How to Set Up FIM CM Behind a Network Load Balancing (NLB) cluster

Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management

Forefront Identity Manager Certificate Management (FIM CM) Network Load Balancing Setup Overview

What This Document Covers

This document describes a process for configuring Network Load Balancing (NLB) and for setting up Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) to work behind NLB.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

To complete this tutorial, you should understand and be familiar with the following:

  • NLB

  • Active Directory® Domain Services (AD DS)

  • Active Directory permissions concepts

  • Active Directory users and groups concepts

  • Active Directory Users and Computers

  • Active Directory Sites and Services

Audience

This document is intended for information technology (IT) planners, systems administrators, system architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.

Time requirements

The amount of time required to implement the procedures in this document depends on how much of your setup is already in place. To set up your configuration from start to finish takes about three hours. If some of the components are already in place, setup can take 45 to 90 minutes.

Requirements

For an NLB configuration, you must have a fully configured FIM CM environment with the AD DS, Active Directory Certificate Services (AD CS), and Microsoft SQL Server®.

Note

In Windows Server 2003, the service name is Certificate Authorities rather than AD CS as stated above for Windows Server 2008.

Scenario Roadmap

FIM CM is tightly integrated with AD DS for authentication and authorization.

This document describes a process for configuring NLB and for setting up FIM CM to work behind NLB.

The high-level steps are:

  1. Set up NLB on both servers where you want to install FIM CM.

  2. Install FIM CM server.

  3. Run the FIM CM Configuration wizard on the first server, FIM CM Portal 1.

  4. Run the Configuration wizard on the second server, FIM CM Portal 2.

  5. Install agent certificates on FIM CM Portal 2.

  6. Create identical user authorization cookies for both FIM CM Portal servers.

Walkthrough

You will be guided through the process of setting up the NLB by TechNet topics outside the FIM documentation set, after which you will configure FIM portal servers and set up the agent account certificates.

To set up NLB

After you complete these steps, your NLB environment will be configured.

To build two FIM CM Portal servers

  1. Install FIM CM Server on both computers.

    Important

    Ensure that you have the same product version installed on both servers. You must configure the network adapters on both servers on the same switch box.

    Note

    For information about installing FIM CM, see Installing and Configuring FIM CM Infrastructure.

  2. During the installation, ensure that you set the Portal page name to Certificate Management or a page name that is identical for both servers.

  3. To make the certificates exportable, duplicate the User and Enrollment Agent certificate templates.

    For information about duplicating certificate templates, see Installing and Configuring FIM CM Infrastructure.

To run the Configuration wizard on FIM CM Portal 1

  1. Run the Configuration wizard as the local computer administrator in an elevated command prompt.

  2. On the Active Directory tab, copy the Container Path and the Entry Name because you must reuse the same Service Control Point (SCP) for the additional servers in the NLB cluster.

    Note

    All servers in the FIM CM NLB cluster must use the same SCP name. By default, the Configuration wizard populates the SCP Entry Name with the NetBIOS name of the computer on which the wizard is being run. It is recommended that you edit the SCP Entry Name to make it server independent while keeping the displayed value of the Container Path. For example, you can edit the server name to a value such as FIMCMSCP. A value such as this can be easily remembered and reused during the configuration of the additional server(s) in the NLB cluster.

  3. For the FIM CM agent accounts, clear the default settings and reenter the passwords for all six accounts.

    Important

    You must also have the passwords for all six of these accounts when you configure the second server; be sure to note them for use later in this process.

  4. For the Agent certificates, ensure that you select the certificate templates that are marked Exportable.

  5. Run the Configuration wizard with all other settings at the default settings.

To run the Configuration wizard on FIM CM Portal 2

  1. Run the Configuration wizard as the local computer administrator in an elevated command prompt.

  2. On the SQL Settings tab, ensure that you select the same database name as in the first procedure.

  3. On the Active Directory tab, type the Entry Name of the SCP that was provided when running the configuration wizard on FIM CM Portal 1. For example, if you used the name FIMCMSCP for the SCP when configuring FIM CM Portal 1, you must reuse that name as the Entry Name for every server participating in the NLB cluster (including this server).

  4. In the FIM CM agent accounts, click Customer Accounts, and for each tab in Agent-FIM CM, click Use an existing user. Use the same password that you used in the first procedure. Select the Use Existing Account check box.

  5. In Certificates, click Create and Configure Certificates manually.

  6. Run the Configuration wizard with all other settings at the default settings.

  7. During the configuration, the wizard notifies you that the specified database already exists. Click Yes to use the current database with no changes.

To install Agent certificates on FIM CM Portal 2

  1. Log on to the first server as the FIM CM Agent.

  2. Export the FIM CM Agent certificate:

    1. Be sure to select the Export Private Key Option.

    2. Save the .pfx file in a location that can be accessed by the second server.

  3. Perform the same operations for the FIM CM EnrollAgent account.

    Note

    The certificates for the Agent, Enroll Agent, and Key Recovery Agent should all be handled identically.

  4. Log on to the second FIM CM server as the FIM CM Agent (and then as the FIM CM Enroll Agent), and import the certificates.

  5. Update the CLM Web.config file with the certificate hash of the FIM CM Agent and the FIM CM Enroll Agent.

  6. Obtain the certificate hashes of the agent certificate and the enrollment agent certificate (using the Microsoft Management Console (MMC) or an exported certificate file).

  7. Edit the web.config file, located in C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web.

  8. For the agent certificate hash, update the following web.config keys to include the hash:

    1. Clm.SigningCertificate.Hash

    2. Clm.ValidSigningCertificates.Hashes

    3. Clm.SmartCard.ExchangeCertificate.Hash

    Note

    Make sure there are no spaces in the certificate hash. A hash that you view in the certificate MMC snap-in appears as 93 d7 24 28 ab 11 36 b6 f4 f2 a2 c3 5c 19 fa 42 53 11 d0 99, but in the web.config file it must be entered between the quotes with no spaces, as follows: <add key="Clm.SigningCertificate.Hash" value="93D72428AB1136B6F4F2A2C35C19FA425311D099" />

  9. For the enrollment agent certificate hash, update Clm.EnrollAgent.Certificate.Hash.

To create identical user authorization cookies for both FIM CM Portal servers

  1. To generate an authorization key, at an elevated command prompt, run clmutil.exe -genkey.

  2. In the Web configuration file, located in <drive>:\Program Files\Forefront Identity Manager\2010\<folder>, on both servers, update the following with the generated key:

    <ticket>
        <key>Insert key here</key>
        <name>.clmAuthCookie</name>
    </ticket>


    Important

    This ensures that all the cookies that are stored on the clients are usable by both CLM servers.
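The following PowerShell script is an added example, not part of the FIM CM documentation or product, that performs the two web.config edits above on one server: it normalizes the MMC-style thumbprints (spaces stripped, uppercased, validated as 40 hex digits) into the four agent hash keys, and writes the clmutil.exe -genkey output into the ticket key. It assumes that the ticket element lives in the same web.config as the appSettings keys, that each hash key holds a single value, and that the file path below is correct for your installation; run it on both servers with the same ticket key.

```powershell
# Added example (not the product's own tooling): update FIM CM web.config
# with agent certificate hashes and the shared authorization ticket key.
param(
    # Assumed default install path; adjust if FIM CM is installed elsewhere.
    [string]$WebConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config',
    [Parameter(Mandatory)][string]$AgentThumbprint,        # as shown in MMC, spaces allowed
    [Parameter(Mandatory)][string]$EnrollAgentThumbprint,  # as shown in MMC, spaces allowed
    [Parameter(Mandatory)][string]$TicketKey               # output of clmutil.exe -genkey
)

function ConvertTo-ClmHash {
    # MMC shows "93 d7 24 ..."; web.config needs "93D72428..." with no spaces.
    param([string]$Thumbprint)
    $clean = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Thumbprint '$Thumbprint' is not a 40-hex-digit SHA-1 hash."
    }
    return $clean
}

function Set-AppSettingValue {
    # Fails loudly rather than silently adding a key that the product never reads.
    param([xml]$Config, [string]$Key, [string]$Value)
    $node = $Config.SelectSingleNode("//appSettings/add[@key='$Key']")
    if (-not $node) { throw "appSettings key '$Key' not found in web.config." }
    $node.SetAttribute('value', $Value)
}

$agentHash  = ConvertTo-ClmHash $AgentThumbprint
$enrollHash = ConvertTo-ClmHash $EnrollAgentThumbprint

# Keep a copy of the original before editing.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
[xml]$config = Get-Content -Path $WebConfigPath -Raw

# Keys the procedure lists for the agent certificate hash (single value assumed).
foreach ($key in 'Clm.SigningCertificate.Hash',
                 'Clm.ValidSigningCertificates.Hashes',
                 'Clm.SmartCard.ExchangeCertificate.Hash') {
    Set-AppSettingValue -Config $config -Key $key -Value $agentHash
}
# Key for the enrollment agent certificate hash.
Set-AppSettingValue -Config $config -Key 'Clm.EnrollAgent.Certificate.Hash' -Value $enrollHash

# Shared ticket key, so a cookie issued by either server validates on the other.
$ticketKeyNode = $config.SelectSingleNode('//ticket/key')
if (-not $ticketKeyNode) { throw 'The <ticket><key> element was not found in web.config.' }
$ticketKeyNode.InnerText = $TicketKey

$config.Save($WebConfigPath)
```

After running it on both servers, compare the edited keys across the two files (for example with Compare-Object over the relevant lines) to confirm the hashes and ticket key are identical before putting the cluster into service.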

To set the service principal name (SPN) on the domain controller

  1. Log on to the domain controller as an administrator.

  2. Run setSPN to register the cluster head.

Example:

In this example, the domain is B107X64CLMAD and the cluster head is CLMNLB.

C:\Users\Administrator>setSPN -L B107X64CLMAD\clmwebpool
Registered ServicePrincipalNames for CN=clmWebPool,CN=Users,DC=B107X64CLMAD,DC=COM:
        HTTP/B116X64CLM.B107X64CLMAD.COM
        HTTP/B116X64CLM
        HTTP/B110X64CLM.B107X64CLMAD.COM
        HTTP/B110X64CLM

C:\Users\Administrator>setSPN -S HTTP/CLMNLB B107X64CLMAD\clmwebpool

Registering ServicePrincipalNames for CN=clmWebPool,CN=Users,DC=B107X64CLMAD,DC=COM
        HTTP/CLMNLB
Updated object

C:\Users\Administrator>setSPN -S HTTP/CLMNLB.B107X64CLMAD.COM B107X64CLMAD\clmwebpool

Registering ServicePrincipalNames for CN=clmWebPool,CN=Users,DC=B107X64CLMAD,DC=COM
        HTTP/CLMNLB.B107X64CLMAD.COM
Updated object

C:\Users\Administrator>setSPN -L B107X64CLMAD\clmwebpool
Registered ServicePrincipalNames for CN=clmWebPool,CN=Users,DC=B107X64CLMAD,DC=COM:
        HTTP/CLMNLB.B107X64CLMAD.COM
        HTTP/CLMNLB
        HTTP/B116X64CLM.B107X64CLMAD.COM
        HTTP/B116X64CLM
        HTTP/B110X64CLM.B107X64CLMAD.COM
        HTTP/B110X64CLM