Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration

Authored By: Bill Mathers

A downloadable version of this document is available at Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration.

Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration allows a manager to initiate a smart card request; the domain user then logs on to the FIM CM web portal to execute the request. In this model, only the manager can initiate the request, and the user can execute it only once the one-time password challenge has been satisfied. The user receives the one-time password via e-mail.

In this model, the following process is implemented:

  1. A user’s new manager initiates a smart card request on the user’s first day.

  2. An e-mail is sent to the user with a one-time secret password.

  3. The user receives the e-mail then logs on to the FIM CM web portal and executes the request.

  4. The user can now use their new smart card.

Delegated Smart Card Flow

This document will demonstrate how to enable this functionality in a test lab.
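The four-step process above relies on three controls: only the manager can initiate a request, only the request's subject can execute it, and execution requires a one-time password that is consumed on first successful use. The following Python model is an added example written for this page; it is not FIM CM code and does not reflect how the FIM CM portal stores requests. The directory entries, e-mail addresses, request identifiers and the 24-hour validity window are all constructed assumptions.

```python
"""Added example (not part of the Test Lab Guide and not FIM CM code): a small
model of the delegated smart card registration flow. A manager initiates a
request, an OTP is mailed to the subject, and only the subject can execute the
request by presenting that OTP once, before it expires."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical directory data, constructed for this example.
DIRECTORY = {
    "alice": {"manager": None, "email": "alice@corp.contoso.com"},
    "bob": {"manager": "alice", "email": "bob@corp.contoso.com"},
    "carol": {"manager": "alice", "email": "carol@corp.contoso.com"},
}

OTP_TTL_SECONDS = 24 * 3600  # assumed validity window for the one-time password


@dataclass
class Request:
    request_id: str
    subject: str
    initiated_by: str
    otp_hash: bytes  # only a hash of the OTP is kept server-side
    expires_at: float
    executed: bool = False


@dataclass
class Outbox:
    """Stands in for the e-mail server; records (recipient, request_id, otp)."""
    sent: list = field(default_factory=list)


class DelegatedRegistration:
    def __init__(self, outbox, now=time.time):
        self.outbox = outbox
        self.now = now  # injectable clock so expiry can be tested
        self.requests = {}
        self.audit = []

    def _hash_otp(self, request_id, otp):
        # Bind the hash to the request id so an OTP cannot satisfy another request.
        return hashlib.sha256(f"{request_id}:{otp}".encode()).digest()

    def initiate(self, manager, subject):
        """Steps 1 and 2: the manager opens a request; the OTP is mailed to the subject."""
        if DIRECTORY.get(subject, {}).get("manager") != manager:
            self.audit.append(f"DENY initiate for {subject} by {manager}: not the manager")
            raise PermissionError("only the user's manager may initiate a request")
        request_id = secrets.token_hex(8)
        otp = secrets.token_urlsafe(12)
        self.requests[request_id] = Request(
            request_id=request_id, subject=subject, initiated_by=manager,
            otp_hash=self._hash_otp(request_id, otp),
            expires_at=self.now() + OTP_TTL_SECONDS,
        )
        self.outbox.sent.append((DIRECTORY[subject]["email"], request_id, otp))
        self.audit.append(f"INITIATE {request_id} for {subject} by {manager}")
        return request_id

    def execute(self, user, request_id, otp):
        """Step 3: the subject logs on and executes the request with the OTP."""
        req = self.requests.get(request_id)
        if req is None or req.subject != user:
            self.audit.append(f"DENY execute {request_id} by {user}: not the subject")
            return False
        if req.executed or self.now() > req.expires_at:
            self.audit.append(f"DENY execute {request_id} by {user}: used or expired")
            return False
        if not hmac.compare_digest(req.otp_hash, self._hash_otp(request_id, otp)):
            self.audit.append(f"DENY execute {request_id} by {user}: bad OTP")
            return False
        req.executed = True  # step 4: card issued; the OTP can never be replayed
        self.audit.append(f"EXECUTE {request_id} by {user}")
        return True


def demo():
    """Runs the flow once and returns which checks held."""
    outbox = Outbox()
    svc = DelegatedRegistration(outbox)
    rid = svc.initiate("alice", "bob")
    otp = outbox.sent[-1][2]
    results = {
        "other_user_cannot_execute": svc.execute("carol", rid, otp),
        "wrong_otp_rejected": svc.execute("bob", rid, "wrong"),
        "subject_executes": svc.execute("bob", rid, otp),
        "otp_replay_rejected": svc.execute("bob", rid, otp),
    }
    try:
        svc.initiate("bob", "carol")
        results["non_manager_initiate_blocked"] = False
    except PermissionError:
        results["non_manager_initiate_blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit list is where a defender would look: every denied attempt records the request, the caller and the reason, which is the minimum needed to notice a user executing someone else's request or an OTP being replayed.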

In This Guide

This guide contains instructions for setting up a test lab based on the Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration. This is achieved by configuring Forefront Identity Manager 2010 Certificate Management using the environment that was built out in the preceding test lab guides. This lab also requires a client machine, CLIENT2, with a smart card reader. For purposes of this guide, a stand-alone physical computer was used. This was required because Hyper-V does not allow for the use of USB devices and the smart card reader that was used is a USB smart card reader. The smart card reader that is used in this lab is a Gemalto GemPC Twin, but any smart card reader should work as long as the smart card reader is installed, has the correct drivers, and is working properly.

Important

This lab also requires a physical smart card. The smart cards that were used in this lab were Gemalto .NET v2+. However, any smart card that is supported by FIM CM should work provided the appropriate mini-driver or middleware is installed.

The following is a brief explanation of why the x86 FIM CM client is used on an x64 OS when a 64-bit FIM CM client is available. The reason we are installing the x86 version is that the default version of Internet Explorer on Windows 7 is the 32-bit version, and there currently is not a way to designate the default browser for Windows 7. Later in this guide we will demonstrate the manager-initiated workflow, and it will error out if we are using the 64-bit version of the client: when you click the link that is sent via e-mail, it launches the 32-bit version of IE, which does not have the ActiveX control installed if you installed the 64-bit client.

Attempting to adapt this Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation for your pilot or production Forefront Identity Manager 2010 Certificate Management deployment, use the information in Deployment (https://go.microsoft.com/fwlink/?LinkId=210866).

Test Lab Overview

In this test lab, Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration is deployed with:

  • One new client running Windows® 7 Professional Edition x64 named CLIENT2.

  • One preexisting server running the FIM CM Portal named FIMCM1.

  • One preexisting server running SQL Server® 2008 Enterprise with Service Pack 2, named APP1.

  • One preexisting server running Windows Server® 2008 R2 Enterprise Edition, named DC1.

The Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab uses the following subnet:

  • The intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24).

Computers on each subnet connect using a hub or switch. See the following figure.

Smart Card Self-Service Architecture

This test lab will guide you through the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration configuration process. The purpose of this test lab is to allow for the creation of a basic test lab environment that consists of Forefront Identity Manager 2010 Certificate Management User Smart Card Self-Service.

Hardware and Software Requirements

The following table provides a list of the software used in this guide.

Software | Additional information

  • Forefront Identity Manager 2010 Certificate Management Client | Forefront Identity Manager 2010 (https://go.microsoft.com/fwlink/?LinkId=204577).

  • Forefront Identity Manager 2010 Certificate Management Client Update (KB978864) | This is a recommended update for the RTM of Forefront Identity Manager 2010 Certificate Management. This release provides additional product fixes since the last update release. (https://go.microsoft.com/fwlink/?LinkId=20457)

  • Gemalto GemPC Twin Smart Card Reader Software | Gemalto GemPC Twin Smart Card Reader (https://support.gemalto.com/?id=46)

  • Gemalto .NET v2+ Smart Card Minidriver | Gemalto .NET v2+ Smart Card Minidriver (https://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto minidriver net)

The following table provides a list of the hardware used in this guide.

Hardware | Additional information

  • Gemalto GemPC Twin Smart Card Reader | Gemalto GemPC Twin Smart Card Reader (https://support.gemalto.com/?id=46).

  • Gemalto .NET v2+ Smart Card | Gemalto .NET v2+ Smart Card (https://www.gemalto.com/products/dotnet_card/)

  • Physical computer for CLIENT2 | This is to allow for the use of the USB smart card reader. Hyper-V does not support the use of USB devices.

Steps for Configuring the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration Test Lab

There are eight steps to follow when setting up the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab based on the Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration.

  • Step 1: Set up the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.

  • Step 2: Set up the Exchange Server 2010 with Service Pack 1 TLG—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for FIM CM.

  • Step 3: Set up the SQL Server 2008 Enterprise with Service Pack 2 TLG—The third step is to complete the SQL Server 2008 Enterprise with Service Pack 2 test lab guide. This provides the database server for your FIM CM installation.

  • Step 4: Set up the Forefront Identity Manager 2010 TLG—The fourth step is to complete the Forefront Identity Manager 2010 test lab guide. This provides FIM to the test lab environment.

  • Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM TLG—The fifth step is to complete the FIM CM with Constrained Delegation, Update 1, and FIM test lab guide. This provides FIM CM to the test lab environment.

  • Step 6: Configure CLIENT2—The sixth step walks you through configuring CLIENT2, joining the domain and installing the FIM CM client.

  • Step 7: Configure FIM CM for Delegated Smart Card Registration—The seventh step walks you through configuring FIM CM to enable delegated registration.

  • Step 8: Verify Delegated Smart Card Registration—The eighth step includes verifying that delegated registration is working successfully.

This guide provides steps for configuring the computers of Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration. The following sections provide details about how to perform these tasks.