[SUPPORT TIP]: FIM CM 2010 / MIM CM 2016 Admin Key Diversification and Certificate Renewal

~ Milan Milosavljevic | Senior Escalation Engineer

Hi everyone, Milan Milosavljevic here from the Microsoft Platform AD Identity support team with another support tip for you. This one concerns an admin authentication problem that occurs when the CM smartcard profile template is configured to support Base CSP cards and the Diversify Admin Key option is enabled. In this scenario, after renewing the certificate used for admin key diversification, admin authentication to the previously issued cards fails with an incorrect/wrong PIN. Affected operations are usually Unblock and Retire card, although this can affect any operation that requires admin PIN authentication.

Note that in the above scenario, the corresponding certificate must be stored in the clmAgent store; however, it is not necessarily the same certificate used by the clmAgent account.

This problem occurs due to how the default admin key diversification provider calculates the admin key. This is a known limitation when using the default smart card initialization provider.

To work around this problem, make sure to renew the certificate used for admin key diversification using the same key. Alternatively, consider using a custom smart card initialization provider.

Notes and Additional Information

1. BaseCSP cards use Admin Key Diversification, which means that the admin PIN is never saved and is always recalculated. This requires some kind of deterministic algorithm (more about this below).

2. The default Admin key diversification relies on proper usage of a specific certificate. If the initialization data (Smart Card initialization provider data) is not specified, FIM CM/MIM CM will just use the certificate hash of the cmAgent certificate. This obviously becomes problematic when we change signing certificates. To mitigate this, we can simply specify the hash in “Smart Card initialization provider data” and it will always use that one. This certificate must be stored in the ClmAgent store.

3. There is a known problem with the default admin key diversification: after renewing the certificate used for default admin key diversification, cards diversified with the old certificate can no longer be accessed, since FIM CM/MIM CM admin key diversification can operate with only one certificate. This is caused by the fact that the keys are changed. The workaround is to renew the certificate using the same key. This is not an ideal solution and the product group is aware of this limitation; however, the default admin key diversification provider currently offers no out-of-box alternative. An alternative would be to create a custom key diversification provider that implements an alternate algorithm and some sort of fallback mechanism to the previous certificate/keys. This can be done by implementing the ICardInitialization interface and selecting the “Custom” option in the profile template.

4. Details of the default behavior:

The FIM CM default admin key diversification provider derives a 3DES key from the certificate and the cardID (a randomly generated GUID). And here lies the problem: Once you change the signing certificate your diversification will break. The algorithm does the following:

  • Hash (SHA256) the seed data.
  • Sign the hash using the RSA private key.
  • Derive 3DES using CryptDeriveKey from the signed hash.

On the other hand, if your cert is expired, you can’t continue to sign things with it so this forces us to get a new (non-expired) cert. However, because we’re restricted to the old key, we have to renew with the same key.
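The three steps above, and the effect of each renewal choice, can be modelled as follows. This is an added example, not FIM CM/MIM CM code: the toy RSA keys, the thumbprint labels, the card ID, the use of the card ID alone as seed data, and the SHA-256 truncation standing in for CryptDeriveKey are all assumptions made for illustration.

```python
import hashlib
import uuid
from collections import namedtuple

E = 65537  # common RSA public exponent

# Toy certificate: a thumbprint label plus the RSA key pair it is bound to.
Cert = namedtuple("Cert", "thumbprint key")

def make_key(p, q):
    """Build a toy RSA key (modulus, private exponent) from two primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def sign_digest(digest, key):
    """Deterministic textbook RSA signature over a digest (padding omitted)."""
    n, d = key
    sig = pow(int.from_bytes(digest, "big"), d, n)
    return sig.to_bytes((n.bit_length() + 7) // 8, "big")

def derive_admin_key(card_id, cert):
    """Model of the page's steps: hash seed, sign hash, derive a 3DES key."""
    digest = hashlib.sha256(card_id.bytes).digest()   # 1. SHA256 the seed data
    signature = sign_digest(digest, cert.key)         # 2. sign with private key
    # 3. Assumed stand-in for CryptDeriveKey: hash the signature, keep 24 bytes.
    return hashlib.sha256(signature).digest()[:24]

# Constructed keys built from Mersenne primes; unsuitable for any real use.
KEY_A = make_key(2**521 - 1, 2**607 - 1)
KEY_B = make_key(2**607 - 1, 2**1279 - 1)

# Constructed certificates: every renewal yields a new thumbprint.
ORIGINAL = Cert("THUMBPRINT-ORIGINAL", KEY_A)
RENEWED_SAME_KEY = Cert("THUMBPRINT-RENEWED-SAME-KEY", KEY_A)
RENEWED_NEW_KEY = Cert("THUMBPRINT-RENEWED-NEW-KEY", KEY_B)

# Constructed card ID standing in for the randomly generated GUID.
CARD_ID = uuid.UUID("00000000-0000-4000-8000-000000000001")

def renewal_outcomes(card_id=CARD_ID):
    """Return (same-key renewal still matches, new-key renewal still matches)."""
    issued = derive_admin_key(card_id, ORIGINAL)
    return (derive_admin_key(card_id, RENEWED_SAME_KEY) == issued,
            derive_admin_key(card_id, RENEWED_NEW_KEY) == issued)

if __name__ == "__main__":
    print(renewal_outcomes())
```

The thumbprint never enters the derivation, so a renewed certificate bound to the same key pair reproduces the admin key of every card already issued, while a certificate with a new key pair cannot.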

5. If the certificate thumbprint exists in the SC Profile Template setting “Smart Card initialization provider data”, it means that only that certificate and its key will be used for admin key diversification. It’s more explicit that way and good practice to do so at all times.

6. It is not possible to have more entries in “Smart Card initialization provider data”.

7. There is no concept of a history of certificates/keys used for admin key diversification. As already mentioned above, in order to retain access to cards whose admin PIN was diversified before the certificate renewal, the certificate must be renewed with the same key.

Summary

Default Admin Key diversification uses a certificate in cmAgent's store, but it doesn't have to be the same certificate as the one used by the cmAgent account for signing and encrypting other information that is not related to admin key diversification.

After specifying the thumbprint of the signing certificate in Smart Card initialization provider data, only this certificate will be used. There is no fallback to other certificates in the cmAgent store. Usage of Smart Card initialization provider data is optional, and if Smart Card initialization provider data is empty then FIM CM/MIM CM will use the certificate specified in Clm.SigningCertificate.Hash of web.config. Smart Card initialization provider data accepts only one certificate thumbprint.

It is very important to renew the Admin Key Diversification certificate (whose thumbprint is specified in Smart Card initialization provider data or, if Smart Card initialization provider data is empty, Clm.SigningCertificate.Hash of web.config) using the same key.

Certificate renewal is required shortly before certificate expiration, otherwise signing and admin key diversification will fail. After renewal, Smart Card initialization provider data should be updated with the thumbprint of the new certificate (note that the key remains unchanged) in order to enforce immediate usage of the new certificate. Since the keys remain the same, the admin PIN for cards diversified before the certificate renewal will still be known to the FIM CM/MIM CM system after the renewal, and operations that require admin permissions, such as Unblock or Retire card, will continue to work.

If the certificate is expired, you can request a new one with the same key by following the steps below:

  1. Log on with the cmAgent account.
  2. Start certmgr.msc.
  3. Right-click on the expired certificate, then choose All Tasks -> Advanced Operations -> Renew Certificate with Same Key.

Note that this information applies to FIM CM 2010 R2 SP1 and MIM CM 2016.

Milan Milosavljevic | Senior Escalation Engineer | Microsoft

Comments

  • Anonymous
    August 05, 2016
    Shouldn't the article say "All Tasks -> Advanced Operations -> Renew Certificate with SAME Key" ??
  • Anonymous
    August 15, 2016
    I guess the step 3. should be: 3. Right-click on the expired certificate, then choose All Tasks -> Advanced Operations -> Renew Certificate with the Same Key.