Introduction to FIM CM Smart Cards

Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management

Prerequisite Knowledge

This document assumes that you have a basic understanding of Microsoft® Forefront® Identity Manager (FIM) 2010, Active Directory® Domain Services (AD DS), and Active Directory Certificate Services (AD CS).

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Audience

This guide is intended for information technology (IT) planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010 by using Certificate Management.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete.

Note

These time estimates assume that the testing environment is already configured for the scenario. They do not include the time required to set up the test environment.

Scenario Description

Fabrikam, a fictitious company, wants to evaluate the use of smart cards with Forefront Identity Manager Certificate Management (FIM CM).

Testing environment

The scenario outlined in this document has been developed using two physical computers. The first is a computer running Windows Server® 2008 with Hyper-V™ technology. The server has a 2 × 3.0 gigahertz (GHz) dual-core processor and 4 gigabytes (GB) of random access memory (RAM). This server hosts two virtual machines, shown in Table 1 below. The second physical computer is a portable computer with a GemPlus Gem PC Twin smart card reader.


Table 1   Computers and roles

Name                   | Memory   | Operating system              | Type     | Description
QS-DC.Fabrikam.com     | 512 MB   | Windows Server 2008           | Virtual  | Domain controller
QS-FIMCM.Fabrikam.com  | 2,048 MB | Windows Server 2008           | Virtual  | FIM CM, AD CS, Microsoft SQL Server® 2008, Internet Information Services (IIS) 7.0
QS-Vista.Fabrikam.com  | 1,024 MB | Windows Vista® 64-bit Edition | Physical | Client

Note

Hyper-V is not a requirement to complete the steps outlined in this document. The steps can be implemented on physical computers as long as they reflect the same roles as in Table 1.

Before You Begin

This document covers only the basic smart card functionality of FIM CM. It is designed to get you started quickly in a test environment so that the product can be evaluated. This document does not cover using FIM CM with software certificates. For further information about software certificates, see Introduction to Certificate Management in the FIM 2010 document.

This document requires the following to be true before you complete the steps that it describes. It assumes that:

  • A fabrikam.com Active Directory forest is already in place.

  • QS-DC is the domain controller for this forest.

  • QS-FIMCM and QS-Vista are joined to this domain.

Setting up an Active Directory forest is outside the scope of this document.

Software requirements

The following table summarizes the software that is required to implement the procedures in this document.

Table 2   Software requirements for FIM CM

Software Description

AD DS

An Active Directory infrastructure with a domain controller running Windows Server 2008.

Certification authority (CA)

FIM CM requires at least one of the following: a 32-bit Windows Server 2003 CA, a 32-bit Windows Server 2008 Enterprise CA, or a 64-bit Windows Server 2008 Enterprise CA. The certification authority must be an Enterprise CA.

FIM CM

At least one instance of the software installed on a server that is running Windows Server 2008 Enterprise 64-bit edition or Windows Server 2008 R2 Enterprise.

SQL Server 2008

FIM CM supports the 64-bit edition of SQL Server 2008 Enterprise or SQL Server 2008 Standard.

IIS 7.x

FIM CM uses IIS as its Web server to run the FIM CM Portal.

Microsoft .NET Framework 3.5

FIM CM is a Microsoft .NET–connected application. You must install .NET Framework 3.5 on the server. If FIM CM is installed on the same server as SQL Server 2008, then .NET Framework 3.5 Service Pack 1 (SP1) is required.

Microsoft Internet Explorer® 6.x or later

Because FIM CM requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Internet Explorer 6.x or later is required. In addition, FIM CM has advanced scripting features that are optimized for Internet Explorer.

Required accounts

The following table summarizes the accounts—and the permissions required by those accounts—necessary to implement the procedures in this document.

Table 3   Required accounts

Account Description and permissions

FIM CM Agent

Provides the following services:

  • Retrieves encrypted private keys from the CA

  • Protects smart card personal identification number (PIN) information in the FIM CM database

  • Protects communication between FIM CM and the CA

This user has the following access control settings:

  • Allow logon locally user right

  • Issue and Manage Certificates user right

  • Read permission and Write permission on the system Temp folder at the following location: %WINDIR%\Temp

  • Digital signature and encryption certificate issued and installed in the user store

FIM CM Key Recovery Agent

Recovers archived private keys from the CA.

This user has the following access control settings:

  • Allow logon locally user right

  • Local Administrators group member

  • Enroll permission on the KeyRecoveryAgent certificate template

  • Key Recovery Agent certificate, issued and installed in the user store. The certificate must be added to the list of the Key Recovery Agents on the CA.

  • Read permission and Write permission on the system Temp folder at the following location: %WINDIR%\Temp

FIM CM Authorization Agent

Determines user rights and permissions for users and groups.

This user has the following access control settings:

  • Pre–Windows 2000 Compatible Access domain group member

  • Generate security audits user right

FIM CM CA Manager Agent

Performs CA management activities.

This user must be assigned the Manage CA permission.

FIM CM Web Pool Agent

Provides the identity for the IIS application pool. FIM CM runs within a Microsoft Win32 application programming interface (API) process that uses this user’s credentials.

This user has the following access control settings:

  • Local IIS_WPG group membership

  • Local Administrators group membership

  • Generate security audits user right

  • Act as part of the operating system user right

  • Replace process level token user right

  • Identity of the IIS application pool, CLMAppPool

  • Read permission on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser registry key

This account must also be trusted for delegation.

FIM CM Enrollment Agent

Performs enrollment on behalf of a user. This user has the following access control settings:

  • Enrollment Agent certificate that is issued and installed in the user store

  • Allow logon locally user right

  • Enroll permission on the Enrollment Agent certificate template (or the custom template, if one is used)

Britta Simon

A generic user who is used to test our implementation.
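The user rights in Table 3 are the ones most often missed (or silently lost to a later Group Policy refresh) on the FIM CM server, and two of them (Act as part of the operating system, Replace process level token) make the Web Pool Agent as powerful as SYSTEM on that host, so they deserve a repeatable check. The following script is an added example, not part of the Microsoft guide: it exports the local security policy with secedit and verifies that each agent account is directly assigned the rights Table 3 lists. It assumes an elevated PowerShell session on QS-FIMCM in the fabrikam domain and the account names from Table 8. The privilege constants are the Windows names behind the Local Security Policy display names in Table 3 (Allow logon locally = SeInteractiveLogonRight, Generate security audits = SeAuditPrivilege, Act as part of the operating system = SeTcbPrivilege, Replace process level token = SeAssignPrimaryTokenPrivilege). The CA permissions in Table 3 (Issue and Manage Certificates, Manage CA) live on the CA, not in the local policy, and are not covered here.

```powershell
# Added example (not from the Microsoft guide): check the Table 3 user-right
# assignments for the FIM CM agent accounts on the local server.
# Assumes: elevated session on QS-FIMCM, domain fabrikam, Table 8 account names.

# Display name in Table 3 -> Windows privilege constant
$RequiredRights = @{
    'fabrikam\FIMCMAgent'       = @('SeInteractiveLogonRight')                 # Allow logon locally
    'fabrikam\FIMCMKRAgent'     = @('SeInteractiveLogonRight')
    'fabrikam\FIMCMAuthAgent'   = @('SeAuditPrivilege')                        # Generate security audits
    'fabrikam\FIMCMWebAgent'    = @('SeAuditPrivilege',                        # Generate security audits
                                    'SeTcbPrivilege',                          # Act as part of the operating system
                                    'SeAssignPrimaryTokenPrivilege')           # Replace process level token
    'fabrikam\FIMCMEnrollAgent' = @('SeInteractiveLogonRight')
}

function Get-LocalPrivilegeAssignments {
    # Export only the user-rights area of the local policy and parse [Privilege Rights].
    # Each line looks like: SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-...-1105
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    $map = @{}
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $inSection = $false
        foreach ($line in Get-Content $inf) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
                $right = $matches[1]
                # Values are comma-separated; SIDs carry a leading '*', names appear as-is
                $map[$right] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
    }
    finally { Remove-Item $inf -ErrorAction SilentlyContinue }
    return $map
}

function Test-FimCmUserRights {
    $assigned = Get-LocalPrivilegeAssignments
    $findings = @()
    foreach ($account in $RequiredRights.Keys) {
        # secedit stores SIDs, so resolve the account name to its SID for comparison
        $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        foreach ($right in $RequiredRights[$account]) {
            $holders = @($assigned[$right])
            if (($holders -notcontains $sid) -and ($holders -notcontains $account)) {
                # Direct assignment only: a right inherited through a group such as
                # Administrators is not resolved here and will show up as a finding
                $findings += "$account is not directly assigned $right"
            }
        }
    }
    return $findings
}

Test-FimCmUserRights
```

An empty result means every right in Table 3 is assigned directly to the account; a finding for FIMCMKRAgent or FIMCMWebAgent may simply mean the right comes through the local Administrators membership Table 3 also requires, which is worth confirming rather than assuming.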

Group requirements

The following table summarizes the Active Directory groups that are required to implement the procedures in this document.

Table 4   Required groups

Group Remark

FIM CM Subscribers

A group of all users who access FIM CM for AD CS

Implementing the Procedures in this Document

To implement the procedures in this document, you complete the following steps in the order shown:

  1. Installing IIS 7.0

  2. Installing .NET Framework 3.5 SP1

  3. Deploying Active Directory Certificate Services

  4. Publishing the Key Recovery Agent, Enrollment Agent, and SmartCardLogon certificate template at the CA

  5. Installing SQL Server 2008

  6. Extending the Active Directory schema

  7. Creating the FIMCMObjects container in AD DS

  8. Creating the Active Directory user accounts

  9. Creating the Active Directory group account

  10. Adding the test user to the FIM CM Subscribers group

  11. Installing FIM CM

  12. Running the Certificate Manager Configuration Wizard

  13. Trusting the FIMCMWebAgent account for delegation

  14. Disabling Internet Explorer Enhanced Security for administrators

  15. Disabling kernel-mode authentication

  16. Creating the Fabrikam smart card profile template

  17. Assigning the FIM CM Subscribers group permissions to the service connection point

  18. Assigning FIM CM Subscribers group permissions to the Fabrikam user profile template

  19. Assigning the FIM CM Subscribers group permissions to the users certificate template

  20. Installing .NET Framework 3.5 SP1 on QS-Vista

  21. Installing the Gemalto smart card drivers

  22. Installing the CM client

  23. Adding the CM Web Portal to SiteLock

  24. Adding the FIM CM site to Trusted Sites in Internet Explorer

  25. Activating Initialize and script ActiveX controls not marked as safe for signing

  26. Downloading and installing hotfix 959887

  27. Activating and testing the smart card

  28. Retiring and testing the smart card

  29. Reissuing and testing the smart card

Later topics provide more detail about these steps.

Installing IIS 7.0

Complete the following procedures to set up a basic installation of IIS 7.0 for use with FIM CM. Tables 5 and 6 summarize the individual role services of IIS 7.0 that must be installed.

Table 5   Required IIS 7.0 Web server role services

Role service Required features

Common HTTP features

  • Static content

  • Default document

  • Directory browsing

  • HTTP errors

  • HTTP redirection

Application development

  • Microsoft ASP.NET

  • .NET extensibility

  • Internet Server Application Programming Interface (ISAPI) extensions

  • ISAPI filters

Health and diagnostics

  • HTTP logging

  • Request monitor

Security

  • Windows Integrated Authentication

  • Request filtering

Performance

  • Static content compression

  • Dynamic content compression

Table 6   Required IIS 7.0 Management Tools role services

Role service                          | Required features
IIS Management Console                | N/A
IIS 6.0 Management Compatibility      | N/A

To install IIS 7.0

  1. Log on to the QS-FIMCM server as the administrator.

  2. Click Start, and then click Server Manager.

  3. On the Server Manager page, right-click Roles, and then click Add Roles.

  4. In the Add Roles Wizard, on the Before You Begin page, click Next.

  5. On the Server Roles page, select the Web Server (IIS) check box, and then click Next.

    Note

    To add the Windows Process Activation Service, in the Add features required for Web Server (IIS) box, click the Add Required Features button.

  6. Click Next.

  7. On the Web Server (IIS) page, click Next.

  8. On the Role Services page, select the check boxes for all of the items that are listed in Tables 5 and 6, if they are not already selected.

    Note

    When you select ASP.NET, the Add features required for Web Server (IIS) box appears. Click the Add Required Features button to automatically select ISAPI extensions, ISAPI filters, and .NET extensibility. This also adds the .NET environment to the Windows Process Activation Service.

  9. Click Next.

  10. On the Confirmation page, review the information, and then click Install.

  11. When the installation is complete, on the Results page, click Close.

  12. Close Server Manager.
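The Server Manager wizard above can be replaced by a script that installs exactly the role services in Tables 5 and 6 and nothing else, which both makes the build repeatable and keeps the web server's surface to what FIM CM needs. The following is an added example, not part of the Microsoft guide: it maps each table entry to its Server Manager feature ID, installs whatever is missing, and reports anything still absent afterwards. It assumes an elevated PowerShell session on QS-FIMCM with either the ServerManager module (Windows Server 2008 R2) or ServerManagerCmd.exe (Windows Server 2008).

```powershell
# Added example (not from the Microsoft guide): install and verify the IIS 7.0
# role services from Tables 5 and 6. Assumes an elevated session on QS-FIMCM.

# Server Manager feature IDs, one per Table 5 / Table 6 entry
$RequiredIisFeatures = @(
    'Web-Server',           # Web Server (IIS) role itself
    'Web-Static-Content',   # Common HTTP features: Static content
    'Web-Default-Doc',      #   Default document
    'Web-Dir-Browsing',     #   Directory browsing
    'Web-Http-Errors',      #   HTTP errors
    'Web-Http-Redirect',    #   HTTP redirection
    'Web-Asp-Net',          # Application development: ASP.NET
    'Web-Net-Ext',          #   .NET extensibility
    'Web-ISAPI-Ext',        #   ISAPI extensions
    'Web-ISAPI-Filter',     #   ISAPI filters
    'Web-Http-Logging',     # Health and diagnostics: HTTP logging
    'Web-Request-Monitor',  #   Request monitor
    'Web-Windows-Auth',     # Security: Windows Integrated Authentication
    'Web-Filtering',        #   Request filtering
    'Web-Stat-Compression', # Performance: Static content compression
    'Web-Dyn-Compression',  #   Dynamic content compression
    'Web-Mgmt-Console',     # Table 6: IIS Management Console
    'Web-Mgmt-Compat'       # Table 6: IIS 6 Management Compatibility
)

function Get-MissingIisFeatures {
    param([string[]]$Features = $RequiredIisFeatures)
    if (Get-Module -ListAvailable -Name ServerManager) {
        Import-Module ServerManager
        return @(Get-WindowsFeature -Name $Features | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name })
    }
    # Windows Server 2008: parse "-query" output, whose lines look like
    # "        [X] Static Content  [Web-Static-Content]"
    $installed = @()
    foreach ($line in (& "$env:windir\system32\ServerManagerCmd.exe" -query)) {
        if ($line -match '^\s*\[X\]\s+.*\[(?<id>[^\]]+)\]\s*$') { $installed += $matches['id'] }
    }
    return @($Features | Where-Object { $installed -notcontains $_ })
}

function Install-FimCmIisFeatures {
    param([string[]]$Features = $RequiredIisFeatures)
    $missing = Get-MissingIisFeatures -Features $Features
    if ($missing.Count -eq 0) { return @() }

    if (Get-Module -ListAvailable -Name ServerManager) {
        $result = Add-WindowsFeature -Name $missing
        if ($result.RestartNeeded -ne 'No') { Write-Warning "Restart needed: $($result.RestartNeeded)" }
    }
    else {
        # ServerManagerCmd.exe installs one feature ID per call
        foreach ($id in $missing) { & "$env:windir\system32\ServerManagerCmd.exe" -install $id }
    }
    # Anything still missing after the install is returned for the operator to look at
    return Get-MissingIisFeatures -Features $Features
}

Install-FimCmIisFeatures
```

The Windows Process Activation Service that the wizard note mentions is pulled in automatically as a dependency of Web-Server and Web-Asp-Net. Installing the Directory Browsing role service only makes the feature available; it does not turn directory listing on for the site.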

Installing .NET Framework 3.5 SP1

The following steps show you how to install the .NET Framework 3.5.

To install .NET Framework 3.5 SP1

  1. Log on to the QS-FIMCM server as the administrator.

  2. On the QS-FIMCM server, download .NET Framework 3.5 (https://go.microsoft.com/fwlink/?LinkID=129538).

  3. To install .NET Framework 3.5, double-click the dotnetfx35.exe file.

  4. On the Welcome to Setup page, read the Microsoft Software License Terms, select the I have read and ACCEPT the terms in the License Agreement check box, and then click Install.

  5. When the installation is complete, on the Setup Complete page, click Exit.

  6. On the Restart Server page, click Restart now.

Deploying Active Directory Certificate Services

The following steps show you how to set up AD CS on the QS-FIMCM server.

To install AD CS

  1. Log on to the QS-FIMCM server as the administrator.

  2. Click Start, and then click Server Manager.

  3. On the Server Manager page, right-click Roles, and then click Add Roles.

  4. In the Add Roles Wizard, on the Before You Begin page, click Next.

  5. On the Server Roles page, select the Active Directory Certificate Services check box, and then click Next.

  6. On the AD CS page, click Next.

  7. On the Role Services page, ensure that the Certification Authority check box is selected, and then click Next.

  8. On the Setup Type page, ensure that Enterprise is selected, and then click Next.

  9. On the CA Type page, ensure that Root CA is selected, and then click Next.

  10. On the Private Key page, ensure that Create a new private key is selected, and then click Next.

  11. On the Cryptography page, leave the default values unchanged, and then click Next.

  12. On the CA Name page, leave the default values unchanged, and then click Next.

  13. On the Validity Period page, leave the default values unchanged, and then click Next.

  14. On the Certificate database page, leave the default values unchanged, and then click Next.

  15. On the Confirmation page, review the information, and then click Install.

  16. When the installation is finished, on the Results page, click Close.

  17. Close Server Manager.

Publishing the Key Recovery Agent, Enrollment Agent, and SmartCardLogon certificate template at the CA

In this section, you publish the certificate templates at the CA.

To publish the certificate templates at the CA

  1. Click Start, click Administrative Tools, and then click Certification Authority.

  2. In the certsrv Microsoft Management Console (MMC), expand fabrikam-QS-FIMCM-CA.

  3. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  4. In the list, hold down the CTRL key, select Enrollment Agent, Key Recovery Agent, and SmartCardLogon, and then click OK.

  5. Verify that Enrollment Agent, Key Recovery Agent, and SmartCardLogon are now part of the list of Certificate Templates. Close the certsrv MMC.
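Publishing a template is what makes it enrollable, and Enrollment Agent in particular is a template whose published state should be deliberate, so it helps to be able to publish and review the list from a script. The following is an added example, not part of the Microsoft guide: it publishes the three templates with certutil and then returns both what is still missing and what else is published on the CA so it can be reviewed. It assumes an elevated session on QS-FIMCM (the CA host) as a CA administrator. The three names are the templates' common names (the cn attribute), which certutil works with, rather than the display names the MMC shows.

```powershell
# Added example (not from the Microsoft guide): publish the FIM CM templates on
# the CA and report the published set. Assumes an elevated session on QS-FIMCM.

# Template common names (cn), as certutil expects them
$FimCmTemplates = @('EnrollmentAgent', 'KeyRecoveryAgent', 'SmartcardLogon')

function Get-PublishedTemplates {
    # certutil -CATemplates prints one "TemplateName: Display Name -- flags" line per
    # published template, followed by a "CertUtil: ... completed successfully." line
    $names = @()
    foreach ($line in (& certutil.exe -CATemplates)) {
        if ($line -match '^(?<cn>[^:\s]+):\s' -and $matches['cn'] -ne 'CertUtil') { $names += $matches['cn'] }
    }
    return $names
}

function Publish-FimCmTemplates {
    $published = Get-PublishedTemplates
    $missing   = @($FimCmTemplates | Where-Object { $published -notcontains $_ })
    if ($missing.Count -gt 0) {
        # "+Name" adds a template to the CA's published list without touching the others
        $plus = @($missing | ForEach-Object { "+$_" })
        & certutil.exe -SetCATemplates $plus
        $published = Get-PublishedTemplates
    }
    New-Object PSObject -Property @{
        StillMissing = @($FimCmTemplates | Where-Object { $published -notcontains $_ })
        # Published templates this guide does not call for; the Enterprise CA defaults
        # (User, Machine, DomainController and so on) appear here and are expected
        NotInGuide   = @($published | Where-Object { $FimCmTemplates -notcontains $_ })
    }
}

Publish-FimCmTemplates
```

StillMissing should be empty after the run; NotInGuide is a review list, not an error list, since the CA setup in the previous section publishes several default templates of its own.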

Installing SQL Server 2008

The following steps show you how to set up a basic installation of SQL Server 2008 for a lab environment. Table 7 summarizes the required SQL Server 2008 features.

Table 7   Required SQL Server 2008 features

Feature Remarks

Database Engine Services

  • SQL Server replication

  • Full-text search

Management Tools - basic

  • Management tools - complete

To install SQL Server 2008

  1. Log on to the QS-FIMCM server as the administrator.

  2. Place the SQL Server 2008 installation medium into the CD drive.

  3. On the AutoPlay page, select Run SETUP.EXE.

  4. A message appears prompting you to install the .NET Framework and an updated version of Windows Installer. Click OK.

  5. To install the hotfix for Windows (KB942288), in the Windows Update Stand-alone Installer dialog box, click OK.

  6. When the installation is complete, click Restart Now.

  7. When the QS-FIMCM server has restarted, log on again as the administrator.

  8. Click Start, and then click Computer.

  9. Double-click the drive containing the SQL Server 2008 installation medium.

  10. On the SQL Server Installation Center page, click Installation.

  11. To start the SQL Server 2008 Setup Wizard, select New SQL Server stand-alone installation or add features in an existing installation.

  12. When the SQL Server 2008 Setup Wizard is finished running the prerequisite checks, it displays Passed: 6. Click OK to continue and close the wizard.

  13. In the new Setup wizard, open the Product Key page. Type your product key number, and then click Next.

  14. On the License Terms page, after reading the Microsoft Software License Terms, select the I accept the license terms check box, and then click Next.

  15. On the Setup Support Files page, click Install.

  16. When the installation is finished, a new wizard appears. On the Setup Support Rules page, click Next.

  17. On the Feature Selection page, select the items listed in Table 7, and then click Next.

  18. On the Instance Configuration page, leave the default values unchanged, and then click Next.

  19. On the Disk Space Requirements page, leave the default values unchanged, and then click Next.

  20. On the Server Configuration page, click the Use the same account for all SQL Server services button.

  21. On the Use the same account for all SQL Server services page, next to Account Name, type fabrikam\Administrator. Next to the password, type the administrator’s password. Click OK.

  22. Click Next.

  23. On the Database Engine Configuration page, click the Add Current User button, and then click Next.

  24. On the Error and Usage Reporting page, leave the default values unchanged, and then click Next.

  25. On the Installation Rules page, leave the default values unchanged, and then click Next.

  26. On the Ready to Install page, click Install.

  27. When the installation is completed, on the Installation Progress page, click Next.

  28. On the Complete page, click Close.

Extending the Active Directory schema

In this section, you extend the Active Directory schema. To simplify the process of extending the Active Directory schema, you use the Microsoft Visual Basic® script file that ships with Microsoft Identity Lifecycle Manager 2007 (ILM 2007).

To extend the Active Directory schema

  1. Log on to the QS-DC server as Administrator.

  2. Place the FIM 2010 installation medium in the server CD drive.

  3. Click Start, and then click Computer.

  4. Right-click the CD drive that contains the FIM 2010 installation medium, and then click Explore.

  5. In the Certificate Management installation folder, double-click the x64 folder, and then open the Schema folder.

  6. To update the Active Directory schema, in the Schema folder, double-click the ModifySchema.vbs file.

  7. To finalize the schema extension process, in the Success dialog box, click OK.

Creating the FIMCMObjects container in AD DS

In this section, you create the FIMCMObjects container in AD DS. This organizational unit (OU) will be the container for the additional Active Directory objects that are required.

To create the FIMCMObjects container

  1. Log on to the QS-DC server as the administrator.

  2. Click Start, click Administrative tools, and then click Active Directory Users and Computers.

  3. Right-click fabrikam.com, click New, and then click Organizational Unit.

  4. On the New Object – Organizational Unit page, in the Name text box, type FIMCMObjects, and then click OK.

  5. Close Active Directory Users and Computers.

Creating the Active Directory user accounts

In this section, you create the Active Directory user accounts that are used in this scenario. Seven accounts in total are created: FIM CM uses six accounts to perform its various operations (detailed in Table 3), and one account simulates a regular user. Table 8 summarizes the accounts that will be created.

Note

You can let the FIM CM Configuration Wizard create the six required accounts automatically. However, because it is a best practice in a production environment to create these accounts manually and ensure that they have replicated before you run the FIM CM Configuration Wizard, this document uses that approach.

Table 8   Account summary

First name                 | Last name | User logon name   | Password
FIM CM Agent               |           | FIMCMAgent        | Pass1word!
FIM CM Key Recovery Agent  |           | FIMCMKRAgent      | Pass1word!
FIM CM Authorization Agent |           | FIMCMAuthAgent    | Pass1word!
FIM CM CA Manager Agent    |           | FIMCMManagerAgent | Pass1word!
FIM CM Web Pool Agent      |           | FIMCMWebAgent     | Pass1word!
FIM CM Enrollment Agent    |           | FIMCMEnrollAgent  | Pass1word!
Britta                     | Simon     | bsimon            | Pass1word!

To create the Active Directory user accounts

  1. Log on to the QS-DC server as the administrator.

  2. Click Start, click Administrative tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand fabrikam.com, right-click FIMCMObjects, click New, and then click User.

  4. On the New Object – User page, in the First Name text box, type FIM CM Agent.

  5. In the User logon text box, type FIMCMAgent, and then click Next.

  6. In the Password text box, type Pass1word!.

  7. In the Confirm Password text box, type Pass1word!.

  8. Clear the User must change password at next logon check box.

  9. Select the Password never expires check box, and then click Next.

  10. Click Finish.

  11. Repeat these steps for all the accounts that are listed in Table 8.

Creating the Active Directory group account

In this section, you create the one Active Directory group account that is used in this scenario.

Table 9   Group account summary

Group name         | Group scope | Group type
FIM CM Subscribers | Global      | Security

To create the Active Directory group object

  1. Log on to the QS-DC server as the administrator.

  2. Click Start, click Administrative tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand fabrikam.com, right-click FIMCMObjects, click New, and then click Group.

  4. On the New Object – Group page, in the Group Name text box, type FIM CM Subscribers.

  5. Ensure that the Group Scope is Global and that the Group Type is Security.

  6. Click OK.

Adding the test user to the FIM CM Subscribers group

In this section, you add the test user to the FIM CM Subscribers group.

To add Britta Simon to the FIM CM Subscribers group

  1. Log on to the QS-DC server as the administrator.

  2. Click Start, click Administrative tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand fabrikam.com, select FIMCMObjects, right-click FIM CM Subscribers, and then click Properties.

  4. On the FIM CM Subscribers Properties page, on the Members tab, click the Add button.

  5. On the Select Users, Contacts, Computers, or Groups page, in the Enter the object names to select text box, type Britta Simon, and then click Check Names.

    When the account resolves successfully, the name is underlined.

  6. Click OK.

  7. Click Apply, and then click OK.

  8. Close Active Directory Users and Computers.
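The three preceding sections (the FIMCMObjects OU, the seven accounts in Table 8, the group in Table 9 and the test user's membership) are one procedure that is easy to script, which also makes it easy to rebuild the lab consistently. The following is an added example, not part of the Microsoft guide: it creates the same objects with the ActiveDirectory module, setting the same account options the wizard steps describe (User must change password at next logon cleared, Password never expires selected). It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or RSAT) and that it runs on QS-DC as a domain administrator. Rather than embedding the Pass1word! value from Table 8 in the script, it reads one password for all lab accounts from a secure prompt.

```powershell
# Added example (not from the Microsoft guide): create the FIMCMObjects OU, the
# Table 8 accounts, the Table 9 group and the test user's membership.
# Assumes: ActiveDirectory module, run on QS-DC as a domain administrator.
Import-Module ActiveDirectory

$Domain = 'DC=fabrikam,DC=com'
$OuName = 'FIMCMObjects'
$OuPath = "OU=$OuName,$Domain"

# Table 8 rows: first name, last name, user logon name
$Accounts = @(
    @{ First = 'FIM CM Agent';               Last = '';      Sam = 'FIMCMAgent' },
    @{ First = 'FIM CM Key Recovery Agent';  Last = '';      Sam = 'FIMCMKRAgent' },
    @{ First = 'FIM CM Authorization Agent'; Last = '';      Sam = 'FIMCMAuthAgent' },
    @{ First = 'FIM CM CA Manager Agent';    Last = '';      Sam = 'FIMCMManagerAgent' },
    @{ First = 'FIM CM Web Pool Agent';      Last = '';      Sam = 'FIMCMWebAgent' },
    @{ First = 'FIM CM Enrollment Agent';    Last = '';      Sam = 'FIMCMEnrollAgent' },
    @{ First = 'Britta';                     Last = 'Simon'; Sam = 'bsimon' }
)

function New-FimCmLabObjects {
    param(
        # One password for every lab account, prompted instead of hard-coded
        [System.Security.SecureString]$Password = (Read-Host -AsSecureString 'Password for all lab accounts')
    )

    # Container for the FIM CM objects (the "Creating the FIMCMObjects container" section)
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $Domain)) {
        New-ADOrganizationalUnit -Name $OuName -Path $Domain
    }

    # Accounts from Table 8; re-running the script leaves existing ones untouched
    foreach ($a in $Accounts) {
        if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") { continue }
        $displayName = @($a.First, $a.Last | Where-Object { $_ }) -join ' '
        $params = @{
            Name                  = $displayName
            GivenName             = $a.First
            SamAccountName        = $a.Sam
            UserPrincipalName     = "$($a.Sam)@fabrikam.com"
            Path                  = $OuPath
            AccountPassword       = $Password
            Enabled               = $true
            ChangePasswordAtLogon = $false   # "User must change password at next logon" cleared
            PasswordNeverExpires  = $true    # "Password never expires" selected, as in the guide
        }
        if ($a.Last) { $params['Surname'] = $a.Last }
        New-ADUser @params
    }

    # Group from Table 9 and the test user's membership
    if (-not (Get-ADGroup -Filter "Name -eq 'FIM CM Subscribers'")) {
        New-ADGroup -Name 'FIM CM Subscribers' -GroupScope Global -GroupCategory Security -Path $OuPath
    }
    $isMember = Get-ADGroupMember -Identity 'FIM CM Subscribers' | Where-Object { $_.SamAccountName -eq 'bsimon' }
    if (-not $isMember) { Add-ADGroupMember -Identity 'FIM CM Subscribers' -Members 'bsimon' }

    # Return what now exists in the OU so the result can be checked against Tables 8 and 9
    Get-ADObject -SearchBase $OuPath -Filter 'ObjectClass -eq "user" -or ObjectClass -eq "group"' |
        Select-Object Name, ObjectClass
}

New-FimCmLabObjects
```

As the note before Table 8 says, give the new objects time to replicate before running the Certificate Manager Configuration Wizard on QS-FIMCM.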

Installing FIM CM

The following steps show you how to install the FIM CM binaries.

To install FIM CM

  1. Log on to the QS-FIMCM server as the administrator.

  2. Place the FIM 2010 installation medium into the CD drive.

  3. On the startup screen, under Identity Manager Certificate Management, select Install Certificate Management 64 bit.

    Note

    You may be prompted by the following message: Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer? For this scenario, you can safely ignore this warning and click Yes.

  4. On the File Download – Security Warning page, click Run.

  5. On the Internet Explorer – Security Warning page, click Run.

  6. In the Forefront Identity Manager Certificate Management Setup Wizard, on the Welcome page, click Next.

  7. On the End-User License Agreement page, after reading the Microsoft Software License Terms, select the I accept the terms in the license agreement check box, and then click Next.

  8. On the Custom Setup page, leave the default values unchanged, and then click Next.

  9. On the Virtual Web Folder page, ensure that the Virtual folder is set at the default value of CertificateManagement, and then click Next.

  10. On the Install Forefront Identity Manager Certificate Management page, click Install.

  11. When the installation is complete, click Finish.

Running the Certificate Manager Configuration Wizard

The following steps will show you how to configure FIM CM.

To run the Certificate Manager Configuration Wizard

  1. Log on to the QS-FIMCM server as the administrator.

  2. On the QS-FIMCM server, click Start, select All Programs, click Microsoft Forefront Identity Manager, and then click Certificate Manager Config Wizard.

  3. On the Welcome page, click Next.

  4. On the Certification Authority page, leave the default values unchanged, and then click Next.

  5. On the SQL Server page, leave the default values unchanged, and then click Next.

  6. On the Database page, leave the default values unchanged, and then click Next.

  7. On the Active Directory page, leave the default values unchanged, and then click Next.

  8. On the FIM CM Agent Accounts page, clear the Use the FIM CM default settings check box, and then click Custom Accounts.

  9. On the Agents – FIM CM page, on the FIM CM Agent tab, in the User Name text box, type FIMCMAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.

  10. On the Key Recovery Agent tab, in the User Name text box, type FIMCMKRAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.

  11. On the Authorization Agent tab, in the User Name text box, type FIMCMAuthAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.

  12. On the CA Manager Agent tab, in the User Name text box, type FIMCMManagerAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.

  13. On the Web Pool Process Worker Agent tab, in the User Name text box, type FIMCMWebAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.

  14. On the Enrollment Agent tab, in the User Name text box, type FIMCMEnrollAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.

  15. Click OK and, on the FIM CM Agent Accounts page, click Next.

  16. On the Certificates page, leave the default values unchanged, and then click Next.

  17. On the E-mail page, leave the default values unchanged, and then click Next.

  18. On the Summary page, review the configuration, and then click Configure.

    Note

    A message appears prompting you to configure the FIM CM virtual IIS directory to require a secure channel (SSL). This message can be safely ignored. Click OK.

  19. When the configuration completes, click Finish.

Trusting the FIMCMWebAgent account for delegation

In this section, you trust the FIMCMWebAgent account.

To trust the FIMCMWebAgent account for delegation

  1. Log on to the QS-DC server as the administrator.

  2. Click Start, click Administrative tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand fabrikam.com, select FIMCMObjects, right-click FIM CM Web Pool Agent, and then click Properties.

  4. On the FIM CM Web Agent Properties page, on the Delegation tab, select Trust this user for delegation to any service (Kerberos).

  5. Click Apply, and then click OK.

  6. Close Active Directory Users and Computers.
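The Delegation tab option chosen above is unconstrained Kerberos delegation: once it is set, the FIMCMWebAgent account can use the identity of any user who authenticates to the portal against any service in the domain. That is why the guide dedicates a step to it, and why the set of accounts carrying the flag should stay short and known. The following is an added example, not part of the Microsoft guide: it sets the same flag with the ActiveDirectory module and then lists every user and computer account in the domain that is trusted for unconstrained delegation (domain controllers excluded, since they hold the flag by design), so the lab's one intended exception can be reviewed against the rest. It assumes the ActiveDirectory module and a session on QS-DC as a domain administrator.

```powershell
# Added example (not from the Microsoft guide): set TrustedForDelegation on
# FIMCMWebAgent and audit which accounts in the domain carry that flag.
# Assumes: ActiveDirectory module, run on QS-DC as a domain administrator.
Import-Module ActiveDirectory

function Set-FimCmWebAgentDelegation {
    # "Trust this user for delegation to any service (Kerberos)" is the
    # TRUSTED_FOR_DELEGATION bit of userAccountControl
    Set-ADAccountControl -Identity 'FIMCMWebAgent' -TrustedForDelegation $true
    # Read it back so the caller sees the stored value, not just the absence of an error
    (Get-ADUser -Identity 'FIMCMWebAgent' -Properties TrustedForDelegation).TrustedForDelegation
}

function Get-UnconstrainedDelegationAccounts {
    # User accounts with the flag set
    $users = Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties ServicePrincipalName |
        Select-Object SamAccountName, @{ n = 'Type'; e = { 'User' } }, ServicePrincipalName
    # Computer accounts with the flag set, excluding domain controllers (primary group 516)
    $computers = Get-ADComputer -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516 } -Properties ServicePrincipalName |
        Select-Object SamAccountName, @{ n = 'Type'; e = { 'Computer' } }, ServicePrincipalName
    return @($users) + @($computers)
}

Set-FimCmWebAgentDelegation
Get-UnconstrainedDelegationAccounts
```

In this lab the audit should return FIMCMWebAgent and nothing else; any other entry is an account that can impersonate users domain-wide and should have a documented reason for it.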

Disabling Internet Explorer Enhanced Security for administrators

In this section, you will disable the Internet Explorer Enhanced Security Configuration.

To disable Internet Explorer Enhanced Security Configuration

  1. Log on to the QS-FIMCM server as the administrator.

  2. Click Start, and then click Server Manager.

  3. On the Server Manager page, scroll down to Security Information, and then select Configure IE ESC.

  4. On the Internet Explorer Enhanced Security Configuration page, under Administrators, select Off.

  5. Click OK.

  6. Close Server Manager.

Disabling kernel-mode authentication

To use FIM CM with IIS 7.0, you must disable kernel-mode authentication.

To disable kernel-mode authentication

  1. Log on to the QS-FIMCM server as the administrator.

  2. On the QS-FIMCM server, click Start, click Administrative Tools, and open the Internet Information Services Manager.

  3. In the console tree, expand Sites, expand Default Web Site, and then click CertificateManagement.

  4. In the center pane, scroll down and double-click Authentication.

  5. Right-click Windows Authentication, and then click Advanced Settings.

  6. Clear the Enable kernel-mode authentication check box.

  7. Click OK.

  8. Close Internet Information Services Manager.
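The reason this step is needed: with kernel-mode authentication on, IIS decrypts Kerberos tickets in the kernel using the machine account, but the FIM CM application pool runs as the FIMCMWebAgent domain account, so the ticket cannot be used under that identity. Turning kernel mode off makes the worker process handle authentication under the pool identity (the alternative IIS offers, the useAppPoolCredentials attribute, is not what the guide chooses). The following is an added example, not part of the Microsoft guide: it makes the same change for the CertificateManagement application through the IIS configuration provider and reads the stored value back. It assumes an elevated PowerShell session on QS-FIMCM with either the WebAdministration module (Windows Server 2008 R2) or the IIS 7.0 PowerShell snap-in (Windows Server 2008).

```powershell
# Added example (not from the Microsoft guide): disable kernel-mode Windows
# authentication for Default Web Site/CertificateManagement and verify it.
# Assumes an elevated session on QS-FIMCM with the WebAdministration module or snap-in.
if (Get-Module -ListAvailable -Name WebAdministration) { Import-Module WebAdministration }   # Server 2008 R2
else { Add-PSSnapin WebAdministration }                                                       # Server 2008 snap-in

$Site   = 'Default Web Site'
$App    = 'CertificateManagement'
$Filter = 'system.webServer/security/authentication/windowsAuthentication'

function Get-KernelModeSetting {
    # Returns $true when kernel-mode authentication is on for the application
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$App" -Filter $Filter -Name useKernelMode
    if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
}

function Disable-KernelModeAuthentication {
    # Same change as clearing "Enable kernel-mode authentication" in Advanced Settings;
    # -Location scopes it to the application instead of the whole site
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$App" -Filter $Filter -Name useKernelMode -Value $false
    return Get-KernelModeSetting
}

$before = Get-KernelModeSetting
$after  = Disable-KernelModeAuthentication
"useKernelMode for $Site/$App : before=$before after=$after"
```

The same change can be made without PowerShell with appcmd: `appcmd set config "Default Web Site/CertificateManagement" -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"False" /commit:apphost`. Either way the setting is written to applicationHost.config, so a later Group Policy or IIS reset does not revert it.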

Creating the Fabrikam smart card profile template

In this section, you create the Fabrikam smart card profile template.

To create the Fabrikam smart card profile template

  1. Log on to the QS-FIMCM server as the administrator.

  2. In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.

  3. On the Forefront Identity Manager page, click Click to enter.

  4. On the Forefront Identity Manager Certificate Management home page, under Administration, click Manage profile templates.

  5. On the Profile Template Management page, select the FIM CM Sample Smart Card Logon Profile Template check box, and then click Copy a selected profile template.

  6. On the Duplicate Profile page, clear the New profile template name text box, and then type Fabrikam Smart Card Profile Template. Click OK.

  7. On the Edit Profile Template [FIM CM User Profile Template] page, scroll down to Smart Card Configuration, and then click Change Settings.

  8. In the User PINs section, under User PIN policy, select User Provided, and then click OK.

  9. On the Edit Profile Template [FIM CM User Profile Template] page, under Select a view, click Enroll Policy.

  10. On the Edit Profile Template [FIM CM User Profile Template] page, under Workflow: Initiate Enroll Request, click Add new principal for enroll request initiation.

  11. On the Edit Profile Template [FIM CM User Profile Template] page, next to the Principal box, click Lookup.

  12. On the Search for Users and Groups page, select Groups, and in the Name text box, type FIM CM Subscribers. Click Search.

  13. When the search is completed, under User Logon, click fabrikam\FIM CM Subscribers.

  14. Click OK.

  15. On the Edit Profile Template [FIM CM User Profile Template] page, under Select a view, click Retire Policy.

  16. On the Edit Profile Template [FIM CM User Profile Template] page, under Workflow: Initiate Enroll Request, click Add new principal for enroll request initiation.

  17. On the Edit Profile Template [FIM CM User Profile Template] page, next to the Principal box, click Lookup.

  18. On the Search for Users and Groups page, select Groups, and in the Name text box, type FIM CM Subscribers, and then click Search.

  19. When the search is finished, under User Logon, click fabrikam\FIM CM Subscribers.

  20. Click OK.

  21. Close Internet Explorer.

Assigning the FIM CM Subscribers group permissions to the service connection point

In this section, you assign the FIM CM Subscribers group permissions to the service connection point.

To assign the FIM CM Subscribers group permissions to the service connection point

  1. Log on to the QS-DC server as Administrator.

  2. Click Start, click Administrative tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand fabrikam.com, expand System, expand Microsoft, expand Certificate Lifecycle Manager, right-click QS2-FIMCM, and then click Properties.

  4. On the QS2-FIMCM Properties page, click the Security tab, and then click Add.

  5. In the Enter the object names to select text box, type FIM CM Subscribers, and then click Check Names.

    When the account successfully resolves, the name is underlined.

  6. Click OK.

  7. Ensure that the FIM CM Subscribers group is selected, and then under Allow, select Read.

  8. Click Apply, and then click OK.

  9. Close Active Directory Users and Computers.

Assigning FIM CM Subscribers group permissions to the Fabrikam user profile template

In this section, you grant access to the FIM CM user profile template. This must be done before your user, Britta Simon, can use the template.

To assign permissions to the Fabrikam user profile template

  1. Log on to the QS-DC server as the administrator.

  2. Click Start, click Administrative tools, and then click Active Directory Sites and Services.

  3. Click View, and then click Show services node.

  4. Expand Services, expand Public Key Services, and then select Profile Templates.

  5. Right-click Fabrikam User Profile Template, and then click Properties.

  6. On the Security tab, click the Add button.

  7. In the Enter the object names to select text box, type FIM CM Subscribers, and then click Check Names.

    When the account successfully resolves, the name is underlined.

  8. Click OK.

  9. Ensure that the FIM CM Subscribers group is selected, and under Allow, select Read and FIM CM Enroll.

  10. Click Apply, and then click OK.

  11. Close Active Directory Sites and Services.

Assigning the FIM CM Subscribers group permissions to the users certificate template

In this section, you assign the FIM CM Subscribers group permissions to the users certificate template.

To assign the FIM CM Subscribers group permissions to the users certificate template

  1. Log on to the QS-FIMCM server as the administrator.

  2. Click Start, click Run, and then in the text box, type mmc. Click OK.

  3. Select File, and then click Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins page, select Certificate Templates, and then click Add.

  5. Click OK.

  6. On the Console1 page, click Certificate Templates (QS-FIMCM). This populates the center pane with a list of certificate templates.

  7. Right-click User, and then click Properties.

  8. In the User Properties page, on the Security tab, click the Add button.

  9. In the Enter the object names to select text box, type FIM CM Subscribers, and then click Check Names.

    When the account successfully resolves, the name is underlined.

  10. Click OK.

  11. Ensure that the FIM CM Subscribers group is selected, and, under Allow, select the Read and Enroll check boxes.

  12. Click Apply, and then click OK.

  13. Close Console1.

Installing .NET Framework 3.5 SP1 on QS-Vista

The following steps will show you how to set up .NET Framework 3.5 on the QS-Vista client. This is a requirement prior to installing the FIM CM client.

To install .NET Framework 3.5 SP1 on QS-Vista

  1. Log on to the QS-Vista client as the administrator.

  2. On the QS-Vista client, download .NET Framework 3.5 (https://go.microsoft.com/fwlink/?LinkID=129538).

  3. When the download is completed, double-click the dotnetfx35.exe file.

  4. On the Welcome to Setup page, after reading the Microsoft Software License Terms, select the I have read and ACCEPT the terms in the License Agreement check box, and then click Install.

  5. When the installation is completed, on the Setup Complete page, click Exit.

  6. On the Restart page, click Restart now.

Installing the Gemalto smart card drivers

The following steps will show you how to install the Gemalto smart card drivers.

To install the Gemalto smart card drivers

  1. Log on to the QS-Vista client as the administrator.

  2. On the QS-Vista client, download the Gemalto drivers (https://go.microsoft.com/fwlink/?LinkId=186367).

  3. When the download is finished, double-click the GemCCIDen-us_32.msi file.

  4. On the Welcome to the PC CCID Setup Wizard page, click Next.

  5. On the End-User License Agreement page, after reading the Microsoft Software License Terms, select the I accept the terms in the License Agreement check box, and then click Next.

  6. On the Ready to install PC CCID page, click Install.

  7. When the installation is completed, click Finish.

  8. Plug the Gem PC Twin smart card reader into a USB port on QS-Vista and verify that it is detected.

Installing the CM client

The following steps will show you how to install the CM client.

To install the CM client

  1. Log on to the QS-Vista client as the administrator.

  2. On the startup screen, under Identity Manager Clients, Add-ins and Extensions, select Install CM Client 32 bit.

    Note

    You may be prompted by the following message: Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer? For this scenario, you can safely ignore this warning and click Yes.

  3. On the File Download – Security Warning page, click Run.

  4. On the Internet Explorer – Security Warning page, click Run.

  5. In the Forefront Identity Manager CM Client Setup wizard, on the Welcome page, click Next.

  6. On the End-User License Agreement page, after reading the Microsoft Software License Terms, select the I accept the terms in the license agreement check box, and then click Next.

  7. On the Custom Setup page, leave the default values unchanged, and then click Next.

  8. On the Install Forefront Identity Manager CM Client page, click Install.

  9. When the installation is completed, click Finish.

Adding the CM Web Portal to SiteLock

The following steps show you how to add the CM Web Portal to SiteLock.

To add the CM Web Portal to SiteLock

  1. Log on to the QS-Vista client as the administrator.

  2. Click Start, and then click Run.

  3. In the Open text box, type regedit, and then click OK.

  4. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient, right-click SiteLock, and then click Modify.

  5. On the Edit String page, in the Value data text box, type fabrikam.com, and then click OK.

    Tip

    The value for SiteLock is a delimited list of allowable domains. Items in this list are separated by a “;”. Both http and https are allowed. An entry is considered a match if it matches the domain of the URL exactly, or if the URL's domain is a subdomain of an exact match. For additional information, see Release Notes for Forefront Identity Manager Certificate Manager (FIM CM) (https://go.microsoft.com/fwlink/?LinkId=206114).

  6. Close the Registry Editor.
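The matching rule described in the tip above, worked through as an added example (this is the editor's reading of the rule, not FIM CM's own code): the SiteLock string is split on “;”, only http and https URLs are accepted, and a host matches an entry exactly or as a subdomain on a label boundary. The SITELOCK_VALUE and the cm.contoso.com entry are constructed for the example; fabrikam.com is the lab domain used in this walkthrough.

```python
from urllib.parse import urlsplit

# Constructed sample of the SiteLock registry string: a ";"-delimited list of
# allowed domains. fabrikam.com is the page's lab domain; cm.contoso.com is
# an extra constructed entry to show a multi-item list.
SITELOCK_VALUE = "fabrikam.com;cm.contoso.com"


def parse_sitelock(value: str) -> list[str]:
    """Split the delimited SiteLock string into lowercase domain entries."""
    entries = []
    for item in value.split(";"):
        item = item.strip().lower()
        # Tolerate entries written as URLs by keeping only the host part.
        if "://" in item:
            item = urlsplit(item).hostname or ""
        if item:
            entries.append(item.rstrip("."))
    return entries


def url_allowed(url: str, sitelock_value: str) -> bool:
    """Return True if the URL's host matches a SiteLock entry.

    Matching follows the tip: the host equals an entry exactly, or is a
    subdomain of one. Subdomain checks are done on a label boundary, so
    'evilfabrikam.com' does not match 'fabrikam.com' (a bare endswith()
    check would wrongly accept it). Only http and https schemes qualify.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for entry in parse_sitelock(sitelock_value):
        if host == entry or host.endswith("." + entry):
            return True
    return False


if __name__ == "__main__":
    for candidate in ("https://qs-fimcm.fabrikam.com/certificatemanagement",
                      "https://evilfabrikam.com/certificatemanagement"):
        print(candidate, "->", url_allowed(candidate, SITELOCK_VALUE))
```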

Adding the FIM CM site to Trusted Sites in Internet Explorer

In this section, you add the FIM CM site to Trusted Sites in Internet Explorer.

To add the FIM CM site to Trusted Sites in Internet Explorer

  1. Log on to the QS-Vista client as Britta Simon.

  2. In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.

  3. In the Tools menu, click Internet Options.

  4. On the Security tab, in the Select a zone to view or change security settings box, click Trusted sites.

  5. Click the Sites button.

  6. On the Trusted sites page, in the Add this website to the zone box, type http://qs-fimcm, clear the Require server verification (https:) for all sites in this zone check box, and then click Add.

  7. Click Close.

  8. On the Internet Options page, click OK.

  9. Close Internet Explorer.

Activating Initialize and script ActiveX controls not marked as safe for signing

In this section, you activate Initialize and script ActiveX controls not marked as safe for signing in Internet Explorer. This is required because SSL is not used in this lab environment. By default, in Windows Vista SP1, the Web control that you use to request a certificate is only marked as safe if it is hosted over SSL.

To activate Initialize and script ActiveX controls not marked as safe for signing

  1. Log on to the QS-Vista client as Britta Simon.

  2. In Internet Explorer, click the Tools menu, and then click Internet Options.

  3. On the Security tab, in the Select a zone to view or change security settings box, click Trusted sites.

  4. Click the Custom level button.

  5. On the Security Settings – Trusted Sites Zone page, in the Settings box, under Initialize and script ActiveX controls not marked as safe for signing, click Enable.

  6. Click OK.

  7. On the Internet Options page, click OK.

  8. Close Internet Explorer.

Downloading and installing hotfix 959887

The following steps will show you how to download and install hotfix 959887. This is a hotfix for Windows Server 2008 SP1 and RTM designed to correct an issue with using smart cards to log on to a Windows Server 2008 forest.

To download and install hotfix 959887

  1. Log on to the QS-DC server as the administrator.

  2. On the QS-DC server, download the hotfix from You cannot use a smart card certificate to log on to a domain from a Windows Vista-based client computer (https://go.microsoft.com/fwlink/?LinkID=160495).

    Note

    When you download this hotfix, the product description refers to Windows Vista. The hotfix also applies to Windows Server 2008.

  3. When the download finishes, double-click the 365203_intl_x64_zip.exe file.

  4. On the Open File – Security Warning page, click Run.

  5. On the Microsoft Self-Extractor page, click Continue.

  6. Specify a location to unzip the files, and then click OK.

  7. In the password text box, type the password that was provided in the e-mail message for the hotfix, and then click OK.

  8. On the All files were successfully unzipped page, click OK.

  9. Navigate to the location where the files were extracted, and double-click the Windows6.0-KB959887-x64.msu file.

  10. To install the hotfix, on the Windows Update Standalone Installer page, click OK.

  11. When the installation is finished, click Restart Now.

Activating and testing the smart card

In this section, you test the implementation. To test this, you log on to the QS-Vista client as Britta Simon and request a user certificate.

To activate and test the smart card

  1. Log on to the QS-Vista client as Britta Simon.

  2. In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.

  3. On the Forefront Identity Manager page, click Click to enter.

  4. On the Forefront Identity Manager Certificate Management home page, click Request a permanent smart card.

  5. On the Profile Selection: Permanent Smart Card page, select the Fabrikam Smart Card profile template, and then click Next.

  6. On the Enrollment Request Initiation page, in the Sample Data Item text box, type Sample Data Item.

  7. To begin the activation process, click Next.

  8. On the FIM CM Smart Card Client PIN Entry page, in the New PIN and the Confirm PIN text boxes, type 12345, and then click OK.

  9. On the Request Complete page, verify the information, and then click Main Menu.

  10. Close Internet Explorer.

  11. Log off QS-Vista.

  12. Press CTRL+ALT+DELETE, and then click Switch User.

  13. Select Britta Simon Smart card logon, type 12345 for the PIN, and then click the arrow. You are now successfully logged on.

Retiring and testing the smart card

In this section, you retire a smart card in FIM 2010 R2. A retired smart card can be reused. If you do not plan to reuse your smart cards, you can disable them instead.

To retire and test the smart card

  1. Log on to the QS-Vista client as Britta Simon.

  2. In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.

  3. On the Forefront Identity Manager page, click Click to enter.

  4. On the Forefront Identity Manager Certificate Management home page, click Show details of my smart card.

  5. On the Now Insert Your Smart Card page, insert the smart card into the smart card reader, and then click OK.

  6. On the Review Details of a Smart Card Profile page, click Retire this smart card.

  7. On the Retire Smart Card page, in the Sample Data Item text box, type Sample Data Item, and click Next.

  8. To begin the retiring process, on the Retiring Smart Card page, verify the information, and then click Next.

  9. On the Request Complete page, click Main Menu.

  10. Close Internet Explorer.

  11. Log off QS-Vista.

  12. Press CTRL+ALT+DELETE. A No valid certificates found message appears.

Reissuing and testing the smart card

In this section, you reissue a smart card for logging on. To test this procedure, you log on to the QS-Vista client as Britta Simon and request a user certificate.

To re-issue and test the smart card

  1. Log back on to the QS-Vista client as Britta Simon. Do this by selecting Switch User, and then selecting Other User. Type Britta's credentials in the boxes.

  2. In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.

  3. On the Forefront Identity Manager page, click Click to enter.

  4. On the Forefront Identity Manager Certificate Management home page, click Request a permanent smart card.

  5. On the Profile Selection: Permanent Smart Card page, select the Fabrikam Smart Card profile template, and then click Next.

  6. On the Enrollment Request Initiation page, in the Sample Data Item text box, type Sample Data Item.

  7. To begin the reissue process, click Next.

  8. On the FIM CM Smart Card Client PIN Entry page, in the New PIN and the Confirm PIN text boxes, type 67890. Click OK.

  9. On the Request Complete page, verify the information, and then click Main Menu.

  10. Close Internet Explorer.

  11. Log off QS-Vista.

  12. Press CTRL+ALT+DELETE, and then click Switch User.

  13. Select Britta Simon Smart card logon, type 67890 for the PIN, and then click the arrow. You are now successfully logged on.