
AWS Federated Authentication with AD FS

SPL-102 - Version 1.2.10

© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or
redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc.
Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Note: Do not include any personal, identifying, or confidential information into the lab environment.
Information entered may be visible to others.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

Overview
This lab takes you through the process of configuring Active Directory Federation Services (AD FS) with
AWS Identity and Access Management (IAM), which enables Active Directory users and groups to access the
AWS Management Console. You will use the AWS support for Security Assertion Markup Language
(SAML), an open standard used by many identity providers (IdPs). This feature enables federated single sign-
on (SSO), which lets users sign in to the console or make programmatic calls to AWS application
programming interfaces (APIs) by using assertions from a SAML-compliant IdP like AD FS. With identity
federation, external identities or federated users are granted secure access to resources in the AWS account
without requiring you to create IAM users.

OBJECTIVES
After completing this lab, you will be able to:

• Install and set up AD FS on a Windows server
• Enable federated access to the AWS Management Console using an existing Active Directory server
• Create new roles in IAM and map those to your federated users
• Allow federated users to have access to the AWS Management Console

TECHNICAL KNOWLEDGE PREREQUISITES


To successfully complete this lab, you should be familiar with basic Windows Server administration and also
be highly fluent and conceptually solid with the techniques of federated identity and IdPs in general, and
SAML, Lightweight Directory Access Protocol (LDAP), Active Directory, and IAM in particular.

PREREQUISITES
This lab requires:

• Access to a notebook computer with Wi-Fi running Microsoft Windows, Mac OS X, or Linux (Ubuntu, SuSE, or Red Hat)
• For Microsoft Windows users: Administrator access to the computer
• An internet browser such as Chrome, Firefox, or Internet Explorer 9 (previous versions of Internet Explorer are not supported)

Note This lab is currently incompatible with Internet Explorer 11. Use a different browser to launch this lab.

DURATION
This lab takes approximately 60 minutes to complete.

Note Once you click Start Lab, it takes about 10 minutes for the environment to deploy.

AD FS FEDERATED AUTHENTICATION PROCESS


The following process details how a user would authenticate to AWS using Active Directory and AD FS:

Step 1. The flow is initiated when a user browses to the AD FS sample site
(https://Fully.Qualified.Domain.Name.Here/adfs/ls/IdpInitiatedSignOn.aspx) inside their domain. When you
install AD FS, you get a new virtual directory named AD FS for your default website, which includes this
page.

Step 2. The sign-on page authenticates the user against Active Directory. Depending on the user’s browser,
they might be prompted for their Active Directory username and password.

Step 3. The user’s browser receives a SAML assertion in the form of an authentication response from AD FS.

Step 4. The user’s browser posts the SAML assertion to the AWS sign-in endpoint for SAML
(https://signin.aws.amazon.com/saml). Behind the scenes, sign-in uses the AssumeRoleWithSAML API to
request temporary security credentials and then constructs a sign-in URL for the AWS Management Console.

Step 5. The user’s browser receives the sign-in URL and is redirected to the console.
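As an added example that is not part of the original lab, the following PowerShell function decodes a SAMLResponse of the kind the browser posts in Step 4 and reports whether the three elements AWS requires are present: a NameID, a RoleSessionName, and one or more Role values in "provider ARN,role ARN" form. The sample assertion is constructed here (unsigned and abbreviated), and the account ID and ARNs in it are placeholders.

```powershell
# Added example (not part of the original lab): inspect a base64-encoded
# SAMLResponse and extract the attributes AWS sign-in consumes in Step 4.
# Useful as a first check when a federated sign-in fails after Step 3.

function Get-AwsSamlAttributes {
    param([Parameter(Mandatory)][string]$Base64SamlResponse)

    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml([System.Text.Encoding]::UTF8.GetString(
        [System.Convert]::FromBase64String($Base64SamlResponse)))

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")

    $nameId  = $xml.SelectSingleNode("//saml:Subject/saml:NameID", $ns)
    $attr    = "//saml:AttributeStatement/saml:Attribute[@Name='{0}']/saml:AttributeValue"
    $session = $xml.SelectSingleNode(($attr -f "https://aws.amazon.com/SAML/Attributes/RoleSessionName"), $ns)
    $roles   = $xml.SelectNodes(($attr -f "https://aws.amazon.com/SAML/Attributes/Role"), $ns)

    # Each Role value must be "<saml-provider ARN>,<role ARN>", which is
    # exactly what the Roles claim rule in Task 7 emits.
    $rolePairs = foreach ($r in $roles) {
        $parts = $r.InnerText -split ","
        if ($parts.Count -ne 2 -or
            $parts[0] -notmatch "^arn:aws:iam::\d{12}:saml-provider/" -or
            $parts[1] -notmatch "^arn:aws:iam::\d{12}:role/") {
            Write-Warning "Malformed Role attribute: $($r.InnerText)"
            continue
        }
        [pscustomobject]@{ ProviderArn = $parts[0]; RoleArn = $parts[1] }
    }

    [pscustomobject]@{
        NameID          = if ($nameId)  { $nameId.InnerText } else { $null }
        NameIDFormat    = if ($nameId)  { $nameId.GetAttribute("Format") } else { $null }
        RoleSessionName = if ($session) { $session.InnerText } else { $null }
        Roles           = @($rolePairs)
        # AWS rejects the response if any of the three elements is missing.
        ReadyForAws     = [bool]($nameId -and $session -and $rolePairs)
    }
}

# Constructed sample (placeholder account ID 111122223333) carrying the
# claims that the lab's four rules produce for mydomain\Administrator.
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">MYDOMAIN\Administrator</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>Administrator</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/AWS-View-EC2</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/AWS-View-S3</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

$encoded = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sample))
Get-AwsSamlAttributes -Base64SamlResponse $encoded | Format-List
```

To inspect a real response, paste the SAMLResponse form value captured from the browser's developer tools in place of `$encoded`; the function only reads the assertion and does not verify its signature.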

PROVISIONED INFRASTRUCTURE
To help you focus on the topics for this lab, you have been provided an automatically generated environment,
which contains a preinstalled Active Directory domain controller with a domain called mydomain.local.

The domain controller instance is in a private subnet. There is also a public subnet with an instance for network
address translation (NAT) and an instance for Remote Desktop Gateway (RD Gateway). The public subnet is
also referred to as a DMZ. Routing tables, subnets, and an internet gateway have also been provisioned as
needed by Active Directory. The following diagram shows this setup, including the AD FS instance that you
will launch in the private subnet during the lab:

The NAT instance allows outbound internet access (e.g., for Windows Update or to reach IAM) for instances
in the private subnet. The RD Gateway instance allows only inbound administrative access over remote
desktop protocol (RDP) to instances in the private subnet.

Note To log in to your private subnet instances, you must first use an RDP client to connect to the public-
facing RD Gateway instance. Then you can open an RDP connection from the RD Gateway instance to the
domain controller instance or AD FS instance in the private subnet using the private IP address. In this case,
the RD Gateway instance acts as a bastion (jump) host.

Start lab
1. To launch the lab, at the top of the page, choose Start lab.

You must wait for the provisioned AWS services to be ready before you can continue.

2. To open the lab, choose Open Console.


You are automatically signed in to the AWS Management Console in a new web browser tab.

Do not change the Region unless instructed.

COMMON SIGN-IN ERRORS


Error: You must first sign out

If you see the message, You must first log out before logging into a different AWS account:

• Choose the click here link.
• Close your Amazon Web Services Sign In web browser tab and return to your initial lab page.
• Choose Open Console again.

Error: Choosing Start Lab has no effect

In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button
from working as intended. If you experience an issue starting the lab:

• Add the lab domain name to your pop-up or script blocker’s allow list or turn it off.
• Refresh the page and try again.

Task 1: Configure your AD FS instance


Because the AD FS and domain controller instances are in a private subnet, you must go through RD Gateway
to connect to them. In this task, you connect to the RD Gateway instance.

3. In the AWS Management Console, click Services, and then click EC2.

4. In the left navigation pane, click Instances.

5. From the list of instances, select RDGW, and click Connect.

6. Click RDP client.

7. Click Download remote desktop file.


8. Open the .rdp file to log in to the Windows instance using your RDP client.

9. Use the following to connect to the Windows instance:

• User name: Enter

mydomain\Administrator

• Password: Paste the AdministratorPassword value located on the left side of the lab page.

Task 2: Connect to the domain controller instance


10. When the RD Gateway desktop appears, click Start, and type

Remote

11. In the search results, click Remote Desktop Connection.

12. In Remote Desktop Connection, for Computer, enter

10.0.0.10

Note This is the private IP address of the domain controller instance.

13. Click Connect.

14. When prompted for credentials:

• For Username, enter

administrator

• For Password, enter the AdministratorPassword value located on the left side of the lab page.

15. Click OK, and then click Yes.

16. If prompted that the identity of the remote computer cannot be verified, click Yes.

17. When prompted to allow your PC to be discoverable, click Yes.


You now have one RDP session running inside another, which can be confusing. It may help to drag the title
bar for one RDP session to the right or left so you can see the IP address of each instance.

18. On the domain controller instance (IP address 10.0.0.10), click Start, and type

Active Dir

19. In the search results, click Active Directory Users and Computers.

20. Right-click mydomain.local, and select New > Group.

21. In the New Object - Group window, for Group name, enter

AWS-View-EC2

Note When working with AD FS and SAML, group names and user names in Active Directory and IAM are
case-sensitive. Type this name exactly as it appears.

22. Click OK.

23. On the right side of the window, double-click mydomain.local.

24. Right-click AWS-View-EC2, and select Properties.

25. Click the Members tab.

26. Click Add.

27. For Enter the object names to select, enter

Administrator

28. Click Check Names.

29. Click OK, and then click OK again to close the windows.

Now you will create a second group to see how you can restrict user AWS Management Console access using
Active Directory. In a production environment, you would assign users to groups as appropriate; however, for
this lab you will use a single user and put them in multiple groups so you can see the functionality.

30. At the top-right of the Active Directory Users and Computers window, click the left arrow icon to
return to the mydomain.local level.

31. Right-click mydomain.local, and select New > Group.


32. In the New Object - Group window, for Group name, enter

AWS-View-S3

Note When working with AD FS and SAML, group names and user names in Active Directory and IAM are
case-sensitive.

33. Click OK.

34. On the right side of the window, double-click mydomain.local.

35. Right-click AWS-View-S3, and select Properties.

36. Click the Members tab.

37. Click Add.

38. For Enter the object names to select, enter

Administrator

39. Click Check Names.

40. Click OK, and then click OK again to close the windows.

Now you need to create a user that will be used later to configure AD FS.

41. At the top-right of the Active Directory Users and Computers window, click the left arrow icon to
return to the mydomain.local level.

42. Right-click mydomain.local, and select New > User.

43. In the New Object - User window, configure the following:

• First name: Enter

ADFSSVC

• User logon name: Enter

ADFSSVC

Note When working with AD FS and SAML, group names and user names in Active Directory and IAM are
case-sensitive.

44. Click Next.

45. Uncheck the User must change password at next logon check box.

46. For Password and Confirm password, enter

Mypa$$word123

47. Click Next, and then click Finish.

48. Close the remote session to the domain controller instance.

Note The IP address of the domain controller instance is 10.0.0.10.

Task 3: Join your AD FS instance to the domain


49. On the RD Gateway instance, click Start, and type

Remote

50. In the search results, click Remote Desktop Connection.

51. In Remote Desktop Connection, for Computer, enter

10.0.0.15

Note This is the private IP address of the AD FS instance.

52. Click Connect.

53. When prompted for credentials:

• For Username, enter

administrator

• For Password, enter the AdministratorPassword value located on the left side of the lab page.

54. Click OK, and then click Yes.

55. If prompted that the identity of the remote computer cannot be verified, click Yes.

56. When prompted to allow your PC to be discoverable, click Yes.

57. On the AD FS instance (IP address 10.0.0.15), click Start, and type

Windows PowerShell

58. In the search results, click Windows PowerShell.

59. Run the following command:

C:\Windows\System32\control.exe ncpa.cpl

Note You can paste into PowerShell by pressing CTRL+P or right-clicking.

60. Right-click the Ethernet icon, and select Properties.

61. In the Ethernet Properties window, double-click Internet Protocol Version 4 (TCP/IPv4).

62. Click Use the following DNS server addresses.

63. For Preferred DNS server, enter

10.0.0.10

64. Click OK.

65. Close the window.

66. Return to PowerShell and run the following command:

ping mydomain.local

This should resolve to 10.0.0.10, which is the IP address of the domain controller.

67. Open the System Properties window by running the following command in PowerShell:

systempropertiescomputername

68. Click Change.

69. Configure the following:


• Computer name: Enter

adfsserver

• Member of: Select Domain

• Domain: Enter

mydomain.local

70. Click OK. A Windows Security window appears.

71. Configure the following:

• User name: Enter

Administrator

• Password: Paste the AdministratorPassword value from the left side of the lab page

72. Click OK.

73. In the welcome pop-up box, click OK.

74. In the restart notification pop-up box, click OK.

75. Close any open windows.

76. The system prompts you to reboot the instance. Click Restart Now.

Task 4: Create a self-signed certificate on AD FS


In this task, you will connect to AD FS as the domain administrator.

77. Wait two minutes for the AD FS instance to restart.

78. On the RD Gateway instance, open Remote Desktop Connection.

79. Click Show Options.

Note Make sure you log in to the AD FS domain by updating the user name.

80. Configure the following:

• Computer: Enter

10.0.0.15

• User name: Enter

mydomain\administrator

• Password: Enter the AdministratorPassword value from the left side of the lab page

Note To enter the user name and password, you might need to click More choices and then Use a different
account.

81. Click Connect.

82. Click OK, and then click Yes.

83. In the AD FS instance (IP address 10.0.0.15), click Start, and then click Server Manager.

Note It may take a few seconds for Server Manager to load completely.

84. If you see a window that says, Try managing servers with Windows Admin Center, click the X to
close the window.

85. Click Add roles and features.

86. On the Before you begin page, click Next.

87. On the Select installation type page, click Next.

88. On the Select destination server page, click Next.

89. On the Select server roles page, select Web Server (IIS). A dialog box opens.

90. Click Add Features.

91. Click Next.

92. On the Select features page, click Next.

93. On the Web Server Role (IIS) page, click Next.

94. On the Select role services page, click Next.

95. On the Confirm installation selections page, click Install.

96. Wait for the installation to finish, and then click Close.

97. Click Tools > Internet Information Services (IIS) Manager.

Note The Tools menu is at the top-right corner of the Server Manager dashboard.

98. In the left navigation pane, click ADFSSERVER.

99. Double-click Server Certificates.

Note You may need to scroll down to see this icon.

100. In the Actions pane on the right, click Create Self-Signed Certificate.

101. Configure the following:

• Specify a friendly name for the certificate: Enter

adfs

• Select a certificate store for the new certificate: Select Web Hosting

102. Click OK.

103. In the server certificates list, right-click the adfs certificate, and select Export.

104. Configure the following:

• Export to: Enter

C:\Users\administrator.mydomain\Desktop\adfs.pfx

• Password: Enter

Mypa$$word123

• Confirm password: Enter

Mypa$$word123

105. Click OK.

106. Close the Internet Information Services (IIS) Manager window.


Task 5: Install AD FS
107. In Server Manager, click Add roles and features.

108. On the Before you begin page, click Next.

109. On the Select installation type page, click Next.

110. On the Select destination server page, click Next.

111. On the Select server roles page, select Active Directory Federation Services.

112. Click Next.

113. On the Select features page, click Next.

114. On the Active Directory Federation Services (AD FS) page, click Next.

115. On the Confirm installation selections page, select Restart the destination server
automatically if required.

116. When prompted to allow automatic restarts, click Yes.

117. Click Install.

118. Wait for the installation to complete. Then, click the Configure the federation service on
this server link.

Note If you closed the window before clicking the link, open the next wizard by clicking the notification icon
in the Server Manager menu bar.

119. On the Welcome page, make sure Create the first federation server in a federation server
farm is selected. Then, click Next.

120. On the Connect to Active Directory Domain Services page, verify that mydomain\
administrator is listed.

Note If mydomain\administrator is not listed, follow these steps:

• Click Change
• For User name, enter

mydomain\administrator

• For Password, enter the AdministratorPassword value from the left side of the lab page
• Click OK

121. Click Next.

122. On the Specify Service Properties page, click Import.

123. Select the adfs.pfx certificate file that you created earlier, and click Open.

124. When prompted for the certificate password, enter

Mypa$$word123

and click OK.

The SSL Certificate and Federation Service Name fields are updated.

125. For Federation Service Display Name, enter

AWSADFS

126. Click Next.

127. On the Specify Service Account page, click Select.

128. For Enter the object name to select, enter

ADFSSVC

129. Click Check Names, and then click OK.

130. For Account Password, enter

Mypa$$word123

131. Click Next.

132. On the Specify Configuration Database page, click Next.

133. On the Review Options page, review your options, and then click Next.

134. On the Pre-requisite Checks page, click Configure.

Note When the installation is finished, you may see an error message related to SPN configuration. This is a
known issue that sometimes occurs with AD FS setup. If you receive the error, open PowerShell and run the
following command:
setspn -a host/localhost adfssvc

This command registers the Service Principal Names. The success message should look like the following:

Checking domain DC=mydomain,DC=local

Registering ServicePrincipalNames for CN=ADFSSVC,DC=mydomain,DC=local
        host/localhost
Updated object

135. In the AD FS Configuration Wizard, click Close.

136. Close the Server Manager window.

137. Open PowerShell, and run the following commands separately to download the SAML
metadata document for the AD FS instance:

cd Desktop
wget https://adfsserver.mydomain.local/FederationMetadata/2007-06/FederationMetadata.xml -OutFile FederationMetadata.xml

138. Open the FederationMetadata.xml file that you just created using a text editor such as
Notepad.

Note The FederationMetadata.xml is saved on the desktop.

139. Copy the contents of the file to a text file on your personal desktop.

Note Depending on your version and settings for remote desktop, you can try to copy and paste the file itself
from the remote desktop to your local desktop.

140. Save the text file as

FederationMetadata.xml

Next, you will upload the FederationMetadata.xml file to the AWS Management Console.

Task 6: Set up AWS IAM to work with AD FS


In this task, start by creating the IdP in IAM.

141. In the AWS Management Console, click Services, and click IAM.

142. In the left navigation pane, click Identity providers.

143. Click Add Provider.


144. Configure the following:

• Provider Type: Select SAML

• Provider Name: Enter

ADFS

145. Click Choose File.

146. Browse to and select the FederationMetadata.xml file that you saved earlier.

147. Click Add provider.

For this lab, two roles have been created for you to use when logging in to the AWS Management Console.
One role, AWS-View-EC2, allows you to view all EC2 information, while the other, AWS-View-S3, allows you to
view all S3 resources. You will set up the AD FS server to allow these roles to be assumed and examine the
console to see how access is restricted.

Task 7: Set up AWS as a trusted relying party


148. Return to the RDP session with the AD FS instance (10.0.0.15), and open Server Manager.

149. In the left navigation pane, click Local Server.

150. In the PROPERTIES section to the right, for IE Enhanced Security Configuration, click
the On link.

151. For both Administrators and Users, select Off, and then click OK.

152. Click Tools > AD FS Management.

Note The Tools menu is at the top-right corner of the Server Manager dashboard.

153. In the Actions pane on the right, click Add Relying Party Trust….

Note You can also click Required: Add a trusted relying party in the Overview section.

154. On the Welcome page, click Start.

155. On the Select Data Source page, confirm that Import data about the relying party
published online or on a local network is selected.

156. For Federation metadata address (host name or URL), enter

https://signin.aws.amazon.com/static/saml-metadata.xml

157. Click Next.

158. On the Specify Display Name page, click Next.

159. On the Choose Access Control Policy page, click Next.

160. On the Ready to Add Trust page, click Next.

161. On the Finish page, select Configure claims issuance policy for the application.

162. Click Close.

CONFIGURE CLAIM RULES FOR THE AWS RELYING PARTY


In this section, you will add and configure claim rules, which ensure that elements such as NameId,
RoleSessionName, and Roles are added to the SAML authentication response. AWS requires these elements;
AD FS does not provide them by default.

163. In the AD FS Management area of Server Manager, in the left navigation pane, click
the Relying Party Trusts folder.

Note To access the AD FS Management area of Server Manager, click Tools > AD FS Management.
The Tools menu is at the top-right corner of the Server Manager dashboard.

164. In the Actions pane on the right, click Edit Claim Issuance Policy.

165. Click Add Rule.

166. For Claim rule template, select Transform an Incoming Claim.

167. Click Next.

168. On the Configure Claim Rule page, configure the following:

• Claim rule name: Enter

Name ID

• Incoming claim type: Select Windows account name
• Outgoing claim type: Select Name ID
• Outgoing name ID format: Select Persistent Identifier

169. Click Finish.

170. Click Add Rule again.

171. For Claim rule template, select Send LDAP Attributes as Claims.

172. Click Next.

173. On the Configure Claim Rule page, configure the following:

• Claim rule name: Enter

RoleSessionName

• Attribute store: Select Active Directory
• LDAP Attribute: Select SAM-Account-Name
• Outgoing Claim Type: Enter

https://aws.amazon.com/SAML/Attributes/RoleSessionName

174. Click Finish.

175. Click Add Rule for the third time.

176. For Claim rule template, select Send Claims Using a Custom Rule.

177. Click Next.

178. On the Configure Claim Rule page, configure the following:

• Claim rule name: Enter

Get AD Groups

• Custom rule: Copy and paste the following:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

This rule uses the standard Active Directory schema to identify user groups from Active Directory and pass
them to IAM.

179. Click Finish.

Note Leave the Edit Claim Issuance Policy window open.

180. In the AWS Management Console, click Services, and click IAM.

181. In the left navigation pane, click Identity providers.


182. Click the Provider Name for the ADFS provider.

Note Click the Provider Name, not the checkbox next to the provider.

183. Copy the Provider ARN value and save it to use later.

Note The value should look similar to the following: arn:aws:iam::999999999999:saml-provider/ADFS

184. In the left navigation pane, click Roles.

185. Click the Role name for the AWS-View-EC2 role.

186. Copy the Role ARN value and save it to use later.

Note The value should look similar to the following: arn:aws:iam::999999999999:role/AWS-View-EC2

187. In your text editor, delete the word View-EC2 from the end of the role ARN.

Note The value should now look similar to the following: arn:aws:iam::111122223333:role/AWS-

188. Return to the RDP session of your AD FS instance.

189. In the Edit Claim Issuance Policy window, click Add Rule.

Note If you closed this window, follow these steps to open it:

• Within Server Manager, click Tools > AD FS Management
• In the left navigation pane, click the Relying Party Trust folder
• In the Actions pane on the right, click Edit Claim Issuance Policy

190. For Claim rule template, select Send Claims Using a Custom Rule.

191. Click Next.

192. On the Configure Claim Rule page, configure the following:

• Claim rule name: Enter

Roles

• Custom rule: Copy and paste the following:

c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "SAMLARN,ROLEARN"));

193. In the pasted text, replace SAMLARN with the provider ARN value you saved earlier.
Replace ROLEARN with the role ARN value that you saved earlier.

Note Check that you have removed the word View-EC2 from the end of the role ARN.

The custom rule text should now look similar to the following:

c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/AWS-"));

194. Click Finish, and then click OK.

195. Close the AD FS Management window, and close Server Manager.

196. On the AD FS instance desktop, open PowerShell and run the following command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

Task 8: Test the configuration by logging into AWS


197. On your AD FS instance, open Google Chrome.

You may use any browser; however, you may need to change security configuration settings based on the
browser type.

198. Copy and paste the following URL in the address bar:

https://localhost/adfs/ls/IdpInitiatedSignOn.aspx

Note If prompted that the connection is not private, click Advanced, and then click Proceed to localhost
(unsafe).

199. Select Sign in to one of the following sites, and then click Sign in.

200. Enter the following values on the login page:

• User name: Enter

mydomain\Administrator

• Password: Enter the value of AdministratorPassword from the left side of the lab page

201. Select AWS-View-EC2, and click Sign In.

You are now signed in to the AWS Management Console as AWS-View-EC2/Administrator.

202. In the console, click Services, and then click EC2.


203. In the left navigation, click Instances.

You should see three instances listed. This is because the role you assumed has read access to EC2.

Note If you do not see any resource information on the EC2 Dashboard, check the Region. Make sure the
Region you are using on the console within the RDP session matches the Region displayed to the left of these
instructions.

204. In the console, click Services, and then click S3.

Since you logged in with a role that only allows you to view EC2 information, you are denied access to view
any information about Amazon S3.

205. Return to the localhost AD FS login page by copying and pasting the following URL in the
address bar:

https://localhost/adfs/ls/IdpInitiatedSignOn.aspx

206. Click Sign in.

207. Select AWS-View-S3, and click Sign In.

208. In the console, click Services, and then click EC2.

209. In the left navigation, click Instances.

You should see a warning indicating You are not authorized to perform this operation. This is because the role
you signed in with does not have permission to use EC2.

210. In the console, click Services, and then click S3.

You should see several buckets listed.

By creating IAM roles and AD FS groups, you are able to assign specific permissions to users to limit their
access to appropriate parts of the AWS Management Console.

For reference, see the following detailed blog article on this topic (with Windows Server 2008 R2):
https://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0

End lab
Follow these steps to close the console and end your lab.

211. Return to the AWS Management Console.

212. At the upper-right corner of the page, choose AWSLabsUser, and then choose Sign out.

213. Choose End lab and then confirm that you want to end your lab.

Conclusion
Congratulations! You have now successfully:

• Installed and set up AD FS
• Added an AD FS server to a Windows domain
• Configured AWS as a trusted relying party
• Added sample rules
• Tested the configuration

Additional resources
• Amazon EC2

For more information about AWS Training and Certification, see https://aws.amazon.com/training/.

Your feedback is welcome and appreciated.


If you would like to share any feedback, suggestions, or corrections, please provide the details in our AWS
Training and Certification Contact Form.

Appendix
Access to a Microsoft Windows EC2 instance requires a secure connection using an RDP client. The following
directions walk you through the process of connecting to your Windows EC2 instance.

Choose one of the following guides:

• Connect from a Windows machine using an RDP client
• Connect from a macOS machine using an RDP client

CONNECT FROM A WINDOWS MACHINE USING AN RDP CLIENT


214. Open the Remote Desktop Connection application on your computer:

• On Windows 10, click the Start button. Start typing Remote Desktop Connection. In the list of results, click Remote Desktop Connection.
• On Windows 8.1, go to the Start screen. Start typing Remote Desktop Connection. In the list of results, click Remote Desktop Connection.
• On Windows 7, click the Start button. In the search box, start typing Remote Desktop Connection. In the list of results, click Remote Desktop Connection.

215. For the Computer field, enter the public IP address of the Windows instance.

216. Click Connect.

217. When prompted for credentials, click Use another account.

Note You may need to click More choices and then Use a different account.

Note By default, the application uses your current Windows user name and domain. For the lab, you will use a
specified user name and domain in the RDP client.

218. Enter your credentials:

• Username: Enter

mydomain\Administrator

• Password: Paste the value of AdministratorPassword located to the left of these instructions.

219. Click OK.

220. If prompted that the identity of the remote computer cannot be verified, click Yes.

The connection to your remote instance should start momentarily. To continue this lab, click here to go to the
next step.

CONNECT FROM A MACOS MACHINE USING AN RDP CLIENT


221. Download the Microsoft Remote Desktop client from the Mac App Store.

222. Open the Microsoft Remote Desktop client.

223. To create a new connection, click New.


224. Configure the following:

• Connection name: Enter

WINDOWS RDG

• PC Name: Enter the public IP address of the Windows instance

• User name: Enter

mydomain\Administrator

• Password: Paste the value of AdministratorPassword located to the left of these instructions.

225. Close the Edit Remote Desktops window by clicking the red close button at the top-left
corner.

226. In the Microsoft Remote Desktop window, select the WINDOWS RDGW connection, and
then click Start.

227. In the Verify Certificate dialog box, click Continue.

The connection to your remote instance should start momentarily. To continue this lab, click here to go to the
next step.
