Reduce the human risk in your WorkSpaces security policy by enabling smartcard login for Windows and Linux with WorkSpaces Streaming Protocol
Key Takeaways:
- Amazon WorkSpaces users with Windows or Linux WorkSpaces can use smart cards to log in
- Only those using WorkSpaces Streaming Protocol are supported
- Smart cards are supported for both pre-session and in-session authentication: pre-session authentication is used to log in, in-session authentication for actions inside the WorkSpace that need administrative permissions
- You’ll need an Active Directory Connector (AD Connector) for pre-session authentication
- Smart card login also requires a PIN and provides enhanced security
Amazon WorkSpaces users who have Windows or Linux WorkSpaces can use smart cards and the WorkSpaces Streaming Protocol (WSP) to log in. Using a Common Access Card (CAC) or Personal Identity Verification (PIV) card tightens security because users must not only prove their identity with the smart card but also enter its PIN.
Smart cards are supported for both pre-session and in-session authentication. Pre-session authentication happens when users log in to their WorkSpaces. In-session authentication can be used while working in browsers and applications, and for actions that need administrative permissions.
Amazon WorkSpaces must be configured to use the Amazon WorkSpaces Streaming Protocol (WSP) to support access cards, which requires the Windows WorkSpaces client 3.1.1 or higher. Let’s talk about the additional requirements and how to use a smart card to log in to your Amazon WorkSpace.
Requirements for smart card use
You’ll need an Active Directory Connector (AD Connector) for pre-session authentication. The AD Connector uses certificate-based mutual Transport Layer Security (mutual TLS) authentication to validate users against Active Directory, using a hardware- or software-based smart card certificate. See the directory configuration documentation for information about how to set up your AD Connector and on-premises directory.
To use a smart card with Windows or Linux WorkSpaces
You will need Amazon WorkSpaces Windows client version 3.1.1 or later, or the WorkSpaces macOS client version 3.1.5 or later, to use a smart card with Windows or Linux WorkSpaces. In addition, the root CA and smart card certificates must meet certain requirements.
Pre-session authentication requires Online Certificate Status Protocol (OCSP) for certificate revocation checking. OCSP is also recommended, but not required, for in-session authentication.
Along with these requirements, user certificates must include the following attributes to be used for smart card authentication in Amazon WorkSpaces:
- The AD user’s userPrincipalName (UPN) in the subjectAltName (SAN) field of the certificate. We recommend issuing smart card certificates for the user’s default UPN.
- The Client Authentication (1.3.6.1.5.5.7.3.2) Extended Key Usage (EKU) attribute.
- The Smart Card Logon (1.3.6.1.4.1.311.20.2.2) EKU attribute.
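Issued certificates that miss one of these attributes, or that carry no OCSP responder for the revocation check described above, are a common cause of failed pre-session logins. The following Python script is an added example written for this page (not code from the article, AWS or WorkSpaces): it reads a DER-encoded user certificate and reports whether it contains a UPN in the SAN, the Client Authentication and Smart Card Logon EKUs, and an OCSP URL in the Authority Information Access extension. It uses only the standard library, so it includes a small hand-written DER reader. The AIA and OCSP OIDs are the standard PKIX values and the UPN otherName OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's; these, the build_sample_cert function and the placeholder URL http://ocsp.corp.example/ are my additions, not from the page, and the sample certificate the script builds is unsigned and constructed only for the demonstration.

```python
# Added example, not code from the article, AWS or WorkSpaces: checks a DER user certificate
# for the smart card logon attributes. Standard library only, so a tiny DER reader is hand-written.
from __future__ import annotations
OID_SAN, OID_EKU, OID_AIA, OID_OCSP = "2.5.29.17", "2.5.29.37", "1.3.6.1.5.5.7.1.1", "1.3.6.1.5.5.7.48.1"
OID_UPN = "1.3.6.1.4.1.311.20.2.3"               # SAN otherName type-id for a Microsoft UPN
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # EKU listed in the requirements above
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # EKU listed in the requirements above

def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> list[tuple[int, bytes]]:   # parts of a constructed element
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def seq_items(der: bytes) -> list[tuple[int, bytes]]:      # children of a whole TLV (e.g. an extnValue)
    return children(read_tlv(der)[1])

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                           # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def extensions(cert_der: bytes) -> dict[str, bytes]:
    """Map extension OID -> extnValue DER (the content of its OCTET STRING)."""
    tbs = children(read_tlv(cert_der)[1])[0][1]  # Certificate -> tbsCertificate
    for tag, body in children(tbs):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions: SEQUENCE OF {OID, [critical], OCTET STRING}
            return {decode_oid(children(ext)[0][1]): children(ext)[-1][1] for _, ext in seq_items(body)}
    return {}

def san_upns(san_der: bytes) -> list[str]:
    """UPNs in a SubjectAltName: otherName [0] { type-id OID, [0] EXPLICIT UTF8String }."""
    upns = []
    for tag, body in seq_items(san_der):
        if tag == 0xA0:                          # otherName
            (_, type_id), (_, value) = children(body)
            inner_tag, utf8 = children(value)[0]
            if decode_oid(type_id) == OID_UPN and inner_tag == 0x0C:
                upns.append(utf8.decode("utf-8"))
    return upns

def check_smartcard_cert(cert_der: bytes, expected_upn: str | None = None) -> dict[str, bool]:
    ext = extensions(cert_der)                   # expected_upn: the AD user's UPN, if known
    upns = san_upns(ext[OID_SAN]) if OID_SAN in ext else []
    ekus = {decode_oid(b) for _, b in seq_items(ext[OID_EKU])} if OID_EKU in ext else set()
    ocsp_urls = []
    for _, desc in (seq_items(ext[OID_AIA]) if OID_AIA in ext else []):
        (_, method), (loc_tag, loc) = children(desc)
        if decode_oid(method) == OID_OCSP and loc_tag == 0x86:   # [6] uniformResourceIdentifier
            ocsp_urls.append(loc.decode("ascii"))
    return {"upn_in_san": bool(upns) and (expected_upn is None or expected_upn in upns),
            "client_auth_eku": OID_CLIENT_AUTH in ekus,
            "smartcard_logon_eku": OID_SMARTCARD_LOGON in ekus,
            "ocsp_responder": bool(ocsp_urls)}

# --- constructed sample certificate: unsigned, dummy key, demo only (NOT a real certificate) ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")       # long-form length
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        while a := a >> 7:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
        body += chunk
    return _tlv(0x06, body)
_seq = lambda *items: _tlv(0x30, b"".join(items))

def build_sample_cert(upn: str, with_smartcard_eku: bool = True) -> bytes:
    ext = lambda oid, val: _seq(_oid(oid), _tlv(0x04, val))  # Extension {OID, OCTET STRING}
    san = _seq(_tlv(0xA0, _oid(OID_UPN) + _tlv(0xA0, _tlv(0x0C, upn.encode()))))
    eku = _seq(_oid(OID_CLIENT_AUTH), *([_oid(OID_SMARTCARD_LOGON)] if with_smartcard_eku else []))
    aia = _seq(_seq(_oid(OID_OCSP), _tlv(0x86, b"http://ocsp.corp.example/")))  # placeholder URL
    alg = _seq(_oid("1.2.840.113549.1.1.11"), _tlv(0x05, b""))                   # sha256WithRSA
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), alg, _seq(),   # v3, serial, alg, issuer
               _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"250101000000Z")), _seq(),  # validity, subject
               _seq(_seq(_oid("1.2.840.113549.1.1.1"), _tlv(0x05, b"")), _tlv(0x03, b"\x00")),  # dummy SPKI
               _tlv(0xA3, _seq(ext(OID_SAN, san), ext(OID_EKU, eku), ext(OID_AIA, aia))))
    return _seq(tbs, alg, _tlv(0x03, b"\x00"))                                    # dummy signature

if __name__ == "__main__":
    print(check_smartcard_cert(build_sample_cert("jdoe@corp.example"), "jdoe@corp.example"))
```

To run it against a real certificate exported from a user's store, convert PEM to DER first (openssl x509 -in user.pem -outform DER -out user.der, or ssl.PEM_cert_to_DER_cert in Python) and pass the bytes to check_smartcard_cert together with the AD user's UPN, so the script also confirms the SAN matches the account the certificate was issued for. The checker only inspects the certificate's own attributes; it does not contact the OCSP responder, verify the signature, or validate the chain to the root CA.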
Limitations
- Only one smart card at a time is currently allowed for in-session authentication and pre-session authentication.
- Enabling both smart card authentication and username and password authentication on the same directory is not currently supported for pre-session authentication.
- AD Connector directories are the only ones supported.
- Note that in-session authentication is available in all regions where WSP is supported, but pre-session authentication is available only in the following regions:
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- Europe (Ireland)
- AWS GovCloud (US-West)
- US East (N. Virginia)
- US West (Oregon)
Once everything is configured, you’re ready to have users log in to your WorkSpace using a smart card.
How to use a smart card to log in to your WorkSpace
Open version 3.1.1 or later of the WorkSpaces Windows client application or version 3.1.5 or later of the WorkSpaces macOS client application. You can plug your smart card reader into your local machine and insert your card now or after step 2.
Then, follow these steps:
- 1. Enter the registration code provided by your WorkSpaces administrator and then select Register. If you have a new registration code, choose Change Registration Code at the bottom of the login page.
- 2. Once you’ve entered your registration code, you’ll see Insert your smart card on the login page. If you do not see this, make sure you’ve entered the right registration code. If you’ve entered the correct code and you don’t see this text, contact your WorkSpaces administrator.
- 3. If you haven’t done so, plug your smart card reader into your local machine and then insert your card into the reader.
- 4. On the login page, select Insert your smart card.
- 5. The Certificates dialog box appears. Choose your certificate and click OK.
- 6. In the Smart Card dialog box, enter your PIN and then choose OK.
- 7. On the Starting WorkSpace page, type in your PIN again and click Submit.
You should now be logged in to your WorkSpace. If you can’t sign in, close and reopen the WorkSpaces client application and try again. If you still aren’t able to sign in, contact your WorkSpaces administrator.
Once you have logged in to your WorkSpace, you can continue to use the smart card on your local device as well as in the WorkSpace.
Using a smart card with Chrome or Firefox on Windows WorkSpaces
The Chrome browser doesn’t need any special configuration to work with your smart card. Your WorkSpaces administrator just has to enable Firefox to work with smart cards.
Using a smart card with Chrome or Firefox on Linux WorkSpaces
For Chrome:
- 1. Log in to your Linux WorkSpace using the WorkSpaces for Linux client application.
- 2. Open Terminal (Applications > System Tools > MATE Terminal).
- 3. Run the following command: cd; modutil -dbdir sql:.pki/nssdb/ -add "OpenSC" -libfile /lib64/opensc-pkcs11.so
If you already have Chrome open, close it and then press Enter. When the command finishes running, you should see this message: Module "OpenSC" added to database.
For Firefox:
Your WorkSpaces administrator may already have enabled Firefox to work with smart cards, but if your smart card doesn’t work in Firefox, you can enable it.
- 1. Open Firefox, click the menu button in the upper-right corner, and choose Preferences.
- 2. On the about:preferences page, choose Privacy & Security in the left navigation pane.
- 3. Under Certificates, choose Security Devices.
- 4. In the Device Manager dialog box, select Load.
- 5. In the Load PKCS#11 Device Driver dialog box, enter:
  - a. Module Name: OpenSC
  - b. Module filename: /lib64/opensc-pkcs11.so
- 6. Click OK.
Smart card support is enabled through Group Policy. As a best practice, install the Amazon WorkSpaces Group Policy administrative template for WSP in the Central Store of the Active Directory domain used by your Amazon WorkSpaces directories. If you are applying this policy to an existing Amazon WorkSpaces deployment, every WorkSpace must receive the Group Policy update and be rebooted before the change takes effect for its user.
To learn more about Amazon WorkSpaces, contact the CloudHesive team today. From cloud consulting to managed services and beyond, learn how we can help you build a robust cloud strategy that increases operational efficiencies.