Introduction to FIM CM Smart Cards
Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management
This document assumes that you have a basic understanding of Microsoft® Forefront® Identity Manager (FIM) 2010, Active Directory® Domain Services (AD DS), and Active Directory Certificate Services (AD CS).
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
This guide is intended for information technology (IT) planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010 by using Certificate Management.
The procedures in this document require 60 to 90 minutes for a new user to complete.
Note
These time estimates assume that the testing environment is already configured for the scenario. They do not include the time required to set up the test environment.
Fabrikam, a fictitious company, wants to evaluate the use of smart cards with Forefront Identity Manager Certificate Management (FIM CM).
The scenario outlined in this document has been developed using two physical computers. The first is a computer running Windows Server® 2008 with Hyper-V™ technology. The server has a 2 × 3.0 gigahertz (GHz) dual-core processor and 4 gigabytes (GB) of random access memory (RAM). This server hosts two virtual machines, shown in Table 1 below. The second physical computer is a portable computer with a GemPlus Gem PC Twin smart card reader.
Table 1. Computers used in this scenario

Name | Memory | Operating system | Type | Description |
---|---|---|---|---|
QS-DC.Fabrikam.com | 512 MB | Windows Server 2008 | Virtual | Domain controller |
QS-FIMCM.Fabrikam.com | 2,048 MB | Windows Server 2008 | Virtual | FIM CM, AD CS, Microsoft SQL Server® 2008, Internet Information Services (IIS) 7.0 |
QS-Vista.Fabrikam.com | 1,024 MB | Windows Vista® 64-bit Edition | Physical | Client |
Note
Hyper-V is not a requirement to complete the steps outlined in this document. The steps can be implemented on physical computers as long as they reflect the same roles as in Table 1.
This document covers only the basic smart card functionality of FIM CM. It is designed to get you started quickly in a test environment so that the product can be evaluated. This document does not cover using FIM CM with software certificates. For further information about software certificates, see Introduction to Certificate Management in the FIM 2010 document.
This document makes some assumptions and requires the following to be true before you complete the steps outlined in this document. It assumes that:
A fabrikam.com Active Directory forest is already in place.
QS-DC is the domain controller for this forest.
QS-FIMCM and QS-Vista are joined to this domain.
Setting up an Active Directory forest is outside the scope of this document.
The following table summarizes the software that is required to implement the procedures in this document.
Table 2. Required software

Software | Description |
---|---|
AD DS | An Active Directory infrastructure with a domain controller running Windows Server 2008. |
Certification authority (CA) | FIM CM requires at least one of the following: a 32-bit Windows Server 2003 CA, a 32-bit Windows Server 2008 Enterprise CA, or a 64-bit Windows Server 2008 Enterprise CA. The certification authority must be an Enterprise CA. |
FIM CM | At least one instance of the software installed on a server that is running Windows Server 2008 Enterprise 64-bit edition or Windows Server 2008 R2 Enterprise. |
SQL Server 2008 | FIM CM supports the 64-bit edition of SQL Server 2008 Enterprise or SQL Server 2008 Standard. |
IIS 7.x | FIM CM uses IIS as its Web server to run the FIM CM Portal. |
Microsoft .NET Framework 3.5 | FIM CM is a Microsoft .NET–connected application. You must install .NET Framework 3.5 on the server. If FIM CM is installed on the same server as SQL Server 2008 (as in this scenario), .NET Framework 3.5 Service Pack 1 (SP1) is required. |
Microsoft Internet Explorer® 6.x or later | Because FIM CM requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Internet Explorer 6.x or later is required. In addition, FIM CM has advanced scripting features that are optimized for Internet Explorer. |
The following table summarizes the accounts—and the permissions required by those accounts—necessary to implement the procedures in this document.
Table 3. FIM CM accounts

Account | Description and permissions |
---|---|
FIM CM Agent | Provides the following services: This user has the following access control settings: |
FIM CM Key Recovery Agent | Recovers archived private keys from the CA. This user has the following access control settings: |
FIM CM Authorization Agent | Determines user rights and permissions for users and groups. This user has the following access control settings: |
FIM CM CA Manager Agent | Performs CA management activities. This user must be assigned the Manage CA permission. |
FIM CM Web Pool Agent | Provides the identity for the IIS application pool. FIM CM runs within a Microsoft Win32 application programming interface (API) process that uses this user’s credentials. This user has the following access control settings: This account must also be trusted for delegation. |
FIM CM Enrollment Agent | Performs enrollment on behalf of a user. This user has the following access control settings: |
Britta Simon | A generic user who is used to test our implementation. |
The following table summarizes the Active Directory groups that are required to implement the procedures in this document.
Table 4. Active Directory groups

Group | Remark |
---|---|
FIM CM Subscribers | A group of all users who access FIM CM for AD CS |
To implement the procedures in this document, you complete the following steps in the order shown:
Installing IIS 7.0
Installing .NET Framework 3.5 SP1
Deploying Active Directory Certificate Services
Publishing the Key Recovery Agent, Enrollment Agent, and SmartCardLogon certificate template at the CA
Installing SQL Server 2008
Extending the Active Directory schema
Creating the FIMCMObjects container in AD DS
Creating the Active Directory user accounts
Creating the Active Directory group account
Adding the test user to the FIM CM Subscribers group
Installing FIM CM
Running the Certificate Manager Configuration Wizard
Trusting the FIMCMWebAgent account for delegation
Disabling Internet Explorer Enhanced Security for administrators
Disabling kernel-mode authentication
Creating the Fabrikam smart card profile template
Assigning the FIM CM Subscribers group permissions to the service connection point
Assigning FIM CM Subscribers group permissions to the Fabrikam user profile template
Assigning the FIM CM Subscribers group permissions to the users certificate template
Installing .NET Framework 3.5 SP1 on QS-Vista
Installing the Gemalto smart card drivers
Installing the CM client
Adding the CM Web Portal to SiteLock
Adding the FIM CM site to Trusted Sites in Internet Explorer
Activating Initialize and script ActiveX controls not marked as safe for scripting
Downloading and installing hotfix 959887
Activating and testing the smart card
Retiring and testing the smart card
Reissuing and testing the smart card
Later topics provide more detail about these steps.
Complete the following procedures to set up a basic installation of IIS 7.0 for use with FIM CM. Tables 5 and 6 summarize the individual pieces of IIS 7.0 that must be installed.

Table 5. Web Server (IIS) role services

Role service | Required features |
---|---|
Common HTTP features | |
Application development | |
Health and diagnostics | |
Security | |
Performance | |

Table 6. Management Tools role services

Role service | Required features |
---|---|
IIS Management Console | N/A |
IIS 6 Management Compatibility | N/A |
Log on to the QS-FIMCM server as the administrator.
Click Start, and then click Server Manager.
On the Server Manager page, right-click Roles, and then click Add Roles.
In the Add Roles Wizard, on the Before You Begin page, click Next.
On the Server Roles page, select the Web Server (IIS) check box, and then click Next.
Note
To add the Windows Process Activation Service, in the Add features required for Web Server (IIS) box, click the Add Required Features button.
Click Next.
On the Web Server (IIS) page, click Next.
On the Role Services page, select the check boxes for all of the items that are listed in Tables 5 and 6, if they are not already selected.
Note
When you select ASP.NET, the Add features required for Web Server (IIS) box appears. Click the Add Required Features button to automatically select ISAPI extensions, ISAPI filters, and .NET extensibility. This also adds the .NET environment to the Windows Process Activation Service.
Click Next.
On the Confirmation page, review the information, and then click Install.
When the installation is complete, on the Results page, click Close.
Close Server Manager.
The following steps show you how to install .NET Framework 3.5 SP1 on the FIM CM server. SP1 is the level required here because SQL Server 2008 is installed on the same server (see Table 2).
Log on to the QS-FIMCM server as the administrator.
On the QS-FIMCM server, download .NET Framework 3.5 (https://go.microsoft.com/fwlink/?LinkID=129538).
To install .NET Framework 3.5, double-click the dotnetfx35.exe file.
On the Welcome to Setup page, read the Microsoft Software License Terms, select the I have read and ACCEPT the terms in the License Agreement check box, and then click Install.
When the installation is complete, on the Setup Complete page, click Exit.
On the Restart Server page, click Restart now.
The following steps show you how to set up AD CS on the QS-FIMCM server.
Log on to the QS-FIMCM server as the administrator.
Click Start, and then click Server Manager.
On the Server Manager page, right-click Roles, and then click Add Roles.
In the Add Roles Wizard, on the Before You Begin page, click Next.
On the Server Roles page, select the Active Directory Certificate Services check box, and then click Next.
On the AD CS page, click Next.
On the Role Services page, ensure that the Certification Authority check box is selected, and then click Next.
On the Setup Type page, ensure that Enterprise is selected, and then click Next.
On the CA Type page, ensure that Root CA is selected, and then click Next.
On the Private Key page, ensure that Create a new private key is selected, and then click Next.
On the Cryptography page, leave the default values unchanged, and then click Next.
On the CA Name page, leave the default values unchanged, and then click Next.
On the Validity Period page, leave the default values unchanged, and then click Next.
On the Certificate database page, leave the default values unchanged, and then click Next.
On the Confirmation page, review the information, and then click Install.
When the installation is finished, on the Results page, click Close.
Close Server Manager.
Publishing the Key Recovery Agent, Enrollment Agent, and SmartCardLogon certificate templates at the CA
In this section, you publish the three certificate templates at the CA so that the CA will issue certificates based on them.
Click Start, click Administrative Tools, and then click Certification Authority.
In the certsrv Microsoft Management Console (MMC), expand fabrikam-QS-FIMCM-CA.
Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the list, press the CTRL key, and then select Enrollment Agent, Key Recovery Agent, and SmartCardLogon. Click OK.
Verify that Enrollment Agent, Key Recovery Agent, and SmartCardLogon are now part of the list of Certificate Templates. Close the certsrv MMC.
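The same publishing step from the command line, as an added example that is not part of the original guide. It runs certutil in an elevated PowerShell prompt on QS-FIMCM (the CA server), verifies that the three templates appear in the CA's list of templates to issue, and then dumps the ACL of the Enrollment Agent template with dsacls so you can see who may enroll for it. Assumptions: the templates' common names in Active Directory are EnrollmentAgent, KeyRecoveryAgent and SmartcardLogon (the MMC shows display names), and the forest root is fabrikam.com as stated above.

```powershell
# Added example (not from the original guide): publish the three templates with certutil
# and verify. Run in an elevated prompt on QS-FIMCM. Template common names (cn) are
# assumed to be EnrollmentAgent, KeyRecoveryAgent and SmartcardLogon.
$templates = 'EnrollmentAgent', 'KeyRecoveryAgent', 'SmartcardLogon'

foreach ($t in $templates) {
    # "+name" adds the template to the CA's list of templates to issue ("-name" would remove it)
    $out = & certutil.exe -SetCATemplates "+$t" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Could not publish ${t}: $out" }
}

# certutil -CATemplates prints one line per published template, beginning with its cn
$published = & certutil.exe -CATemplates
foreach ($t in $templates) {
    if ($published -match "^$t\b") { "published: $t" } else { throw "not published: $t" }
}

# An Enrollment Agent certificate lets its holder enroll on behalf of any user, so review
# who holds Enroll on that template. In this lab only FIMCMEnrollAgent needs it.
$templatesDN = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=fabrikam,DC=com'
& dsacls.exe "CN=EnrollmentAgent,$templatesDN"
```

Review the dsacls output before moving on: every principal with Enroll on the Enrollment Agent template can request certificates for other users, so in anything but a throwaway lab that right should be limited to the FIM CM enrollment agent account.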
The following steps show you how to set up a basic installation of SQL Server 2008 for a lab environment. Table 7 summarizes the required SQL Server 2008 features.

Table 7. Required SQL Server 2008 features

Feature | Remarks |
---|---|
Database Engine Services | |
Management Tools - basic | |
Log on to the QS-FIMCM server as the administrator.
Place the SQL Server 2008 installation medium into the CD drive.
On the AutoPlay page, select Run SETUP.EXE.
A message appears prompting you to install the .NET Framework and an updated version of Windows Installer. Click OK.
To install the hotfix for Windows (KB942288), in the Windows Update Stand-alone Installer dialog box, click OK.
When the installation is complete, click Restart Now.
When the QS-FIMCM server has restarted, log on again as the administrator.
Click Start, and then click Computer.
Double-click the drive containing the SQL Server 2008 installation medium.
On the SQL Server Installation Center page, click Installation.
To start the SQL Server 2008 Setup Wizard, select New SQL Server stand-alone installation or add features in an existing installation.
When the SQL Server 2008 Setup Wizard is finished running the prerequisite checks, it displays Passed: 6. Click OK to continue and close the wizard.
In the new Setup wizard, open the Product Key page. Type your product key number, and then click Next.
On the License Terms page, after reading the Microsoft Software License Terms, select the I accept the license terms check box, and then click Next.
On the Setup Support Files page, click Install.
When the installation is finished, a new wizard appears. On the Setup Support Rules page, click Next.
On the Feature Selection page, select the items listed in Table 7, and then click Next.
On the Instance Configuration page, leave the default values unchanged, and then click Next.
On the Disk Space Requirements page, leave the default values unchanged, and then click Next.
On the Server Configuration page, click the Use the same account for all SQL Server services button.
On the Use the same account for all SQL Server services page, next to Account Name, type fabrikam\Administrator. Next to the password, type the administrator’s password. Click OK. (Running the SQL Server services as the domain administrator is a lab shortcut; in production, use a dedicated, least-privilege service account.)
Click Next.
On the Database Engine Configuration page, click the Add Current User button, and then click Next.
On the Error and Usage Reporting page, leave the default values unchanged, and then click Next.
On the Installation Rules page, leave the default values unchanged, and then click Next.
On the Ready to Install page, click Install.
When the installation is completed, on the Installation Progress page, click Next.
On the Complete page, click Close.
In this section, you extend the Active Directory schema. To simplify the process, you use the VBScript file (ModifySchema.vbs) that ships with FIM CM on the FIM 2010 installation medium.
Log on to the QS-DC server as Administrator. The account must be a member of Schema Admins (the built-in Administrator of the forest root domain is, by default), and the script must be run against the schema master, which in this single-domain lab is QS-DC.
Place the FIM 2010 installation medium in the server CD drive.
Click Start, and then click Computer.
Right-click the CD drive that contains the FIM 2010 installation medium, and then click Explore.
In the Certificate Management installation folder, double-click the x64 folder, and then open the Schema folder.
To update the Active Directory schema, in the Schema folder, double-click the ModifySchema.vbs file.
To finalize the schema extension process, in the Success dialog box, click OK.
In this section, you create the FIMCMObjects container in AD DS. This organizational unit (OU) will be the container for the additional Active Directory objects that are required.
Log on to the QS-DC server as the administrator.
Click Start, click Administrative tools, and then click Active Directory Users and Computers.
Right-click fabrikam.com, click New, and then click Organizational Unit.
On the New Object – Organizational Unit page, in the Name text box, type FIMCMObjects, and then click OK.
Close Active Directory Users and Computers.
In this section, you create the Active Directory user accounts that are used in this scenario. Seven accounts in total will be created. FIM CM uses six accounts to perform its various operations; detailed information about these accounts is provided in Table 3. One account will also be used to simulate a regular user. Table 8 summarizes the accounts that will be created. All of them share the lab password Pass1word! and are set to never expire; outside a lab, give each agent account its own strong password and treat the agent accounts as privileged service accounts.
Note
You can allow the FIM CM Configuration Wizard to automatically create the six accounts that are required. However, since it is a best practice in a production environment to manually create these accounts and ensure that they have replicated prior to running the FIM CM Configuration Wizard, this approach will be used.
Table 8. Accounts to create

First name | Last name | User logon name | Password |
---|---|---|---|
FIM CM Agent | | FIMCMAgent | Pass1word! |
FIM CM Key Recovery Agent | | FIMCMKRAgent | Pass1word! |
FIM CM Authorization Agent | | FIMCMAuthAgent | Pass1word! |
FIM CM CA Manager Agent | | FIMCMManagerAgent | Pass1word! |
FIM CM Web Pool Agent | | FIMCMWebAgent | Pass1word! |
FIM CM Enrollment Agent | | FIMCMEnrollAgent | Pass1word! |
Britta | Simon | bsimon | Pass1word! |
Log on to the QS-DC server as the administrator.
Click Start, click Administrative tools, and then click Active Directory Users and Computers.
In the console tree, expand fabrikam.com, right-click FIMCMObjects, click New, and then click User.
On the New Object – User page, in the First Name text box, type FIM CM Agent.
In the User logon text box, type FIMCMAgent, and then click Next.
In the Password text box, type Pass1word!.
In the Confirm Password text box, type Pass1word!.
Clear the User must change password at next logon check box.
Select the Password never expires check box, and then click Next.
Click Finish.
Repeat these steps for all the accounts that are listed in Table 8.
In this section, you create the one Active Directory group account that is used in this scenario.
Table 9. Group to create

Group name | Group scope | Group type |
---|---|---|
FIM CM Subscribers | Global | Security |
Log on to the QS-DC server as the administrator.
Click Start, click Administrative tools, and then click Active Directory Users and Computers.
In the console tree, expand fabrikam.com, right-click FIMCMObjects, click New, and then click Group.
On the New Object – Group page, in the Group Name text box, type FIM CM Subscribers.
Ensure that the Group Scope is Global and that the Group Type is Security.
Click OK.
In this section, you add the test user to the FIM CM Subscribers group.
Log on to the QS-DC server as the administrator.
Click Start, click Administrative tools, and then click Active Directory Users and Computers.
In the console tree, expand fabrikam.com, select FIMCMObjects, right-click FIM CM Subscribers, and then click Properties.
On the FIM CM Subscribers Properties page, on the Members tab, click the Add button.
On the Select Users, Contacts, Computers, or Groups page, in the Enter the object names to select text box, type Britta Simon, and then click Check Names.
When the account resolves successfully, the name is underlined.
Click OK.
Click Apply, and then click OK.
Close Active Directory Users and Computers.
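The three preceding sections (the OU, the seven accounts of Table 8, and the group with its member) as one script, added here as an example and not part of the original guide. It uses dsadd and dsget, which are present on Windows Server 2008 without the later Active Directory PowerShell module, and stops at the first failing command instead of continuing with a half-built set of accounts. Run it on QS-DC in a PowerShell session started as a domain administrator; the domain name, OU name, account names and lab password are the ones from the tables above.

```powershell
# Added example (not from the original guide). Creates the FIMCMObjects OU, the seven
# accounts of Table 8 and the FIM CM Subscribers group (Britta Simon as member) with
# dsadd/dsget. Run on QS-DC as a domain administrator.
$domainDN = 'DC=fabrikam,DC=com'
$ouDN     = "OU=FIMCMObjects,$domainDN"
$groupDN  = "CN=FIM CM Subscribers,$ouDN"
$password = 'Pass1word!'   # lab value from Table 8; never share one password across service accounts in production

# Full name (becomes the CN), logon name, first and last name; agent accounts have no last name in Table 8
$accounts = @(
    @{ cn = 'FIM CM Agent';               sam = 'FIMCMAgent';        fn = 'FIM CM Agent';               ln = '' },
    @{ cn = 'FIM CM Key Recovery Agent';  sam = 'FIMCMKRAgent';      fn = 'FIM CM Key Recovery Agent';  ln = '' },
    @{ cn = 'FIM CM Authorization Agent'; sam = 'FIMCMAuthAgent';    fn = 'FIM CM Authorization Agent'; ln = '' },
    @{ cn = 'FIM CM CA Manager Agent';    sam = 'FIMCMManagerAgent'; fn = 'FIM CM CA Manager Agent';    ln = '' },
    @{ cn = 'FIM CM Web Pool Agent';      sam = 'FIMCMWebAgent';     fn = 'FIM CM Web Pool Agent';      ln = '' },
    @{ cn = 'FIM CM Enrollment Agent';    sam = 'FIMCMEnrollAgent';  fn = 'FIM CM Enrollment Agent';    ln = '' },
    @{ cn = 'Britta Simon';               sam = 'bsimon';            fn = 'Britta';                     ln = 'Simon' }
)

function Invoke-Checked {
    # Runs a native command and stops the script on a non-zero exit code,
    # so that a failed dsadd is not silently skipped.
    param([string]$Exe, [string[]]$Arguments)
    $output = & $Exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw ('{0} {1} failed: {2}' -f $Exe, [string]::Join(' ', $Arguments), $output) }
    $output
}

Invoke-Checked 'dsadd.exe' @('ou', $ouDN)

foreach ($a in $accounts) {
    $dsArgs = @('user', "CN=$($a.cn),$ouDN",
                '-samid', $a.sam,
                '-upn', "$($a.sam)@fabrikam.com",
                '-fn', $a.fn,
                '-display', $a.cn,
                '-pwd', $password,
                '-mustchpwd', 'no',          # clears "User must change password at next logon"
                '-pwdneverexpires', 'yes',   # "Password never expires", as in the guide
                '-disabled', 'no')
    if ($a.ln -ne '') { $dsArgs += @('-ln', $a.ln) }
    Invoke-Checked 'dsadd.exe' $dsArgs
}

# Global security group; Britta is its only member, matching the guide
Invoke-Checked 'dsadd.exe' @('group', $groupDN, '-secgrp', 'yes', '-scope', 'g',
                             '-samid', 'FIM CM Subscribers',
                             '-members', "CN=Britta Simon,$ouDN")

# Verify the membership and the accounts before running the FIM CM Configuration Wizard
Invoke-Checked 'dsget.exe' @('group', $groupDN, '-members')
foreach ($a in $accounts) { Invoke-Checked 'dsget.exe' @('user', "CN=$($a.cn),$ouDN", '-samid', '-upn', '-disabled') }
```

The final dsget calls are the check the note above asks for: confirm that every account exists and is enabled, and give replication time to complete, before the Configuration Wizard looks the accounts up.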
The following steps show you how to install the FIM CM binaries.
Log on to the QS-FIMCM server as the administrator.
Place the FIM 2010 installation medium into the CD drive.
On the startup screen, under Identity Manager Certificate Management, select Install Certificate Management 64 bit.
Note
You may be prompted by the following message: Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer? For this scenario, you can safely ignore this warning and click Yes.
On the File Download – Security Warning page, click Run.
On the Internet Explorer – Security Warning page, click Run.
In the Forefront Identity Manager Certificate Management Setup Wizard, on the Welcome page, click Next.
On the End-User License Agreement page, after reading the Microsoft Software License Terms, select the I accept the terms in the license agreement check box, and then click Next.
On the Custom Setup page, leave the default values unchanged, and then click Next.
On the Virtual Web Folder page, ensure that the Virtual folder is set at the default value of CertificateManagement, and then click Next.
On the Install Forefront Identity Manager Certificate Management page, click Install.
When the installation is complete, click Finish.
The following steps will show you how to configure FIM CM.
Log on to the QS-FIMCM server as the administrator.
On the QS-FIMCM server, click Start, select All Programs, click Microsoft Forefront Identity Manager, and then click Certificate Manager Config Wizard.
On the Welcome page, click Next.
On the Certification Authority page, leave the default values unchanged, and then click Next.
On the SQL Server page, leave the default values unchanged, and then click Next.
On the Database page, leave the default values unchanged, and then click Next.
On the Active Directory page, leave the default values unchanged, and then click Next.
On the FIM CM Agent Accounts page, clear the Use the FIM CM default settings check box, and then click Custom Accounts.
On the Agents – FIM CM page, on the FIM CM Agent tab, in the User Name text box, type FIMCMAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.
On the Key Recovery Agent tab, in the User Name text box, type FIMCMKRAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.
On the Authorization Agent tab, in the User Name text box, type FIMCMAuthAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.
On the CA Manager Agent tab, in the User Name text box, type FIMCMManagerAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.
On the Web Pool Process Worker Agent tab, in the User Name text box, type FIMCMWebAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.
On the Enrollment Agent tab, in the User Name text box, type FIMCMEnrollAgent. In the Password and Confirm Password text boxes, type Pass1word!. Select the Use an existing user check box.
Click OK and, on the FIM CM Agent Accounts page, click Next.
On the Certificates page, leave the default values unchanged, and then click Next.
On the E-mail page, leave the default values unchanged, and then click Next.
On the Summary page, review the configuration, and then click Configure.
Note
A message appears prompting you to configure the FIM CM virtual IIS directory to require a secure channel (SSL). For this lab, which does not use SSL, click OK and continue. In any other environment, require SSL on the CertificateManagement virtual directory: the portal carries user PINs, passwords and certificate requests, and Table 2 lists SSL/TLS as a requirement.
When the configuration completes, click Finish.
In this section, you trust the FIMCMWebAgent account for delegation, so that the portal, which runs as this account, can act on behalf of the signed-in user when it contacts the CA. The lab uses unconstrained delegation (any service), which lets this account impersonate any user who has authenticated to the portal against any Kerberos service in the forest. In production, treat FIMCMWebAgent as a highly privileged account and, if your deployment supports it, constrain the delegation to the services it actually needs.
Log on to the QS-DC server as the administrator.
Click Start, click Administrative tools, and then click Active Directory Users and Computers.
In the console tree, expand fabrikam.com, select FIMCMObjects, right-click FIM CM Web Pool Agent, and then click Properties.
On the FIM CM Web Pool Agent Properties page, on the Delegation tab, select Trust this user for delegation to any service (Kerberos only). The Delegation tab is shown only for accounts that already have at least one service principal name (SPN); if the tab is missing, register the portal’s HTTP SPNs for the account first (for example with setspn), and then reopen the properties.
Click Apply, and then click OK.
Close Active Directory Users and Computers.
In this section, you will disable the Internet Explorer Enhanced Security Configuration.
Log on to the QS-FIMCM server as the administrator.
Click Start, and then click Server Manager.
On the Server Manager page, scroll down to Security Information, and then select Configure IE ESC.
On the Internet Explorer Enhanced Security Configuration page, under Administrators, select Off.
Click OK.
Close Server Manager.
To use FIM CM with IIS 7.0, you must disable kernel-mode authentication for the CertificateManagement application. With kernel-mode authentication enabled, IIS decrypts Kerberos service tickets with the computer account’s key, but the portal’s SPNs and the delegation right you just granted belong to the FIMCMWebAgent application pool identity, so Kerberos authentication to the portal fails.
Log on to the QS-FIMCM server as the administrator.
On the QS-FIMCM server, click Start, click Administrative Tools, and open the Internet Information Services Manager.
In the console tree, expand Sites, expand Default Web Site, and then click CertificateManagement.
In the center pane, scroll down and double-click Authentication.
Right-click Windows Authentication, and then click Advanced Settings.
Clear the Enable kernel-mode authentication check box.
Click OK.
Close Internet Information Services Manager.
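The Kerberos plumbing behind the last two sections (the SPNs the delegation tab depends on, the delegation flag itself, and the kernel-mode setting) as a script that registers what is missing and verifies the rest. This is an added example, not code from the original guide or from FIM CM. It runs on QS-FIMCM as a domain administrator. Assumptions: the portal is reached as qs-fimcm and qs-fimcm.fabrikam.com, so its SPNs are HTTP/qs-fimcm and HTTP/qs-fimcm.fabrikam.com and belong to FIMCMWebAgent; and the portal is the CertificateManagement application under Default Web Site, as in the guide.

```powershell
# Added example (not from the original guide): SPN registration, delegation check and
# kernel-mode authentication for the FIM CM portal. Run on QS-FIMCM as a domain admin.
$account = 'FIMCMWebAgent'
$spns    = 'HTTP/qs-fimcm', 'HTTP/qs-fimcm.fabrikam.com'   # assumed portal host names

# 1. Register the portal's SPNs on the application pool account if they are missing.
#    setspn -S checks the forest for duplicates first: two accounts holding the same SPN
#    make Kerberos authentication to the portal fail unpredictably.
$registered = & setspn.exe -L $account
foreach ($spn in $spns) {
    $pattern = '^\s*' + [regex]::Escape($spn) + '\s*$'
    if (-not ($registered -match $pattern)) {
        & setspn.exe -S $spn "fabrikam\$account"
        if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn failed" }
    }
}

# 2. Confirm the account is trusted for delegation: bit 0x80000 (TRUSTED_FOR_DELEGATION)
#    of userAccountControl, which is what the Delegation tab in the guide sets.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$account))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Account $account not found" }
$uac = [int]$result.Properties['useraccountcontrol'][0]
$TRUSTED_FOR_DELEGATION = 0x80000
if ($uac -band $TRUSTED_FOR_DELEGATION) { "$account is trusted for delegation (userAccountControl=0x{0:X})" -f $uac }
else { "WARNING: $account is not trusted for delegation; the portal cannot act on behalf of users" }

# 3. Disable kernel-mode authentication on the portal application (the guide's IIS step).
#    With kernel mode on, http.sys decrypts service tickets with the computer account's key,
#    but clients' tickets for the SPNs above are encrypted to FIMCMWebAgent's key.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$app    = 'Default Web Site/CertificateManagement'
& $appcmd set config $app -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:False /commit:apphost
if ($LASTEXITCODE -ne 0) { throw 'appcmd set config failed' }

# Verify: the listed configuration should show useKernelMode="false" for this path
& $appcmd list config $app -section:system.webServer/security/authentication/windowsAuthentication
```

The /commit:apphost switch is needed because the windowsAuthentication section is locked at server level by default, so the override is written into applicationHost.config rather than the application’s web.config. IIS 7 also offers useAppPoolCredentials="true", which keeps kernel mode but decrypts tickets with the pool identity’s key; the guide’s approach is simply to turn kernel mode off.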
In this section, you create the Fabrikam smart card profile template.
Log on to the QS-FIMCM server as the administrator.
In Internet Explorer, browse to http://qs-fimcm/certificatemanagement. (The lab runs the portal without SSL; in any other environment, browse to the portal only over HTTPS.)
On the Forefront Identity Manager page, click Click to enter.
On the Forefront Identity Manager Certificate Management home page, under Administration, click Manage profile templates.
On the Profile Template Management page, select the FIM CM Sample Smart Card Logon Profile Template check box, and then click Copy a selected profile template.
On the Duplicate Profile page, clear the New profile template name text box, and then type Fabrikam Smart Card Profile Template. Click OK.
On the Edit Profile Template [Fabrikam Smart Card Profile Template] page, scroll down to Smart Card Configuration, and then click Change Settings.
In the User PINs section, under User PIN policy, select User Provided, and then click OK.
On the Edit Profile Template [Fabrikam Smart Card Profile Template] page, under Select a view, click Enroll Policy.
On the Edit Profile Template [Fabrikam Smart Card Profile Template] page, under Workflow: Initiate Enroll Request, click Add new principal for enroll request initiation.
On the Edit Profile Template [Fabrikam Smart Card Profile Template] page, next to the Principal box, click Lookup.
On the Search for Users and Groups page, select Groups, and in the Name text box, type FIM CM Subscribers. Click Search.
When the search is completed, under User Logon, click fabrikam\FIM CM Subscribers.
Click OK.
On the Edit Profile Template [Fabrikam Smart Card Profile Template] page, under Select a view, click Retire Policy.
On the Edit Profile Template [Fabrikam Smart Card Profile Template] page, under Workflow: Initiate Retire Request, click Add new principal for retire request initiation.
On the Edit Profile Template [Fabrikam Smart Card Profile Template] page, next to the Principal box, click Lookup.
On the Search for Users and Groups page, select Groups, and in the Name text box, type FIM CM Subscribers, and then click Search.
When the search is finished, under User Logon, click fabrikam\FIM CM Subscribers.
Click OK.
Close Internet Explorer.
In this section, you assign the FIM CM Subscribers group permissions to the service connection point.
Log on to the QS-DC server as Administrator.
Click Start, click Administrative tools, and then click Active Directory Users and Computers. On the View menu, click Advanced Features; the System container is hidden otherwise.
In the console tree, expand fabrikam.com, expand System, expand Microsoft, expand Certificate Lifecycle Manager, right-click QS-FIMCM (the service connection point that the Configuration Wizard created for the FIM CM server), and then click Properties.
On the QS-FIMCM Properties page, click the Security tab, and then click Add.
In the Enter the object names to select text box, type FIM CM Subscribers, and then click Check Names.
When the account successfully resolves, the name is underlined.
Click OK.
Ensure that the FIM CM Subscribers group is selected, and then under Allow, select Read.
Click Apply, and then click OK.
Close Active Directory Users and Computers.
In this section, you grant the FIM CM Subscribers group access to the Fabrikam Smart Card Profile Template. This must be done before your user, Britta Simon, can use the template.
Log on to the QS-DC server as the administrator.
Click Start, click Administrative tools, and then click Active Directory Sites and Services.
Click View, and then click Show services node.
Expand Services, expand Public Key Services, and then select Profile Templates.
Right-click Fabrikam Smart Card Profile Template, and then click Properties.
On the Security tab, click the Add button.
In the Enter the object names to select text box, type FIM CM Subscribers, and then click Check Names.
When the account successfully resolves, the name is underlined.
Click OK.
Ensure that the FIM CM Subscribers group is selected, and under Allow, select Read and FIM CM Enroll.
Click Apply, and then click OK.
Close Active Directory Sites and Services.
In this section, you assign the FIM CM Subscribers group permissions to the users certificate template.
Log on to the QS-FIMCM server as the administrator.
Click Start, click Run, and then in the text box, type mmc. Click OK.
Select File, and then click Add/Remove Snap-in.
In the Add or Remove Snap-ins page, select Certificate Templates, and then click Add.
Click OK.
On the Console1 page, click Certificate Templates (QS-FIMCM). This populates the center pane with a list of certificate templates.
Right-click User, and then click Properties.
In the User Properties page, on the Security tab, click the Add button.
In the Enter the object names to select text box, type FIM CM Subscribers, and then click Check Names.
When the account successfully resolves, the name is underlined.
Click OK.
Ensure that the FIM CM Subscribers group is selected, and, under Allow, select the Read and Enroll check boxes.
Click Apply, and then click OK.
Close Console1.
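The three permission grants of the preceding sections (Read on the service connection point; Read and FIM CM Enroll on the profile template; Read and Enroll on the User certificate template) as one dsacls script, added here as an example and not part of the original guide. Run it on QS-DC as a domain administrator. Assumptions: the service connection point is named after the FIM CM server (QS-FIMCM); the profile template object carries the name typed when it was created; and the extended rights are addressed by the display names shown in the permission dialogs above, "FIM CM Enroll" and "Enroll".

```powershell
# Added example (not from the original guide): grant the subscribers group its three
# permissions with dsacls and show the resulting ACEs. Run on QS-DC as a domain admin.
$group  = 'fabrikam\FIM CM Subscribers'
$config = 'CN=Configuration,DC=fabrikam,DC=com'

$scpDN      = 'CN=QS-FIMCM,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,DC=fabrikam,DC=com'
$profileDN  = "CN=Fabrikam Smart Card Profile Template,CN=Profile Templates,CN=Public Key Services,CN=Services,$config"
$templateDN = "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"

# dsacls /G trustee:perms  -> GR = generic read; CA;<name> = the named control access (extended) right.
# The extended-right display names below are assumed from the dialogs in the guide.
$grants = @(
    @{ dn = $scpDN;      ace = "${group}:GR" },
    @{ dn = $profileDN;  ace = "${group}:GR" },
    @{ dn = $profileDN;  ace = "${group}:CA;FIM CM Enroll" },
    @{ dn = $templateDN; ace = "${group}:GR" },
    @{ dn = $templateDN; ace = "${group}:CA;Enroll" }
)
foreach ($g in $grants) {
    $out = & dsacls.exe $g.dn /G $g.ace 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls on $($g.dn) failed: $out" }
}

# Review: the ACEs the group now holds on each object. Only these three objects should
# list the group; the agent accounts keep their own, separate permissions.
foreach ($dn in $scpDN, $profileDN, $templateDN) {
    "== $dn"
    (& dsacls.exe $dn) | Select-String 'FIM CM Subscribers'
}
```

Granting Enroll on the User certificate template to the subscribers group means every member can request a User certificate through any enrollment path, not only through FIM CM, which is why the group should contain only the people who are meant to receive smart cards.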
The following steps show you how to set up .NET Framework 3.5 SP1 on the QS-Vista client. This is a prerequisite for installing the FIM CM client.
Log on to the QS-Vista client as the administrator.
On the QS-Vista client, download .NET Framework 3.5 (https://go.microsoft.com/fwlink/?LinkID=129538).
When the download is completed, double-click the dotnetfx35.exe file.
On the Welcome to Setup page, after reading the Microsoft Software License Terms, select the I have read and ACCEPT the terms in the License Agreement check box, and then click Install.
When the installation is completed, on the Setup Complete page, click Exit.
On the Restart page, click Restart now.
The following steps will show you how to install the Gemalto smart card drivers.
Log on to the QS-Vista client as the administrator.
On the QS-Vista client, download the Gemalto drivers (https://go.microsoft.com/fwlink/?LinkId=186367).
When the download is finished, double-click the GemCCIDen-us_32.msi file.
On the Welcome to the PC CCID Setup Wizard page, click Next.
On the End-User License Agreement page, after reading the Microsoft Software License Terms, select the I accept the terms in the License Agreement check box, and then click Next.
On the Ready to install PC CCID page, click Install.
When the installation is completed, click Finish.
Plug the Gem PC Twin smart card reader into a USB port on QS-Vista and verify that it is detected.
The following steps show you how to install the CM client.
Log on to the QS-Vista client as the administrator.
Place the FIM 2010 installation medium in the CD drive. On the startup screen, under Identity Manager Clients, Add-ins and Extensions, select Install CM Client 32 bit.
Note
You may be prompted by the following message: Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer? For this scenario, you can safely ignore this warning and click Yes.
On the File Download – Security Warning page, click Run.
On the Internet Explorer – Security Warning page, click Run.
In the Forefront Identity Manager CM Client Setup wizard, on the Welcome page, click Next.
On the End-User License Agreement page, after reading the Microsoft Software License Terms, select the I accept the terms in the license agreement check box, and then click Next.
On the Custom Setup page, leave the default values unchanged, and then click Next.
On the Install Forefront Identity Manager CM Client page, click Install.
When the installation is completed, click Finish.
The following steps show you how to add the CM Web Portal to SiteLock.
Log on to the QS-Vista client as the administrator.
Click Start, and then click Run.
In the Open text box, type regedit, and then click OK.
In Registry Editor, navigate to the following HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient, right-click SiteLock, and then click Modify.
On the Edit String page, in the Value data text box, type fabrikam.com, and then click OK.
Tip
The value for SiteLock takes a delimited list of allowable domains. Items in this list are separated by a “;”. Both http and https are allowed. The record is considered a match if the domain matches the domain of the URL exactly, or if the URL is a subdomain of an exact match. Under this rule, the value fabrikam.com matches http://qs-fimcm.fabrikam.com/... but not a URL that uses the short host name, such as http://qs-fimcm/...; if the smart card control refuses to run when you browse with the short name, either browse by the fully qualified name or add the short name to the list (fabrikam.com;qs-fimcm). For additional information, see Release Notes for Forefront Identity Manager Certificate Manager (FIM CM) (https://go.microsoft.com/fwlink/?LinkId=206114)
Close the Registry Editor.
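As an added illustration of the matching rule described in the Tip above (this is constructed example code, not part of FIM CM or of this guide), the following PowerShell script reads the SiteLock value from the registry key edited in the preceding steps and evaluates a few constructed URLs against the documented rule. The function Test-SiteLockMatch, the sample URLs and the fallback value are assumptions made for the example; the client's own matching implementation is not shown here.

```powershell
# Added example: evaluate a SiteLock allow-list the way the Tip describes.
# The registry path and value name are the ones the procedure edits; the helper
# function and the sample URLs are constructed for this example.

function Test-SiteLockMatch {
    param(
        [Parameter(Mandatory=$true)][string]$Url,       # URL the client is being asked to serve
        [Parameter(Mandatory=$true)][string]$SiteLock   # ';'-delimited domain list, as stored in the registry
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    # Only http and https are allowed; any other scheme is rejected outright.
    if (@('http', 'https') -notcontains $uri.Scheme) { return $false }
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($entry in ($SiteLock -split ';')) {
        $domain = $entry.Trim().ToLowerInvariant()
        if ($domain -eq '') { continue }
        # Exact match, or the host is a subdomain of the entry (note the leading dot:
        # "notfabrikam.com" must not match an entry of "fabrikam.com").
        if ($hostName -eq $domain -or $hostName.EndsWith('.' + $domain)) { return $true }
    }
    return $false
}

# Read the value the procedure just set. Needs an elevated shell on QS-Vista;
# if the key is absent (running elsewhere), fall back to the value the guide uses.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient'
$siteLock = 'fabrikam.com'   # constructed fallback, same value as in the steps above
try {
    $siteLock = (Get-ItemProperty -Path $keyPath -Name SiteLock -ErrorAction Stop).SiteLock
} catch { }
"Current SiteLock: $siteLock"

# Constructed sample URLs: which of them would the rule accept?
@(
    'https://qs-fimcm.fabrikam.com/certificatemanagement',   # subdomain of fabrikam.com -> allowed
    'http://fabrikam.com/certificatemanagement',             # exact match              -> allowed
    'https://contoso.com/certificatemanagement',             # not listed               -> blocked
    'https://notfabrikam.com/certificatemanagement',         # suffix only, no dot      -> blocked
    'ftp://fabrikam.com/certificatemanagement'               # scheme not allowed       -> blocked
) | ForEach-Object {
    $verdict = if (Test-SiteLockMatch -Url $_ -SiteLock $siteLock) { 'allowed' } else { 'blocked' }
    '{0,-58} {1}' -f $_, $verdict
}
```

Run it in an elevated PowerShell session on QS-Vista after completing the registry edit. The last three URLs show why the check compares against the exact domain or a dot-prefixed suffix: a host that merely ends in the characters fabrikam.com, or a non-HTTP scheme, is not accepted, which is what keeps the allow-list from being satisfied by a look-alike name.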
In this section, you add the FIM CM site to Trusted Sites in Internet Explorer.
Log on to the QS-Vista client as Britta Simon.
In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.
In the Tools menu, click Internet Options.
On the Security tab, in the Select a zone to view or change security settings box, click Trusted sites.
Click the Sites button.
On the Trusted sites page, in the Add this website to the zone box, type http://qs-fimcm, clear the Require server verification (https:) for all sites in this zone check box, and then click Add.
Click Close.
On the Internet Options page, click OK.
Close Internet Explorer.
In this section, you activate Initialize and script ActiveX controls not marked as safe for signing in Internet Explorer. This is required because SSL is not used in this lab environment. By default, in Windows Vista SP1, the Web control that you use to request a certificate is only marked as safe if it is hosted over SSL.
Log on to the QS-Vista client as Britta Simon.
In Internet Explorer, click the Tools menu, and then click Internet Options.
On the Security tab, in the Select a zone to view or change security settings box, click Trusted sites.
Click the Custom level button.
On the Security Settings – Trusted Sites Zone page, in the Settings box, under Initialize and script ActiveX controls not marked as safe for signing, click Enable.
Click OK.
On the Internet Options page, click OK.
Close Internet Explorer.
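As an added check (example PowerShell, not from this guide or the product), the following script reads the Internet Explorer zone settings that the two preceding procedures change and confirms that the relaxed ActiveX setting applies to the Trusted sites zone only. The zone numbers (2 for Trusted sites, 3 for Internet), the setting ID 1201 and the ZoneMap layout are the standard Internet Explorer registry locations; the function Get-ActiveXUnsafeSetting and the messages it prints are constructed for this example.

```powershell
# Added example: confirm that "Initialize and script ActiveX controls not marked
# as safe" is enabled only for the Trusted sites zone, and that qs-fimcm is in
# that zone for http. Helper and messages are constructed for this example.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ActiveXUnsafeSetting {
    param([Parameter(Mandatory=$true)][int]$Zone)   # 2 = Trusted sites, 3 = Internet
    # Setting 1201 is stored as a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable.
    $value = (Get-ItemProperty -Path "$zonesKey\$Zone" -Name '1201' -ErrorAction SilentlyContinue).'1201'
    if ($null -eq $value) { return 'not set' }
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($value)" }
    }
}

"Trusted sites (zone 2): $(Get-ActiveXUnsafeSetting -Zone 2)"   # expected after the steps above: Enable
"Internet      (zone 3): $(Get-ActiveXUnsafeSetting -Zone 3)"   # should remain Disable

# The Trusted sites dialog records each site as a DWORD named after the scheme with value 2.
$entry = Get-ItemProperty -Path "$zoneMapKey\qs-fimcm" -ErrorAction SilentlyContinue
if ($entry -and $entry.http -eq 2) {
    'qs-fimcm is assigned to the Trusted sites zone for http'
} else {
    'qs-fimcm is NOT assigned to Trusted sites for http; re-check the Trusted sites dialog'
}

# Fail loudly if the relaxed ActiveX setting has been applied outside Trusted sites.
if ((Get-ActiveXUnsafeSetting -Zone 3) -ne 'Disable') {
    Write-Warning 'Unsafe ActiveX initialization is enabled in the Internet zone; reset it to Disable.'
}
```

Run it as Britta Simon, because Internet Explorer stores zone settings per user by default. If the "Security Zones: Use only machine settings" policy is enabled, the same keys live under HKLM rather than HKCU, and the two path variables must be changed accordingly.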
The following steps will show you how to download and install hotfix 959887. This is a hotfix for Windows Server 2008 SP1 and RTM designed to correct an issue with using smart cards to log on to a Windows Server 2008 forest.
Log on to the QS-DC server as the administrator.
On the QS-DC server, download the hotfix from the article You cannot use a smart card certificate to log on to a domain from a Windows Vista-based client computer (https://go.microsoft.com/fwlink/?LinkID=160495).
Note
When you download this hotfix, the product description refers to Windows Vista. The hotfix also applies to Windows Server 2008.
When the download finishes, double-click the 365203_intl_x64_zip.exe file.
On the Open File – Security Warning page, click Run.
On the Microsoft Self-Extractor page, click Continue.
Specify a location to unzip the files, and then click OK.
In the password text box, type the password that was provided in the e-mail message for the hotfix, and then click OK.
On the All files were successfully unzipped page, click OK.
Navigate to the location where the files were extracted, and double-click the Windows6.0-KB959887-x64.msu file.
To install the hotfix, on the Windows Update Standalone Installer page, click OK.
When the installation is finished, click Restart Now.
In this section, you test the implementation. To test this, you log on to the QS-Vista client as Britta Simon and request a user certificate.
Log on to the QS-Vista client as Britta Simon.
In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.
On the Forefront Identity Manager page, click Click to enter.
On the Forefront Identity Manager Certificate Management home page, click Request a permanent smart card.
On the Profile Selection: Permanent Smart Card page, select the Fabrikam Smart Card profile template, and then click Next.
On the Enrollment Request Initiation page, in the Sample Data Item text box, type Sample Data Item.
To begin the activation process, click Next.
On the FIM CM Smart Card Client PIN Entry page, in the New PIN and the Confirm PIN text boxes, type 12345, and then click OK.
On the Request Complete page, verify the information, and then click Main Menu.
Close Internet Explorer.
Log off QS-Vista.
Press CTRL+ALT+DELETE, and then click Switch User.
Select Britta Simon Smart card logon, type 12345 for the PIN, and then click the arrow. You are now successfully logged on.
In this section, you retire a smart card in FIM 2010 R2. A retired smart card can be reused. If you do not plan to reuse your smart cards, you can disable them instead.
Log on to the QS-Vista client as Britta Simon.
In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.
On the Forefront Identity Manager page, click Click to enter.
On the Forefront Identity Manager Certificate Management home page, click Show details of my smart card.
On the Now Insert Your Smart Card page, insert the smart card into the smart card reader, and then click OK.
On the Review Details of a Smart Card Profile page, click Retire this smart card.
On the Retire Smart Card page, in the Sample Data Item text box, type Sample Data Item, and then click Next.
To begin the retiring process, on the Retiring Smart Card page, verify the information, and then click Next.
On the Request Complete page, click Main Menu.
Close Internet Explorer.
Log off QS-Vista.
Press CTRL+ALT+DELETE. A No valid certificates found message appears.
In this section, you reissue a smart card for logging on. To test this procedure, you log on to the QS-Vista client as Britta Simon and request a user certificate.
Log back on to the QS-Vista client as Britta Simon. Do this by selecting Switch User, and then selecting Other User. Type Britta's credential information in the boxes.
In Internet Explorer, browse to https://qs-fimcm/certificatemanagement.
On the Forefront Identity Manager page, click Click to enter.
On the Forefront Identity Manager Certificate Management home page, click Request a permanent smart card.
On the Profile Selection: Permanent Smart Card page, select the Fabrikam Smart Card profile template, and then click Next.
On the Enrollment Request Initiation page, in the Sample Data Item text box, type Sample Data Item.
To begin the reissue process, click Next.
On the FIM CM Smart Card Client PIN Entry page, in the New PIN and the Confirm PIN text boxes, type 67890, and then click OK.
On the Request Complete page, verify the information, and then click Main Menu.
Close Internet Explorer.
Log off QS-Vista.
Press CTRL+ALT+DELETE, and then click Switch User.
Select Britta Simon Smart card logon, type 67890 for the PIN, and then click the arrow. You are now successfully logged on.