Step 7: Configure FIM CM for Smart Card Self-Service

FIM CM configuration for the Forefront Identity Manager 2010 Certificate Management User Smart Card Self-Service test lab (performed on DC1 and FIMCM1) consists of the following:

  • Create the FIM CM Smart Card Subscribers group

  • Add members to the FIM CM Smart Card Subscribers group

  • Create a GPO to add https://fimcm1 to Local Intranet

  • Publish the Smartcard Logon Certificate Template

  • Set the CNG Key Isolation Service to Automatic and Start the Service

  • Create and Configure the FIM CM Profile template

  • Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon Certificate Template

  • Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Self-Service Profile Template

Create the FIM CM Smart Card Subscribers group

Create an Active Directory security group. This group will contain all of the users who are allowed to participate in self-service. Later in this step it is granted Enroll on the Smartcard Logon certificate template and FIM CM Enroll on the profile template, so its membership defines exactly who can request a smart card; keep it tight.

To create the FIM CM Smart Card Subscribers group

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.

  4. Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.

  5. On the New Object – Group screen, in the Group name: box, type the following text:
    FIM CM Smart Card Subscribers

  6. Click OK.

    FIM CM Smart Card Subscribers

Add members to the FIM CM Smart Card Subscribers group

Now we will add users to the FIM CM Smart Card Subscribers group.

To add users to the FIM CM Smart Card Subscribers group

  1. In Active Directory Users and Computers, double-click the newly created FIM CM Smart Card Subscribers group. This will bring up FIM CM Smart Card Subscribers Properties.

  2. In the FIM CM Smart Card Subscribers Properties, at the top, select the Members tab.

  3. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  4. In the box below Enter the object names to select (examples): enter Britta Simon and click Check Names. This should resolve with an underline. Click OK.

  5. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  6. In the box below Enter the object names to select (examples): enter Lola Jacobson and click Check Names. This should resolve with an underline. Click OK.

    FIM CM Smart Card Subscribers Members

  7. On the FIM CM Smart Card Subscribers Properties click Apply. Click OK.

  8. Close Active Directory Users and Computers.
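The same two procedures as a script, added here as an example and not part of the original test lab guide. It runs on DC1 with the ActiveDirectory module, creates the group as a global security group (what the GUI creates by default, and the only kind that can appear in the ACLs set later in this step), adds the two lab users, and verifies the result. The sAMAccountNames for Britta Simon and Lola Jacobson are assumed; substitute the ones in your lab.

```powershell
# Added example (not part of the original guide): scripted equivalent of creating the
# FIM CM Smart Card Subscribers group on DC1 and adding Britta Simon and Lola Jacobson.
# Assumes the ActiveDirectory module and that both users already exist in corp.contoso.com.
Import-Module ActiveDirectory

$GroupName = 'FIM CM Smart Card Subscribers'
$Members   = @('bsimon', 'ljacobson')   # assumed sAMAccountNames for Britta Simon and Lola Jacobson
$UsersDN   = 'CN=Users,DC=corp,DC=contoso,DC=com'

# Create the group only if it does not already exist, so the script can be re-run.
# New-ADGroup defaults sAMAccountName to the name, so it resolves as
# CORP\FIM CM Smart Card Subscribers later in the FIM CM portal and the ACL editors.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global `
        -Path $UsersDN -Description 'Users allowed to use FIM CM smart card self-service' -PassThru
}

# Add the members; Add-ADGroupMember accepts sAMAccountNames and tolerates existing members.
Add-ADGroupMember -Identity $group -Members $Members

# Verify: distribution groups cannot be placed in ACLs, so the category must be Security,
# and every intended user must actually be a member.
$group = Get-ADGroup -Identity $group -Properties GroupCategory, GroupScope
if ($group.GroupCategory -ne 'Security') { throw "$GroupName is not a security group" }

$actual = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
foreach ($m in $Members) {
    if ($actual -notcontains $m) { throw "$m is not a member of $GroupName" }
}
"$GroupName ($($group.GroupScope) $($group.GroupCategory)) members: $($actual -join ', ')"
```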

Create a GPO to add https://fimcm1 to Local Intranet

Now we will use Group Policy to automatically add https://fimcm1 to the Local intranet zone of Internet Explorer on the clients, so users do not have to do this manually. Internet Explorer sends the logged-on user's Windows credentials automatically only to sites in the Local intranet zone; without this setting, users are prompted for credentials every time they open the FIM CM web portal, and with it integrated authentication is silent. The procedure below edits the Default Domain Policy for simplicity in the test lab; in production, put this setting in a dedicated GPO linked where the smart card users live rather than changing the default policy.

To create a GPO to add https://fimcm1 to Local Intranet

  1. Click Start, select Administrative Tools, and then click Group Policy Management. This will open the Group Policy Management MMC.

  2. At the top, expand Forest: corp.contoso.com, expand Domains, expand corp.contoso.com, right-click Default Domain Policy and select Edit. This will bring up the Group Policy Management Editor.

  3. On the left, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and click Security.

    Create GPO

  4. On the right, double-click Security Zones and Content Ratings. This will bring up the Security Zones and Content Ratings dialog box.

  5. In the top portion, under Security Zones and Privacy, select Import the current security zones and privacy settings. This will bring up a warning that these settings will be ignored on computers where Internet Explorer Enhanced Security Configuration is disabled. Click Continue.

    Create GPO

  6. Click Modify Settings. This will bring up the Internet Properties dialog box.

    Create GPO

  7. Click on the Local Intranet icon and click the Sites button. This will bring up the Local intranet dialog box.

  8. In the box under add this website to the zone: enter https://fimcm1 and click Add. Click Close. This will close the Local intranet dialog box.

    Create GPO

  9. Click Ok. This will close the Internet Properties dialog box.

  10. Click Apply and click OK. This will close the Security Zones and Content Ratings dialog box.

  11. Close Group Policy Management Editor.

  12. Close Group Policy Management.
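A verification script for the client side, added here as an example rather than taken from the original guide: run it on CLIENT2 as one of the subscriber users after gpupdate /force to confirm that https://fimcm1 actually landed in the Local intranet zone (zone 1). The Internet Explorer Maintenance import writes the mapping into the user's Internet Settings hive; the Site to Zone Assignment List policy, which is the supported replacement once Internet Explorer 10 or later is installed and Internet Explorer Maintenance settings stop being processed, writes to the Policies hive instead, so the script checks both. The zone-key layout and the IntranetName fallback it checks are standard Internet Explorer behaviour; the script and its parameter name are my own.

```powershell
# Added example (not from the original guide): confirm the zone mapping the GPO should have
# delivered. Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
param(
    [string]$Url = 'https://fimcm1'   # the site the GPO is supposed to map
)

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',           # IE Maintenance / user preference
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'   # Site to Zone Assignment List
)

# IE stores mappings as ZoneMap\Domains\<domain>\<subdomain> with a DWORD named after the scheme.
# A dotless or two-label host is the domain key itself (fimcm1 -> Domains\fimcm1); for a longer
# name the last two labels form the domain key and the remaining labels the subkey.
function Get-ZoneMapKey([string]$HostName) {
    $labels = $HostName.Split('.')
    if ($labels.Count -le 2) { return "Domains\$HostName" }
    $domain = ($labels[-2..-1]) -join '.'
    $sub    = ($labels[0..($labels.Count - 3)]) -join '.'
    return "Domains\$domain\$sub"
}

$uri    = [Uri]$Url
$scheme = $uri.Scheme
$relKey = Get-ZoneMapKey $uri.Host

$found = $false
foreach ($root in $Roots) {
    $key  = Join-Path $root $relKey
    $zone = (Get-ItemProperty -Path $key -Name $scheme -ErrorAction SilentlyContinue).$scheme
    if ($zone -ne $null) {
        $found = $true
        $where = if ($root -like '*\Policies\*') { 'policy' } else { 'user preference' }
        "$Url is mapped to zone $zone ($($ZoneNames[[int]$zone])) via $where at $key"
        if ([int]$zone -ne 1) { Write-Warning "$Url is not in Local intranet; integrated authentication will prompt" }
    }
}

if (-not $found) {
    # No explicit entry. IE still treats dotless names as intranet when 'Include all local
    # (intranet) sites not listed in other zones' (IntranetName = 1) is on, so report that case.
    $intranetName = (Get-ItemProperty -Path $Roots[0] -Name IntranetName -ErrorAction SilentlyContinue).IntranetName
    if ($uri.Host -notmatch '\.' -and $intranetName -eq 1) {
        "$Url has no explicit zone entry, but it is a dotless name and IntranetName=1, so IE treats it as Local intranet"
    } else {
        Write-Warning "$Url has no zone mapping in either hive; check gpresult /r to see whether the GPO applied"
    }
}
```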

Publish the Smartcard Logon Certificate Template

Now we publish the Smartcard Logon certificate template so our certificate authority can issue certificates based on it.

To publish the Smartcard Logon Certificate Template

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click Server Manager.

  3. In Server Manager, under Active Directory Certificate Services, expand corp-DC1-CA, right-click Certificate Templates, select New, and then click Certificate Template to Issue.

  4. This will bring up an Enable Certificate Templates dialog box.

  5. Scroll down until you see Smartcard Logon. Select Smartcard Logon and click OK.

    Publish the Smartcard Logon Certificate Template

  6. Close Server Manager.

Set the CNG Key Isolation Service to Automatic and Start the Service

Now we need to start the CNG Key Isolation service on the FIM CM server. The service (short name KeyIso) performs private-key operations for CNG keys inside the LSA process, and FIM CM needs it running for the smart card operations configured in this step.

To set the CNG Key Isolation Service to automatic and start the service

  1. Log on to FIMCM1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Services.

  3. Scroll down to CNG Key Isolation and double-click it. This will bring up the CNG Key Isolation Properties.

  4. In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.

  5. In Services, right-click CNG Key Isolation, and then click Start. This will start the CNG Key Isolation service.

  6. When this completes, verify that the CNG Key Isolation has a status of Started.

    CNG Key Isolation Service

  7. Close Services.
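The two server-side steps above (publishing the template on the CA and enabling the CNG Key Isolation service) as a script, added here as an example and not part of the original guide. The first half runs on DC1 and uses certutil's -SetCATemplates, which takes the template's common name (SmartcardLogon) rather than its display name; the second half runs on FIMCM1. The CA config string is assembled from the lab's names and is an assumption about the CA's FQDN.

```powershell
# Added example (not part of the original guide).

# --- DC1: publish the Smartcard Logon template on corp-DC1-CA -------------------------------
$CaConfig = 'DC1.corp.contoso.com\corp-DC1-CA'   # assumed CA FQDN; CA name is from the lab
$Template = 'SmartcardLogon'                      # template CN; the display name is 'Smartcard Logon'

# '+Name' appends the template to the CA's issue list without removing the templates already there.
certutil -config $CaConfig -SetCATemplates "+$Template" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed with exit code $LASTEXITCODE" }

# Verify against the CA's own list of issuable templates; each line starts with the template CN
# followed by a colon, so anchor the match on that.
$issued = certutil -config $CaConfig -CATemplates
if (-not ($issued | Select-String -Pattern "^$Template\b")) {
    throw "$Template is not in the issuable template list of $CaConfig"
}
"$Template is published on $CaConfig"

# --- FIMCM1: CNG Key Isolation (service name KeyIso) ----------------------------------------
Set-Service -Name KeyIso -StartupType Automatic
$svc = Get-Service -Name KeyIso
if ($svc.Status -ne 'Running') { Start-Service -Name KeyIso }
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# Get-Service does not expose the startup type on older PowerShell, so confirm both settings via WMI.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='KeyIso'"
if ($wmi.StartMode -ne 'Auto' -or $wmi.State -ne 'Running') {
    throw "KeyIso is $($wmi.State) with start mode $($wmi.StartMode)"
}
"CNG Key Isolation: $($wmi.State), start mode $($wmi.StartMode)"
```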

Create and Configure the FIM CM Profile template

Now we will create and configure the FIM CM Profile template.

To create and configure the FIM CM Profile template

  1. Click Start, click All Programs, and then click Internet Explorer (64-bit).

  2. In Internet Explorer, in the address bar at the top, enter https://fimcm1/certificatemanagement and press Enter. This should bring up the Forefront Identity Manager 2010 page. Click the click to enter link. This will bring you to the main FIM CM page. This may take a moment.

  3. Scroll down and under Administration click Manage profile templates. This will bring up Profile Template Management.

    Configure Profile Template

  4. On Profile Template Management, place a check in the box next to FIM CM Sample Smart Card Logon Profile Template and click Copy a selected profile template.

    Configure Profile Template

  5. Clear what is in the box under New profile template name: and enter Contoso Smart Card Self-Service Profile Template. Click OK.

    Configure Profile Template

  6. On the Edit Profile Template screen, scroll down to Smart Card Configuration and click on Change Settings.

  7. On the right, place a check in Reuse retired card.

  8. On the right, place a check in Initialize new card prior to use.

    Configure Profile Template

  9. Scroll down to User PIN policy: and using the drop-down select User Provided. At the bottom, click OK.

    Configure Profile Template

  10. The smart card configuration should now look like the screenshot below.

    Configure Profile Template

  11. On the Edit Profile Template screen, on the left, click Enroll Policy.

  12. Now scroll down under Workflow: Initiate Enroll Requests and select Add new principal for enroll request. This will bring up a screen that says you can set up permissions for users or groups.

  13. Click the Lookup button. This will bring up a Search for Users and Groups screen.

  14. Select Groups and in the box under Name: enter FIM CM Smart Card Subscribers. Click Search.

  15. At the bottom of the screen, under User Logon you should see CORP\FIM CM Smart Card Subscribers. Click on this.

  16. You should now be returned to the previous screen, and under Principal: you should see CORP\FIM CM Smart Card Subscribers. Click OK.

  17. This will return you to the Edit Profile Template screen, and you should see that FIM CM Smart Card Subscribers has been added under Workflow: Initiate Enroll Requests.

    Configure Profile Template

  18. Now scroll down under Data Collection and place a check next to Sample Data Item. Click Delete data collection item. This will bring up a box that says OK to delete selected items? Click OK.

  19. On the left, click Retire Policy.

  20. Now scroll down under Data Collection and place a check next to Sample Data Item. Click Delete data collection item. This will bring up a box that says OK to delete selected items? Click OK.

    Configure Profile Template

  21. Close Internet Explorer.

Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon Certificate Template

Now we will assign the appropriate permissions to the Smartcard Logon certificate template.

To assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon certificate template

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Server Manager.

  3. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.

  4. On the right, scroll down, right-click Smartcard Logon and select Properties.

    Smartcard Logon permissions

  5. At the top, click the Security tab.

  6. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  7. In the box below Enter the object names to select (examples): enter FIM CM Smart Card Subscribers and click Check Names. This should resolve with an underline. Click OK.

  8. Make sure FIM CM Smart Card Subscribers is selected at the top and down under Permissions for FIM CM Smart Card Subscribers place a check in Enroll. At this point Read and Enroll should both be checked. Click Apply. Click OK.

    Smartcard Logon permissions

  9. Close Server Manager.

Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Self-Service Profile Template

Now we will assign the appropriate permissions to the FIM CM Profile template we just created.

To assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Self-Service Profile Template

  1. Click Start, select Administrative Tools, and then click Active Directory Sites and Services.

  2. At the top, under View, select Show Services Node.

  3. On the left, expand Services, expand Public Key Services and select Profile Templates.

  4. On the right, right-click Contoso Smart Card Self-Service Profile Template and select Properties.

    Profile Template permissions

  5. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  6. In the box below Enter the object names to select (examples): enter FIM CM Smart Card Subscribers and click Check Names. This should resolve with an underline. Click OK.

  7. Make sure FIM CM Smart Card Subscribers is selected at the top and down under Permissions for FIM CM Smart Card Subscribers place a check in FIM CM Enroll. At this point Read and FIM CM Enroll should both be checked. Click Apply. Click OK.

    Profile Template permissions

  8. Close Active Directory Sites and Services.
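Both permission procedures above, as a script added here for illustration (not part of the original guide). Run it on DC1 with the ActiveDirectory module. It grants CORP\FIM CM Smart Card Subscribers Read plus Enroll on the Smartcard Logon certificate template, then audits the ACL of both the certificate template and the profile template, resolving each extended-right GUID to its display name from the forest's Extended-Rights container so that Enroll, Autoenroll and FIM CM Enroll show up by name rather than as GUIDs. The Enroll GUID is the well-known Certificate-Enrollment control access right; FIM CM's own rights are looked up rather than hard-coded. The profile template's CN is assumed to equal the display name typed into the portal.

```powershell
# Added example (not part of the original guide): grant Read + Enroll on the Smartcard Logon
# template to the subscribers group and audit who holds which rights on both templates.
Import-Module ActiveDirectory

$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$PkiDN      = "CN=Public Key Services,CN=Services,$ConfigNC"
$GroupName  = 'FIM CM Smart Card Subscribers'
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment (Enroll)

$TemplateDN = "CN=SmartcardLogon,CN=Certificate Templates,$PkiDN"   # template CN, not display name
$ProfileDN  = "CN=Contoso Smart Card Self-Service Profile Template,CN=Profile Templates,$PkiDN"  # assumed CN

# Map rightsGuid -> displayName for every control access right in the forest, so ACE ObjectType
# GUIDs can be printed as names (Enroll, Autoenroll, FIM CM Enroll, ...).
$RightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" -LDAPFilter '(objectClass=controlAccessRight)' `
    -Properties rightsGuid, displayName |
    ForEach-Object { $RightNames[[Guid]$_.rightsGuid] = $_.displayName }

function Grant-TemplateEnroll([string]$Dn, [string]$Group, [Guid]$RightGuid) {
    $sid = (Get-ADGroup -Identity $Group).SID
    $acl = Get-Acl -Path "AD:\$Dn"
    # Read (GenericRead) lets the client see the template; the extended right lets it enroll.
    # Autoenroll is deliberately not granted: FIM CM drives issuance, not autoenrollment.
    $read   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericRead', 'Allow')
    $enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $RightGuid)
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($enroll)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Show-TemplateRights([string]$Dn) {
    # Print every ACE. Deny and inherited ACEs are shown too, because either can silently
    # override the Allow you just added.
    $acl = Get-Acl -Path "AD:\$Dn"
    "`n$Dn"
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $acl.Access) {
        $right = if (([int]$ace.ActiveDirectoryRights -band $extended) -ne 0) {
            if ($ace.ObjectType -eq [Guid]::Empty) { 'ExtendedRight (all)' }
            elseif ($RightNames.ContainsKey($ace.ObjectType)) { $RightNames[$ace.ObjectType] }
            else { "ExtendedRight $($ace.ObjectType)" }
        } else { $ace.ActiveDirectoryRights.ToString() }
        $inh = if ($ace.IsInherited) { ' (inherited)' } else { '' }
        '{0,-6} {1,-45} {2}{3}' -f $ace.AccessControlType, $ace.IdentityReference, $right, $inh
    }
}

Grant-TemplateEnroll -Dn $TemplateDN -Group $GroupName -RightGuid $EnrollGuid
Show-TemplateRights $TemplateDN
Show-TemplateRights $ProfileDN   # FIM CM Enroll granted in the GUI should list CORP\FIM CM Smart Card Subscribers
```

If the audit of the profile template shows Read but not FIM CM Enroll for the group, or shows a Deny ACE for a group the users belong to, self-service enrollment fails at the portal even though the certificate template ACL is correct; the two templates are authorized independently.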