Configuring the FIM CM Service

Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management

Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) is an administrative service that performs workflow tasks. FIM CM performs the following functions:

• Notifies users of certificate renewals

• Processes external API requests

• Performs online updates of profile templates and smart cards

Note

Not all FIM CM deployments require each function. You can choose the appropriate functions for your FIM CM deployment.

When you install FIM CM on the FIM CM server, you must configure FIM CM manually to enable its functions and management policies.

The following sections describe how to configure FIM CM:

• Configuring FIM CM

• Configure FIM CM for Renewal Requests

• Configure FIM CM to Use the External API

• Configure FIM CM for Online Updates

Configuring FIM CM

To configure FIM CM, perform the following steps:

1. Step 1: Create a new domain user account

2. Step 2: Grant required user rights to the domain user account

3. Step 3: Add the domain user account to the required groups

4. Step 4: Configure FIM CM to use the domain user account

5. Step 5: Configure FIM CM to start automatically

6. Step 6: Configure SQL Server for Windows Integrated Authentication

7. Step 7: Restart FIM CM

8. Step 8: Configure FIM CM extended permissions

Step 1: Create a new domain user account

Before you configure FIM CM to use a domain user account in step 4 of the following procedure, you must create a new domain user account.

To create a new domain user account

1. Log on to a domain controller as a domain administrator.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In Active Directory Users and Computers, right-click Users, and then click New User.

4. On the New User page, type a user name and password, clear the User must change password at next logon check box, and then click OK.

Note

Be sure to create the user account as a user account in the domain and not as a user account on the local computer.

Step 2: Grant required user rights to the domain user account

You use Security Policy Editor (Secpol.msc) to grant the following required user rights to the domain user account:

• Act as part of the operating system

• Generate security audits

• Replace a process level token

• Log on as a service

To grant the required user rights to the user

1. Log on to a domain controller as a domain administrator.

2. Click Start, click Run, type secpol.msc, and then click OK.

3. In Local Security Settings, double-click Local Policies, and then click User Rights Assignment.

4. In the details pane, right-click the user that you want, and then click Properties.

5. In [setting] Properties, click Add User or Group.

6. In Select Users or Groups, type the name for the user account, and then click OK.

7. In [setting] Properties, click OK.

8. Repeat steps 3 through 6 for each user right that you want to grant.

Step 3: Add the domain user account to the required groups

You use the Active Directory® Users and Computer snap-in to add the domain user account to the following groups on the FIM CM server:

• Administrators

• IIS_IUSRS

  Note

  In Internet Information Services (IIS) 7.0, the IIS_IUSRS built-in group replaces IIS_WPG. If you are using an older version of IIS, use the IIS_WPG group. For additional information, see Understanding Built-In User and Group Accounts in IIS 7 (https://go.microsoft.com/fwlink/?LinkId=184266).

To add the domain user account to the required groups

1. Log on as an administrator.

2. Click Start, point to Administrative Tools, and then click Computer Management.

3. In Computer Management, double-click Configuration, double-click Local Users and Groups, click Groups, right-click GroupName, and then click Add to Group.

4. GroupName is the name of the group.

5. In GroupName Properties, click Add.

6. In Select Users, Computers, or Groups, type the name of the user account, and then click OK.

7. In GroupName Properties, click OK.

8. Repeat steps 2 through 5 for each group that you want to add.

Step 4: Configure FIM CM to use the domain user account

You must configure FIM CM to use the domain user account that you created in step 1.

To configure FIM CM to use the domain user account

1. Log on as an administrator.

2. Click Start, click Run, type Services.msc, and then click OK.

3. In Services (local), right-click Forefront Identity Manager CM Update Service, and then click Properties.

4. On the Forefront Identity Manager CM Update Service Properties page, on the Log on tab, click This account.

5. In This account, type the name of the user account.

6. In Password, type the password of the user account.

7. In Confirm password, type the password again, and then click OK.

Step 5: Configure FIM CM to start automatically

To ensure that FIM CM processes requests correctly, you must configure it to start automatically.

To configure FIM CM to start automatically

1. Log on as an administrator.

2. Click Start, point to All Programs, point to Administrative Tools, and then click Services.

3. In Services (local), right-click Forefront Identity Manager CM Update Service, and then click Properties.

4. On the Forefront Identity Manager CM Update Service Properties page, click the General tab.

5. In Startup type, select Automatic, and then click OK.

Step 6: Configure SQL Server for Windows Integrated Authentication

If your Microsoft SQL Server® database uses Microsoft Windows® Integrated Authentication, you must perform the steps in the following procedure. However, if your database uses mixed-mode authentication, do not perform this procedure.

To configure SQL Server for integrated authentication with FIM CM

1. Log on to the computer running SQL Server as a user who is a database administrator.

2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click Enterprise Manager.

3. In the console tree, double-click Microsoft SQL Servers, double-click SQL Server Group, double-click (local) Windows NT, and then double-click Security.

4. In the console tree, right-click Logins, and then click New Login.

5. To find the new domain user account that you created in step 1, on the General tab, next to Name, click the ellipsis button (…).

6. Click the name of the new domain user account, and then click OK.

7. In the SQL Server Login Properties dialog box, select Windows Authentication, select the domain, and then select Grant access.

8. FIM CM uses the default domain.

9. On the Database Access tab, click Permit for the FIM CM database.

10. In Database roles for CM, for public and for cmApp, select Permit.

11. Selecting Permit ensures that the service has the appropriate permissions to write to the FIM CM database.

Step 7: Restart FIM CM

To apply the configuration changes that you made, you must restart FIM CM.

To restart FIM CM

1. Log on to the FIM CM server as an administrator.

2. Click Start, point to All Programs, point to Administrative Tools, and then click Services.

3. In Services (local), right-click Forefront Identity Manager CM Update Service, and then click Restart.

Step 8: Configure FIM CM extended permissions

Finally, configure the FIM CM extended permissions that are required for the management policies workflow that uses FIM CM. For a list of all of the FIM CM extended permissions, see Installing FIM CM on a Server.

The following topics describe specific FIM CM extended permissions that are required for FIM CM functions and management policies:

• Configure FIM CM for Renewal Requests

• Configure FIM CM to Use the External API

• Configure FIM CM for Online Updates

Configure FIM CM for Renewal Requests

You can configure FIM CM to automatically issue a renewal request for certificates that are within the renewal time specified in a certificate template. When you configure FIM CM to distribute one-time passwords, users automatically receive email messages to remind them to renew their certificates. In addition, users receive one-time passwords to use to complete additional authentication.

Important

Before you configure renewal requests, you must perform the configuration steps in Configuring FIM CM.

To configure FIM CM for renewal requests

1. Perform the initial configuration of FIM CM.

2. For information about performing the initial configuration, see Configuring FIM CM.

3. Assign the FIM CM Request Renew extended permission to the user account that you created in Configuring FIM CM.

4. To verify the renewal requests configuration, perform the following actions:

   1. Verify that the external user account is given Enroll Initiate permissions within the desired FIM CM profile templates.

   2. Change the cert_renew date of an active certificate in the Certificates table to some time in the past.

      To determine the desired certificate, examine the value that is contained in the cert_request_request_id column. This value corresponds to the certificate ID in the certification authority (CA).

   3. Restart FIM CM to trigger immediate request processing.

      FIM CM then places the renewal request based on the policy configuration of the profile template.

Configure FIM CM to Use the External API

You can configure FIM CM to use the external application programming interface (API). The external API enables custom applications to request certificates and to insert certificate data into the FIM CM database. FIM CM uses the external API to gather the incoming requests for the External database table.

FIM CM processes external requests periodically—instead of immediately—based on the time specified in the configuration file for FIM CM.

Important

If you configure the renewal requests function of FIM CM, you can use the same account for both the renewal requests and the external API.

To configure FIM CM to use the external API

1. Perform the initial configuration of FIM CM, which is described in Configuring FIM CM.

2. Assign FIM CM extended permissions to the user account that you created in Configuring FIM CM.

   Table 1 shows the required FIM CM extended permissions.

3. Edit the Microsoft.CLM.Service.Interval value in the configuration file for FIM CM.

   The location for the configuration file is <ProgramFiles>\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\Microsoft.CLM.Service.exe.config.

   The default request process value is five hours, which is 18,000,000 milliseconds. The minimum interval for the service to run is one hour, which is 3,600,000 milliseconds.

   Note

   If you try to set the request process value to less than one hour, FIM CM enforces the one-hour minimum interval.

Table 1: Required permissions for external API processing

Permission	Description
Read	You must grant the user Read permission to the affected profile templates in Active Directory Domain Services (AD DS).
CLM Enroll	You must grant the user CLM Enroll permission to the affected profile templates in AD DS. You must set this extended permission on profile templates in Active Directory Sites and Services.
Enroll Initiate	You must grant the user Enroll Initiate permission. This permission is set in profile templates and managed on the FIM CM Portal.

Configure FIM CM for Online Updates

You can configure FIM CM to update each profile template or smart card that you create from a profile template that is no longer current. For example, if the profile template that you used to create the profile template or smart card has fewer certificate templates than the current profile template has, FIM CM creates an online update request.

Table 2 shows the conditions in which FIM CM creates an online update request.

Table 2: Conditions in which FIM CM creates an online update request

Condition	Result
If the profile templates have different certificate templates	FIM CM creates an online update request. The reason given is a certificate template list change.
If the profile templates have the same certificate templates	FIM CM does not create an online update request.
If an online update request already exists for a profile or smart card	FIM CM does not create a new online update request.

To allow FIM CM to initiate a Renew or Online Update, the service account needs the following permissions:

1. Add the FIM CM Service Account to the profile template setting Workflows: Initiate Online Update Requests.

2. Add the CLM Request Renew permission to all Target Users.

3. Give the FIM CM Service Account Read and CLM Request Renew permissions on the Connection Service Point.

To issue an online update request instead of a renewal request, when the certificate is within the expiry period, you must modify the FIM CM Service configuration file, Microsoft.CLM.Service.exe.config.

To configure FIM CM to process the external API

1. Perform the initial configuration of FIM CM.

   For information about performing the initial configuration, see Configuring FIM CM.

2. Add the following key to the configuration file for FIM CM: <add key=”CLM.Service.RenewalService.OnlineUpdateProfileTemplates” value=”template”/>

   The default location for the configuration file is <ProgramFiles>\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\Microsoft.Clm.Service.exe.config.

   Note

   The template value represents the name of a valid profile template. Be sure that you replace this placeholder value with the value for an existing profile template. When you specify multiple templates, separate their names with semicolons.

3. Use a text editor to edit the Microsoft.CLM.Service.Interval value in the configuration file for FIM CM.

   The location for the configuration file is <ProgramFiles>\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\Microsoft.CLM.Service.exe.config.

   The default request process value is five hours (key="Microsoft.CLM.Service.Interval" value="18000000"). The minimum interval for the service to run is one hour, which is 3,600,000 milliseconds.

   Note

   If you try to set the request process value to less than one hour, FIM CM enforces the one-hour minimum interval.

4. Remove the comments from the following section in Web.config.

   Note

   The default location for Web.config is <ProgramFiles>\Microsoft Forefront Identity Manager\2010\Certificate Management\web\Web.config. <!-- <ClmNotifications> <add event="ApproveRequest" class="Microsoft.Clm.NotificationSinks.OnApproveRequest,Microsoft.Clm.NotificationSinks" initializationData="multi-value attribute"/> <add event="OnlineUpdateProfileComplete" class="Microsoft.Clm.NotificationSinks.OnOnlineUpdateProfileComplete,Microsoft.Clm.NotificationSinks" initializationData="multi-value attribute"/> <add event="MarkRequestAsFailed" class="Microsoft.Clm.NotificationSinks.OnMarkRequestAsFailed,Microsoft.Clm.NotificationSinks" initializationData="multi-value attribute"/> </ClmNotifications> -->

   Replace the multivalue attribute values in the initializationData sections of Web.config with a multistring value Active Directory attribute.

   Note

   To update the value of this Active Directory attribute, the FIMCM Agent account requires Write permission to it.

5. To add the required client registry key and values, at the command prompt on each computer running the FIM CM client, type clmProfileUpdate.exe /u /url <FIMCMServerURL> /a <Attribute> .

   You do not have to edit the registry directly. Table 3 shows these registry values. Table 4 shows the parameters for ClmProfileUpdate.exe.

   ClmProfileUpdate.exe is the Profile Template Update Control, which is a FIM CM client component. The default location for ClmProfileUpdate.exe is <ProgramFiles>\Microsoft Forefront Identity Manager\2010\Certificate Management\bin\.

In FIM CM client, you must use ClmProfileUpdate.exe to configure the registry keys for the multistring value Active Directory attribute specified in the initializationData sections of Web.config and for the FIM CM Portal. ClmProfileUpdate.exe edits the Windows registry and adds the following registry key to the FIM CM client: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\Agent. Table 3 shows the registry values that ClmProfileUpdate.exe adds when you perform step 5 in the previous procedure.

Table 3: FIM CM client registry key values

Registry key value	Description
Attribute	Displays the Active Directory attribute. This value is a string value (REG_SZ).
URL	Displays the URL for the FIM CM server. This value is a string value (REG_SZ).

Table 4: Parameters for ClmProfileUpdate.exe

Parameter	Description
/?	Displays Help.
/u	Updates the registry with the data that you specify following this parameter, and then exits the command-line.
/url	Specifies the URL for the FIM CM Portal. The URL must have a trailing forward slash. For example, https://www.contoso.com/clm/.
/a	Specifies an Active Directory attribute. This value should be the same value that you configured as the multivalue attribute in the initializationData sections of Web.config. Step 4 in the preceding procedure describes this process.

Previous topic

Configuring FIM CM Groups, Templates, and Permissions

Next topic

Installing and Configuring FIM CM for Smart Cards

See Also

Concepts

Installing and Configuring FIM CM Infrastructure