Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration

Authored By: Bill Mathers

A downloadable version of this document is available at Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Smart Card Centralized Registration.

Forefront Identity Manager 2010 Certificate Management smart card centralized registration demonstrates how to set up FIM CM so that smart cards are issued only by a select group of issuers. In this model, a smart card is issued only after the user has physically presented themselves to the smart card issuer and provided two forms of identification.

In this model, the following process is implemented:

  1. A user arrives at the smart card issuance office.

  2. The user provides two forms of identification, which are verified by the smart card issuer.

  3. The smart card issuer executes the request. The user enters a PIN when asked.

  4. The user is handed their new smart card and may begin using it.

Smart Card Flow

This document will demonstrate how to enable this functionality in a test lab.

In This Guide

This guide contains instructions for setting up a test lab based on the Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration. This is achieved by configuring Forefront Identity Manager 2010 Certificate Management using the environment that was built out in the preceding test lab guides. This lab also requires a client machine, CLIENT2, with a smart card reader. For the purposes of this guide, a stand-alone physical computer was used, because Hyper-V does not allow the use of USB devices and the smart card reader used here is a USB reader. The smart card reader used in this lab is a Gemalto GemPC Twin, but any smart card reader should work as long as it is installed, has the correct drivers, and is working properly.

Important

This lab also requires a physical smart card. The smart cards used in this lab were Gemalto .NET v2+; however, any smart card supported by FIM CM should work provided the appropriate minidriver or middleware is installed. The following is a brief explanation of why the x86 FIM CM client is installed on an x64 OS even though a 64-bit FIM CM client is available. The x86 version is installed because the default version of Internet Explorer on Windows 7 is the 32-bit version, and there is currently no way to designate the default browser on Windows 7. In a future guide, we will demonstrate manager-initiated workflow; this would fail if we were using the 64-bit version of the client, because clicking the link sent via e-mail launches the 32-bit version of IE, which does not have the ActiveX control installed if you installed the 64-bit client. Attempting to adapt the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation for your pilot or production Forefront Identity Manager 2010 Certificate Management deployment, use the information in Deployment (https://go.microsoft.com/fwlink/?LinkId=210866).

Test Lab Overview

In this test lab, Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration is deployed with:

  • One new client running Windows® 7 Professional Edition x64 named CLIENT2.

  • One preexisting server running the FIM CM Portal named FIMCM1.

  • One preexisting server running SQL Server® 2008 Enterprise with Service Pack 2, named APP1.

  • One preexisting server running Windows Server® 2008 R2 Enterprise Edition, named DC1.

Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration uses the following subnet:

  • The intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24).

Computers on each subnet connect using a hub or switch. See the following figure.

Smart Card Self-Service Architecture

This test lab guides you through the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration configuration process. Its purpose is to produce a basic test lab environment in which Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration is configured and working.

Hardware and Software Requirements

The following table provides a list of software used in this guide.

| Software | Additional information |
| --- | --- |
| Forefront Identity Manager 2010 Certificate Management Client | Forefront Identity Manager 2010 (https://go.microsoft.com/fwlink/?LinkId=204577). |
| Forefront Identity Manager 2010 Certificate Management Client Update (KB978864) | This is a recommended update for the RTM of Forefront Identity Manager 2010 Certificate Management. This release provides additional product fixes since the last update release. (https://go.microsoft.com/fwlink/?LinkId=20457) |
| Gemalto GemPC Twin Smart Card Reader Software | Gemalto GemPC Twin Smart Card Reader (https://support.gemalto.com/?id=46). |
| Gemalto .NET v2+ Smart Card Minidriver | Gemalto .NET v2+ Smart Card Minidriver (https://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto minidriver net) |

The following table provides a list of hardware used in this guide.

| Hardware | Additional information |
| --- | --- |
| Gemalto GemPC Twin Smart Card Reader | Gemalto GemPC Twin Smart Card Reader (https://support.gemalto.com/?id=46). |
| Gemalto .NET v2+ Smart Card | Gemalto .NET v2+ Smart Card (https://www.gemalto.com/products/dotnet_card/) |
| Physical computer for CLIENT2 | This is to allow for the use of the USB smart card reader. Hyper-V does not support the use of USB devices. |

Steps for Configuring the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration Test Lab

There are eight steps to follow when setting up the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration test lab based on the Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration.

  • Step 1: Set up the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.

  • Step 2: Set up the Exchange Server 2010 with Service Pack 1 TLG—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for FIM CM.

  • Step 3: Set up the SQL Server 2008 Enterprise with Service Pack 2 TLG—The third step is to complete the SQL Server 2008 Enterprise with Service Pack 2 test lab guide. This provides the database server for your FIM CM installation.

  • Step 4: Set up the Forefront Identity Manager 2010 TLG—The fourth step is to complete the Forefront Identity Manager 2010 test lab guide. This provides FIM to the test lab environment.

  • Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM TLG—The fifth step is to complete the FIM CM with Constrained Delegation, Update 1, and FIM test lab guide. This provides FIM CM to the test lab environment.

  • Step 6: Configure CLIENT2—The sixth step walks you through configuring CLIENT2, joining the domain and installing the FIM CM client.

  • Step 7: Configure FIM CM for Centralized Smart Card Registration—The seventh step walks you through configuring FIM CM to enable centralized smart card registration.

  • Step 8: Verify Centralized Smart Card Registration—The eighth step includes verifying that centralized smart card registration is working successfully.

This guide provides steps for configuring the computers for Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration. The following sections provide details about how to perform these tasks.