This article seeks to provide a guide to setting up Centrify Authentication Service with an AWS Managed Microsoft® Active Directory (AD). By the end of this article, you should have a basic working configuration of Centrify Authentication Service using an AWS Managed Microsoft AD.

Below is a list of prerequisites to configure Centrify Authentication Service:

1. If not already configured, you will need to launch an AWS Managed Microsoft AD.
2. You will also need a Windows Server EC2 instance created and joined to the AWS Managed Microsoft AD.
3. You will also want to download the Centrify Authentication Service media to your EC2 instance.
4. Make sure you have an AD account with enough permissions to add OUs, Containers, Users, and Groups to the AWS Managed Microsoft AD. I used the default Admin user given to me when I set up the AWS Managed Microsoft AD.

Once you have the above prerequisites checked off, you can begin the installation and configuration of Centrify Authentication Service. This will be a pretty normal installation of the services, but some changes are made to the configuration due to the way that an AWS Managed Microsoft AD works.

To start, you will want to run the autorun.exe and select Authentication & Privilege at the beginning of the installer.

You can perform the installation of Microsoft SQL Server Compact for Sudoers Import if you would like. I have skipped it for this how-to.

Enter the User Name and Organization information.

Again, for simplicity's sake, I chose not to install Centrify Report Services, as it is not in the scope of this how-to.

I kept the default installation location; however, you can change it if you wish.

Once you have completed the installation, launch the Centrify Access Manager MMC and connect to your AD forest. As you can see my Domain Controller is automatically populated, if this does not happen for you, it may be because you are not logged into the EC2 instance as a Domain User.

I chose to use the currently logged in credentials for configuration; however, you can specify the credentials of another user if needed.

I recommend checking the Generate the Centrify recommended deployment structure so that the confirmation wizard can create an AD Container structure for you.

At this point, we will need to start altering the default locations as an AWS Managed Microsoft AD has some restrictions.

In the next window, you will want to choose a valid location to deploy the Centrify container structure. As an AWS Managed Microsoft AD only gives you permissions over your Domain OU, you will want to select it as the location. Mine is the stormten OU under the stormten.ninja directory.

Make sure the generation of your deployment structure completes successfully.

We will need to specify the license container as we did not deploy to the default location and do not have permissions to the default location in AWS Managed Microsoft AD.

If you generated the deployment structure as I did, the licenses container can be found in [Domain OU] > Centrify > Licenses

You will also need to specify a different location for your Centrify Zones Container. Mine is located in [Domain OU] > Centrify > Zones

We will not be able to configure the next two options due to limitations with an AWS Managed Microsoft AD. We can not alter the schema of AD because it is managed by AWS. This means we can not configure the Administrative Notification Handler and the Centrify Profile Property Pages.

Once you complete the configuration wizard, the installation and configuration of Centrify Authentication Service with the AWS Managed Microsoft AD is complete.

You can now create your Centrify Zones and populate them by Computers, Users, and Role Assignments.

You can visit this link for more information on the limitations of an AWS Managed Microsoft AD:

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html 
Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions