
Enable Azure File Shares SMB Over QUIC

1/1/2023


This post summarizes the steps to enable SMB over QUIC on a Windows Server 2022 Azure Edition VM running in the Azure cloud.

It shows how to configure SMB over QUIC from Windows Admin Center and from the command line.

Introduction

Microsoft implemented QUIC under the name MsQuic. It is included in the Windows 10 21Hx, 11, and Server 2022 operating systems. 

QUIC only in the Azure Edition

Microsoft positions SMB over QUIC for so-called edge file servers: servers that are reachable from outside and typically run in the cloud or in the DMZ of the local network.

However, Windows Server 2022 reserves SMB over QUIC for the new Datacenter: Azure Edition. As expected, this is available in the Microsoft cloud. It can also be run on-prem, but only in a VM on Azure Stack HCI. A normal Hyper-V server is thus left out for no technical reason.


Since SMB over QUIC requires a properly signed certificate, the first step is to obtain a publicly trusted certificate using the Win-ACME tool (a Let's Encrypt ACMEv2 client).


Win ACME

Installation Win-ACME

  • Download the latest version of the program from the win-acme project site (https://github.com/win-acme/win-acme).
  • Unzip the files to a non-temporary folder, so that the scheduled renewal task will be able to run. The project recommends %programfiles%\win-acme or c:\win-acme.
  • Run wacs.exe (this requires administrator privileges).
  • Follow the instructions on the screen to configure your first renewal. The interactive session below is the full transcript for the quic.51sec.org certificate, using manual dns-01 validation and the Windows certificate store.

 A simple Windows ACMEv2 client (WACS)
 Software version 2.1.23.1315 (release, pluggable, standalone, 64-bit)
 Connecting to https://acme-v02.api.letsencrypt.org/...
 Connection OK!
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme
 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit
 Please choose from the menu: M
 Running in mode: Interactive, Advanced
 Source plugin IIS not available: No supported version of IIS detected.
 Please specify how the list of domain names that will be included in the
 certificate should be determined. If you choose for one of the "all bindings"
 options, the list will automatically be updated for future renewals to
 reflect the bindings at that time.
 1: Read bindings from IIS
 2: Manual input
 3: CSR created by another program
 C: Abort
 How shall we determine the domain(s) to include in the certificate?: 2
 Description:        A host name to get a certificate for. This may be a
                     comma-separated list.
 Host: quic.51sec.org
 Source generated using plugin Manual: quic.51sec.org
 Friendly name '[Manual] quic.51sec.org'. <Enter> to accept or type desired name: <Enter>
 The ACME server will need to verify that you are the owner of the domain
 names that you are requesting the certificate for. This happens both during
 initial setup *and* for every future renewal. There are two main methods of
 doing so: answering specific http requests (http-01) or create specific dns
 records (dns-01). For wildcard domains the latter is the only option. Various
 additional plugins are available from https://github.com/win-acme/win-acme/.
 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 9: [tls-alpn-01] Answer TLS verification request from win-acme
 C: Abort
 How would you like prove ownership for the domain(s)?: 6
 After ownership of the domain(s) has been proven, we will create a
 Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
 determines properties of the certificate like which (type of) key to use. If
 you are not sure what to pick here, RSA is the safe default.
 1: Elliptic Curve key
 2: RSA key
 C: Abort
 What kind of private key should be used for the certificate?: 2
 When we have the certificate, you can store in one or more ways to make it
 accessible to your applications. The Windows Certificate Store is the default
 location for IIS (unless you are managing a cluster of them).
 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store
 5: No (additional) store steps
 How would you like to store the certificate?: 4
 1: [My] - General computer store (for Exchange/RDS)
 2: [Default] - Use global default, currently My
 Choose store to use, or type the name of another unlisted store: 2
 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store
 5: No (additional) store steps
 Would you like to store it in another way too?: 5
 Installation plugin IIS not available: No supported version of IIS detected.
 With the certificate saved to the store(s) of your choice, you may choose one
 or more steps to update your applications, e.g. to configure the new
 thumbprint, or to update bindings.
 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps
 Which installation step should run first?: 3
 Terms of service:   C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.3-September-21-2022.pdf
 Open in default application? (y/n*) - no
 Do you agree with the terms? (y*/n) - yes
 Enter email(s) for notifications about problems and abuse (comma-separated): [email protected]
 [quic.51sec.org] Authorizing...
 [quic.51sec.org] Authorizing using dns-01 validation (Manual)
 Domain:             quic.51sec.org
 Record:             _acme-challenge.quic.51sec.org
 Type:               TXT
 Content:            "-QDr36wRwvaiX50c9UXAEsi8FI0VwhrJY9eHTOCqIx4"
 Note:               Some DNS managers add quotes automatically. A single set
                     is needed.
 Please press <Enter> after you've created and verified the record
 [quic.51sec.org] Preliminary validation succeeded
 [quic.51sec.org] Preliminary validation succeeded
 [quic.51sec.org] Authorization result: valid
 Domain:             quic.51sec.org
 Record:             _acme-challenge.quic.51sec.org
 Type:               TXT
 Content:            "-QDr36wRwvaiX50c9UXAEsi8FI0VwhrJY9eHTOCqIx4"
 Please press <Enter> after you've deleted the record
 Downloading certificate [Manual] quic.51sec.org
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [Manual] quic.51sec.org @ 2023/1/1 14:12:14 to store My
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\win-acme
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Random delay 04:00:00
 - Time limit 02:00:00
 Do you want to specify the user the task will run as? (y/n*) - no
 Adding renewal for [Manual] quic.51sec.org
 Next renewal due at 2023/2/25 14:12:23
 Certificate [Manual] quic.51sec.org created
 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit
 Please choose from the menu:


Open the local certificate store through MMC

Proceed as follows to open the local certificate store through the MMC snap-in:

  1. Click Start → Run, type mmc and press Enter.
  2. Click File, select Add/Remove Snap-in and click Add... in the next window.
  3. Select Certificates in the Available snap-ins field and then click Add.
  4. Select Computer account and then click Next.
  5. Select Local computer and click Finish.
  6. Close the Add or Remove Snap-ins window by clicking OK.
  7. Expand Personal → Certificates to check the new Let's Encrypt issued certificate for quic.51sec.org.



For the DNS TXT record, here is an example from my DNS provider:
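The win-acme transcript above pauses at "Please press <Enter> after you've created and verified the record". The script below is an added example (not part of the original post and not win-acme's own code) that does the verification step: it polls a set of public resolvers until the _acme-challenge TXT record carries the expected token, so the ACME validation is only triggered once the record has actually propagated. The record name and token are the ones printed in the transcript; the resolver list is an assumption.

```powershell
# Added example: confirm the dns-01 challenge record is publicly visible
# before telling win-acme to continue. Not part of the original post.

$ChallengeName = '_acme-challenge.quic.51sec.org'            # from the win-acme transcript
$ExpectedToken = '-QDr36wRwvaiX50c9UXAEsi8FI0VwhrJY9eHTOCqIx4' # from the win-acme transcript
$Resolvers     = @('8.8.8.8', '1.1.1.1', '9.9.9.9')            # assumed public resolvers

function Test-AcmeTxtRecord {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Expected,
        [string[]]$Servers = $Resolvers,
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $missing = @()
        foreach ($server in $Servers) {
            # -DnsOnly bypasses the local cache and hosts file, so the answer reflects
            # what the ACME server's resolvers will see rather than a stale local entry.
            $records = Resolve-DnsName -Name $Name -Type TXT -Server $server -DnsOnly `
                                       -ErrorAction SilentlyContinue
            # A TXT answer may be split into several strings; join them before comparing.
            $values = @($records | Where-Object { $_.Type -eq 'TXT' } |
                        ForEach-Object { -join $_.Strings })
            if ($values -notcontains $Expected) { $missing += $server }
        }
        if ($missing.Count -eq 0) {
            Write-Host "TXT record $Name with the expected token is visible on all resolvers."
            return $true
        }
        Write-Host ("Still missing on: {0}; retrying in {1}s" -f ($missing -join ', '), $PollSeconds)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Timed out waiting for $Name; do not press <Enter> in win-acme yet."
    return $false
}

Test-AcmeTxtRecord -Name $ChallengeName -Expected $ExpectedToken
```

Run it in a second PowerShell window while win-acme is waiting; once it returns $true, press Enter in the win-acme session. The same check is useful after the "Please press <Enter> after you've deleted the record" prompt, with the expectation inverted, to confirm the challenge record is gone.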



Windows Admin Center (Optional)

Enable / install Windows Admin Center on your Azure VM.

Grant your user the Windows Admin Center Administrator Login role.

Open the firewall for TCP port 6536 to allow access.

Here is how it looks after you connect to your Azure Edition Windows Server 2022 through Windows Admin Center:


Enabling SMB over QUIC From Windows Admin Center (Optional)

Once Windows Admin Center is installed on your Server 2022 Azure Edition VM and the firewall port is open, you can connect to the server to check or change its configuration.

From the Settings page, configure File Sharing across the Internet with SMB over QUIC:

From my testing using Azure Windows Admin Center, this configuration window does not show up. I am not able to get the same screen as the Microsoft Learn page: https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic

If you have the same problem, the next section shows how to do the same thing from the command line.

Enabling SMB over QUIC From Command Line 

By default, SMB over QUIC is already enabled on Windows Server 2022 Azure Edition, but it is not associated with any certificate:

PS C:\Users\netsec> Get-SmbServerConfiguration |select EnableSMBQUIC, RestrictNamedPipeAccessViaQuic, DisableSmbEncryptionOnSecureConnection

EnableSMBQUIC RestrictNamedPipeAccessViaQuic DisableSmbEncryptionOnSecureConnection
------------- ------------------------------ --------------------------------------
         True                           True                                   True


You can change these settings following the pattern below, but it is not necessary to do so:

Set-SmbServerConfiguration -DisableSmbEncryptionOnSecureConnection $false

The other two settings are also available as parameters of Set-SmbServerConfiguration.


Here are steps to map your Certificate to SMB configuration:

Instead of doing this from Windows Admin Center, you can achieve the same with PowerShell, as shown below. You need to gather the data from the chosen certificate and enter every DNS name from its Subject Alternative Name field that you want to use for access via SMB over QUIC.


# Certificate issued by Let's Encrypt (see the MMC step above); the values below are from this server
$CertName = 'quic.51sec.org'
# Thumbprint of the certificate in the LocalMachine\My store (copy it from the certificate details)
$Thumbprint = '2fa7c3a0cf7d7155aafde7aa8f2d0d8bf2391e44'
# DNS names (from the certificate's Subject Alternative Name) that clients may use to reach the server over QUIC
$MyCertDnsNamesToAllow = @('quic.51sec.org')
$Subject = 'CN=quic'
$DisplayName = 'quic.51sec.org'
# Create one QUIC mapping per allowed DNS name
Foreach ($DnsName in $MyCertDnsNamesToAllow ){
    New-SmbServerCertificateMapping -Name $DnsName -Thumbprint $Thumbprint -StoreName My -Subject $Subject -DisplayName $DisplayName -Type QUIC -Flags None
}


Run Get-SmbServerCertificateMapping to check the mapping result:

PS C:\Users\ns> Get-SmbServerCertificateMapping
Name           Subject           Thumbprint                               DisplayName                                 StoreName Type Flags
----           -------           ----------                               -----------                                 --------- ---- -----
quic.51sec.org CN=quic.51sec.org 2fa7c3a0cf7d7155aafde7aa8f2d0d8bf2391e44 [Manual] quic.51sec.org @ 2023/1/1 14:12:14 My        QUIC None

PS C:\Users\ns>

If you want to remove the configuration, you can do so as shown below:

Remove-SmbServerCertificateMapping -Thumbprint '2fa7c3a0cf7d7155aafde7aa8f2d0d8bf2391e44' -Name $MyCertDnsNamesToAllow

Verify that the mappings are gone with Get-SmbServerCertificateMapping.
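The mapping commands above take the thumbprint as a literal. The script below is an added example (not part of the original post or of Microsoft's documentation) that wraps the same New-/Get-/Remove-SmbServerCertificateMapping calls with the checks a practitioner would want before binding a certificate to an internet-facing SMB endpoint: the certificate is looked up in Cert:\LocalMachine\My by its SAN name, must have a private key, the Server Authentication EKU and at least a week of validity left, and any stale mapping for the same name is replaced rather than duplicated. The DNS name is the one from the post; the function names and the seven-day margin are assumptions.

```powershell
# Added example: map a certificate to SMB over QUIC only after checking it is usable,
# then verify the result. Not part of the original post.
#Requires -RunAsAdministrator

$DnsNamesToAllow = @('quic.51sec.org')   # names clients will use as \\name\share (from the post)
$ServerAuthEku   = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required for the QUIC TLS handshake

function Find-SmbQuicCertificate {
    param([Parameter(Mandatory)][string]$DnsName)
    # Newest certificate in the machine store that still has 7+ days of validity (assumed
    # margin), carries a private key, the Server Authentication EKU, and the requested name
    # in its Subject Alternative Name list.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date).AddDays(7) } |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku } |
        Where-Object { $_.DnsNameList.Unicode -contains $DnsName } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Set-SmbQuicCertificateMapping {
    param([Parameter(Mandatory)][string[]]$DnsNames)
    if (-not (Get-SmbServerConfiguration).EnableSMBQUIC) {
        throw 'EnableSMBQUIC is False on this server; a certificate mapping would have no effect.'
    }
    foreach ($name in $DnsNames) {
        $cert = Find-SmbQuicCertificate -DnsName $name
        if (-not $cert) { throw "No usable certificate for '$name' in Cert:\LocalMachine\My." }

        $current = @(Get-SmbServerCertificateMapping -Name $name -ErrorAction SilentlyContinue)
        if ($current.Thumbprint -contains $cert.Thumbprint) {
            Write-Host "'$name' is already mapped to $($cert.Thumbprint); nothing to do."
            continue
        }
        foreach ($old in $current) {
            # Stale mapping, e.g. left behind after a renewal changed the thumbprint
            Write-Host "Replacing old mapping for '$name' ($($old.Thumbprint))."
            Remove-SmbServerCertificateMapping -Name $name -Thumbprint $old.Thumbprint -Confirm:$false
        }
        $display = if ($cert.FriendlyName) { $cert.FriendlyName } else { $name }
        New-SmbServerCertificateMapping -Name $name -Thumbprint $cert.Thumbprint -StoreName My `
            -Subject $cert.Subject -DisplayName $display -Type QUIC -Flags None
    }
}

Set-SmbQuicCertificateMapping -DnsNames $DnsNamesToAllow

# Verify: each requested name should appear once, with Type QUIC and the expected thumbprint.
Get-SmbServerCertificateMapping |
    Where-Object { $_.Name -in $DnsNamesToAllow } |
    Format-Table Name, Subject, Thumbprint, Type, Flags -AutoSize
```

The mapping stores a thumbprint, so every Let's Encrypt renewal that produces a new certificate leaves the old mapping pointing at a certificate that will expire. Re-running Set-SmbQuicCertificateMapping after each renewal keeps the mapping current; the win-acme "Start external script or program" installation step shown in the transcript is a natural place to hook it in.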


After verifying that the certificate has been mapped to your SMB over QUIC configuration, you will also see the result in WAC (Windows Admin Center):



Connect Shares Using SMB over QUIC from Windows 11 Client

After you have created a share on your Windows Server 2022 Azure Edition server, you can try this now. To make sure SMB over QUIC is actually used, confirm that your Azure network firewall blocks TCP 445.

In the following screenshot, UDP 443 has been opened (SMB over QUIC), and the DenyAllInBound rule blocks TCP 445 (normal SMB traffic).



By default, if a Windows client's SMB connection cannot be established via TCP 445, the client automatically switches to QUIC. Admins can force this behavior by blocking TCP 445 in the firewall.


As an alternative, a network drive can be mapped on the client so that SMB over QUIC is explicitly selected. To do so, use the new /TRANSPORT:QUIC switch of net use, or the -TransportType QUIC parameter of the New-SmbMapping cmdlet.

You will need to provide a username/password that has permission to access this shared folder.

C:\Users\admin>net use * \\quic.51sec.org\temp /TRANSPORT:QUIC
Enter the user name for 'quic.51sec.org': administrator1
Enter the password for quic.51sec.org:
Drive Z: is now connected to \\quic.51sec.org\temp.

The command completed successfully.


C:\Users\admin>netstat -na | find "443"
  TCP    10.10.1.130:49676      52.226.139.121:443     ESTABLISHED
  TCP    10.10.1.130:49766      52.226.139.180:443     ESTABLISHED
  UDP    0.0.0.0:50293          20.203.193.13:443
  UDP    [::]:50293             [::ffff:20.203.193.13]:443

C:\Users\admin>
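The net use and netstat session above shows the manual checks. The script below is an added example (not part of the original post) that performs the same three steps from PowerShell on the Windows 11 client: confirm that TCP 445 to the server is really blocked, map the share with New-SmbMapping -TransportType QUIC, and then look for the UDP socket to port 443 that the netstat output above shows when QUIC is in use. Server and share names are the ones from the post; the drive letter, the credential prompt and the function names are assumptions.

```powershell
# Added example: map a share over QUIC from a Windows 11 client and verify the transport.
# Not part of the original post.

$Server      = 'quic.51sec.org'   # from the post
$Share       = 'temp'             # from the post
$DriveLetter = 'Z:'               # assumed

function Test-Smb445Blocked {
    param([Parameter(Mandatory)][string]$ComputerName)
    # If TCP 445 is reachable, the client would use plain SMB over TCP first,
    # so a blocked port is the expected (and desired) result here.
    $r = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    return (-not $r.TcpTestSucceeded)
}

function Get-SmbQuicEndpoints {
    # Get-NetUDPEndpoint does not expose the remote side of a "connected" UDP socket,
    # so parse netstat output for UDP sockets associated with a remote :443, which is
    # where SMB over QUIC traffic goes (compare the UDP lines in the netstat output above).
    netstat -na | ForEach-Object {
        if ($_ -match '^\s*UDP\s+(\S+)\s+(\S+):443\s*$') {
            [pscustomobject]@{ Local = $Matches[1]; Remote = "$($Matches[2]):443" }
        }
    }
}

if (-not (Test-Smb445Blocked -ComputerName $Server)) {
    Write-Warning "TCP 445 to $Server is reachable; the client could fall back to plain SMB. Check the NSG rules."
}

# New-SmbMapping only accepts the password as a plain string, so take it from a
# credential prompt at run time rather than storing it in the script.
$cred = Get-Credential -Message "Account with access to \\$Server\$Share"
New-SmbMapping -LocalPath $DriveLetter -RemotePath "\\$Server\$Share" -TransportType QUIC `
    -UserName $cred.UserName -Password $cred.GetNetworkCredential().Password

# Verify: the SMB session to the server exists, and a UDP socket to :443 is present.
Get-SmbConnection -ServerName $Server | Select-Object ServerName, ShareName, Dialect, Encrypted
$quic = @(Get-SmbQuicEndpoints)
if ($quic.Count -gt 0) {
    $quic | Format-Table -AutoSize
} else {
    Write-Warning 'No UDP :443 socket found; the mapping may not be using QUIC.'
}
```

Test-NetConnection waits for the TCP handshake to time out when the port is filtered, so the first check can take around 20 seconds; that delay is itself a sign the NSG rule is doing its job.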


Note: If you are using a self-signed certificate, you can add a name resolution record to the hosts file on your client machine.

References

  • How to use SMB over QUIC in Windows Server 2022
  • SMB over QUIC Testing Guide – Part I
  • SMB over QUIC Testing Guide – Part II
  • SMB over QUIC certificate issuance - https://www.youtube.com/watch?v=L0yl5Z5wToA
  • SMB over QUIC configuration and usage - https://www.youtube.com/watch?v=OslBSB8IkUw
  • Access Azure File Shares with SMB over QUIC (Third Party Certificate)
  • MAKING SMB ACCESSIBLE WITH NTLMQUIC (Linux Quic-Go)
  • SMB over QUIC



via Blogger http://blog.51sec.org/2023/01/enable-azure-file-shares-smb-over-quic.html
January 01, 2023 at 11:15AM Cloud