Forum Discussion
SMB over QUIC Client Access Control is inconsistent
- Nov 13, 2024
In our case the issue was the certificate EKU. Almost 100% sure the guidance was followed when we set this up many months ago, so I believe the doc has since been updated - regardless it does clearly point out that Client Authentication needs to be an EKU:
https://learn.microsoft.com/en-us/windows-server/storage/file-server/configure-smb-over-quic-client-access-control
Once we reissued a cert with Client Auth in the EKU, CAC started working for us. w00t!
It sounds like you've resolved the issue by reissuing the certificate with the proper Client Authentication Extended Key Usage (EKU), which is essential for SMB over QUIC client access control.
This is a common pitfall in certificate-based configurations, where an incorrect EKU setting can prevent the correct functionality of secure communications, such as SMB over QUIC. For SMB over QUIC to function properly, the client certificate needs to include Client Authentication in its EKU.
The documentation may indeed have changed over time, and it’s great that you caught this detail. It's always a good idea to double-check the latest guidance, especially with certificates and security protocols, as they can have specific requirements that evolve over time.
I'm glad to hear that reissuing the certificate solved the issue and that Client Access Control (CAC) is now working for you.
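A quick way to check for the condition discussed in this thread is to list which certificates in a store carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). This is an added example, not part of the original posts or of the Microsoft documentation; the store path `Cert:\LocalMachine\My` and the function name `Test-ClientAuthEku` are assumptions chosen for illustration.

```powershell
# Added example: audit certificates for the Client Authentication EKU.
# Assumption: the SMB over QUIC client certificate lives in Cert:\LocalMachine\My;
# pass -StorePath to point at a different store.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Hypothetical helper: returns one summary object per certificate.
function Test-ClientAuthEku {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    # Collect the EKU OIDs; stays empty when the extension is absent.
    $oids = @()
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        HasPrivateKey = $Certificate.HasPrivateKey
        EkuOids       = $oids -join ', '
        HasClientAuth = $oids -contains $ClientAuthOid
    }
}

# Certificates that do not list Client Authentication sort to the top.
Get-ChildItem -Path $StorePath |
    ForEach-Object { Test-ClientAuthEku -Certificate $_ } |
    Sort-Object HasClientAuth, NotAfter |
    Format-Table -AutoSize
```

Rows with `HasClientAuth` set to `False` are the ones to compare against the thumbprint actually configured for client access control.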