Certificate Auto Enrollment: Difference between revisions

From SambaWiki
Line 17: Line 17:
$domain = $realm.split('\.')[0]
$domain = $realm.split('\.')[0]
$hostname = $addc.hostname
$hostname = $addc.hostname

$ces_username = "CES"
$ces_username_lower = $ces_username.toLower()
$ces_upn = "$ces_username_lower@$dnsdomain"
$ces_user = "$domain\$ces_username"
$ces_secpasswd = ConvertTo-SecureString -String "P@sSwOrd1" -AsPlainText -Force

New-ADUser -Name $ces_username -GivenName $ces_username -Surname Service -DisplayName "CES Service" -UserPrincipalName $ces_upn -AccountPassword $ces_secpasswd -ChangePasswordAtLogon:$false -PasswordNeverExpires $true -Enabled $true

net localgroup IIS_IUSRS $domain\$ces_username /Add
setspn -s http/$hostname $ces_user


# Setup Certificate Authority
# Setup Certificate Authority
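Review bot: dropping this block removes the creation of the CES service account ($ces_user, its IIS_IUSRS membership and the http/$hostname SPN) but leaves the `# Create User CES` comment heading a block that now only assigns $realm, $dnsdomain, $domain and $hostname, with $hostname no longer used anywhere; either rename the comment and drop the unused variable, or keep the account steps. If they are kept, `ConvertTo-SecureString -String "P@sSwOrd1" -AsPlainText -Force` together with `-PasswordNeverExpires $true` puts a never-rotated password for an SPN-bearing service account into a public wiki script; prompt for it with Get-Credential instead.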
Line 46: Line 35:
Install-AdcsCertificationAuthority @params
Install-AdcsCertificationAuthority @params
</pre>
</pre>

'''The CES service account needs have read permission on the CA'''

# Open the Certificate Authority Console
# Right Click on the CA -> Properties
# On the Security tab click on "Add .."
# Add the CES service account.
# For the CES account ensure that the "Allow" check box is selected for "Read". Clear the "Allow" check box for "Request Certificates"


'''Request a Server Certificate for HTTPS from CA'''
'''Request a Server Certificate for HTTPS from CA'''
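Review bot: with the CA Security-tab steps gone, the page no longer says which identity the Certificate Enrollment Web Service authenticates to the CA as, nor what rights it needs there; step 5 (Allow Read, clear Request Certificates) was the least-privilege guidance in this section and should survive in some form, tied to whatever identity now runs CES.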
Line 86: Line 67:
AuthenticationType = "Kerberos"
AuthenticationType = "Kerberos"
SSLCertThumbprint = $certs.thumb
SSLCertThumbprint = $certs.thumb
ServiceAccountName = $ces_user
ServiceAccountPassword = $ces_secpasswd
Credential = $admin_creds
Credential = $admin_creds
}
}
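Review bot: removing ServiceAccountName and ServiceAccountPassword leaves Credential = $admin_creds as the only account in the CES parameter set, and that is the installing administrator's credential (Get-Credential Administrator), not the identity the web service runs as; add a sentence stating which identity CES now uses, otherwise a reader may conclude the domain Administrator account is running the service.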

Revision as of 10:14, 15 February 2024

Certificate Auto Enrollment allows Samba domain members to enroll for host certificates from Active Directory Certificate Services (AD CS). It is turned on through Group Policy and applied on the member by Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.

Configuring Certificate Auto Enrollment on the Server

Prerequisites: an Active Directory domain, a Windows Server on which to install AD CS (the PowerShell below is run there), and a Samba domain member already joined.

The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service (CEP) and Certificate Enrollment Web Service (CES) must all be installed and configured.

# Install Certificate Service Windows Features
Add-WindowsFeature -Name @('ADCS-Cert-Authority','ADCS-Enroll-Web-Pol','ADCS-Enroll-Web-Svc') -IncludeManagementTools

# Collect the domain naming details used by the steps below
$addc = Get-ADDomainController
$realm = $addc.domain.ToUpper()
$dnsdomain = $addc.domain
$domain = $realm.split('\.')[0]
$hostname = $addc.hostname

# Setup Certificate Authority
$admin_creds = Get-Credential Administrator

# Parameters are described in the Install-AdcsCertificationAuthority reference [1].
# OverwriteExistingCAinDS and OverwriteExistingKey replace any CA of the same name and
# discard its existing key pair: fine for a fresh lab CA, destructive on a live one.
$params = @{
    CAType                  = "EnterpriseRootCA"
    CACommonName            = "$domain-ROOT-CA"
    CryptoProviderName      = "RSA#Microsoft Software Key Storage Provider"
    KeyLength               = 4096
    HashAlgorithmName       = "SHA512"
    OverwriteExistingCAinDS = $true
    OverwriteExistingKey    = $true
    Credential              = $admin_creds
    Force                   = $true
}
Install-AdcsCertificationAuthority @params

Request a Server Certificate for HTTPS from CA

Follow the instructions you can find here.

# Restart IIS
iisreset /restart

# Get the thumbprint of the HTTPS binding the enrollment web services will use
Import-Module WebAdministration
$certs = Get-ChildItem IIS:\SslBindings | ForEach-Object {
  [PSCustomObject]@{
     Site     = $_.Sites.Value
     HostName = $_.Host
     Port     = $_.Port
     Thumb    = $_.Thumbprint
  }
}
# SSLCertThumbprint must be a single string: pick the port 443 binding explicitly rather
# than passing $certs.Thumb, which becomes an array as soon as IIS has a second binding
$thumb = ($certs | Where-Object Port -eq 443 | Select-Object -First 1).Thumb

# Setup AdcsEnrollmentPolicyWebService (CEP)
$params = @{
    AuthenticationType     = "Kerberos"
    SSLCertThumbprint      = $thumb
    Credential             = $admin_creds
}
Install-AdcsEnrollmentPolicyWebService @params -Force

# Setup AdcsEnrollmentWebService (CES): details can be found at [2]. No -ServiceAccountName
# is passed here; see the cmdlet reference if CES should run as a dedicated service account.
$params = @{
    AuthenticationType     = "Kerberos"
    SSLCertThumbprint      = $thumb
    Credential             = $admin_creds
}
Install-AdcsEnrollmentWebService @params -Force

# Set GPO for Auto Enrollment. AEPolicy = 7 enables auto-enrollment with both options
# ("renew expired, update pending and remove revoked certificates" and "update certificates
# that use certificate templates"). This edits the Default Domain Policy, so every domain
# computer receives it; use a dedicated GPO if only some hosts should enroll.
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "AEPolicy" -Value 7 -Type "Dword"

# Renew when 10% of the certificate lifetime remains, for certificates in the machine's personal (MY) store
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationPercent" -Value 10 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationStoreNames" -Value "MY" -Type "String"

gpupdate /force

# Confirm the auto-enrollment policy now applied to this server
Get-CertificateAutoEnrollmentPolicy -Scope Applied -Context Machine

Create Test Computer Certificate Template

Follow the steps you can find here.

Enable Certificate Auto Enrollment on the Client

To set up Certificate Auto Enrollment:

  • Install certmonger and cepces. Samba uses certmonger paired with cepces to request and monitor the host certificate for each template. Most distributions have a samba-gpupdate package which pulls in all the required packages for you.
  • Join an Active Directory domain in which the CA has been configured as explained above.
  • Complete the cepces, Kerberos and group policy configuration steps listed further down, then run `samba-gpupdate` to enroll and install the certificates.
  • Issue `getcert list` to display the tracked certificates:
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: <My CA>
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
  • To verify Certificate Auto Enrollment is correctly configured, issue the command `samba-gpupdate --rsop`:
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================================================================
CSE: gp_cert_auto_enroll_ext
-----------------------------------------------------------
Policy Type: Auto Enrollment Policy
-----------------------------------------------------------
[ <REDACTED CA NAME> ] =
[ CA Certificate ] =
----BEGIN CERTIFICATE----
<REDACTED>
----END CERTIFICATE----
[ Auto Enrollment Server ] = <REDACTED DNS NAME>
[ Templates ] =
[ Machine ]
-----------------------------------------------------------
=================================================================================================================
  • Change the server variable in `/etc/cepces/cepces.conf` to point to the server hosting the CA and the enrollment web services.
  • Set `kerberos method = secrets and keytab` in smb.conf.
  • Create a keytab for cepces-submit Kerberos authentication with `net ads keytab create`.
  • Enable group policy apply:
    • For a Winbind joined machine, set the smb.conf global parameter `apply group policies = yes`.
    • For an SSSD joined machine, install the oddjob-gpupdate package.

Certificates

Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
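The post-enrollment checks above (reading `getcert list` and confirming where certificates and keys land) can be scripted. The following is an added example written for this page; it is not Samba, certmonger or cepces code. It parses `getcert list` output, represented here by a constructed sample modelled on the listing shown earlier, and flags what a practitioner would want to catch after `samba-gpupdate`: a request that is not MONITORING or is stuck, auto-renew switched off, a key or certificate stored outside the directories Samba uses, and an expired or soon-to-expire certificate. The CA name, hostnames and the second, deliberately broken 'Workstation' request are made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Where samba-gpupdate places enrolled material (from the page).
CERT_DIR = "/var/lib/samba/certs"
PRIVATE_KEY_DIR = "/var/lib/samba/private/certs"

# Constructed sample modelled on `getcert list` output. The 'Workstation' request,
# the CA name and the hostnames are invented to exercise the failure paths.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: EXAMPLE-ROOT-CA
        issuer: CN=EXAMPLE-ROOT-CA
        subject: CN=member1.example.com
        expires: 2099-08-15 17:37:02 UTC
        dns: member1.example.com
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID 'Workstation':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=FILE,location='/tmp/Workstation.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Workstation.crt'
        CA: EXAMPLE-ROOT-CA
        expires: 2017-08-15 17:37:02 UTC
        certificate template/profile: Workstation
        track: yes
        auto-renew: no
"""


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Request ID '(.+)':$", line)
        if header:
            current = requests.setdefault(header.group(1), {})
            continue
        if current is None or ":" not in line:
            continue  # preamble such as "Number of certificates ..."
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def storage_path(field):
    """Pull the path out of a "type=FILE,location='/path'" field."""
    m = re.search(r"location='([^']+)'", field or "")
    return m.group(1) if m else None


def check_request(fields, now, renew_window=timedelta(days=30)):
    """List what is wrong with one tracked request; an empty list means healthy."""
    problems = []
    if fields.get("status") != "MONITORING":
        problems.append(f"status is {fields.get('status')!r}, expected MONITORING")
    if fields.get("stuck") != "no":
        problems.append("request is stuck")
    if fields.get("auto-renew") != "yes":
        problems.append("auto-renew is off")
    if not fields.get("certificate template/profile"):
        problems.append("no certificate template recorded")

    key_path = storage_path(fields.get("key pair storage"))
    if not (key_path and key_path.startswith(PRIVATE_KEY_DIR + "/")):
        problems.append(f"private key {key_path!r} is outside {PRIVATE_KEY_DIR}")
    cert_path = storage_path(fields.get("certificate"))
    if not (cert_path and cert_path.startswith(CERT_DIR + "/")):
        problems.append(f"certificate {cert_path!r} is outside {CERT_DIR}")

    expires = fields.get("expires")
    if expires:
        # getcert prints e.g. "2017-08-15 17:37:02 UTC"; %Z leaves the value naive
        exp = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append(f"certificate expired at {expires}")
        elif exp - now < renew_window:
            problems.append(f"certificate expires within {renew_window.days} days ({expires})")
    else:
        problems.append("no expiry recorded (no certificate issued yet?)")
    return problems


def audit_getcert(text, now=None):
    """Map every tracked request to its list of problems."""
    now = now or datetime.now(timezone.utc)
    return {name: check_request(fields, now)
            for name, fields in parse_getcert_list(text).items()}


if __name__ == "__main__":
    # On a real member, feed in subprocess.run(["getcert", "list"],
    # capture_output=True, text=True).stdout instead of the sample.
    for name, problems in audit_getcert(SAMPLE_GETCERT_LIST).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as root on the member after `samba-gpupdate`; a non-empty line for the Machine request is the signal to look at `getcert list` in full and at the cepces and Kerberos settings listed above.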