Forum Discussion
Wes808
Oct 20, 2024 · Brass Contributor
SMB over QUIC Client Access Control is inconsistent
We have set up SMB over QUIC on some Windows 2025 file servers and generally it works well. Unfortunately of course, it is not secure by design since there is no MFA or conditional access in the pic...
Wes808
Nov 13, 2024 · Brass Contributor
In our case the issue was the certificate EKU. Almost 100% sure the guidance was followed when we set this up many months ago, so I believe the doc has since been updated - regardless, it does clearly point out that Client Authentication needs to be an EKU:
https://learn.microsoft.com/en-us/windows-server/storage/file-server/configure-smb-over-quic-client-access-control
Once we reissued a cert with Client Auth in the EKU, CAC started working for us. w00t!
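An added check (not from this thread or from Microsoft's documentation) that does what the fix above implies: enumerate the certificates currently mapped for SMB over QUIC and flag any that lack the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), so the problem is caught before client access control silently fails. It assumes `Get-SmbServerCertificateMapping` exposes `Name` and `Thumbprint` properties and that the mapped certificate lives in `Cert:\LocalMachine\My`.

```powershell
# Standard EKU OIDs: id-kp-serverAuth and id-kp-clientAuth.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-SmbQuicCertificateEku {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # EnhancedKeyUsageList is populated from the certificate's EKU extension.
    $ekus = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter
        HasServerAuth = ($ekus -contains $ServerAuthOid)   # needed for the QUIC/TLS listener
        HasClientAuth = ($ekus -contains $ClientAuthOid)   # needed for client access control
    }
}

# Walk every SMB over QUIC certificate mapping on this server (assumed property names:
# Name = the server name clients connect to, Thumbprint = mapped certificate).
$results = foreach ($mapping in Get-SmbServerCertificateMapping) {
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($mapping.Thumbprint)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        [pscustomobject]@{
            MappedName = $mapping.Name; Thumbprint = $mapping.Thumbprint
            Subject = '(not found in LocalMachine\My)'; NotAfter = $null
            HasServerAuth = $false; HasClientAuth = $false
        }
        continue
    }
    Test-SmbQuicCertificateEku -Certificate $cert |
        Add-Member -NotePropertyName MappedName -NotePropertyValue $mapping.Name -PassThru
}

$results | Format-Table MappedName, Thumbprint, HasServerAuth, HasClientAuth, NotAfter -AutoSize

# Surface the exact condition described in the thread: mapping works for transport,
# but client access control cannot evaluate a cert that lacks Client Authentication.
$missing = @($results | Where-Object { -not $_.HasClientAuth })
if ($missing.Count -gt 0) {
    Write-Warning ("Mapped certificate(s) without the Client Authentication EKU: {0}. " +
        "Reissue with that EKU before relying on SMB over QUIC client access control." -f
        ($missing.Thumbprint -join ', '))
}
```

Run it in an elevated PowerShell session on the file server; a certificate that shows `HasServerAuth` true but `HasClientAuth` false reproduces the situation described above.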
kyazaferr
Nov 13, 2024 · Steel Contributor
It sounds like you've resolved the issue by reissuing the certificate with the proper Client Authentication Extended Key Usage (EKU), which is essential for SMB over QUIC client access control.
This is a common pitfall in certificate-based configurations, where an incorrect EKU setting can prevent the correct functionality of secure communications, such as SMB over QUIC. For SMB over QUIC to function properly, the client certificate needs to include Client Authentication in its EKU.
The documentation may indeed have changed over time, and it’s great that you caught this detail. It's always a good idea to double-check the latest guidance, especially with certificates and security protocols, as they can have specific requirements that evolve over time.
I'm glad to hear that reissuing the certificate solved the issue and that Client Access Control (CAC) is now working for you.