AWS directoryservice medium security documentation change
Summary
Added note requiring OCSP servers for SmartCard authentication to be routable through VPC network configuration with specific routing, security group, and ACL requirements
Security assessment
Addresses potential authentication failures during certificate revocation checks by enforcing network accessibility requirements for OCSP servers. Failure could allow revoked certificates for authentication.
Diff
diff --git a/directoryservice/latest/admin-guide/ad_connector_clientauth.md b/directoryservice/latest/admin-guide/ad_connector_clientauth.md index 1b2485e1b..bf49ab3df 100644 --- a//directoryservice/latest/admin-guide/ad_connector_clientauth.md +++ b//directoryservice/latest/admin-guide/ad_connector_clientauth.md @@ -99,0 +100,15 @@ In order to perform smart card authentication, AD Connector must check the revoc +###### Note + +Directories created after October 7, 2025, require that OCSP servers used for SmartCard certificate validation be routable through your VPC's network configuration. If your OCSP server is not accessible via your VPC's routing tables, security groups, and network ACLs, SmartCard authentication will fail during certificate revocation checks. To resolve this issue, please ensure that: + + * Network Routing: Your VPC route tables allow traffic to reach your OCSP server from the subnets where your AD Connector directory instances are deployed. + + * Security Groups: The security groups associated with your directory's network interfaces permit outbound traffic to your OCSP server on port 80 (HTTP). + + * Network ACLs: Your subnet network ACLs allow bidirectional traffic to/from your OCSP server. + + * Internet Gateway/NAT: If your OCSP server is internet-facing, ensure your VPC has appropriate internet gateway or NAT gateway configuration for the directory subnets. If your network type is IPv4, you will need to have NAT and internet gateway configured with your VPC. + + + +