expired. For information about AD Connector service accounts, see [Getting started with AD Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_getting_started.html) in the *AWS Directory Service Administration Guide*.  | 
| INTERNAL\_FAILURE | Connector for AD experienced an internal failure. |  Try again later. Delete the failed connector and create a new one.  | 
| INSUFFICIENT\_FREE\_ADDRESSES |  The VPC subnet must have at least one available private IP address. |  Make sure that an available private IP address exists in each subnet that the connector uses. Delete the failed connector and create a new one.  | 
| INVALID\_SUBNET\_IP\_PROTOCOL | Connector for AD is unable to create the endpoint in your VPC because the subnets associated with your directory do not support the specified IP address type. |  Make sure that the VPC and subnets that host your directory support your chosen IP address type. For more information, see [IP address types](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html#aws-service-ip-address-type). Delete the failed connector and create a new one with a supported IP address type.  | 
| PRIVATECA\_ACCESS\_DENIED | Connector for AD is unable to access your private CA. |  Review the [Prerequisites](connector-for-ad-getting-started-prerequisites.md) page and check that you have the permissions to create a connector. For information, see [Step 4: Create IAM Policy](connector-for-ad-getting-started-prerequisites.md#prereq-iam). If you're creating a connector through the AWS CLI or API, also check that you have shared the private CA with Connector for AD using AWS Resource Access Manager. After fixing the IAM permissions and the AWS RAM resource share, delete the failed connector and create a new one.  | 
| PRIVATECA\_RESOURCE\_NOT\_FOUND | Connector for AD can't find the specified private CA. |  Make sure that you specify the correct private CA [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html), then delete the failed connector and create a new one using your intended private CA ARN.  | 
| SECURITY\_GROUP\_NOT\_IN\_VPC | The security group isn't in the VPC that hosts your directory. |  Use a security group that is in the VPC that hosts your directory. For more information, see [Step 7: Configure security groups](connector-for-ad-getting-started-prerequisites.md#prereq-security-groups). Delete the failed connector and create a new one with a security group that is in that VPC.  | 
| VPC\_ACCESS\_DENIED | Connector for AD can't access the Amazon VPC that hosts your directory. |  Check your IAM permissions, then delete the failed connector and create a new one. For an example IAM policy that includes the required access permissions, see [Step 4: Create IAM Policy](connector-for-ad-getting-started-prerequisites.md#prereq-iam).  | 
| VPC\_ENDPOINT\_LIMIT\_EXCEEDED | Connector for AD can't create an endpoint in your Amazon VPC because you have reached the limit of VPC endpoints for your account. |  Delete unused Amazon VPC endpoints, or request a quota increase. After you've done one of the two, delete the failed connector and create a new one. For information about quotas, see [Amazon Virtual Private Cloud Service quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html).  | 
| VPC\_RESOURCE\_NOT\_FOUND | Connector for AD can't find the specified VPC. |  Make sure that you specified the correct VPC and that the VPC exists. Then delete the failed connector and create a new one using the correct VPC ID.  | 

# Troubleshoot Connector for AD SPN creation failure
<a name="c4adTroubleshootingSpnFailure"></a>

Service principal name (SPN) creation can fail for various reasons. When SPN creation fails, you receive the failure reason in the API response (the SPN's `StatusReason`). If you're using the console, the failure reason is displayed on the Connector details page under the **Additional status details** field within the **Service principal name (SPN)** container. The following table describes the failure reasons and the recommended steps for resolution.


| Failure status | Description | Remediation | 
| --- | --- | --- | 
| DIRECTORY\_ACCESS\_DENIED | Connector for AD isn't permitted to access your directory. |  Grant Connector for AD access to your directory. For an example IAM policy that includes permissions that grant directory access, see [Step 4: Create IAM Policy](connector-for-ad-getting-started-prerequisites.md#prereq-iam).  | 
| DIRECTORY\_NOT\_REACHABLE | Connector for AD can't reach your directory over the network. |  Check the network path between AWS and your directory (for AD Connector, the connectivity to your on-premises domain controllers), then try creating the SPN again.  | 
| DIRECTORY\_RESOURCE\_NOT\_FOUND | Connector for AD can't find the specified directory. |  Make sure that you specify the correct directory ID, then delete the failed connector and create a new one using your intended directory ID.  | 
| INTERNAL\_FAILURE | Connector for AD experienced an internal failure. |  Try again later.  | 
| SPN\_EXISTS\_ON\_DIFFERENT\_AD\_OBJECT | The service principal name (SPN) already exists on a different Active Directory object. |  Delete the SPN from that Active Directory object, then try creating the SPN again.  | 
| SPN\_LIMIT\_EXCEEDED | Connector for AD can't create the SPN because you've reached the limit of SPNs per directory. The maximum number of SPNs per directory is 10. |  Delete one or more SPNs from the directory, then try creating the SPN again.  | 
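Both the connector and the SPN are created asynchronously, so a script that creates them has to poll until the `Status` leaves `CREATING` and then read `StatusReason` on failure. The following added example (not part of this guide or of the AWS SDK) does that for both resource kinds from the two tables above. The polling function takes any zero-argument fetch callable, so it is exercised here against a constructed fake response sequence; `main()` wires it to the boto3 calls as I know them (service name `pca-connector-ad`, `get_connector`, `get_service_principal_name`), which the example does not exercise, and the ARNs in it are placeholders.

```python
"""Added example: surface the StatusReason of a Connector for AD connector or
SPN that did not reach ACTIVE. The fake response sequence is constructed for
this example; the boto3 calls in main() are shown as I know them and are not
exercised here. ARNs are placeholders."""
import time


class CreationFailed(RuntimeError):
    """Raised when the resource reaches FAILED; carries the API StatusReason."""

    def __init__(self, kind, reason):
        super().__init__(f"{kind} creation failed: {reason}")
        self.kind = kind
        self.reason = reason


def wait_until_active(fetch, kind, poll_seconds=15, max_polls=40):
    """Poll fetch() until response[kind] leaves CREATING.

    kind is 'Connector' (GetConnector) or 'ServicePrincipalName'
    (GetServicePrincipalName); both carry Status and StatusReason.
    Returns the resource dict when ACTIVE, raises CreationFailed on FAILED
    (reason is one of the codes in the tables above) and TimeoutError if the
    resource is still CREATING after max_polls.
    """
    status = None
    for attempt in range(max_polls):
        resource = fetch()[kind]
        status = resource.get("Status")
        if status == "ACTIVE":
            return resource
        if status == "FAILED":
            raise CreationFailed(kind, resource.get("StatusReason", "UNKNOWN"))
        if attempt + 1 < max_polls:
            time.sleep(poll_seconds)
    raise TimeoutError(f"{kind} still {status} after {max_polls} polls")


def creation_outcome(fetch, kind, **kwargs):
    """Return ('ACTIVE', None) or ('FAILED', StatusReason) for scripting."""
    try:
        wait_until_active(fetch, kind, **kwargs)
        return ("ACTIVE", None)
    except CreationFailed as exc:
        return ("FAILED", exc.reason)


def scripted_fetch(responses):
    """Constructed stand-in for a Get* call: returns one response per poll,
    then keeps returning the last one."""
    pending = list(responses)

    def fetch():
        return pending.pop(0) if len(pending) > 1 else pending[0]
    return fetch


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and AWS credentials configured

    client = boto3.client("pca-connector-ad")
    connector_arn = "arn:aws:pca-connector-ad:REGION:ACCOUNT:connector/CONNECTOR_ID"  # placeholder
    registration_arn = "arn:aws:pca-connector-ad:REGION:ACCOUNT:directory-registration/DIRECTORY_ID"  # placeholder
    try:
        wait_until_active(lambda: client.get_connector(ConnectorArn=connector_arn), "Connector")
        wait_until_active(lambda: client.get_service_principal_name(
            ConnectorArn=connector_arn, DirectoryRegistrationArn=registration_arn),
            "ServicePrincipalName")
    except CreationFailed as exc:
        # Fix the cause listed for exc.reason in the tables above, then delete
        # the failed connector and create a new one; the failed one stays FAILED.
        print(exc)
```

A failed connector never recovers on its own, which is why every remediation in the tables ends with deleting it and creating a new one; the poller therefore treats `FAILED` as terminal rather than waiting it out.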

# Troubleshoot Connector for AD template update issues
<a name="c4adTroubleshootingUpdatedTemplate"></a>

If you made changes to a template or to a group's access control entry but don't see the changes on your clients, the cause is usually policy caching. Windows clients pick up template changes from the connector only when they refresh their enrollment policy cache, which happens every eight hours. When a client refreshes the cache, it queries the connector for the templates that the requester is allowed to enroll for. With *auto-enrollment*, the client then requests certificates for templates that meet either or both of the following conditions:
+ An existing certificate for the template is within its renewal period.
+ No certificate for the template is present on the client device.

With *manual enrollment*, the client queries the connector for the policy, and you must select the template to request.

If you're debugging, you can clear the enrollment policy cache on the client to see template changes immediately. To do so, run the following command from an elevated Command Prompt or PowerShell session on the client.

```
certutil -f -user -policyserver * -policycache delete
```

The `-user` switch clears the policy cache for the current user; omit it to clear the computer's policy cache instead. To start an auto-enrollment pass right away after clearing the cache, run `certutil -pulse`.