SMB over QUIC client access control enables you to restrict which clients can access SMB over QUIC servers. Client access control allows you to create allowlists and blocklists for devices to connect to the file server. Client access control gives organizations more protection without changing the authentication used when making the SMB connection, nor does it alter the end user experience.
Client access control involves the server checking an access control list of certificates to determine whether a client is permitted to establish a QUIC connection with the server. The server validates the client certificate chain and ensures that it's trusted before proceeding with the access control checks. To configure client access control, an admin issues a certificate to the client and can add a hash of the certificate to an access control list maintained by the server.
If the client is permitted to connect to the server over QUIC, a TLS 1.3-encrypted tunnel over UDP port 443 is created. Client access control also supports certificates with subject alternative names. You can also configure SMB over QUIC to block access by revoking certificates or explicitly denying certain devices access. A server admin is able to prevent a client from accessing the server by revoking the client certificate, instead of relying solely on client access control.
Note
We recommend using SMB over QUIC with Active Directory domains, however it isn't required. You can also use SMB over QUIC on a workgroup-joined server with local user credentials and NTLM.
Allow access control entries can be added and removed using the Grant-SmbClientAccessToServer and Revoke-SmbClientAccessToServer cmdlets respectively. Deny access control entries can be added and removed using the Block-SmbClientAccessToServer and Unblock-SmbClientAccessToServer cmdlets respectively. The entries in the access control list can be displayed using the Get-SmbClientAccessToServer cmdlet.
A leaf certificate can be granted or denied access by adding an access control entry that identifies the certificate by its SHA256 hash. A group of leaf certificates with a common issuer can all be granted or denied access by adding an issuer access control entry for the common issuer. An issuer entry can be added for intermediate CA certificates and root CA certificates. Using issuer entries can be useful since they help reduce the total number of entries that need to be added. If none of the certificates in the client's certificate chain are denied access and at least one is allowed access, the client is granted access. For example:
If an allow entry is added for a CA certificate and a deny entry is added for one of the leaf certificates, all certificates issued by the CA are granted access except for the certificate for which the deny entry is added.
If a deny entry is added for a CA certificate and an allow entry is added for one of the leaf certificates, all certificates issued by the CA are denied access. The certificate for which an allow entry was added is still denied access, because any deny entry in the certificate chain takes priority over allow entries.
Suppose a Root CA has two intermediate CAs called intermediate CA 1 and intermediate CA 2. If an allow entry is added for the root CA and a deny entry is added for intermediate CA 2 then certificates issued by intermediate CA 1 are granted access and certificates issued by intermediate CA 2 are denied access.
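The allow/deny evaluation described above, modeled as an added Python example that is not part of this article or of the SMB implementation. It assumes SHA256 identifiers are computed over the certificate's DER bytes, that an ISSUER entry matches a CA certificate in the chain by its subject DN, and that a chain matching no entry at all is denied; the PKI, certificate bytes and ACL are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str  # X.500 DN, e.g. "CN=Contoso CA, DC=Contoso, DC=com"
    der: bytes    # constructed stand-in for the DER-encoded certificate bytes

    def sha256(self) -> str:           # identifier used with -IdentifierType SHA256
        return hashlib.sha256(self.der).hexdigest().upper()

    def sha1_thumbprint(self) -> str:  # what $clientCert.Thumbprint holds; never an ACL identifier
        return hashlib.sha1(self.der).hexdigest().upper()

def entry_matches(entry, cert, is_leaf):
    kind, ident = entry["IdentifierType"], entry["Identifier"]
    if kind == "SHA256":
        return ident.upper() == cert.sha256()
    if kind == "ISSUER":  # assumption: an issuer entry names a CA cert in the chain by subject DN
        return not is_leaf and ident == cert.subject
    raise ValueError(f"unknown IdentifierType {kind!r}")

def evaluate_chain(chain, acl):
    """chain is leaf-first, root last. A matching deny anywhere in the chain wins;
    otherwise at least one matching allow is required, and no match at all means deny."""
    allowed = False
    for i, cert in enumerate(chain):
        for entry in acl:
            if entry_matches(entry, cert, is_leaf=(i == 0)):
                if entry["Access"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

def allow(kind, ident): return {"IdentifierType": kind, "Identifier": ident, "Access": "Allow"}
def deny(kind, ident):  return {"IdentifierType": kind, "Identifier": ident, "Access": "Deny"}
# Constructed PKI: ROOT issues CA1 and CA2; CA1 issues client1 and client3, CA2 issues client2.
ROOT = Cert("CN=Contoso Root CA, DC=Contoso, DC=com", b"constructed-der:root")
CA1 = Cert("CN=Contoso CA 1, DC=Contoso, DC=com", b"constructed-der:ca1")
CA2 = Cert("CN=Contoso CA 2, DC=Contoso, DC=com", b"constructed-der:ca2")
LEAF1, LEAF2, LEAF3 = (Cert(f"CN=client{n}.contoso.com", f"constructed-der:leaf{n}".encode()) for n in (1, 2, 3))
CHAINS = {"client1": [LEAF1, CA1, ROOT], "client2": [LEAF2, CA2, ROOT], "client3": [LEAF3, CA1, ROOT]}

# The article's scenario: allow the root, deny intermediate CA 2, plus a deny for one leaf under CA 1.
ACL = [allow("ISSUER", ROOT.subject), deny("ISSUER", CA2.subject), deny("SHA256", LEAF3.sha256())]
def decisions(acl=ACL):
    return {name: evaluate_chain(chain, acl) for name, chain in CHAINS.items()}

if __name__ == "__main__":
    print(decisions())  # {'client1': 'Allow', 'client2': 'Deny', 'client3': 'Deny'}
```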
Before you can configure client access control, you need an SMB server with the following prerequisites.
Important
Once KB5035857 is installed, you must enable this feature in Group Policy:
You also need an SMB client with the following prerequisites.
Important
Once KB5035854 is installed, you must enable this feature in Group Policy:
To manage the settings for the SMB client, it's necessary to first configure the SMB server to mandate that the client sends a valid and trusted certificate chain and to perform the access control checks based on the client certificate chain. To perform this action, run the following command:
Set-SmbServerCertificateMapping -RequireClientAuthentication $true
Note
If both RequireClientAuthentication and SkipClientCertificateAccessCheck are set to $true, the server verifies the validity and trustworthiness of the client certificate chain but does not perform access control checks.
To gather your client certificate hash using PowerShell:
Open an elevated PowerShell prompt on the SMB client.
List the certificates in the client's certificate store by running the following command.
Get-ChildItem -Path Cert:\LocalMachine\My
Run the following command to store the certificate in a variable. Replace <subject name> with the subject name of the certificate you want to use.
$clientCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Match "<subject name>"}
Make a note of the client certificate's SHA256 hash by running the following command. You need this identifier when configuring client access control.
$clientCert.GetCertHashString("SHA256")
Note
The thumbprint stored in the $clientCert object uses the SHA1 algorithm. This is used by commands like New-SmbClientCertificateMapping. You also need the SHA256 hash to configure client access control; the two values differ because they're derived using different algorithms against the same certificate.
To map the client certificate to the SMB client:
Open an elevated PowerShell prompt on the SMB client.
Run the New-SmbClientCertificateMapping command to map the client certificate. Replace <namespace> with the SMB server's fully qualified domain name (FQDN) and use the SHA1 client certificate thumbprint you gathered in the previous section using the variable.
New-SmbClientCertificateMapping -Namespace <namespace> -Thumbprint $clientCert.Thumbprint -StoreName My
Once complete, the client certificate is used by the SMB client to authenticate to the SMB server matching the FQDN.
Run a connectivity test by mapping to a share for your server or client device. To perform this, run one of the following commands:
NET USE \\<server DNS name>\<share name> /TRANSPORT:QUIC
Or
New-SmbMapping -RemotePath \\<server DNS name>\<share name> -TransportType QUIC
If you receive an error message indicating that access was denied by the server, then you're ready to proceed to the next step as this verifies the server certificate mapping and client certificate mapping are configured.
Follow the steps to grant a specific client access to the SMB server using client access control.
Sign in to the SMB server.
Open an elevated PowerShell prompt on the SMB server.
Run the Grant-SmbClientAccessToServer cmdlet to grant access to the client certificate. Replace <name> with the SMB server's hostname and <hash> with the SHA256 client certificate identifier you gathered in the Gather the SMB client certificate information section.
Grant-SmbClientAccessToServer -Name <name> -IdentifierType SHA256 -Identifier <hash>
You've now granted access to the client certificate. You can verify the client certificate access by running the Get-SmbClientAccessToServer cmdlet.
Follow the steps to grant access to clients from a specific certification authority, also known as an issuer, using client access control.
Sign in to the SMB server.
Open an elevated PowerShell prompt on the SMB server.
Run the Grant-SmbClientAccessToServer cmdlet to grant access to certificates issued by the CA. Replace <name> with the SMB server's hostname and <subject name> with the complete X.500 distinguished name of the issuer certificate. For example, CN=Contoso CA, DC=Contoso, DC=com.
Grant-SmbClientAccessToServer -Name <name> -IdentifierType ISSUER -Identifier "<subject name>"
Once this step is complete, run the New-SmbMapping cmdlet as described in Test mapping connectivity; a second run is recommended to verify that client access control has been correctly configured.
Certain events, such as access allowed and access denied, are captured for troubleshooting purposes. These events provide information about the client certificates (excluding the root certificate) such as the subject, issuer, serial number, SHA1 and SHA256 hash, and the access control entries that apply to these certificates. These events display a connection ID. This ID is displayed in certain client connectivity events, which allows the administrator to easily match the server with the client that attempted to establish the connection.
Auditing of these events is disabled by default and can be enabled by running the following command:
Set-SmbServerConfiguration -AuditClientCertificateAccess $true
Once enabled, these events are captured in the Event Viewer in the following paths:
Path | Event ID
--- | ---
Applications and Services Logs\Microsoft\Windows\SMBServer\Audit | 3007, 3008, 3009
Applications and Services Logs\Microsoft\Windows\SMBClient\Connectivity | 30831