Certificate Auto Enrollment

From SambaWiki
Latest revision as of 10:17, 15 February 2024

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.

Configuring Certificate Auto Enrollment on the Server

Prerequisite: An Active Directory domain and a Samba domain member already joined.

The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, and Certificate Enrollment Web Service must all be installed and configured. The instructions here set up AD DS and AD CS on the same machine; this is not recommended. Check the Microsoft documentation for how to set it up correctly across multiple machines.

Setting up the Certificate Authority

# Install Certificate Service Windows Features
Add-WindowsFeature -Name @('ADCS-Cert-Authority','ADCS-Enroll-Web-Pol','ADCS-Enroll-Web-Svc') -IncludeManagementTools

$addc = Get-ADDomainController
$realm = $addc.domain.ToUpper()
$dnsdomain = $addc.domain
$domain = $realm.split('\.')[0]
$hostname = $addc.hostname

# Setup Certificate Authority
$admin_creds = Get-Credential Administrator

# Details can be found at [1]
$params = @{
    CAType                  = "EnterpriseRootCA"
    CACommonName            = "$domain-ROOT-CA"
    CryptoProviderName      = "RSA#Microsoft Software Key Storage Provider"
    KeyLength               = 4096
    HashAlgorithmName       = "SHA512"
    OverwriteExistingCAinDS = $true
    OverwriteExistingKey    = $true
    Credential              = $admin_creds
    Force                   = $true
}
Install-AdcsCertificationAuthority @params

Request a Server Certificate for HTTPS from CA

Follow the instructions at https://social.technet.microsoft.com/wiki/contents/articles/12485.configure-ssltls-on-a-web-site-in-the-domain-with-an-enterprise-ca.aspx (Configure SSL/TLS on a web site in the domain with an Enterprise CA).

# Restart IIS
iisreset /restart

Setup Certificate Web Services

# Get the SSL Certificate Thumbprint of the Web Server.
# This collects every HTTPS binding in IIS; the calls below pass $certs.thumb
# as a single thumbprint, so with several bindings select the one for the
# enrollment site first.
Import-Module WebAdministration
$certs = Get-ChildItem IIS:SSLBindings | Foreach-Object {
  [PSCustomObject]@{
     Site=$_.sites.value
     HostName=$_.Host
     Port=$_.Port
     Thumb=$_.thumbprint
  }
}

# Setup AdcsEnrollmentPolicyWebService
$params = @{
    AuthenticationType     = "Kerberos"
    SSLCertThumbprint      = $certs.thumb
    Credential             = $admin_creds
}
Install-AdcsEnrollmentPolicyWebService @params -Force

# AdcsEnrollmentWebService: Details can be found at [2]
$params = @{
    AuthenticationType     = "Kerberos"
    SSLCertThumbprint      = $certs.thumb
    Credential             = $admin_creds
}
Install-AdcsEnrollmentWebService @params -Force

Setup GPO for Auto Enrollment

# Set GPO for Auto Enrollment
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "AEPolicy" -Value 7 -Type "Dword"

Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationPercent" -Value 10 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationStoreNames" -Value "MY" -Type "String"

gpupdate /force

# AutoEnrollment successfully set up.
Get-CertificateAutoEnrollmentPolicy -Scope Applied -context Machine

Create Test Computer Certificate Template

Follow the steps at https://dmulder.github.io/group-policy-book/certautoenroll.html#certificate-templates (Certificate Templates).

Additional Resources

  • Certificate Authority Guidance: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831574(v=ws.11)
  • Certificate Enrollment Web Service Guidance: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831822(v=ws.11)
  • Configure server certificate auto-enrollment: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment
  • Configure HTTPS with an Enterprise CA: https://social.technet.microsoft.com/wiki/contents/articles/12485.configure-ssltls-on-a-web-site-in-the-domain-with-an-enterprise-ca.aspx

Enable Certificate Auto Enrollment on the Client

To set up Certificate Auto Enrollment:

  • Install certmonger and cepces (https://github.com/openSUSE/cepces). Samba uses certmonger paired with cepces to monitor the host certificate templates. Most distributions have a samba-gpupdate package which pulls in all the required packages for you.
  • Join an Active Directory domain (one where the CA has been previously configured as explained above).
  • Run `samba-gpupdate` to install the certificates.
  • Issue `getcert list` to display the installed certificates:
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: <My CA>
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
  • To verify Certificate Auto Enrollment is correctly configured, issue the command `samba-gpupdate --rsop`:
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================================================================
CSE: gp_cert_auto_enroll_ext
-----------------------------------------------------------
Policy Type: Auto Enrollment Policy
-----------------------------------------------------------
[ <REDACTED CA NAME> ] =
[ CA Certificate ] =
----BEGIN CERTIFICATE----
<REDACTED>
----END CERTIFICATE----
[ Auto Enrollment Server ] = <REDACTED DNS NAME>
[ Templates ] =
[ Machine ]
-----------------------------------------------------------
=================================================================================================================
  • Change the server variable in `/etc/cepces/cepces.conf` to point to the CA server.
  • Set `kerberos method = secrets and keytab` in smb.conf.
  • Create a keytab for cepces-submit Kerberos authentication with `net ads keytab create`.
  • Enable applying group policies:
    • For a Winbind-joined machine, set the smb.conf global parameter 'apply group policies = yes'.
    • For an SSSD-joined machine, install the oddjob-gpupdate package (https://github.com/openSUSE/oddjob-gpupdate). Samba's gpupdate works with SSSD, but requires oddjob-gpupdate in order to apply policies automatically.
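The `getcert list` check above is the quickest way to see whether the enrolled host certificate is still being monitored and renewed. The following script is an added example, not Samba's or certmonger's own code: it parses `getcert list` output in the format shown on this page, reports any field that is not in the healthy state (monitoring, not stuck, tracked, auto-renew) and extracts the certificate path so it can be inspected further. The request ID `Machine` and the sample output are assumptions taken from the page's example.

```shell
#!/bin/sh
# Added example, not Samba's or certmonger's own code: check that the
# auto-enrolled "Machine" certificate is healthy in certmonger by parsing
# the output of `getcert list` (the format shown on this page).
# Usage: getcert list > /tmp/gc.txt; sh check_machine_cert.sh /tmp/gc.txt

# Print only the tracking block for one request ID (e.g. Machine).
request_block() {
    awk -v id="'$2':" '
        /^Request ID / { inblk = (index($0, id) > 0) }
        inblk { print }
    ' "$1"
}

# Extract the on-disk certificate path recorded in the tracking block.
cert_path() {
    request_block "$1" "${2:-Machine}" |
        sed -n "s/^[[:space:]]*certificate: type=FILE,location='\([^']*\)'.*/\1/p"
}

# Return 0 if the request is being monitored, not stuck, tracked and set to
# auto-renew; otherwise print each failing expectation and return 1.
check_machine_cert() {
    blk=$(request_block "$1" "${2:-Machine}")
    [ -n "$blk" ] || { echo "no tracking entry for '${2:-Machine}'"; return 1; }
    rc=0
    for want in "status: MONITORING" "stuck: no" "track: yes" "auto-renew: yes"; do
        printf '%s\n' "$blk" | grep -q "^[[:space:]]*$want\$" ||
            { echo "unexpected value, expected: $want"; rc=1; }
    done
    return $rc
}

# Constructed sample in the page's format (healthy entry), for offline runs.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        certificate template/profile: Machine
        track: yes
        auto-renew: yes
EOF
}

# Run against a real `getcert list` capture when a file is given.
if [ -n "${1:-}" ]; then check_machine_cert "$1"; fi
```

Pipe the extracted path into `openssl x509 -in <path> -noout -dates -subject` to confirm the issuer and expiry match what the GPO's template is expected to issue.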

Certificates

Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.