Step 9: Perform FIM CM Post-Installation Tasks

Performing the FIM CM Post-Installation tasks consists of the following:

  • Configure the FIM CM Server for delegation

  • Configure the FIM CM Web Pool Agent for delegation

  • Configure IIS for Kerberos Delegation

  • Verify the SPNs on the FIM CM Web Pool Agent Account

  • Allow DC1 to access the FIM CM database on APP1

  • Obtain the FIM CM Agent account hash

  • Configure FIM CM Exit Module on DC1

  • Configure FIM CM Policy Module on DC1

  • Add the FIM CM Portal URL to Local Intranet Sites for CORP\Administrator

Configure the FIM CM Server for delegation

To Configure the FIM CM Server for delegation

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

  3. At the top, select View and choose Advanced Features from the drop-down.

  4. On the left, expand corp.contoso.com, click Computers and on the right, right-click the FIMCM1 and choose Properties.

  5. At the top, select the Delegation tab.

    Warning

    If for some reason you do not see the delegation tab, then check and make sure that this object has the correct SPNs set. The reason you do not see a delegation tab is because the object does not have a value for the servicePrincipalName attribute.

  6. Select Trust this computer for delegation for specified services only and then select Use any authentication protocol.

  7. Click Add. This will bring up the Add Services window.

    Add Service

  8. Click Users or Computers. This will bring up a Select Users or Computers window. Enter DC1 and click Check Names. It should resolve with an underline. Then click OK.

  9. You should now see services populated on the Add Services window. Scroll down and select rpcss and click OK.

    FIM CM Server Delegation

  10. Click Apply. Click OK.

Configure the FIM CM Web Pool Agent for delegation

To Configure the FIM CM Web Pool Agent for delegation

  1. In Active Directory Users and Computers, on the left, expand corp.contoso.com, click ServiceAccounts. Right-click the FIM CM Web Pool Agent and choose Properties.

  2. At the top, select the Delegation tab.

    Warning

    If for some reason you do not see the delegation tab, then check and make sure that this object has the correct SPNs set. The reason you do not see a delegation tab is because the object does not have a value for the servicePrincipalName attribute.

  3. Select Trust this computer for delegation for specified services only and then select Use Kerberos only.

  4. Click Add. This will bring up the Add Services window.

  5. Click Users or Computers. This will bring up a Select Users or Computers window. Enter DC1 and click Check Names. It should resolve with an underline. Then click OK.

  6. You should now see services populated on the Add Services window. Scroll down and select HOST and click OK.

    FIM CM Web Pool Delegation

  7. Click Apply. Click OK.

  8. Close Active Directory Users and Computers.

Configure IIS for Kerberos Delegation

By default, an application pool that runs under a specific service account does not use that account's credentials for Kerberos. This section configures IIS to use them.

To configure IIS for Kerberos Delegation

  1. Log on to FIMCM1 as CORP\Administrator.

  2. Navigate to the following directory: C:\Windows\System32\inetsrv\config.

    Application Host

  3. Locate the ApplicationHost.config file, right-click and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed programs and click OK.

  4. Select Notepad and click OK. This will open the config file in notepad.

  5. At the top, select Edit, Find, and enter windowsAuthentication enabled="true" in the box. Click Find Next.

    useAppPool

  6. If this is a vanilla install of FIM CM there will be only one instance of this. Insert useKernelMode="true" useAppPoolCredentials="true" in the line so it looks like the after image.

    useAppPool

  7. On the Find box, click Cancel.

  8. At the top of Notepad, select Save. Close Notepad.

  9. Click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

  10. In the command prompt window, type iisreset and hit enter. This will stop and then re-start IIS. Once this completes, close the command prompt window.

    IIS Reset
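The same ApplicationHost.config edit as steps 2 through 10, done with a script instead of Notepad. This is an added example, not part of the original guide; it assumes a vanilla install with a single windowsAuthentication element that has enabled="true" (it warns if it finds more), and it must run on FIMCM1 in an elevated 64-bit PowerShell so that the real System32\inetsrv\config folder is edited and not the SysWOW64 copy.

```powershell
# Added example (not from the original guide). Run on FIMCM1 as CORP\Administrator
# in an elevated 64-bit PowerShell.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

# Keep a timestamped backup so the change can be reverted if IIS fails to restart.
$backup = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $configPath -Destination $backup -Force

# Load the file as XML (XmlDocument.Load works on PowerShell 2.0 as well).
$appHost = New-Object System.Xml.XmlDocument
$appHost.Load($configPath)

# Same search as the guide's Notepad Find: windowsAuthentication elements with enabled="true".
$nodes = @($appHost.SelectNodes("//windowsAuthentication[@enabled='true']"))
if ($nodes.Count -eq 0) {
    throw "No <windowsAuthentication enabled='true'> element found in $configPath"
}
if ($nodes.Count -gt 1) {
    # Assumption from the guide: a vanilla install has exactly one instance.
    Write-Warning "Found $($nodes.Count) matching elements; the guide expects exactly one."
}

foreach ($node in $nodes) {
    # Kernel-mode authentication normally decrypts service tickets with the machine
    # account's key. useAppPoolCredentials makes it use the application pool identity
    # (the FIM CM Web Pool Agent), which owns the HTTP/FIMCM1 SPNs clients ask for.
    $node.SetAttribute('useKernelMode', 'true')
    $node.SetAttribute('useAppPoolCredentials', 'true')
}
$appHost.Save($configPath)

# Show the resulting element(s) for a visual check, then restart IIS (step 10).
$nodes | ForEach-Object { $_.OuterXml }
& iisreset
```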

Verify the SPNs on the FIM CM Web Pool Agent Account

To Verify the SPNs on the FIM CM Web Pool Agent Account

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools and click ADSI Edit. This will bring up ADSI Edit.

  3. At the top, right-click ADSI Edit and select Connect to. This will bring up a Connections Settings box. Leave the defaults and click OK.

  4. On the right, expand Default Naming Context [DC1.corp.contoso.com], double-click DC=corp,DC=contoso,DC=com, expand DC=corp,DC=contoso,DC=com and select OU=ServiceAccounts.

  5. In the center, right-click CN=FIM CM Web Pool Agent and select Properties. This will bring up CN=FIM CM Web Pool Agent Properties.

  6. Scroll through the list of attributes and double-click servicePrincipalName. This will bring up the Multi-valued String Editor.

  7. In the box, verify the value HTTP/FIMCM1 is present.

  8. In the box, verify the value HTTP/FIMCM1.corp.contoso.com.

    Verify SPN

  9. Click OK.

  10. Click OK.
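A scripted check, run on DC1, of what the first four tasks configured: the HTTP SPNs on the web pool agent, the Kerberos-only delegation to HOST/DC1, the any-protocol delegation from FIMCM1 to rpcss/DC1, and a forest-wide scan for duplicate SPNs, which silently break Kerberos for a service. This is an added example, not part of the original guide; it assumes the Active Directory module is available on DC1 and that the service account's CN is exactly "FIM CM Web Pool Agent" (the guide never gives its sAMAccountName, so the account is located by CN).

```powershell
# Added example (not from the original guide). Run on DC1 as CORP\Administrator.
Import-Module ActiveDirectory

$props  = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
# Assumption: the account is found by the CN shown in this guide.
$agent  = Get-ADUser -LDAPFilter '(cn=FIM CM Web Pool Agent)' -Properties $props
$server = Get-ADComputer -Identity 'FIMCM1' -Properties $props
if (-not $agent) { throw 'FIM CM Web Pool Agent account not found in corp.contoso.com' }

function Test-DelegationTarget([string]$label, $targets, [string]$serviceClass) {
    # Accept the short or FQDN form of DC1; SPN matching is case-insensitive in AD.
    $hits = @($targets | Where-Object { $_ -match "^$serviceClass/DC1(\.corp\.contoso\.com)?$" })
    if ($hits.Count -gt 0) { Write-Host "$label OK: $($hits -join ', ')" }
    else { Write-Warning "$label has no $serviceClass/DC1 entry in msDS-AllowedToDelegateTo" }
}

# Task "Verify the SPNs": both HTTP SPNs must be on the web pool agent, otherwise
# browsers fall back to NTLM and there is no Kerberos ticket to delegate to the CA.
$expectedSpns = 'HTTP/FIMCM1', 'HTTP/FIMCM1.corp.contoso.com'
$missing = @($expectedSpns | Where-Object { $agent.servicePrincipalName -notcontains $_ })
if ($missing.Count -eq 0) { Write-Host 'Web pool agent SPNs OK' }
else { Write-Warning "Web pool agent is missing SPN(s): $($missing -join ', ')" }

# Task "Configure the FIM CM Web Pool Agent for delegation": Kerberos only, to HOST on DC1.
Test-DelegationTarget 'Web pool agent delegation' $agent.'msDS-AllowedToDelegateTo' 'HOST'
if ($agent.TrustedToAuthForDelegation) {
    Write-Warning 'Web pool agent allows protocol transition; the guide selected "Use Kerberos only"'
}

# Task "Configure the FIM CM Server for delegation": any protocol, to rpcss on DC1.
Test-DelegationTarget 'FIMCM1 delegation' $server.'msDS-AllowedToDelegateTo' 'rpcss'
if (-not $server.TrustedToAuthForDelegation) {
    Write-Warning 'FIMCM1 is not set to "Use any authentication protocol"'
}

# Duplicate SPNs anywhere in the forest make the KDC unable to pick a key for the service.
& setspn -X -F
```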

Allow DC1 to access the FIM CM database on APP1

The certificate authority is not automatically granted access to the FIM CM database. In order to allow access we will now add it manually.

To allow DC1 to access the FIM CM database on APP1

  1. Log on to APP1 as corp\Administrator.

  2. Click Start, click All Programs, click Microsoft SQL Server 2008, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.

  3. On the Connect to Server dialog box, under Server Type select Database Engine.

  4. On the Connect to Server dialog box, under Server name select APP1.

  5. On the Connect to Server dialog box, under Authentication select Windows Authentication.

  6. Click Connect. This should be successful and the database information will be displayed on the left. The SQL Server Agent should have a green arrow.

  7. On the left, expand Security, right-click Logins, and then select New Login. This will bring up the Login - New screen.

  8. On the right, in the box next to Login name, enter CORP\DC1$.

    Allow DC1 access to SQL

  9. On the left, click User Mapping. Under Users mapped to this login: place a check in FIMCertificateManagement.

  10. At the bottom, under Database role for FIMCertificateManagement add a check to clmApp.

    Allow DC1 access to SQL

  11. At the bottom click OK. Close SQL Server Management Studio.
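The same grant as steps 7 through 11 expressed in T-SQL and applied with sqlcmd, so it can be reviewed and repeated: a Windows login for the CA's machine account, a user in FIMCertificateManagement, and membership in clmApp only (no db_owner or sysadmin). This is an added example, not part of the original guide; it assumes the default SQL Server instance on APP1 as in the guide, that the caller is a Windows login with sysadmin rights, and that sqlcmd is on the path.

```powershell
# Added example (not from the original guide). Run on APP1 as corp\Administrator.
$sql = @'
SET NOCOUNT ON;
-- Server-level login for the CA's machine account: Windows authentication, no password.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\DC1$')
    CREATE LOGIN [CORP\DC1$] FROM WINDOWS;

USE FIMCertificateManagement;
-- Database user mapped to that login (the "User Mapping" page of Login - New).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\DC1$')
    CREATE USER [CORP\DC1$] FOR LOGIN [CORP\DC1$];

-- Only the clmApp role: the CA's Exit Module needs nothing beyond it.
-- (sys.database_role_members is used because IS_ROLEMEMBER does not exist on SQL 2008.)
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_role_members AS m
    JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
    WHERE r.name = N'clmApp' AND u.name = N'CORP\DC1$')
    EXEC sp_addrolemember N'clmApp', N'CORP\DC1$';

-- Verification: list every database role the new user holds (expect only clmApp).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CORP\DC1$';
'@

# Write the batch to a file; -E = Windows Authentication (step 5), -b = non-zero exit on error.
$scriptFile = Join-Path $env:TEMP 'grant-dc1-clmapp.sql'
Set-Content -Path $scriptFile -Value $sql
& sqlcmd -S APP1 -E -b -i $scriptFile
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
```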

Obtain the FIM CM Agent account hash

The certificate authority does not automatically have the FIM CM Agent account hash added to the Policy Module. This must be done manually. In order to accomplish this we will acquire the FIM CM Agent’s certificate hash.

To Obtain the FIM CM Agent account hash

  1. Log on to FIMCM1 as corp\Administrator.

  2. Navigate to the following directory C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web.

    FIM CM Agent Hash

  3. Locate the web.config file, right-click and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed programs and click OK.

  4. Select Notepad and click OK. This will open the config file in notepad.

  5. At the top, select Edit, Find, and enter Clm.SigningCertificate.Hash in the box. Click Find Next.

    FIM CM Agent Hash

  6. When this stops you will see the Clm.SigningCertificate.Hash and a Value next to it. Highlight the hash value, right-click and select copy.

    FIM CM Agent Hash

  7. Now click the Start, select All Programs, select Accessories and select Notepad. This will open up notepad.

  8. Paste the hash value into notepad. Then at the top select File and Save. This will bring up the Save As dialog box.

    FIM CM Agent Hash

  9. At the top of the Save As dialog box, remove Libraries\Documents and replace it with \\DC1\C$.

  10. In the File name: box, enter fimcmagenthash and click Save. This will save the notepad file to the C:\ drive on DC1.

    FIM CM Agent hash

  11. Close the web.config file.

    Important

    Be aware that the value of your certificate hash will differ from the one in the screenshots.
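The copy-and-paste in steps 2 through 10 done as a script, with one check the manual route lacks: the value is normalized and rejected unless it is exactly 40 hex digits, so stray whitespace or separators never reach the Policy Module's hash box. This is an added example, not part of the original guide; it assumes the hash is stored in web.config as an add element whose key attribute is Clm.SigningCertificate.Hash (located by key wherever it sits in the file) and that the hash is a SHA-1 thumbprint.

```powershell
# Added example (not from the original guide). Run on FIMCM1 as corp\Administrator.
$webConfig = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config'
$outFile   = '\\DC1\C$\fimcmagenthash.txt'   # same destination as steps 9 and 10

$xml = New-Object System.Xml.XmlDocument
$xml.Load($webConfig)
# Assumption: <add key="Clm.SigningCertificate.Hash" value="..."/>; matched by key only.
$node = $xml.SelectSingleNode("//add[@key='Clm.SigningCertificate.Hash']")
if (-not $node) { throw "Clm.SigningCertificate.Hash not found in $webConfig" }

# Strip anything that is not a hex digit (spaces or colons picked up by a GUI copy) and
# refuse the value unless it is a 40-digit SHA-1 thumbprint, the form the CA expects.
$raw  = $node.GetAttribute('value')
$hash = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hash -notmatch '^[0-9A-F]{40}$') { throw "Unexpected hash format in web.config: '$raw'" }

# Write without a trailing newline so a later copy from the file is clean
# (Set-Content on PowerShell 2.0 has no -NoNewline, hence .NET here).
[System.IO.File]::WriteAllText($outFile, $hash)
Write-Host "Wrote $hash to $outFile"
```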

Configure FIM CM Exit Module on DC1

Now we need to configure the Certificate Authority Exit Module. This is done by adding a SQL connection string and will allow the CA and the FIM CM database to communicate.

To Configure FIM CM Exit Module on DC1

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, click Administrative Tools, and then click Server Manager.

  3. In Server Manager, expand Roles, expand Active Directory Certificate Services, right-click corp-DC1-CA and select Properties. This will bring up the corp-DC1-CA properties.

  4. At the top, click the Exit Module tab. This may take a second or two to refresh.

    Exit Module 1

  5. On the Exit Module tab, click on FIM CM Exit Module so that it is selected and then click the Properties button. This will bring up a Configuration Properties dialog box.

  6. In the box under Specify FIM CM database connection string, enter: Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=APP1

    Exit Module 2

  7. Click Apply. This will bring up a box that says the CA needs to be restarted for the changes to take effect. Click OK.

  8. Click OK to close the Configuration Properties.

Configure FIM CM Policy Module on DC1

Now we need to configure the Certificate Authority Policy Module. This is done by adding the FIM CM certificate hash to the Policy Module's list of valid signing certificates.

To Configure FIM CM Policy Module on DC1

  1. Navigate to the C:\ drive and open the fimcmagenthash.txt file. Highlight the hash, right-click and select copy.

  2. Back in the properties of corp-DC1-CA, click the Policy Module tab. This may take a moment to refresh.

    Policy Module

  3. Click the Properties button. This will bring up the Configuration Properties dialog box.

  4. At the top, click the Signing Certificates tab. Click Add. This will bring up a Certificate dialog box.

  5. In the box under Please specify hex-encoded certificate hash:, paste the value you just copied from the notepad. Click OK. This may take a moment.

    Policy Module

  6. You should now see the value of the hash under Valid Signing Certificates. Click Apply. This will bring up a box that says the CA needs to be restarted for the changes to take effect. Click OK.

    Policy Module

  7. Click OK to close the Configuration Properties.

  8. Click OK to close the corp-DC1-CA properties.

  9. Back in Server Manager, right-click corp-DC1-CA, select All Tasks and Stop Service.

    Policy Module

  10. Once the service has stopped, right-click corp-DC1-CA, select All Tasks and Start Service.

  11. Once the service has started close Server Manager.

Add the FIM CM Web Portal URL to Local Intranet Sites for CORP\Administrator

In this step you will add the FIM CM Web Portal URL to the local intranet sites.

To add the FIM Portal URL to Local Intranet Sites

  1. Log on to FIMCM1 as CORP\Administrator.

  2. Click Start, click All Programs, and then click Internet Explorer (64-bit).

  3. At the top of Internet Explorer, under Tools, click Internet Options.

  4. Click the Security tab and select Local intranet from the Select a zone to view or change security settings box.

  5. Click Sites to show a Local intranet window. Click Advanced.

  6. In the Add this website to the zone: box, type https://fimcm1. Click Add.

  7. Place a check in Require server verification (https:) for all sites in this zone and click Close. Click OK.

  8. Click OK to close the Internet Options dialog box.