Certificate Auto Enrollment: Difference between revisions

Edit summaries:
* (→Configuring Certificate Auto Enrollment on the Server: NDES is NOT required.)
* (Add steps how to install AD CS)
Revision as of 06:47, 22 January 2024
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
=== Configuring Certificate Auto Enrollment on the Server ===

'''Prerequisite''': An Active Directory domain and a Samba domain member already joined.

The Windows server roles '''Certification Authority''', '''Certificate Enrollment Policy Web Service''', and '''Certificate Enrollment Web Service''' all must be installed and configured.

<pre>
# Install Certificate Service Windows Features
Add-WindowsFeature -Name @('ADCS-Cert-Authority','ADCS-Enroll-Web-Pol','ADCS-Enroll-Web-Svc') -IncludeManagementTools

# Create User CES (the service account the Certificate Enrollment Web Service runs as)
$addc = Get-ADDomainController
$realm = $addc.domain.ToUpper()
$dnsdomain = $addc.domain
# Short domain name = first DNS label of the realm. Split('.') is used rather than
# Split('\.'): the latter splits on '\' and '.' in Windows PowerShell 5.1 but on the
# literal string "\." in PowerShell 7, where it would return the whole realm.
$domain = $realm.Split('.')[0]
$hostname = $addc.hostname
$ces_username = "CES"
$ces_username_lower = $ces_username.toLower()
$ces_upn = "$ces_username_lower@$dnsdomain"
$ces_user = "$domain\$ces_username"
$ces_secpasswd = ConvertTo-SecureString -String "P@sSwOrd1" -AsPlainText -Force
New-ADUser -Name $ces_username -GivenName $ces_username -Surname Service -DisplayName "CES Service" -UserPrincipalName $ces_upn -AccountPassword $ces_secpasswd -ChangePasswordAtLogon:$false -PasswordNeverExpires $true -Enabled $true
net localgroup IIS_IUSRS $domain\$ces_username /Add

# Setup Certificate Authority
$admin_creds = Get-Credential Administrator

# Details can be found at [1]
$params = @{
    CAType = "EnterpriseRootCA"
    CACommonName = "$domain-ROOT-CA"
    CryptoProviderName = "RSA#Microsoft Software Key Storage Provider"
    KeyLength = 4096
    HashAlgorithmName = "SHA512"
    OverwriteExistingCAinDS = $true
    OverwriteExistingKey = $true
    Credential = $admin_creds
    Force = $true
}
Install-AdcsCertificationAuthority @params
</pre>

'''The CES service account needs to have read permission on the CA'''

# Open the Certificate Authority Console
# Right click on the CA -> Properties
# On the Security tab click on "Add..."
# Add the CES service account.
# For the CES account ensure that the "Allow" check box is selected for "Read". Clear the "Allow" check box for "Request Certificates".

'''Request a Server Certificate for HTTPS from CA'''

Follow the instructions you can find [https://social.technet.microsoft.com/wiki/contents/articles/12485.configure-ssltls-on-a-web-site-in-the-domain-with-an-enterprise-ca.aspx here].

<pre>
# Restart IIS
iisreset /restart

# Get the SSL Certificate Thumbprint of the Web Server
Import-Module WebAdministration
$certs = Get-ChildItem IIS:SSLBindings | Foreach-Object {
    [PSCustomObject]@{
        Site=$_.sites.value
        HostName=$_.Host
        Port=$_.Port
        Thumb=$_.thumbprint
    }
}
# The steps below assume a single HTTPS binding; with several bindings, pick the one
# serving the enrollment site, since -SSLCertThumbprint expects one thumbprint.

# Setup AdcsEnrollmentPolicyWebService
$params = @{
    AuthenticationType = "Kerberos"
    SSLCertThumbprint = $certs.thumb
    Credential = $admin_creds
}
Install-AdcsEnrollmentPolicyWebService @params -Force

# AdcsEnrollmentWebService: Details can be found at [2]
$params = @{
    AuthenticationType = "Kerberos"
    SSLCertThumbprint = $certs.thumb
    ServiceAccountName = $ces_user
    ServiceAccountPassword = $ces_secpasswd
    Credential = $admin_creds
}
Install-AdcsEnrollmentWebService @params -Force

# Set GPO for Auto Enrollment
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "AEPolicy" -Value 7 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationPercent" -Value 10 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationStoreNames" -Value "MY" -Type "String"
gpupdate /force

# AutoEnrollment successfully set up.
Get-CertificateAutoEnrollmentPolicy -Scope Applied -context Machine
</pre>

'''Create Test Computer Certificate Template'''

You can follow the steps you can find [https://dmulder.github.io/group-policy-book/certautoenroll.html#certificate-templates here].

'''Additional Resources'''

# [https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831574(v=ws.11) Certificate Authority Guidance]
# [https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831822(v=ws.11) Certificate Enrollment Web Service Guidance]
# [https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment Configure server certificate auto-enrollment]
=== Enable Certificate Auto Enrollment on the Client ===

To set up Certificate Auto Enrollment:

# Install certmonger and cepces. Samba uses certmonger paired with cepces to monitor the host certificate templates.
# Join an Active Directory domain (one where the CA has been previously configured as explained above). Samba's gpupdate will work with SSSD, but will require the oddjob-gpupdate package in order to apply policies automatically.
# Enable group policy apply:
#* For a Winbind joined machine, by setting the smb.conf global parameter 'apply group policies = yes'.
#* For an SSSD joined machine, by installing the oddjob-gpupdate package.
# To verify Certificate Auto Enrollment is correctly configured, issue the command `/usr/sbin/samba-gpupdate --rsop`:
<pre>
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
======================================================================================================================
  CSE: gp_cert_auto_enroll_ext
  -----------------------------------------------------------
    Policy Type: Auto Enrollment Policy
    -----------------------------------------------------------
    [ <REDACTED CA NAME> ] =
      [ CA Certificate ] =
        ----BEGIN CERTIFICATE----
        <REDACTED>
        ----END CERTIFICATE----
      [ Auto Enrollment Server ] =
        <REDACTED DNS NAME>
      [ Templates ] =
        [ Machine ]
    -----------------------------------------------------------
  -----------------------------------------------------------
======================================================================================================================
</pre>
Issuing the `getcert list` command will display the installed certificates:
<pre>
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
	certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
	CA: <My CA>
	issuer: CN=<My CA>
	subject: CN=<my hostname>
	expires: 2017-08-15 17:37:02 UTC
	dns: <my hostname>
	key usage: digitalSignature,keyEncipherment
	eku: id-kp-clientAuth,id-kp-serverAuth
	certificate template/profile: Machine
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
</pre>
'''Certificates'''

Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
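The `getcert list` output above is the state a client-side check should read back: the request must be in MONITORING, not stuck, auto-renewing, not close to expiry, and its key must live under the private directory named in the Certificates section with permissions that keep it from other local users. The script below is an added example, not Samba, certmonger or cepces code: it parses the certmonger text layout shown above, applies those checks, and runs against the live `getcert list` output when the tool is present. The embedded sample output, its CA and host names, and the 30-day renewal threshold are constructed for the example.

```python
"""Health check for a certificate that Samba's auto-enrollment CSE hands to
certmonger. Added example (not from Samba, certmonger or cepces): parses the
`getcert list` text layout and flags conditions a defender cares about."""
import os
import re
import stat
from datetime import datetime, timedelta, timezone

# Where Samba keeps private keys for enrolled certificates (from the page).
KEY_DIR = "/var/lib/samba/private/certs"

_REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
_LOCATION_RE = re.compile(r"location='(?P<path>[^']*)'")

# Constructed sample modelled on the `getcert list` output shown above; the
# CA name and host name are placeholders, not real values.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
\tcertificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
\tCA: EXAMPLE-ROOT-CA
\tissuer: CN=EXAMPLE-ROOT-CA
\tsubject: CN=client1.example.com
\texpires: 2017-08-15 17:37:02 UTC
\tcertificate template/profile: Machine
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by certmonger's field names."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _REQUEST_RE.match(line)
        if m:  # a new "Request ID '...':" header starts a record
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # e.g. the "Number of certificates ..." header line
        key, _, value = line.partition(":")  # first colon only; times contain more
        current[key.strip()] = value.strip()
    return records


def storage_path(field_value):
    """Extract the file path from a "type=FILE,location='...'" field."""
    m = _LOCATION_RE.search(field_value or "")
    return m.group("path") if m else None


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def check_request(rec, now=None, min_days=30):
    """Return findings for one request; an empty list means it looks healthy."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if rec.get("status") != "MONITORING":
        findings.append(f"status is {rec.get('status')!r}, not MONITORING")
    if rec.get("stuck") == "yes":
        findings.append("certmonger reports the request as stuck")
    if rec.get("auto-renew") != "yes":
        findings.append("auto-renew is off, so the certificate will lapse")
    if rec.get("expires"):
        exp = parse_expiry(rec["expires"])
        if exp <= now:
            findings.append(f"certificate expired on {rec['expires']}")
        elif exp - now < timedelta(days=min_days):
            findings.append(f"certificate expires within {min_days} days ({rec['expires']})")
    key_path = storage_path(rec.get("key pair storage"))
    if key_path and os.path.dirname(key_path) != KEY_DIR:
        findings.append(f"private key {key_path} is outside {KEY_DIR}")
    return findings


def audit_key_mode(mode):
    """Flag a private key whose permission bits allow group or other access."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"private key mode is {stat.S_IMODE(mode):04o}; expected 0600 or stricter"]
    return []


def audit_key_file(path):
    if not path:
        return ["no key storage path recorded for this request"]
    try:
        return audit_key_mode(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"private key {path} does not exist"]


if __name__ == "__main__":
    import subprocess
    try:
        text = subprocess.check_output(["getcert", "list"], text=True)
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_GETCERT_OUTPUT  # certmonger absent: demonstrate on the sample
    for rec in parse_getcert_list(text):
        problems = check_request(rec) + audit_key_file(storage_path(rec.get("key pair storage")))
        print(rec["request_id"], "OK" if not problems else "; ".join(problems))
```

Run it as root on the enrolled client so the key file can be stat'ed; a non-empty finding list for the `Machine` request is what should page an operator, since samba-gpupdate will only re-enroll on its next policy application and certmonger's own renewal depends on the CA being reachable.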