Step 6: Configure FIM CM for User Self-Service

Configuring Forefront Identity Manager 2010 Certificate Management for user self-service consists of the following:

  • Create the FIM CM Subscribers group

  • Add members to the FIM CM Subscribers group

  • Create a GPO to add https://fimcm1 to Local Intranet

  • Create and Configure the FIM CM Profile template

  • Assign the FIM CM Subscribers group the appropriate permissions to the FIMCMUser Certificate Template

  • Assign the FIM CM Subscribers group the appropriate permissions to the Contoso User Self-Service Profile Template

Create the FIM CM Subscribers group

Create an Active Directory group. This group will contain all of the users that are allowed to participate in self-service.

To create the FIM CM Subscribers group

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.

  4. Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.

  5. On the New Object – Group screen, in the Group name: box, type the following text:
    FIM CM Subscribers

  6. Click OK.

Add members to the FIM CM Subscribers group

Now we will add users to the FIM CM Subscribers group.

To add users to the FIM CM Subscribers group

  1. In Active Directory Users and Computers, double-click the newly created FIM CM Subscribers group. This will bring up FIM CM Subscribers Properties.

  2. In FIM CM Subscribers Properties, at the top, select the Members tab.

  3. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  4. In the box below Enter the object names to select (examples): enter Britta Simon and click Check Names. This should resolve with an underline. Click OK.

  5. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  6. In the box below Enter the object names to select (examples): enter Lola Jacobson and click Check Names. This should resolve with an underline. Click OK.

  7. On the FIM CM Subscribers Properties click Apply. Click OK.

  8. Close Active Directory Users and Computers.
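The same two tasks (create the group, then add the two lab users) done from an elevated PowerShell session on DC1. This is an added example, not part of the original guide; it assumes the Active Directory module (RSAT on Windows Server 2008 R2 or later, with Active Directory Web Services running on DC1) and the corp.contoso.com lab domain used throughout.

```powershell
# Added example (not from the guide): create the FIM CM Subscribers group and add the two lab users.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and the corp.contoso.com lab domain.
Import-Module ActiveDirectory

$groupName = 'FIM CM Subscribers'
$groupPath = 'CN=Users,DC=corp,DC=contoso,DC=com'     # same Users container the GUI steps use
$members   = @('Britta Simon', 'Lola Jacobson')        # display names of the lab users from the steps above

# Create the group only if it is not already there, so the script can be re-run safely.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    # A global security group. sAMAccountName defaults to the name, which is why the
    # later steps refer to the group as CORP\FIM CM Subscribers.
    $group = New-ADGroup -Name $groupName -GroupCategory Security -GroupScope Global `
                         -Path $groupPath -PassThru
}

foreach ($displayName in $members) {
    # Resolve by display name and insist on exactly one match: a typo or a duplicate
    # display name should stop the script rather than silently add the wrong account.
    $found = @(Get-ADUser -Filter "DisplayName -eq '$displayName'")
    if ($found.Count -ne 1) {
        throw "Expected exactly one user with display name '$displayName', found $($found.Count)."
    }
    Add-ADGroupMember -Identity $group -Members $found[0]
}

# Verify who can now use self-service. Review this list before moving on: membership
# here is what gates every permission granted in the later steps of this procedure.
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, DistinguishedName
```

Re-running the script is harmless: the group is created once, and Add-ADGroupMember on an existing member simply reports that the member is already present.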

Create a GPO to add https://fimcm1 to Local Intranet

Now we will create a Group Policy Object that automatically adds https://fimcm1 to the Local intranet zone of Internet Explorer, so users do not have to do this manually. Sites in the Local intranet zone are allowed automatic logon with the current user's Windows credentials, which is what the FIM CM portal relies on. Note that the steps below place the setting in the Default Domain Policy rather than in a new GPO; that is acceptable for this test lab, but in a production domain create a dedicated GPO for this setting and link it, leaving the Default Domain Policy untouched.

To create a GPO to add https://fimcm1 to Local Intranet

  1. Click Start, select Administrative Tools, and then click Group Policy Management. This will open the Group Policy Management MMC.

  2. At the top, expand Forest:corp.contoso.com, expand Domains, expand corp.contoso.com, right-click Default Domain Policy and select Edit. This will bring up the Group Policy Management Editor.

  3. On the left, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and click Security.

  4. On the right, double-click Security Zones and Content Ratings. This will bring up the Security Zones and Content Ratings dialog box.

  5. In the top portion, under Security Zones and Privacy, select Import the current security zones and privacy settings. This will bring up a box that says that these settings will be ignored if Internet Explorer Enhanced Security is disabled. Click Continue. Because this option imports the zone configuration of the computer you are editing from, run it from a machine whose Internet Explorer zone settings you want applied to every user.

  6. Click Modify Settings. This will bring up the Internet Properties dialog box.

  7. Click on the Local Intranet icon and click the Sites button. This will bring up the Local intranet dialog box.

  8. In the box under add this website to the zone: enter https://fimcm1 and click Add. Click Close. This will close the Local intranet dialog box.

  9. Click Ok. This will close the Internet Properties dialog box.

  10. Click Apply and click OK. This will close the Security Zones and Content Ratings dialog box.

  11. Close Group Policy Management Editor.

  12. Close Group Policy Management.
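The same outcome with a dedicated GPO instead of the Default Domain Policy, using the Site to Zone Assignment List policy rather than Internet Explorer Maintenance (which is removed from Internet Explorer 10 and later). This is an added example, not part of the original guide; it assumes the GroupPolicy module (GPMC on Windows Server 2008 R2 or later) and the corp.contoso.com lab domain, and the GPO name is an assumption.

```powershell
# Added example (not from the guide): a dedicated GPO that puts https://fimcm1 in the Local intranet
# zone through the "Site to Zone Assignment List" policy. The GPO name is an assumption.
Import-Module GroupPolicy

$gpoName    = 'FIM CM - Local Intranet Zone'   # assumed name, not from the guide
$domainDN   = 'DC=corp,DC=contoso,DC=com'
$site       = 'https://fimcm1'
$policyKey  = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMapKey = "$policyKey\ZoneMapKey"

# Create the GPO if needed and link it at the domain root, instead of editing Default Domain Policy.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Adds the FIM CM portal to the Local intranet zone'
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# The Site to Zone Assignment List (User Configuration > Administrative Templates > Windows Components >
# Internet Explorer > Internet Control Panel > Security Page) stores one REG_SZ value per site under
# ZoneMapKey. The data is the zone number: 1 = Local intranet, 2 = Trusted sites, 3 = Internet,
# 4 = Restricted sites. ListBox_Support_ZoneMapKey is the flag the GPMC editor writes when the policy
# is set to Enabled.
Set-GPRegistryValue -Name $gpoName -Key $policyKey  -ValueName 'ListBox_Support_ZoneMapKey' `
                    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $zoneMapKey -ValueName $site -Type String -Value '1' | Out-Null

# Show what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $zoneMapKey | Format-Table ValueName, Type, Value

# On a client, after gpupdate /force and a fresh logon, the same value appears under HKCU.
# Run this as the user to confirm the mapping actually reached them.
function Test-FimCmIntranetZone {
    param([string]$Site = 'https://fimcm1')
    $applied = Get-ItemProperty -Path ('HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\' +
                                       'Internet Settings\ZoneMapKey') -ErrorAction SilentlyContinue
    return [bool]($applied -and $applied.$Site -eq '1')
}
```

Once the Site to Zone Assignment List is in force, users can no longer add or remove sites in the Internet Explorer zone dialogs themselves (the Sites button is greyed out), which is usually what you want for a certificate management portal: the zone assignment, and therefore automatic credential logon, cannot be extended to other hosts by the user.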

Create and Configure the FIM CM Profile template

Now we will create and configure the FIM CM Profile template.

To create and configure the FIM CM Profile template

  1. Log on to FIMCM1 as corp\Administrator.

  2. Click Start, click All Programs, and then click Internet Explorer (64-bit).

  3. In Internet Explorer, in the address bar at the top, enter https://fimcm1/certificatemanagement and press Enter. This should bring up the Forefront Identity Manager 2010 page. Click Click to enter. This will bring you to the main FIM CM page. This may take a moment.

  4. Scroll down and under Administration click Manage profile templates. This will bring up Profile Template Management.

  5. On Profile Template Management, place a check in the box next to FIM CM Sample Profile Template and click Copy a selected profile template.

  6. Clear what is in the box under New profile template name: and enter Contoso User Self-Service Profile Template. Click OK.

  7. On the Edit Profile Template screen, down under Certificate Templates click Add new certificate template.

  8. This will bring up a screen that allows you to configure the certificate templates. On the right, place a check in the box to the left of corp-DC1-CA.

  9. Under Available Certificate Templates, scroll down and place a check in FIMCMUser. At the bottom, click Add.

  10. On the Edit Profile Template screen, down under Certificate Templates, place a check in the box next to User and click Delete selected certificate template. This will bring up a box that says OK to delete selected items? Click OK.

  11. On the Edit Profile Template screen, on the left, click Enroll Policy.

  12. Now scroll down to Workflow: Initiate Enroll Requests and select Add new principal for enroll request. This will bring up a screen that says you can set up permissions for users or groups. The principals listed under Initiate Enroll Requests are the ones allowed to start their own enrollment requests against this profile template, which is what makes it self-service for the group.

  13. Click the Lookup button. This will bring up a Search for Users and Groups screen.

  14. Select Groups and in the box under Name: enter FIM CM Subscribers. Click Search.

  15. At the bottom of the screen, under User Logon you should see CORP\FIM CM Subscribers. Click on this.

  16. You should now be returned to the previous screen, and under Principal: you should see CORP\FIM CM Subscribers. Click OK.

  17. This will return you to the Edit Profile Template screen, and you should see that FIM CM Subscribers has been added under Workflow: Initiate Enroll Requests.

  18. Close Internet Explorer.

Assign the FIM CM Subscribers group the appropriate permissions to the FIMCMUser Certificate Template

Now we will assign the appropriate permissions to the FIMCMUser certificate template. The group needs only Read and Enroll on the template; do not grant Write or Full Control, since those would let a member change what the template issues.

To assign the FIM CM Subscribers group the appropriate permissions to the FIMCMUser certificate template

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Server Manager.

  3. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.

  4. On the right, scroll down, right-click FIMCMUser and select Properties.

  5. At the top, click the Security tab.

  6. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  7. In the box below Enter the object names to select (examples): enter FIM CM Subscribers and click Check Names. This should resolve with an underline. Click OK.

  8. Make sure FIM CM Subscribers is selected at the top and down under Permissions for FIM CM Subscribers place a check in Enroll. At this point Read and Enroll should both be checked. Click Apply. Click OK.

  9. Close Server Manager.

Assign the FIM CM Subscribers group the appropriate permissions to the Contoso User Self-Service Profile Template

Now we will assign the appropriate permissions to the FIM CM profile template we just created. As with the certificate template, the group needs only Read and FIM CM Enroll.

To assign the FIM CM Subscribers group the appropriate permissions to the Contoso User Self-Service Profile Template

  1. Click Start, select Administrative Tools, and then click Active Directory Sites and Services.

  2. At the top, under View, select Show Services Node.

  3. On the left, expand Services, expand Public Key Services and select Profile Templates.

  4. On the right, right-click Contoso User Self-Service Profile Template and select Properties.

  5. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  6. In the box below Enter the object names to select (examples): enter FIM CM Subscribers and click Check Names. This should resolve with an underline. Click OK.

  7. Make sure FIM CM Subscribers is selected at the top and down under Permissions for FIM CM Subscribers place a check in FIM CM Enroll. At this point Read and FIM CM Enroll should both be checked. Click Apply. Click OK.

  8. Close Active Directory Sites and Services.
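Both permission grants (Read plus Enroll on the FIMCMUser certificate template, and Read plus FIM CM Enroll on the profile template) done from PowerShell on DC1, with a check that the resulting ACE is exactly what was intended. This is an added example, not part of the original guide. It assumes the Active Directory module, the corp.contoso.com lab domain, that the profile template object's CN in the Profile Templates container equals the name entered earlier, and that the extended right's display name in the schema is the same text the Security tab shows (Enroll, FIM CM Enroll); the function names are assumptions.

```powershell
# Added example (not from the guide): grant Read plus one extended right on an AD object by looking
# the right up in CN=Extended-Rights, so no rightsGuid is hard-coded. Function names are assumptions.
Import-Module ActiveDirectory

function Get-ExtendedRightGuid {
    param([Parameter(Mandatory=$true)][string]$DisplayName)   # e.g. 'Enroll' or 'FIM CM Enroll'
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Control-access rights are controlAccessRight objects; the Security tab shows their displayName.
    $rights = @(Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -Properties rightsGuid `
                -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))")
    if ($rights.Count -ne 1) {
        throw "Expected one extended right named '$DisplayName', found $($rights.Count)."
    }
    return [guid]$rights[0].rightsGuid
}

function Grant-TemplateEnrollRight {
    param(
        [Parameter(Mandatory=$true)][string]$ObjectDN,          # DN of the template object
        [Parameter(Mandatory=$true)][string]$Identity,          # e.g. 'CORP\FIM CM Subscribers'
        [Parameter(Mandatory=$true)][string]$RightDisplayName   # 'Enroll' or 'FIM CM Enroll'
    )
    $rightGuid = Get-ExtendedRightGuid -DisplayName $RightDisplayName
    $sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path "AD:\$ObjectDN"
    # 'Read' on the Security tab is GenericRead; the enroll right is an ExtendedRight ACE scoped to
    # that right's GUID. Nothing else (Write, Full Control) is granted: least privilege on the template.
    $read = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow
    $enroll = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $rightGuid
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($enroll)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

function Test-TemplateEnrollRight {
    param(
        [Parameter(Mandatory=$true)][string]$ObjectDN,
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][string]$RightDisplayName
    )
    $rightGuid = Get-ExtendedRightGuid -DisplayName $RightDisplayName
    $aces = @((Get-Acl -Path "AD:\$ObjectDN").Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
    })
    $hasRead   = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band 'GenericRead') -eq 'GenericRead' })
    $hasEnroll = [bool]($aces | Where-Object { $_.ObjectType -eq $rightGuid })
    # Flag anything broader than Read + the enroll right for this identity.
    $tooBroad  = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' })
    return ($hasRead -and $hasEnroll -and -not $tooBroad)
}

# Lab objects. The profile template DN assumes its CN equals the name typed into FIM CM.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$pkiBase   = "CN=Public Key Services,CN=Services,$configNC"
$certTplDN = "CN=FIMCMUser,CN=Certificate Templates,$pkiBase"
$profTplDN = "CN=Contoso User Self-Service Profile Template,CN=Profile Templates,$pkiBase"
$group     = 'CORP\FIM CM Subscribers'

Grant-TemplateEnrollRight -ObjectDN $certTplDN -Identity $group -RightDisplayName 'Enroll'
Grant-TemplateEnrollRight -ObjectDN $profTplDN -Identity $group -RightDisplayName 'FIM CM Enroll'

# Both should print True; a False means the ACE is missing or the group got more than it should.
Test-TemplateEnrollRight -ObjectDN $certTplDN -Identity $group -RightDisplayName 'Enroll'
Test-TemplateEnrollRight -ObjectDN $profTplDN -Identity $group -RightDisplayName 'FIM CM Enroll'
```

The check is worth keeping around: both objects live in the Configuration partition, so a Write or Full Control grant on either one is a domain-wide change that lets the holder alter what gets issued. Running dsacls against the same DNs gives an independent, tool-free second opinion on the resulting ACL.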