Introduction to FIM CM

Applies To: Forefront Identity Manager 2010

Prerequisite Knowledge

This document assumes that you have a basic understanding of Microsoft® Forefront® Identity Manager (FIM) 2010, Active Directory, and Certificate Services.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Audience

This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to deploy Microsoft® Forefront® Identity Manager (FIM) 2010 using Certificate Management.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete.

Note

These time estimates assume that the testing environment is already configured for the scenario and do not include the time required to set up the test environment.

Scenario Description

Fabrikam, a fictitious company, wants to evaluate Microsoft® Forefront Identity Manager Certificate Management (FIM CM).

The Testing Environment

The scenario outlined in this document has been developed and tested on a stand-alone computer running 64-bit Windows 2008 Server with Hyper-V. The server has two 3.0 GHz dual-core processors and 4 GB of RAM. Using Hyper-V, the following three virtual machines were created on the host.


Table 1 Virtual Machines and Roles

Name | Memory | Operating System | Description
QS-DC.Fabrikam.com | 512 MB | 64-bit Windows 2008 Server | Domain Controller
QS-FIMCM.Fabrikam.com | 2048 MB | 64-bit Windows 2008 Server | FIM – Certificate Management, Certificate Services, SQL 2008, IIS 7.0
QS-Vista.Fabrikam.com | 1024 MB | 64-bit Vista Enterprise | Client

Hyper-V is not a requirement to complete the steps outlined below. The steps can be implemented on physical computers as long as they reflect the same roles as the table above.

Before You Begin

This document only covers the basic certificate functionality of FIM. It is designed to get you quickly up and running in a test environment so that the product can be evaluated. This document does not cover using FIM Certificate Management with smart cards. For further information on smart cards, see Introduction to Certificate Management Smartcards in the FIM 2010 document set.

This document makes some assumptions and requires the following to be true prior to completing the steps outlined below. It assumes that there is a fabrikam.com Active Directory forest already in place, that QS-DC is the domain controller for this forest, and that QS-FIMCM and QS-Vista are joined to this domain. Setting up an Active Directory forest is outside the scope of this document.

Software Requirements

The following table summarizes the software that is required to implement the procedures in this document.

Table 2 Software requirements for FIM CM

Software Description

Certification authority (CA)

FIM CM requires at least one of the following: 32-bit Microsoft® Windows Server® 2003, Enterprise Edition CA, 32-bit Microsoft Windows® Server 2008 Enterprise Edition CA, or 64-bit Microsoft Windows® Server 2008 Enterprise Edition CA. The Certification Authority must be an Enterprise CA.

Microsoft® Forefront Identity Manager Certificate Management (FIM CM)

At least one instance of the software installed on a server that is running Microsoft Windows® 2008 Enterprise Edition.

Microsoft® SQL Server 2008

FIM CM supports Microsoft® SQL Server 2008 64-bit Enterprise, or Standard Edition.

Internet Information Services (IIS) 7.x

FIM CM uses IIS as its Web server to run the FIM CM Portal.

Microsoft® .NET Framework 3.5

FIM CM is a Microsoft .NET-connected application. You must install the Microsoft .NET Framework 3.5 on the server. If FIM CM is installed on the same server as SQL 2008 then .NET Framework 3.5 SP1 is required.

Microsoft Internet Explorer® 6.x or later

Because FIM CM requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Internet Explorer 6.x or later is required. In addition, FIM CM has advanced scripting features that are optimized for Internet Explorer.

Required Accounts

The following table summarizes the accounts and permissions required by those accounts to implement the procedures in this document.

Table 3   Required Accounts

Account Description and permissions

FIM CM Agent

Provides the following services:

  • Retrieves encrypted private keys from the CA.

  • Protects smart card PIN information in the FIM CM database.

  • Protects communication between FIM CM and the CA.

This user has the following access control settings:

  • Granted the Allow logon locally user right.

  • Granted the Issue and Manage Certificates user right.

  • Granted Read permission and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.

  • A digital signature and encryption certificate issued and installed in the user store.

FIM CM Key Recovery Agent

Recovers archived private keys from the CA.

This user has the following access control settings:

  • Granted the Allow logon locally user right.

  • Added as a member of the local Administrators group.

  • Granted Enroll permission on the KeyRecoveryAgent certificate template.

  • The Key Recovery Agent certificate is issued and installed in the user store. The certificate must be added to the list of the key recovery agents on the CA.

  • Granted Read permission and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.

FIM CM Authorization Agent

Determines user rights and permissions for users and groups.

This user has the following access control settings:

  • Added to the Pre-Windows 2000 Compatible Access domain group.

  • Granted the Generate security audits user right.

FIM CM CA Manager Agent

Performs CA management activities.

This user must be assigned the Manage CA permission.

FIM CM Web Pool Agent

Provides the identity for the IIS application pool. FIM CM runs within a Microsoft Win32® application programming interface process that uses this user’s credentials.

This user has the following access control settings:

  • Added to the local IIS_WPG group.

  • Added to the local Administrators group.

  • Granted the Generate security audits user right.

  • Granted the Act as part of the operating system user right.

  • Granted the Replace process level token user right.

  • Assigned as the identity of the IIS application pool, CLMAppPool.

  • Granted Read permission on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser registry key.

  • This account must also be trusted for delegation.

FIM CM Enrollment Agent

Performs enrollment on behalf of a user. This user has the following access control settings:

  • An Enrollment Agent certificate that is issued and installed in the user store.

  • Granted the Allow logon locally user right.

  • Granted the Enroll permission on the Enrollment Agent certificate template (or the custom template, if one is used).

Britta Simon

Generic user who will be used to test our implementation.

Group Requirements

The following table summarizes the Active Directory groups that are required to implement the procedures in this document.

Table 4 Required Groups

Group | Remark
FIM CM Subscribers | A group of all users that will access FIM CM for certificate services

Implementing the Procedures in this Document

To implement the procedures in this document, you complete the following steps in the order shown:

  1. Installing IIS 7.0

  2. Installing the .NET Framework 3.5 SP1

  3. Deploying Windows Server 2008 Certificate Services

  4. Publishing the Key Recovery Agent and Enrollment Agent certificate template at the Certification Authority

  5. Installing SQL 2008

  6. Extending the Active Directory Schema

  7. Create the FIMCMObjects container

  8. Create the Active Directory User Accounts

  9. Create and configure the FIM CM Subscribers group

  10. Add our test user to the FIM CM Subscribers group

  11. Installing Forefront Identity Manager – Certificate Management

  12. Configuring Forefront Identity Manager – Certificate Management

  13. Trust the FIMCMWebAgent Account for Delegation

  14. Disable Internet Explorer Enhanced Security for Administrators

  15. Disable Kernel-mode Authentication

  16. Create and configure the Fabrikam User Profile Template

  17. Assign FIM CM Subscribers permissions to the Service Connection Point

  18. Assign FIM CM Subscribers permissions to the Fabrikam User Profile Template

  19. Assign FIM CM Subscribers permissions to the User Certificate Template

  20. Add the Microsoft Forefront Identity Manager Certificate Management site to Trusted Sites in Internet Explorer

  21. Enable Initialize and script ActiveX controls not marked as safe for signing

  22. Test the implementation

Later topics provide more detail about these steps.

Install Internet Information Services 7.0

The following steps will show you how to set up a basic installation of IIS 7.0 for use with FIM CM. The following tables summarize the individual pieces of IIS 7.0 that need to be installed.

Table 5 Required IIS 7.0 Web Server Role Services

Role Service Required Features

Common HTTP Features

  • Static Content

  • Default Document

  • Directory Browsing

  • HTTP Errors

  • HTTP Redirection

Application Development

  • ASP .NET

  • .NET Extensibility

  • ISAPI Extensions

  • ISAPI Filters

Health and Diagnostics

  • HTTP Logging

  • Request Monitor

Security

  • Windows Authentication

  • Request Filtering

Performance

  • Static Content Compression

  • Dynamic Content Compression

Table 6 Required IIS 7.0 Management Tools Role Services

Role Service Required Features

IIS Management Console

To install Internet Information Services 7.0

  1. Log on to the QS-FIMCM Server as Administrator

  2. From the Start button, select Server Manager.

  3. From the Server Manager screen, right-click Roles, and then select Add Roles from the drop-down.

  4. From the Add Roles Wizard, on the Before You Begin screen, click Next.

  5. From the Server Roles screen, place a check in Web Server (IIS). Click Next.

    Note

    This will bring up a small pop-up box with the title of Add features required for Web Server (IIS). Click the Add Required Features button. This will add the Windows Process Activation Service.

  6. Click Next.

  7. From the Web Server (IIS) screen, click Next.

  8. From the Role Services screen, place a check in all of the items that are listed in tables 5 and 6 above if there is not one already present.

    Note

    When you select ASP.NET this will bring up a pop-up box with the title Add features required for Web Server (IIS). Click the Add Required Features button. This will automatically select ISAPI Extensions, ISAPI Filters, and .NET Extensibility. This will also add the .NET Environment to the Windows Process Activation Service.

  9. Click Next.

  10. From the Confirmation screen, review the information and click Install.

  11. When the installation is complete, from the Results screen, click Close.

  12. Close Server Manager.

Installing the .NET Framework 3.5 SP1

The following steps will show you how to set up the .NET Framework 3.5 SP1.

To install the .NET Framework 3.5 SP1

  1. Log on to the QS-FIMCM Server as Administrator

  2. On the QS-FIMCM server, download the .NET 3.5 Framework from the following location: https://go.microsoft.com/fwlink/?LinkID=185469.

  3. Once that is complete, double-click on the dotnetfx35.exe file.

  4. On the Welcome to Setup screen, after reading the License Agreement, select I have read and ACCEPT the terms in the License Agreement box and click Install.

  5. When the installation is complete, on the Setup Complete screen, click Exit.

  6. On the restart server screen, click restart now.

Deploying Microsoft Certificate Services

The following steps will show you how to set up Microsoft Certificate Services on the QS-FIMCM server.

To Install Microsoft Certificate Services

  1. Log on to the QS-FIMCM Server as Administrator

  2. From the Start button, select Server Manager.

  3. From the Server Manager screen, right-click Roles, and then select Add Roles from the drop-down.

  4. From the Add Roles Wizard, on the Before You Begin screen, click Next.

  5. From the Server Roles screen, place a check in Active Directory Certificate Services. Click Next.

  6. From the AD CS screen, click Next.

  7. From the Role Services screen, make sure there is a check in Certification Authority and click Next.

  8. From the Setup Type screen, make sure that Enterprise is selected and click Next.

  9. From the CA Type screen, make sure that Root CA is selected and click Next.

  10. From the Private Key screen, make sure that Create a new private key is selected and click Next.

  11. From the Cryptography screen, leave the defaults and click Next.

  12. From the CA Name screen, leave the defaults and click Next.

  13. From the Validity Period screen, leave the defaults and click Next.

  14. From the Certificate database screen, leave the defaults and click Next.

  15. From the Confirmation screen, review the information and click Install.

  16. When the installation is complete, from the Results screen, click Close.

  17. Close Server Manager.

Publishing the Key Recovery Agent and Enrollment Agent certificate template at the Certification Authority

This section lists the steps for publishing the certificate template at the Certification Authority.

To publish the certificate templates at the Certification Authority

  1. From the Start button, select Administrative Tools and Certification Authority.

  2. This will open the certsrv mmc. Expand fabrikam-QS-FIMCM-CA.

  3. Right-click Certificate Templates and select New and Certificate Template to Issue.

  4. From the list, hold down the Ctrl key, and select Enrollment Agent and Key Recovery Agent. Click OK.

  5. Verify these are now in the list of Certificate Templates. Close the certsrv mmc.

Installing SQL 2008

The following steps will show you how to set up a basic installation of SQL 2008 for a lab environment. The following table summarizes the required SQL 2008 features.

Table 7 Required SQL 2008 Features

Feature Remarks

Database Engine Services

  • SQL Server Replication

  • Full-Text Search

Management Tools - Basic

  • Management Tools - Complete

To install SQL 2008

  1. Log on to the QS-FIMCM Server as Administrator.

  2. Place the SQL 2008 installation media in the CD drive.

  3. From the AutoPlay window that pops up, select Run SETUP.EXE.

  4. This will bring up another pop-up window that says the following. SQL Server 2008 setup requires Microsoft .NET Framework and an updated Windows Installer to be installed. To install these prerequisites and continue with Setup, click Ok. To exit Setup, click Cancel. Click OK.

  5. This will bring up the Windows Update Standalone Installer window and will ask to install a hotfix for Windows (KB942288). Click OK.

  6. When the installation is complete, click Restart Now.

  7. Once the QS-FIMCM server has rebooted, log on again as Administrator.

  8. From the Start button, select Computer.

  9. Double-click the CD Drive with the SQL 2008 installation media.

  10. From the SQL Server Installation Center screen, click Installation.

  11. From the right, select New SQL Server stand-alone installation or add features in an existing installation. This will bring up the SQL Server 2008 Setup wizard. This wizard will run some pre-requisite checks.

  12. Once the SQL Server 2008 Setup Wizard is done running the pre-requisite checks it should show Passed: 6. Click OK to continue. This wizard will close.

  13. A new setup wizard will open to the Product Key screen. Enter your product key and click Next.

  14. From the License Terms screen, after reading the License Agreement, select I accept the license terms box and click Next.

  15. From the Setup Support Files screen, click Install.

  16. Once this completes, a new wizard will appear. From the Setup Support Rules screen, click Next.

  17. From the Feature Selection screen, place a check in the items listed above in table 7 and click Next.

  18. From the Instance Configuration screen, leave the defaults and click Next.

  19. From the Disk Space Requirements screen, leave the defaults and click Next.

  20. From the Server Configuration screen, click the Use the same account for all SQL Server services button.

  21. From the Use the same account for all SQL Server services screen, next to Account Name, enter fabrikam\Administrator. Next to password, enter the Administrator’s password. Click Ok.

  22. Click Next.

  23. From the Database Engine Configuration screen, click the Add Current User button and then click Next.

  24. From the Error and Usage Reporting screen, leave the defaults and click Next.

  25. From the Installation Rules screen, leave the defaults and click Next.

  26. From the Ready to Install screen, click Install.

  27. When the installation is complete, from the Installation Progress screen, click Next.

  28. From the Complete screen, click Close.

Extending the Active Directory Schema

This section lists the steps for extending the Active Directory schema.
To simplify the process of extending the Active Directory schema, you use the Visual Basic script file that ships with Identity Lifecycle Manager 2007.

To extend the Active Directory Schema

  1. Log on to the QS-DC Server as Administrator.

  2. Place the FIM installation media in the CD drive.

  3. From the Start button, select Computer.

  4. Right-click the CD Drive with the FIM installation media and select Explore.

  5. In the Certificate Management installation folder, double-click the x64 folder, and open the Schema folder.

  6. In the Schema folder there are the following two files, CLM.LDIF and ModifySchema.vbs. To update the Active Directory schema, double-click the ModifySchema.vbs file.

  7. To finalize the schema extension process, click OK in the Success dialog box.

Create the FIMCMObjects container in Active Directory

This section lists the steps for creating the FIMCMObjects container in Active Directory. This organizational unit will be the container for the additional Active Directory objects that are required.

To create the FIMCMObjects container

  1. Log on to the QS-DC Server as Administrator.

  2. From the Start button, select Administrative tools, then Active Directory Users and Computers.

  3. Right-click fabrikam.com, select New and then select Organizational Unit. This will bring up the New Object – Organizational Unit window.

  4. On the New Object – Organizational Unit screen, in the Name box, enter FIMCMObjects and click OK.

  5. Close Active Directory Users and Computers.

Create the Active Directory User Accounts

This section lists the steps for creating the Active Directory user accounts that are used in this scenario. Seven accounts in total will be created. FIM CM uses six accounts to perform its various operations; detailed information on these accounts is provided in table 3 above. One further account will be used to simulate a regular user. Table 8, below, summarizes the accounts that will be created.

Note

You can allow the FIM CM Configuration Wizard to automatically create the six accounts that are required. However, since it is best practice in a production environment to create these accounts manually and ensure that they have replicated prior to running the Configuration Wizard, this approach will be used.

Table 8 Account Summary

First Name | Last Name | User logon name | Password
FIM CM Agent | | FIMCMAgent | Pass1word!
FIM CM Key Recovery Agent | | FIMCMKRAgent | Pass1word!
FIM CM Authorization Agent | | FIMCMAuthAgent | Pass1word!
FIM CM CA Manager Agent | | FIMCMManagerAgent | Pass1word!
FIM CM Web Pool Agent | | FIMCMWebAgent | Pass1word!
FIM CM Enrollment Agent | | FIMCMEnrollAgent | Pass1word!
Britta | Simon | bsimon | Pass1word!

To create the Active Directory User Accounts

  1. Log on to the QS-DC Server as Administrator.

  2. From the Start button, select Administrative tools, then Active Directory Users and Computers.

  3. Expand fabrikam.com, right-click FIMCMObjects, select New and then select User. This will bring up the New Object – User window.

  4. On the New Object – User screen, in the First Name box, enter FIM CM Agent.

  5. On the New Object – User screen, in the User logon box, enter FIMCMAgent and click Next.

  6. On the New Object – User screen, in the Password box, enter Pass1word!.

  7. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.

  8. On the New Object – User screen, remove the check from User must change password at next logon.

  9. On the New Object – User screen, add a check to Password never expires and click Next.

  10. Click Finish.

  11. Repeat these steps for all of the accounts listed in table 8 above.

Create the Active Directory Group Accounts

This section lists the steps for creating the Active Directory group account that is used in this scenario. One group account will be created for this scenario.

Table 9 Group Account Summary

Group Name | Group Scope | Group Type
FIM CM Subscribers | Global | Security

To create the Active Directory Group Object

  1. Log on to the QS-DC Server as Administrator.

  2. From the Start button, select Administrative tools, then Active Directory Users and Computers.

  3. Expand fabrikam.com, right-click FIMCMObjects, select New and then select Group. This will bring up the New Object – Group window.

  4. On the New Object – Group screen, in the Group Name box, enter FIM CM Subscribers.

  5. On the New Object – Group screen, make sure the Group Scope is Global.

  6. On the New Object – Group screen, make sure the Group Type is Security.

  7. Click OK.

Add our test user to the FIM CM Subscribers group

This section lists the steps for adding the test user, Britta Simon, to the FIM CM Subscribers group.

To add Britta Simon to the FIM CM Subscribers group

  1. Log on to the QS-DC Server as Administrator.

  2. From the Start button, select Administrative tools, then Active Directory Users and Computers.

  3. Expand fabrikam.com, select FIMCMObjects, right-click FIM CM Subscribers and then select Properties. This will bring up the FIM CM Subscribers Properties window.

  4. Click the Members tab, and click the Add button. This will bring up the Select Users, Contacts, Computers, or Groups screen.

  5. In the Enter the object names to select box, enter Britta Simon, and then click Check Names. The name should resolve and appear underlined.

  6. Click OK.

  7. Click Apply.

  8. Click OK.

  9. Close Active Directory Users and Computers.
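The three account and group procedures above (the FIMCMObjects container, the accounts in Table 8, the group in Table 9 and Britta Simon's membership) can also be scripted. The following PowerShell is an added example, not part of the original page; it assumes a domain-joined host with the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later), whereas the page's own lab uses the Server 2008 GUI, and it prompts for the lab password instead of embedding it.

```powershell
# Added example: scripts the FIMCMObjects OU, the seven accounts in Table 8,
# the FIM CM Subscribers group in Table 9 and Britta Simon's membership.
# Assumption (not from the page): the ActiveDirectory module is available
# (RSAT on Windows Server 2008 R2 or later); the page's lab uses the GUI.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName        # e.g. DC=fabrikam,DC=com
$upnSuffix = $domain.DNSRoot                  # e.g. fabrikam.com
$ouDn      = "OU=FIMCMObjects,$domainDn"

# The page's lab password (Pass1word!) is typed once here instead of being
# stored in the script; production accounts should each get a unique one.
$password = Read-Host -Prompt 'Initial password for the lab accounts' -AsSecureString

# First name / logon name pairs from Table 8. Britta Simon is the only
# account with a last name; the six agent accounts have none.
$accounts = @(
    @{ Given = 'FIM CM Agent';                Sam = 'FIMCMAgent' },
    @{ Given = 'FIM CM Key Recovery Agent';   Sam = 'FIMCMKRAgent' },
    @{ Given = 'FIM CM Authorization Agent';  Sam = 'FIMCMAuthAgent' },
    @{ Given = 'FIM CM CA Manager Agent';     Sam = 'FIMCMManagerAgent' },
    @{ Given = 'FIM CM Web Pool Agent';       Sam = 'FIMCMWebAgent' },
    @{ Given = 'FIM CM Enrollment Agent';     Sam = 'FIMCMEnrollAgent' },
    @{ Given = 'Britta'; Surname = 'Simon';   Sam = 'bsimon' }
)

# "Create the FIMCMObjects container": create the OU only if it is missing.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'FIMCMObjects'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name 'FIMCMObjects' -Path $domainDn
    Write-Host "Created $ouDn"
}

# Steps 3-11 of "Create the Active Directory User Accounts", once per row of Table 8.
foreach ($a in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") {
        Write-Host "Account $($a.Sam) already exists, skipping"
        continue
    }
    $displayName = if ($a.Surname) { "$($a.Given) $($a.Surname)" } else { $a.Given }
    $params = @{
        Name                  = $displayName
        GivenName             = $a.Given
        SamAccountName        = $a.Sam
        UserPrincipalName     = "$($a.Sam)@$upnSuffix"
        Path                  = $ouDn
        AccountPassword       = $password
        Enabled               = $true
        ChangePasswordAtLogon = $false   # step 8: clear "User must change password at next logon"
        PasswordNeverExpires  = $true    # step 9: check "Password never expires"
    }
    if ($a.Surname) { $params.Surname = $a.Surname }
    New-ADUser @params
    Write-Host "Created $displayName ($($a.Sam)) in $ouDn"
}

# Table 9: a global security group in the same OU.
if (-not (Get-ADGroup -Filter "Name -eq 'FIM CM Subscribers'")) {
    New-ADGroup -Name 'FIM CM Subscribers' -SamAccountName 'FIM CM Subscribers' `
        -GroupScope Global -GroupCategory Security -Path $ouDn `
        -Description 'All users that will access FIM CM for certificate services'
    Write-Host 'Created group FIM CM Subscribers'
}

# "Add our test user to the FIM CM Subscribers group", skipped if already a member.
$members = Get-ADGroupMember -Identity 'FIM CM Subscribers' | ForEach-Object { $_.SamAccountName }
if ($members -notcontains 'bsimon') {
    Add-ADGroupMember -Identity 'FIM CM Subscribers' -Members 'bsimon'
    Write-Host 'Added bsimon to FIM CM Subscribers'
}
```

Run it once on QS-DC (or any host with RSAT) as a domain administrator; re-running is safe because every object is checked for existence first.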

Installing Forefront Identity Manager – Certificate Management

The following steps will show you how to install the FIM CM binaries.

To install Forefront Identity Manager – Certificate Management

  1. Log on to the QS-FIMCM Server as Administrator.

  2. Place the FIM installation media in the CD drive.

  3. From the splash screen, under Forefront Identity Manager Certificate Management, select Install Certificate Management 64 bit.

    Note

    You may receive a pop-up that says the following. Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer? For this scenario you can safely ignore this warning and click Yes.

  4. This will bring up the File Download – Security Warning screen that will ask you Do you want to save this file? Click Run.

  5. This will bring up the Internet Explorer – Security Warning screen that will ask you Do you want to run this software? The software name will be Certificate Management.msi. Click Run.

  6. This will bring up the Forefront Identity Manager Certificate Management setup wizard. On the welcome screen, click Next.

  7. From the End-User License Agreement screen, after reading the License Agreement, select I accept the terms in the license agreement box and click Next.

  8. From the Custom Setup screen, leave the defaults and click Next.

  9. From the Virtual Web Folder screen, leave the default of CertificateManagement for the Virtual folder and click Next.

  10. From the Install Forefront Identity Manager Certificate Management screen, click Install.

  11. When the installation is complete, click Finish.

Run the Certificate Manager Config Wizard

The following steps will show you how to configure FIM CM.

To run the Certificate Manager Config Wizard

  1. Log on to the QS-FIMCM Server as Administrator

  2. On the QS-FIMCM server go to Start, select All Programs, click Microsoft Forefront Identity Manager and click Certificate Manager Config Wizard.

  3. From the Welcome screen, click Next.

  4. From the Certification Authority screen, leave the defaults and click Next.

  5. From the SQL Server screen, leave the defaults and click Next.

  6. From the Database screen, leave the defaults and click Next.

  7. From the Active Directory screen, leave the defaults and click Next.

  8. From the FIM CM Agent Accounts screen, take the check out of Use the FIM CM default settings and click Custom Accounts. This will bring up the Agents – FIM CM window.

  9. On the FIM CM Agent tab, enter FIMCMAgent for the User Name. In the Password and Confirm Password box enter Pass1word!. Place a check in the Use an existing user checkbox.

  10. On the Key Recovery Agent tab, enter FIMCMKRAgent for the User Name. In the Password and Confirm Password box enter Pass1word!. Place a check in the Use an existing user checkbox.

  11. On the Authorization Agent tab, enter FIMCMAuthAgent for the User Name. In the Password and Confirm Password box enter Pass1word!. Place a check in the Use an existing user checkbox.

  12. On the CA Manager Agent tab, enter FIMCMManagerAgent for the User Name. In the Password and Confirm Password box enter Pass1word!. Place a check in the Use an existing user checkbox.

  13. On the Web Pool Process Worker Agent tab, enter FIMCMWebAgent for the User Name. In the Password and Confirm Password box enter Pass1word!. Place a check in the Use an existing user checkbox.

  14. On the Enrollment Agent tab, enter FIMCMEnrollAgent for the User Name. In the Password and Confirm Password box enter Pass1word!. Place a check in the Use an existing user checkbox.

  15. Click OK, and on the FIM CM Agent Accounts screen, click Next.

  16. From the Certificates screen, leave the defaults and click Next.

  17. From the E-mail screen, leave the defaults and click Next.

  18. From the Summary screen, review the configuration and click Configure.

    Note

    This will bring up a screen that says the following. FIM CM virtual IIS directory is currently not configured to require communication over a secure channel (SSL). It is strongly recommended to configure FIM CM virtual IIS directory to require secure channel (SSL). To perform the configuration, click OK. To return to the configuration wizard, click Cancel. This message can be safely ignored. Click OK.

  19. When the configuration is complete, click Finish.

Trust the FIMCMWebAgent Account for delegation

This section lists the steps for trusting the FIMCMWebAgent account for delegation, as required by the FIM CM Web Pool Agent settings in table 3.

To trust the FIMCMWebAgent Account for delegation

  1. Log on to the QS-DC Server as Administrator.

  2. From the Start button, select Administrative tools, then Active Directory Users and Computers.

  3. Expand fabrikam.com, select FIMCMObjects, right-click FIM CM Web Pool Agent and then select Properties. This will bring up the FIM CM Web Agent Properties window.

  4. Click the Delegation tab, and select Trust this user for delegation to any service (Kerberos).

  5. Click Apply.

  6. Click OK.

  7. Close Active Directory Users and Computers.

Disable Internet Explorer Enhanced Security for Administrators

This section lists the steps for disabling Internet Explorer Enhanced Security

To disable IE ESC

  1. Log on to the QS-FIMCM Server as Administrator.

  2. From the Start button, select Server Manager.

  3. From the Server Manager screen, on the right hand side, scroll down to Security Information, and then select Configure IE ESC.

  4. From the Internet Explorer Enhanced Security Configuration screen, under Administrators, select Off.

  5. Click OK.

  6. Close Server Manager.

Disable Kernel-Mode Authentication

In order to use FIM CM with IIS 7 you must disable Kernel-mode authentication.

To disable Kernel-mode Authentication

  1. Log on to the QS-FIMCM Server as Administrator

  2. On the QS-FIMCM server go to Start, select Administrative Tools and choose Internet Information Services Manager.

  3. On the left, expand Sites, expand Default Web Site, and then click CertificateManagement.

  4. In the center pane, scroll down and double click Authentication.

  5. Right-click Windows Authentication and select Advanced Settings…

  6. Take the check out of Enable Kernel-mode authentication.

  7. Click OK.

  8. Close Internet Information Services Manager.
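The following PowerShell audit checks the outcome of the procedures above: an Enterprise CA with the Enrollment Agent and Key Recovery Agent templates published, the six agent accounts from Table 8, the FIMCMWebAgent delegation setting, Britta Simon's membership of FIM CM Subscribers, and kernel-mode authentication disabled on the CertificateManagement application. It is an added example, not from the page; it assumes it runs on QS-FIMCM as Administrator (where the CA and IIS live) with the ActiveDirectory and WebAdministration PowerShell modules available (RSAT / IIS PowerShell provider, Windows Server 2008 R2 or later).

```powershell
# Added example: audits the results of the procedures above. Assumptions
# (not from the page): runs on QS-FIMCM as Administrator, where the CA and
# IIS live, with the ActiveDirectory and WebAdministration modules available
# (RSAT / IIS PowerShell provider, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory
Import-Module WebAdministration

$results = @()
function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Result = $(if ($Ok) { 'PASS' } else { 'FAIL' }); Detail = $Detail
    }
}
# Get-WebConfigurationProperty returns an attribute object; unwrap its Value.
function AttrValue($a) { if ($a -ne $null -and $a.PSObject.Properties['Value']) { $a.Value } else { $a } }

# Table 2: FIM CM needs an Enterprise CA.
$caType = (& certutil.exe -CAInfo type) -join ' '
Check 'CA is an Enterprise CA' ($caType -match 'Enterprise') $caType

# "Publishing the Key Recovery Agent and Enrollment Agent certificate template":
# certutil -CATemplates lists published templates as "<Name>: <Display name> -- ...".
$published = & certutil.exe -CATemplates
foreach ($template in 'EnrollmentAgent', 'KeyRecoveryAgent') {
    $line = $published | Where-Object { $_ -match "^$template\s*:" }
    Check "Template $template published on CA" ($line -ne $null) "$line"
}

# Table 8: the six agent accounts exist, are enabled and never expire.
$agents = 'FIMCMAgent', 'FIMCMKRAgent', 'FIMCMAuthAgent',
          'FIMCMManagerAgent', 'FIMCMWebAgent', 'FIMCMEnrollAgent'
foreach ($sam in $agents) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
            -Properties PasswordNeverExpires, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $ok = ($u -ne $null) -and $u.Enabled -and $u.PasswordNeverExpires
    Check "Agent account $sam exists, enabled, password never expires" $ok "$($u.DistinguishedName)"

    if ($sam -eq 'FIMCMWebAgent' -and $u) {
        # "Trust the FIMCMWebAgent Account for delegation": the page selects
        # "Trust this user for delegation to any service (Kerberos)", which is
        # unconstrained delegation: TrustedForDelegation set, no target list.
        # A production deployment would normally prefer constrained delegation.
        $targets = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $unconstrained = [bool]$u.TrustedForDelegation -and ($targets.Count -eq 0)
        Check 'FIMCMWebAgent trusted for delegation to any service (Kerberos)' $unconstrained `
              "TrustedForDelegation=$($u.TrustedForDelegation), constrained targets=$($targets.Count)"
    }
}

# "Add our test user to the FIM CM Subscribers group".
$members = Get-ADGroupMember -Identity 'FIM CM Subscribers' | ForEach-Object { $_.SamAccountName }
Check 'bsimon is a member of FIM CM Subscribers' ($members -contains 'bsimon') ($members -join ', ')

# "Disable Kernel-Mode Authentication": Windows authentication must be on for
# the CertificateManagement application with kernel mode off.
$app    = 'IIS:\Sites\Default Web Site\CertificateManagement'
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$winAuth = AttrValue (Get-WebConfigurationProperty -PSPath $app -Filter $filter -Name enabled)
$kernel  = AttrValue (Get-WebConfigurationProperty -PSPath $app -Filter $filter -Name useKernelMode)
Check 'Windows authentication enabled on CertificateManagement' ([bool]$winAuth) "enabled=$winAuth"
Check 'Kernel-mode authentication disabled on CertificateManagement' (-not [bool]$kernel) "useKernelMode=$kernel"

$results | Format-Table Check, Result, Detail -AutoSize
if ($results | Where-Object { $_.Result -eq 'FAIL' }) { exit 1 }
```

The script exits non-zero when any check fails, so it can be re-run after each section to confirm the lab is in the expected state before the profile template and permission steps that follow.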

Create the Fabrikam User profile template

This section lists the steps for creating the Fabrikam User profile template.

To create the Fabrikam User profile template

  1. Log on to the QS-FIMCM Server as Administrator.

  2. From the Start button, select Internet Explorer.

  3. From Internet Explorer, in the Address box, enter https://qs-fimcm/certificatemanagement and click the green arrow.

  4. From the Forefront Identity Manager screen, click click to enter.

  5. From the Forefront Identity Manager Certificate Management home screen, on the right, scroll down and under Administration, click Manage profile templates.

  6. From the Profile Template Management screen, place a check in FIM CM Sample Profile Template, then click Copy a selected profile template.

  7. From the Duplicate Profile screen, delete the contents of the New profile template name box and enter Fabrikam User Profile Template. Click OK.

  8. From the Edit Profile Template [FIM CM User Profile Template] screen, from the left, under Select a view, click Enroll Policy.

  9. From the Edit Profile Template [FIM CM User Profile Template] screen, scroll down, under Workflow: Initiate Enroll Request, click Add new principal for enroll request initiation.

  10. From the Edit Profile Template [FIM CM User Profile Template] screen, next to the Principal box, click Lookup….

  11. From the Search for Users and Groups screen, select Groups, and in the Name box, enter FIM CM Subscribers, click Search.

  12. Once the search completes, click fabrikam\FIM CM Subscribers under User Logon.

  13. Click OK.

  14. Close Internet Explorer.

Assign the FIM CM Subscribers group permissions to the Service Connection Point

This section lists the steps for assigning the FIM CM Subscribers group permissions to the Service Connection Point.

To assign the FIM CM Subscribers group permissions to the Service Connection Point

  1. Log on to the QS-DC Server as Administrator.

  2. From the Start button, select Administrative tools, then Active Directory Users and Computers.

  3. Expand fabrikam.com, expand System, expand Microsoft, expand Certificate Lifecycle Manager, right-click QS2-FIMCM and select Properties. This will bring up the QS2-FIMCM Properties window.

  4. Click the Security tab, and click Add.

  5. In the Enter the object names to select box, enter FIM CM Subscribers, and then click Check Names. The name should resolve and appear underlined.

  6. Click OK.

  7. Make sure the FIM CM Subscribers group is selected and place a check in the box under Allow for Read.

  8. Click Apply.

  9. Click OK.

  10. Close Active Directory Users and Computers.

Assign FIM CM Subscribers permissions to the Fabrikam User Profile Template

This section lists the steps for granting the FIM CM Subscribers group access to the Fabrikam User Profile Template. This must be done before our test user, Britta Simon, can use the template.

To assign permissions to the Fabrikam User Profile Template

  1. Log on to the QS-DC Server as Administrator.

  2. From the Start button, select Administrative tools, then Active Directory Sites and Services.

  3. At the top, click View and select Show Services Node.

  4. Expand Services, expand Public Key Services and then select Profile Templates.

  5. On the right, right-click Fabrikam User Profile Template and select Properties.

  6. Select the Security tab and click Add.

  7. In the Enter the object names to select box, enter FIM CM Subscribers, and then click Check Names. The name should resolve and appear underlined.

  8. Click OK.

  9. Make sure the FIM CM Subscribers group is selected and place a check in the box under Allow for Read and FIM CM Enroll.

  10. Click Apply.

  11. Click OK.

  12. Close Active Directory Sites and Services.

Assign the FIM CM Subscribers group permissions to the Users Certificate Template

This section lists the steps for assigning the FIM CM Subscribers group permissions to the Users Certificate Template.

To assign the FIM CM Subscribers group permissions to the Users Certificate Template

  1. Log on to the QS-FIMCM Server as Administrator.

  2. From the Start button, select Run…, then enter mmc. Click OK.

  3. Select File and click Add/Remove Snap-in… This will bring up the Add or Remove Snap-ins window.

  4. From the left, scroll down and select Certificate Templates and click Add>.

  5. Click OK.

  6. From the Console1 window, click Certificate Templates (QS-FIMCM). This will populate the center pane with a list of certificate templates.

  7. From the center, scroll down, right-click User and select Properties. This will bring up the User properties window.

  8. Select the Security tab and click the Add button.

  9. In the Enter the object names to select box, enter FIM CM Subscribers, and then click Check Names. The name should resolve and appear underlined.

  10. Click OK.

  11. Make sure the FIM CM Subscribers group is selected and place a check in the box under Allow for Read and Enroll.

  12. Click Apply.

  13. Click OK.

  14. Close Console1.
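The three procedures above grant FIM CM Subscribers rights on three different Active Directory objects (the SCP, the profile template object under Public Key Services, and the User certificate template). The PowerShell script below is an added verification step, not part of the original guide: it reads the DACL of each object and lists the Allow entries for the group. It assumes the fabrikam.com lab of this document and the SCP name QS2-FIMCM from step 3 of the SCP procedure, uses ADSI so it runs without the ActiveDirectory module, and recognises the well-known Certificate-Enrollment extended right GUID as "Enroll".

```powershell
# Added verification script (not from the original guide). Assumes the
# fabrikam.com lab; adjust $domainDN and the CN fragments for another domain.
# Run from a domain-joined machine as an account that can read the objects.
$domainDN = 'DC=fabrikam,DC=com'
$group    = 'FABRIKAM\FIM CM Subscribers'

# Distinguished names of the three objects edited in the procedures above.
$targets = @{
  'Service Connection Point'  = "CN=QS2-FIMCM,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,$domainDN"
  'FIM CM profile template'   = "CN=Fabrikam User Profile Template,CN=Profile Templates,CN=Public Key Services,CN=Services,CN=Configuration,$domainDN"
  'User certificate template' = "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$domainDN"
}

# Well-known GUID of the Certificate-Enrollment extended right; this is the
# "Enroll" check box on a certificate template's Security tab.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

foreach ($name in $targets.Keys) {
  $entry = [ADSI]"LDAP://$($targets[$name])"
  # Explicit and inherited ACEs, with identities resolved to DOMAIN\name form.
  $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
  $forGroup = $rules | Where-Object {
    $_.IdentityReference.Value -eq $group -and $_.AccessControlType -eq 'Allow'
  }

  Write-Host "== $name"
  if (-not $forGroup) {
    Write-Host "  MISSING: no Allow ACE for $group (re-check the Security tab)"
    continue
  }
  foreach ($r in $forGroup) {
    $what = $r.ActiveDirectoryRights.ToString()
    if ($r.ObjectType -eq $enrollRight) {
      $what += ' (Enroll)'
    } elseif ($r.ObjectType -ne [Guid]::Empty) {
      # Other object-specific rights, e.g. the FIM CM Enroll right on the
      # profile template, are shown by their GUID.
      $what += " (extended right $($r.ObjectType))"
    }
    Write-Host "  $what"
  }
}
```

Expect at least a Read entry on all three objects, an Enroll entry on the User certificate template, and an extended-right entry on the profile template; anything missing points back to the corresponding procedure.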

Add the Microsoft Forefront Identity Manager Certificate Management site to Trusted Sites in Internet Explorer

This section lists the steps for adding the FIM CM site to Trusted Sites in Internet Explorer.

To add the Microsoft Forefront Identity Manager Certificate Management site to Trusted Sites in Internet Explorer

  1. Log on to QS-Vista as Britta Simon.

  2. From the Start button, select Internet Explorer.

  3. From Internet Explorer, in the Address box, enter https://qs-fimcm/certificatemanagement and click the green arrow.

  4. At the top of Internet Explorer, select Tools, and click Internet Options.

  5. Click the Security tab, and select Trusted Sites from the Select a zone to view or change security settings box.

  6. Click the Sites button. This will bring up a Trusted Sites window.

  7. In the Add this Website to the zone: box, type http://qs-fimcm, remove the check from Require server verification (https:) for all sites in this zone, and click Add.

  8. Click Close.

  9. From the Internet Options screen, click OK.

  10. Close Internet Explorer.

Enable Initialize and script ActiveX controls not marked as safe for scripting

This section lists the steps for enabling Initialize and script ActiveX controls not marked as safe for scripting for the Trusted Sites zone in Internet Explorer. This is required because we are not using SSL in our lab environment: by default, with Vista SP1, the web control used to request a certificate is treated as safe only when it is hosted on an SSL site. This setting relaxes the Trusted Sites zone for the lab only.

To enable Initialize and script ActiveX controls not marked as safe for scripting

  1. Log on to QS-Vista as Britta Simon.

  2. From the Start button, select Internet Explorer.

  3. At the top of Internet Explorer, select Tools, and click Internet Options.

  4. Click the Security tab, and select Trusted Sites from the Select a zone to view or change security settings box.

  5. Click the Custom level… button. This will bring up a Security Settings – Trusted Sites Zone window.

  6. Under Settings, scroll down and click Enable for Initialize and script ActiveX controls not marked as safe for scripting.

  7. Click OK.

  8. From the Internet Options screen, click OK.

  9. Close Internet Explorer.
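The two Internet Explorer procedures above change per-user zone settings that are easy to get wrong by hand. The PowerShell check below is added here and is not part of the original guide; it reads the standard Internet Explorer zone registry locations as Britta Simon on QS-Vista and reports whether http://qs-fimcm is mapped to Trusted Sites and how the ActiveX setting is configured. It assumes IE stores the single-label host under ZoneMap\Domains\qs-fimcm and that value 1201 in zone 2 is the ActiveX setting in question (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added check (not from the original guide). Run in a PowerShell prompt as the
# user who performed the IE steps; zone settings live under HKCU.
$site    = 'qs-fimcm'
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$site"
$trusted = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'  # zone 2 = Trusted Sites

function Test-FimCmTrustedSite {
  # The "http" value of 2 records that the http scheme for this host is in
  # the Trusted Sites zone (step 7 of the Trusted Sites procedure).
  $mapped = (Get-ItemProperty -Path $zoneMap -ErrorAction SilentlyContinue).http
  if ($mapped -eq 2) { "OK: http://$site is in the Trusted Sites zone" }
  else { "MISSING: http://$site is not mapped to Trusted Sites" }
}

function Test-FimCmActiveXSetting {
  # Value 1201 is "Initialize and script ActiveX controls not marked as safe
  # for scripting" (assumption stated in the lead-in).
  $activex = (Get-ItemProperty -Path $trusted -Name '1201' -ErrorAction SilentlyContinue).'1201'
  switch ($activex) {
    0       { "Enabled: unsafe-for-scripting controls run in Trusted Sites (lab-only; revert once the site is served over SSL)" }
    1       { "Prompt: IE will ask before running the certificate request control" }
    default { "Disabled or not set: the certificate request control will not load" }
  }
}

Test-FimCmTrustedSite
Test-FimCmActiveXSetting
```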

Test the Implementation

This section lists the steps for testing the implementation. In order to test this, you will log on to the QS-Vista computer as Britta Simon and request a user certificate.

To test the implementation

  1. Log on to QS-Vista as Britta Simon.

  2. From the Start button, select Internet Explorer.

  3. From Internet Explorer, in the Address box, enter https://qs-fimcm/certificatemanagement and click the green arrow.

  4. From the Forefront Identity Manager screen, click click to enter.

  5. From the Forefront Identity Manager Certificate Management home screen, click Request a new set of certificates.

    Note

    Because the FIM CM Subscribers group has only one profile template available, this takes you directly to the Enrollment Request Initiation screen. If the group had more than one profile template to choose from, a template selection step would appear first.

  6. From the Enrollment Request Initiation screen, type Sample Data Item in the Sample Data Item box.

  7. Click Next.

  8. From the Installing Certificates screen, verify there is a check mark under Success, and click Next.

  9. From the Request Complete screen, click Main Menu.

  10. Close Internet Explorer.