Certificate Auto Enrollment: Difference between revisions
Changes between the two revisions compared. Context lines are shown as-is; lines marked with - appear only in the earlier revision and are not part of the revision text shown below.

Line 17 / Line 17:
  $domain = $realm.split('\.')[0]
  $hostname = $addc.hostname
- $ces_username = "CES"
- $ces_username_lower = $ces_username.toLower()
- $ces_upn = "$ces_username_lower@$dnsdomain"
- $ces_user = "$domain\$ces_username"
- $ces_secpasswd = ConvertTo-SecureString -String "P@sSwOrd1" -AsPlainText -Force
- New-ADUser -Name $ces_username -GivenName $ces_username -Surname Service -DisplayName "CES Service" -UserPrincipalName $ces_upn -AccountPassword $ces_secpasswd -ChangePasswordAtLogon:$false -PasswordNeverExpires $true -Enabled $true
- net localgroup IIS_IUSRS $domain\$ces_username /Add
- setspn -s http/$hostname $ces_user
  # Setup Certificate Authority

Line 46 / Line 35:
  Install-AdcsCertificationAuthority @params
  </pre>
- '''The CES service account needs have read permission on the CA'''
- # Open the Certificate Authority Console
- # Right Click on the CA -> Properties
- # On the Security tab click on "Add .."
- # Add the CES service account.
- # For the CES account ensure that the "Allow" check box is selected for "Read". Clear the "Allow" check box for "Request Certificates"
  '''Request a Server Certificate for HTTPS from CA'''

Line 86 / Line 67:
  AuthenticationType = "Kerberos"
  SSLCertThumbprint = $certs.thumb
- ServiceAccountName = $ces_user
- ServiceAccountPassword = $ces_secpasswd
  Credential = $admin_creds
  }
Revision as of 10:14, 15 February 2024
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
Configuring Certificate Auto Enrollment on the Server
Prerequisite: An Active Directory domain and a Samba domain member already joined.
The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, and Certificate Enrollment Web Service all must be installed and configured.
```powershell
# Install Certificate Service Windows Features
Add-WindowsFeature -Name @('ADCS-Cert-Authority','ADCS-Enroll-Web-Pol','ADCS-Enroll-Web-Svc') -IncludeManagementTools

# Create User CES
$addc = Get-ADDomainController
$realm = $addc.domain.ToUpper()
$dnsdomain = $addc.domain
$domain = $realm.split('\.')[0]
$hostname = $addc.hostname

# Setup Certificate Authority
$admin_creds = Get-Credential Administrator
# Details can be found at [1]
$params = @{
    CAType = "EnterpriseRootCA"
    CACommonName = "$domain-ROOT-CA"
    CryptoProviderName = "RSA#Microsoft Software Key Storage Provider"
    KeyLength = 4096
    HashAlgorithmName = "SHA512"
    OverwriteExistingCAinDS = $true
    OverwriteExistingKey = $true
    Credential = $admin_creds
    Force = $true
}
Install-AdcsCertificationAuthority @params
```
Request a Server Certificate for HTTPS from CA
Follow the instructions you can find here.
```powershell
# Restart IIS
iisreset /restart

# Get the SSL Certificate Thumbprint of the Web Server
Import-Module WebAdministration
$certs = Get-ChildItem IIS:SSLBindings | Foreach-Object {
    [PSCustomObject]@{
        Site=$_.sites.value
        HostName=$_.Host
        Port=$_.Port
        Thumb=$_.thumbprint
    }
}

# Setup AdcsEnrollmentPolicyWebService
$params = @{
    AuthenticationType = "Kerberos"
    SSLCertThumbprint = $certs.thumb
    Credential = $admin_creds
}
Install-AdcsEnrollmentPolicyWebService @params -Force

# AdcsEnrollmentWebService: Details can be found at [2]
$params = @{
    AuthenticationType = "Kerberos"
    SSLCertThumbprint = $certs.thumb
    Credential = $admin_creds
}
Install-AdcsEnrollmentWebService @params -Force

# Set GPO for Auto Enrollment
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "AEPolicy" -Value 7 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationPercent" -Value 10 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationStoreNames" -Value "MY" -Type "String"
gpupdate /force

# AutoEnrollment successfully set up.
Get-CertificateAutoEnrollmentPolicy -Scope Applied -context Machine
```
Create Test Computer Certificate Template
Follow the steps you can find here.
Additional Resources
- Certificate Authority Guidance
- Certificate Enrollment Web Service Guidance
- Configure server certificate auto-enrollment
- Configure HTTPS with an Enterprise CA
Enable Certificate Auto Enrollment on the Client
To set up Certificate Auto Enrollment:
- Install certmonger and cepces. Samba uses certmonger paired with cepces to monitor the host certificate templates. Most distributions have a samba-gpupdate package which pulls in all the required packages for you.
- Join to an Active Directory domain (one where the CA has been previously configured as explained above).
- Run `samba-gpupdate` to install the certificates.
- Issue `getcert list` to display the installed certificates:
```text
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
	certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
	CA: <My CA>
	issuer: CN=<My CA>
	subject: CN=<my hostname>
	expires: 2017-08-15 17:37:02 UTC
	dns: <my hostname>
	key usage: digitalSignature,keyEncipherment
	eku: id-kp-clientAuth,id-kp-serverAuth
	certificate template/profile: Machine
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
```
- To verify Certificate Auto Enrollment is correctly configured, issue the command `samba-gpupdate --rsop`:
```text
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================================================================
  CSE: gp_cert_auto_enroll_ext
  -----------------------------------------------------------
    Policy Type: Auto Enrollment Policy
    -----------------------------------------------------------
    [ <REDACTED CA NAME> ] =
      [ CA Certificate ] =
        ----BEGIN CERTIFICATE----
        <REDACTED>
        ----END CERTIFICATE----
      [ Auto Enrollment Server ] =
        <REDACTED DNS NAME>
      [ Templates ] =
        [ Machine ]
    -----------------------------------------------------------
=================================================================================================================
```
- Change the server variable in `/etc/cepces/cepces.conf` to point to the CA server.
- Set `kerberos method = secrets and keytab` in smb.conf.
- Create a keytab for cepces-submit Kerberos authentication with `net ads keytab create`.
- Enable group policy application:
  - For a Winbind-joined machine, set the smb.conf global parameter `apply group policies = yes`.
  - For an SSSD-joined machine, install the oddjob-gpupdate package.
Samba's gpupdate will work with SSSD, but will require the oddjob-gpupdate package in order to apply policies automatically.
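As an added example (not code from the Samba project or this page), the following Python cross-checks the two outputs shown above: it takes the templates listed under `[ Templates ]` in `samba-gpupdate --rsop` output and confirms that `getcert list` tracks a MONITORING, non-stuck request for each, flagging missing ones and certificates that expire within a threshold. The sample strings are constructed in the formats shown on this page; the CA name EXAMPLE-ROOT-CA and the WebServer template are placeholders.

```python
import re
from datetime import datetime, timedelta
# Constructed samples in the two formats shown on this page (not real output).
RSOP_SAMPLE = """      [ Templates ] =
        [ Machine ]
        [ WebServer ]
    -----------------------------------------------------------
"""
GETCERT_SAMPLE = """Number of certificates and requests being tracked: 1.
Request ID 'Machine':
    status: MONITORING
    stuck: no
    expires: 2017-08-15 17:37:02 UTC
    certificate template/profile: Machine
"""
def rsop_templates(text):
    """Template names listed under '[ Templates ] =' in `samba-gpupdate --rsop` output."""
    templates, in_block = [], False
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith("[ Templates ]"):
            in_block = True
        elif in_block and re.fullmatch(r"\[ .+ \]", s):
            templates.append(s[2:-2])
        else:  # a separator or the next CA block ends the list
            in_block = False
    return templates
def getcert_requests(text):
    """Parse `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '(.+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1] in (" ", "\t") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests
def check_enrollment(rsop_text, getcert_text, now, warn_days=30):
    """Findings for policy templates certmonger is not tracking healthily; `now` is UTC (datetime or ISO string)."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    findings = []
    by_tmpl = {r.get("certificate template/profile"): (rid, r) for rid, r in getcert_requests(getcert_text).items()}
    for tmpl in rsop_templates(rsop_text):
        rid, r = by_tmpl.get(tmpl, (None, None))
        if r is None:
            findings.append(f"{tmpl}: in policy but certmonger tracks no request")
        elif r.get("status") != "MONITORING" or r.get("stuck") != "no":
            findings.append(f"{tmpl}: request {rid} status={r.get('status')} stuck={r.get('stuck')}")
        elif datetime.strptime(r["expires"][:19], "%Y-%m-%d %H:%M:%S") - now < timedelta(days=warn_days):
            findings.append(f"{tmpl}: certificate expires {r['expires']}")
    return findings
```

On a real host, feed it the captured output of the two commands; an empty list means every template the GPO expects is tracked and not near expiry.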
Certificates
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.