Certificate Auto Enrollment
Latest revision as of 07:16, 8 May 2024
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is turned on by Group Policy on the domain side and applied on a Samba domain member by Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
Configuring Certificate Auto Enrollment on the Server
Prerequisite: An Active Directory domain and a Samba domain member already joined.
The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, and Certificate Enrollment Web Service all must be installed and configured. The instructions here set up AD DS and AD CS on the same machine; this is not recommended. Check the Microsoft documentation for how to set it up correctly across multiple machines.
Setting up the Certificate Authority
<pre>
# Install Certificate Service Windows Features
Add-WindowsFeature -Name @('ADCS-Cert-Authority','ADCS-Enroll-Web-Pol','ADCS-Enroll-Web-Svc') -IncludeManagementTools

# Derive the realm, DNS domain and short domain name from the domain controller
$addc = Get-ADDomainController
$realm = $addc.domain.ToUpper()
$dnsdomain = $addc.domain
$domain = ($realm -split '\.')[0]   # -split is a regex split; String.Split('\.') would also split on '\'
$hostname = $addc.hostname

# Setup Certificate Authority
$admin_creds = Get-Credential Administrator

# Details can be found at [1]
$params = @{
    CAType = "EnterpriseRootCA"
    CACommonName = "$domain-ROOT-CA"
    CryptoProviderName = "RSA#Microsoft Software Key Storage Provider"
    KeyLength = 4096
    HashAlgorithmName = "SHA512"
    OverwriteExistingCAinDS = $true
    OverwriteExistingKey = $true
    Credential = $admin_creds
    Force = $true
}
Install-AdcsCertificationAuthority @params
</pre>
Request a Server Certificate for HTTPS from CA
Manual steps: follow the instructions in "Configure SSL/TLS on a web site in the domain with an Enterprise CA" at https://social.technet.microsoft.com/wiki/contents/articles/12485.configure-ssltls-on-a-web-site-in-the-domain-with-an-enterprise-ca.aspx to request and bind a server certificate for the IIS site.
Restart the Webserver using:
<pre>
# Restart IIS
iisreset /restart
</pre>
Setup Certificate Web Services
<pre>
# Get the SSL Certificate Thumbprint of the Web Server
Import-Module WebAdministration
$certs = Get-ChildItem IIS:SSLBindings | Foreach-Object {
    [PSCustomObject]@{
        Site=$_.sites.value
        HostName=$_.Host
        Port=$_.Port
        Thumb=$_.thumbprint
    }
}
# SSLCertThumbprint below needs exactly one thumbprint. With more than one HTTPS
# binding, $certs.thumb is an array; select the binding of the enrollment site
# instead, e.g. ($certs | Where-Object Port -eq 443 | Select-Object -First 1).Thumb

# Setup AdcsEnrollmentPolicyWebService
$params = @{
    AuthenticationType = "Kerberos"
    SSLCertThumbprint = $certs.thumb
    Credential = $admin_creds
}
Install-AdcsEnrollmentPolicyWebService @params -Force

# AdcsEnrollmentWebService: Details can be found at [2]
$params = @{
    AuthenticationType = "Kerberos"
    SSLCertThumbprint = $certs.thumb
    Credential = $admin_creds
}
Install-AdcsEnrollmentWebService @params -Force
</pre>
Setup GPO for Auto Enrollment
<pre>
# Set GPO for Auto Enrollment.
# AEPolicy = 7 corresponds to "Enabled" with both options checked in the
# "Certificate Services Client - Auto-Enrollment" policy (renew expired / update
# pending / remove revoked certificates, and update certificates that use templates).
# OfflineExpirationPercent/OfflineExpirationStoreNames raise expiry notifications
# for the MY (personal) store when 10% of a certificate's lifetime remains.
# These commands write into the Default Domain Policy; in production a dedicated
# GPO linked to the OU holding the Samba members is easier to scope and roll back.
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "AEPolicy" -Value 7 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationPercent" -Value 10 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationStoreNames" -Value "MY" -Type "String"
gpupdate /force

# AutoEnrollment successfully set up; show the policy as applied to this machine
Get-CertificateAutoEnrollmentPolicy -Scope Applied -context Machine
</pre>
Create Test Computer Certificate Template
Follow the steps you can find here.
Additional Resources
- Certificate Authority Guidance
- Certificate Enrollment Web Service Guidance
- Configure server certificate auto-enrollment
- Configure HTTPS with an Enterprise CA
Enable Certificate Auto Enrollment on the Client
To set up Certificate Auto Enrollment (the cepces and Kerberos configuration must be in place before the first `samba-gpupdate` run, because certmonger submits the enrollment through cepces-submit, which reads `/etc/cepces/cepces.conf` and authenticates with the machine keytab):
- Install certmonger and cepces. Samba uses certmonger paired with cepces to monitor the host certificate templates. Most distributions have a samba-gpupdate package which pulls in all the required packages for you.
- Join an Active Directory domain (one where the CA has been configured as explained above).
- Change the server variable in `/etc/cepces/cepces.conf` to point to the CA server.
- Set `kerberos method = secrets and keytab` in smb.conf.
- Create a keytab for cepces-submit Kerberos authentication with `net ads keytab create`.
- Enable group policy apply:
  - For a Winbind joined machine, by setting the smb.conf global parameter `apply group policies = yes`.
  - For an SSSD joined machine, by installing the oddjob-gpupdate package. Samba's gpupdate works with SSSD, but requires the oddjob-gpupdate package in order to apply policies automatically.
- Run `samba-gpupdate` to install the certificates.
- Issue `getcert list` to display the installed certificates:
<pre>
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
	certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
	CA: <My CA>
	issuer: CN=<My CA>
	subject: CN=<my hostname>
	expires: 2017-08-15 17:37:02 UTC
	dns: <my hostname>
	key usage: digitalSignature,keyEncipherment
	eku: id-kp-clientAuth,id-kp-serverAuth
	certificate template/profile: Machine
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
</pre>
- To verify Certificate Auto Enrollment is correctly configured, issue the command `samba-gpupdate --rsop`:
<pre>
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================================================================
  CSE: gp_cert_auto_enroll_ext
  -----------------------------------------------------------
    Policy Type: Auto Enrollment Policy
    -----------------------------------------------------------
    [ <REDACTED CA NAME> ] =
      [ CA Certificate ] =
        ----BEGIN CERTIFICATE----
        <REDACTED>
        ----END CERTIFICATE----
      [ Auto Enrollment Server ] = <REDACTED DNS NAME>
      [ Templates ] =
        [ Machine ]
    -----------------------------------------------------------
=================================================================================================================
</pre>
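The client-side procedure above ends with reading `getcert list` and the configuration files by eye. The script below is an added example, not code from the Samba wiki or the Samba project: it performs the same checks mechanically (smb.conf `kerberos method` and `apply group policies`, the cepces `server` setting, certmonger request state, certificate expiry, and that the private key under `/var/lib/samba/private/certs` is owner-readable only). It assumes cepces.conf keeps its `server` key in a `[global]` section, as the upstream default file does. The smb.conf, cepces.conf, key file and `getcert list` output it reads are constructed samples (hostnames `dc01.example.com`, `client01.example.com` and the CA name `EXAMPLE-ROOT-CA` are made up) so that it runs offline; on a real member point `check_enrollment` at the live files and a capture of `getcert list`.

```shell
#!/bin/sh
# Added example, not code from the Samba wiki page or the Samba project: sanity
# checks for a Samba domain member after `samba-gpupdate` has enrolled the
# machine certificate via certmonger + cepces. All inputs (smb.conf, cepces.conf,
# the key file, the `getcert list` output) are constructed samples so the script
# runs offline; on a real host pass /etc/samba/smb.conf, /etc/cepces/cepces.conf,
# a file holding `getcert list` output and /var/lib/samba/private/certs/Machine.key.
# Assumption: cepces.conf keeps its "server" key in [global], as the upstream default does.
set -u

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# smb.conf and cepces.conf share this INI layout; whitespace around '=' is ignored.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == sec  { insec = 1; next }
        line ~ /^\[/ { insec = 0 }
        insec && index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit }
        }' "$1"
}

# getcert_field FILE FIELD: print the value of the first "FIELD: value" line in
# `getcert list` output (fields are indented under "Request ID '...'").
getcert_field() {
    awk -v key="$2:" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key) == 1 {
            v = substr(line, length(key) + 1); sub(/^[ \t]+/, "", v); print v; exit
        }' "$1"
}

# cert_valid_on GETCERT_FILE YYYY-MM-DD: true if the certificate's "expires:" day
# is on or after the given day. ISO dates sort correctly as strings, so expr's
# string comparison is enough and no date(1) parsing is needed.
cert_valid_on() {
    exp=$(getcert_field "$1" expires | cut -c1-10)
    [ -n "$exp" ] && expr "$2" \<= "$exp" > /dev/null
}

# key_is_private FILE: true if the private key has no group/other permission bits.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# yn CMD...: echo yes/no for the command's success (keeps the checks one-liners
# and harmless under `set -e`); verdict prints PASS/FAIL and counts failures.
yn() { if "$@"; then echo yes; else echo no; fi; }
verdict() { if [ "$1" = yes ]; then echo "PASS: $2"; else echo "FAIL: $2"; fails=$((fails + 1)); fi; }

# check_enrollment SMBCONF CEPCESCONF GETCERT_FILE KEYFILE [TODAY]
# Prints one PASS/FAIL line per check and returns the number of failures.
check_enrollment() {
    smb=$1; cep=$2; gc=$3; key=$4; today=${5:-$(date -u +%Y-%m-%d)}; fails=0
    v=$(ini_get "$smb" global "kerberos method")
    verdict "$(yn [ "$v" = "secrets and keytab" ])" "smb.conf: kerberos method = secrets and keytab (got '${v:-unset}')"
    v=$(ini_get "$smb" global "apply group policies")
    verdict "$(yn [ "$v" = yes ])" "smb.conf: apply group policies = yes (winbind; SSSD hosts use oddjob-gpupdate instead)"
    v=$(ini_get "$cep" global server)
    verdict "$(yn [ -n "$v" ])" "cepces.conf: [global] server names the CA host (got '${v:-unset}')"
    v=$(getcert_field "$gc" status)
    verdict "$(yn [ "$v" = MONITORING ])" "certmonger: request status is MONITORING (got '${v:-unset}')"
    v=$(getcert_field "$gc" stuck)
    verdict "$(yn [ "$v" = no ])" "certmonger: request is not stuck (got '${v:-unset}')"
    verdict "$(yn cert_valid_on "$gc" "$today")" "certificate not expired on $today (expires: $(getcert_field "$gc" expires))"
    verdict "$(yn key_is_private "$key")" "private key $key readable by owner only"
    echo "INFO: template $(getcert_field "$gc" "certificate template/profile"), subject $(getcert_field "$gc" subject)"
    return "$fails"
}

# ---- Constructed samples, modelled on the page's getcert output (not a real host) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
    security = ADS
    realm = EXAMPLE.COM
    kerberos method = secrets and keytab
    apply group policies = yes
EOF
cat > "$SAMPLE_DIR/cepces.conf" <<'EOF'
[global]
server = dc01.example.com
auth = Kerberos
EOF
cat > "$SAMPLE_DIR/getcert.txt" <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
    certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
    CA: EXAMPLE-ROOT-CA
    issuer: CN=EXAMPLE-ROOT-CA
    subject: CN=client01.example.com
    expires: 2017-08-15 17:37:02 UTC
    certificate template/profile: Machine
    track: yes
    auto-renew: yes
EOF
: > "$SAMPLE_DIR/Machine.key" && chmod 600 "$SAMPLE_DIR/Machine.key"

# The sample keeps the page's 2017 expiry, so on any current date exactly the
# expiry check fails and the script reports one failed check.
check_enrollment "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/cepces.conf" \
    "$SAMPLE_DIR/getcert.txt" "$SAMPLE_DIR/Machine.key" || echo "$? check(s) failed"
```

The expiry test compares ISO dates as strings on purpose: `getcert` prints `YYYY-MM-DD HH:MM:SS UTC`, and string order equals chronological order for that format, which avoids the non-portable `date -d`. On a live host the expiry check should normally pass because certmonger renews the certificate itself (`auto-renew: yes`); a FAIL there together with `stuck: yes` usually means cepces could not reach the CES endpoint or the keytab no longer authenticates.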
Certificates
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.