Certificate Auto Enrollment

From SambaWiki

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.

Configuring Certificate Auto Enrollment on the Server

Prerequisite: An Active Directory domain and a Samba domain member already joined.

The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, and Certificate Enrollment Web Service all must be installed and configured.

# Install Certificate Service Windows Features
Add-WindowsFeature -Name @('ADCS-Cert-Authority','ADCS-Enroll-Web-Pol','ADCS-Enroll-Web-Svc') -IncludeManagementTools

# Create User CES
$addc = Get-ADDomainController
$realm = $addc.domain.ToUpper()
$dnsdomain = $addc.domain
$domain = $realm.Split('.')[0]   # first label of the realm, used as the short domain name (the original '\.' argument only worked by accident on Windows PowerShell)
$hostname = $addc.hostname

$ces_username = "CES"
$ces_username_lower = $ces_username.toLower()
$ces_upn = "$ces_username_lower@$dnsdomain"
$ces_user = "$domain\$ces_username"
$ces_secpasswd = ConvertTo-SecureString -String "P@sSwOrd1" -AsPlainText -Force   # example password; replace with a strong, unique one before use

New-ADUser -Name $ces_username -GivenName $ces_username -Surname Service -DisplayName "CES Service" -UserPrincipalName $ces_upn -AccountPassword $ces_secpasswd -ChangePasswordAtLogon:$false -PasswordNeverExpires $true -Enabled $true

net localgroup IIS_IUSRS $domain\$ces_username /Add

# Setup Certificate Authority
$admin_creds = Get-Credential Administrator

# Details can be found at [1]
$params = @{
    CAType                  = "EnterpriseRootCA"
    CACommonName            = "$domain-ROOT-CA"
    CryptoProviderName      = "RSA#Microsoft Software Key Storage Provider"
    KeyLength               = 4096
    HashAlgorithmName       = "SHA512"
    OverwriteExistingCAinDS = $true
    OverwriteExistingKey    = $true
    Credential              = $admin_creds
    Force                   = $true
}
Install-AdcsCertificationAuthority @params

The CES service account needs to have read permission on the CA:

  1. Open the Certificate Authority console.
  2. Right-click on the CA -> Properties.
  3. On the Security tab, click "Add...".
  4. Add the CES service account.
  5. For the CES account, ensure that the "Allow" check box is selected for "Read" and clear the "Allow" check box for "Request Certificates".

Request a Server Certificate for HTTPS from CA

Follow the instructions you can find here.

# Restart IIS
iisreset /restart

# Get the SSL Certificate Thumbprint of the Web Server
Import-Module WebAdministration
$certs = Get-ChildItem IIS:SSLBindings | Foreach-Object {
  [PSCustomObject]@{
     Site=$_.sites.value
     HostName=$_.Host
     Port=$_.Port
     Thumb=$_.thumbprint
  }
}

# Setup AdcsEnrollmentPolicyWebService
$params = @{
    AuthenticationType     = "Kerberos"
    SSLCertThumbprint      = $certs.thumb
    Credential             = $admin_creds
}
Install-AdcsEnrollmentPolicyWebService @params -Force

# AdcsEnrollmentWebService: Details can be found at [2]
$params = @{
    AuthenticationType     = "Kerberos"
    SSLCertThumbprint      = $certs.thumb
    ServiceAccountName     = $ces_user
    ServiceAccountPassword = $ces_secpasswd
    Credential             = $admin_creds
}
Install-AdcsEnrollmentWebService @params -Force

# Set GPO for Auto Enrollment
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "AEPolicy" -Value 7 -Type "Dword"

Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationPercent" -Value 10 -Type "Dword"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationStoreNames" -Value "MY" -Type "String"

gpupdate /force

# AutoEnrollment successfully set up.
Get-CertificateAutoEnrollmentPolicy -Scope Applied -context Machine

Create Test Computer Certificate Template

Follow the steps you can find here.

Additional Resources

Enable Certificate Auto Enrollment on the Client

To set up Certificate Auto Enrollment:

  • Install certmonger and cepces. Samba uses certmonger paired with cepces to monitor the host certificate templates. Most distributions have a samba-gpupdate package which pulls in all the required packages for you.
  • Join to an Active Directory domain (one where the CA has been previously configured as explained above).
  • Run `samba-gpupdate` to install the certificates.
  • Issue `getcert list` to display the installed certificates:
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: <My CA>
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
  • To verify Certificate Auto Enrollment is correctly configured, issue the command `samba-gpupdate --rsop`:
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================================================================
CSE: gp_cert_auto_enroll_ext
-----------------------------------------------------------
Policy Type: Auto Enrollment Policy
-----------------------------------------------------------
[ <REDACTED CA NAME> ] =
[ CA Certificate ] =
----BEGIN CERTIFICATE----
<REDACTED>
----END CERTIFICATE----
[ Auto Enrollment Server ] = <REDACTED DNS NAME>
[ Templates ] =
[ Machine ]
-----------------------------------------------------------
=================================================================================================================
  • Change the server variable in `/etc/cepces/cepces.conf` to point to the CA server.
  • Enable group policy apply:
    • For a Winbind-joined machine, set the smb.conf global parameter 'apply group policies = yes'.
    • For an SSSD-joined machine, install the oddjob-gpupdate package.
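The verification steps above (reading `getcert list`, reading `samba-gpupdate --rsop`, and pointing `/etc/cepces/cepces.conf` at the CA server) can be scripted so a host reports on itself after enrollment and on a schedule. The following Python is an added example, not code from the SambaWiki page or from Samba itself: it parses the two command outputs in the format shown above, flags a tracked request that is not MONITORING, is stuck, has auto-renew off, or is expired or close to expiry, and compares the Auto Enrollment Server delivered by policy with the `server` value in cepces.conf. The sample outputs, the CA and host names in them, and the `[global]`/`server` layout of cepces.conf are constructed assumptions of this example.

```python
import configparser
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output in the page's format (names made up).
GETCERT_SAMPLE = """\
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: Example-CA
        subject: CN=host.example.com
        expires: 2017-08-15 17:37:02 UTC
        certificate template/profile: Machine
        auto-renew: yes
"""
# Constructed sample of the gp_cert_auto_enroll_ext block of `samba-gpupdate --rsop`.
RSOP_SAMPLE = """\
CSE: gp_cert_auto_enroll_ext
Policy Type: Auto Enrollment Policy
[ Example-CA ] =
[ CA Certificate ] =
----BEGIN CERTIFICATE----
PLACEHOLDER-PEM-BODY
----END CERTIFICATE----
[ Auto Enrollment Server ] = ca.example.com
[ Templates ] =
[ Machine ]
"""
# Assumed /etc/cepces/cepces.conf layout: a [global] section with a `server` key.
CEPCES_CONF_SAMPLE = "[global]\nserver = ca.example.com\nauth = Kerberos\n"

def parse_utc(text):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Map each 'Request ID' block of `getcert list` to a dict of its indented fields."""
    requests, current = {}, None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = requests.setdefault(match.group(1), {})
        elif current is not None and line[:1].isspace():
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def check_request(fields, now, warn_days=30):
    """Problems with one tracked request; an empty list means healthy."""
    problems = []
    if fields.get("status") != "MONITORING":
        problems.append(f"status is {fields.get('status')}, expected MONITORING")
    if fields.get("stuck") != "no":
        problems.append("request is stuck")
    if fields.get("auto-renew") != "yes":
        problems.append("auto-renew is off")
    if "expires" in fields:
        expires = parse_utc(fields["expires"])
        if expires <= now:
            problems.append(f"certificate expired on {fields['expires']}")
        elif expires - now < timedelta(days=warn_days):
            problems.append(f"certificate expires within {warn_days} days ({fields['expires']})")
    return problems

def parse_rsop(text):
    """Extract server, CA-certificate presence and template names from the RSoP block."""
    server = re.search(r"^\[ Auto Enrollment Server \] = (\S+)", text, re.M)
    templates = re.findall(r"^\[ (.+) \]$", text.partition("[ Templates ]")[2], re.M)
    return {"server": server.group(1) if server else None,
            "ca_certificate": "BEGIN CERTIFICATE" in text, "templates": templates}

def cepces_server(conf_text):
    """Return the [global] server value from cepces.conf text, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get("global", "server", fallback=None)

def health_report(getcert_text, rsop_text, conf_text, now=None):
    """Run every check; returns {name: [problems]} with all lists empty when healthy."""
    now = now or datetime.now(timezone.utc)
    report = {rid: check_request(f, now) for rid, f in parse_getcert(getcert_text).items()}
    rsop, conf, policy = parse_rsop(rsop_text), cepces_server(conf_text), []
    if not rsop["ca_certificate"]:
        policy.append("policy delivered no CA certificate")
    if not rsop["templates"]:
        policy.append("policy lists no certificate templates")
    if rsop["server"] is None:
        policy.append("policy names no Auto Enrollment Server")
    elif conf is None:
        policy.append("cepces.conf has no server entry under [global]")
    elif rsop["server"].lower() != conf.lower():
        policy.append(f"cepces.conf server={conf} but policy says {rsop['server']}")
    report["policy"] = policy
    return report

if __name__ == "__main__":
    # On a joined host, replace the samples with the real outputs, for example
    # subprocess.check_output(["getcert", "list"], text=True) and the contents of cepces.conf.
    for name, problems in health_report(GETCERT_SAMPLE, RSOP_SAMPLE, CEPCES_CONF_SAMPLE).items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```

Run as-is the script reports the sample certificate as expired (its `expires` date is in the past); with the real command outputs substituted, a non-empty list for any key is the condition to alert on, and the 30-day warning window is worth aligning with the template's renewal period so the check fires before certmonger's auto-renewal would have to.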

Certificates

Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
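Because the private keys under /var/lib/samba/private/certs are what authenticate the host, their file modes are worth checking right after enrollment and on a schedule. The following Python is an added example, not code from the SambaWiki page or from Samba: it audits a key directory for entries that are symlinks, are not owned by the expected user, or carry any group or other permission bits, and it includes a constructed temporary directory so it runs without a joined host. The expectation of root ownership and a 0600 mode is this example's assumption; the page only states where the files are installed.

```python
import os
import stat
import tempfile

# Directories named on the page; the private key directory is the sensitive one.
KEY_DIR = "/var/lib/samba/private/certs"
CERT_DIR = "/var/lib/samba/certs"


def audit_key_dir(path, expected_uid=0):
    """Return {filename: [problems]} for each entry in a private-key directory.

    A key file passes only if it is a regular file (not a symlink), is owned
    by expected_uid, and has no group or other permission bits at all.
    """
    findings = {}
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        problems = []
        if stat.S_ISLNK(st.st_mode):
            problems.append("is a symlink")
        elif not stat.S_ISREG(st.st_mode):
            continue  # subdirectories and other objects are out of scope here
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
        if st.st_uid != expected_uid:
            problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
        findings[name] = problems
    return findings


def demo():
    """Constructed directory: one correctly protected key and one that leaks."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("Machine.key", 0o600), ("Leaky.key", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        # The demo files belong to whoever runs it, so audit against that uid.
        return audit_key_dir(tmp, expected_uid=os.geteuid())


if __name__ == "__main__":
    # Audit the real directory when it exists, otherwise show the constructed demo.
    report = audit_key_dir(KEY_DIR) if os.path.isdir(KEY_DIR) else demo()
    for name, problems in report.items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```

On a real host run it as root so the default `expected_uid=0` applies; any non-empty finding for a `.key` file means the key material is exposed beyond the account that should hold it and the key should be rotated by re-running `samba-gpupdate` after fixing the permissions.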