Step 7: Configure FIM CM for Centralized Smart Card Registration

CLIENT2 configuration for the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Administration test lab consists of the following:

  • Create the FIM CM Smart Card Subscribers group

  • Add members to the FIM CM Smart Card Subscribers group

  • Create the FIM CM Smart Card Issuers group

  • Add members to the FIM CM Smart Card Issuers group

  • Mailbox-enable User1

  • Create a GPO to add https://fimcm1 to Local Intranet

  • Create the FIMCM Smart Card Logon Certificate Template

  • Publish the Smart Card Logon Certificate Template

  • Set the CNG Key Isolation Service to Automatic and Start the Service

  • Create and Configure the FIM CM Profile template

  • Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point

  • Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group

  • Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIMCM Smart Card Logon Certificate Template

  • Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template

Create the FIM CM Smart Card Subscribers group

Create an Active Directory group. This group will contain all of the users that are allowed to participate in self-service.

To create the FIM CM Smart Card Subscribers group

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.

  4. Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.

  5. On the New Object – Group screen, in the Group name: box, type the following text:
    FIM CM Smart Card Subscribers

  6. Click OK.

    [Screenshot: FIM CM Smart Card Subscribers]

Add members to the FIM CM Smart Card Subscribers group

Now we will add users to the FIM CM Smart Card Subscribers group.

To add users to the FIM CM Smart Card Subscribers group

  1. In Active Directory Users and Computers, double-click on the newly created FIM CM Smart Card Subscribers group. This will bring up FIM CM Smart Card Subscribers Properties.

  2. In the FIM CM Smart Card Subscribers Properties, at the top, select the Members tab.

  3. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  4. In the box below Enter the object names to select (examples): enter Britta Simon and click Check Names. This should resolve with an underline. Click OK.

  5. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  6. In the box below Enter the object names to select (examples): enter Lola Jacobson and click Check Names. This should resolve with an underline. Click OK.

    [Screenshot: FIM CM Smart Card Subscribers Members]

  7. On the FIM CM Smart Card Subscribers Properties click Apply. Click OK.

Create the FIM CM Smart Card Issuers group

Create an Active Directory group. This group will contain all of the users that are allowed to issue smart cards to other users.

To create the FIM CM Smart Card Issuers group

  1. Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.

  2. On the New Object – Group screen, in the Group name: box, type the following text:
    FIM CM Smart Card Issuers

  3. Click OK.

    [Screenshot: FIM CM Smart Card Issuers]

Add members to the FIM CM Smart Card Issuers group

Now we will add users to the FIM CM Smart Card Issuers group.

To add members to the FIM CM Smart Card Issuers group

  1. In Active Directory Users and Computers, double-click on the newly created FIM CM Smart Card Issuers group. This will bring up FIM CM Smart Card Issuers Properties.

  2. In the FIM CM Smart Card Issuers Properties, at the top, select the Members tab.

  3. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  4. In the box below Enter the object names to select (examples): enter User1 and click Check Names. This should resolve with an underline. Click OK.

  5. On the FIM CM Smart Card Issuers Properties click Apply. Click OK.

    [Screenshot: FIM CM Smart Card Issuers Members]

  6. Close Active Directory Users and Computers.
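The two group sections above can also be scripted on DC1 with the ActiveDirectory module. This is an added example, not part of the original guide; it assumes the RSAT ActiveDirectory module is available and that the three lab accounts can be found by the display name or sAMAccountName the guide uses.

```powershell
# Added example (not from the original guide): scripted equivalent of creating
# the two groups and adding their members, run on DC1 as corp\Administrator.
Import-Module ActiveDirectory

# Group name -> members, exactly as the guide names them. Members are resolved
# by displayName or sAMAccountName, so no account names need to be assumed.
$groups = @{
    'FIM CM Smart Card Subscribers' = @('Britta Simon', 'Lola Jacobson')
    'FIM CM Smart Card Issuers'     = @('User1')
}
$usersContainer = 'CN=Users,DC=corp,DC=contoso,DC=com'

function Resolve-LabUser([string]$Name) {
    $u = Get-ADUser -LDAPFilter "(|(displayName=$Name)(sAMAccountName=$Name))"
    if (-not $u) { throw "No user matches '$Name'" }
    if (@($u).Count -gt 1) { throw "'$Name' is ambiguous; use the sAMAccountName" }
    return $u
}

foreach ($groupName in $groups.Keys) {
    # Idempotent: only create the global security group if it is missing.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $usersContainer
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $usersContainer -PassThru
        Write-Host "Created group $groupName"
    }
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)
    foreach ($member in $groups[$groupName]) {
        $user = Resolve-LabUser $member
        if ($current -notcontains $user.DistinguishedName) {
            Add-ADGroupMember -Identity $group -Members $user
            Write-Host "Added $($user.SamAccountName) to $groupName"
        }
    }
}

# Verify: record the resolved membership of both groups.
foreach ($groupName in $groups.Keys) {
    $members = Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty SamAccountName
    Write-Host ("{0}: {1}" -f $groupName, ($members -join ', '))
}
```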

Mailbox-enable User1

User1 is required to have the mail attribute populated when enrolling another user.

To Mailbox-enable User1

  1. Log on to the EX1.corp.contoso.com server as the Administrator.

  2. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

  3. In the Exchange Management Console, click Microsoft Exchange On-Premises. This will start an Initialization.

    Warning

    This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days you will need to enter a product key. For now, just click OK.

  4. In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), expand Recipient Configuration, and then click Mailbox.

  5. On the right, in the Actions pane, click New Mailbox to start the New Mailbox Wizard.

  6. On the Introduction page, select User Mailbox, and then click Next.

  7. On the User Type page, select Existing users, and then click Add. This will bring up the Select User – Entire Forest page.

  8. From the list, select User1 and click Next.

  9. On the Mailbox Settings page, place a check in Specify the mailbox database rather than using a database automatically selected and click Browse. Select the database and click OK. Click Next.

  10. On the New Mailbox page, click New.

  11. On the Completion page, verify that it was successful, and then click Finish.

  12. Close Exchange Management Console.

Create a GPO to add https://fimcm1 to Local Intranet

Now we will create a Group Policy Object that will automatically add https://fimcm1 to the local intranet settings of Internet Explorer. This will make it easier for our users as they will not have to do this task manually. Otherwise, they will be prompted for credentials when attempting to access the FIM CM web portal.

To create a GPO to add https://fimcm1 to Local Intranet

  1. Click Start, select Administrative Tools, and then click Group Policy Management. This will open the Group Policy Management MMC.

  2. At the top, expand Forest: corp.contoso.com, expand Domains, expand corp.contoso.com, right-click Default Domain Policy and select Edit. This will bring up the Group Policy Management Editor.

  3. On the left, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and click Security.

    [Screenshot: Create GPO]

  4. On the right, double-click Security Zones and Content Ratings. This will bring up the Security Zones and Content Ratings dialog box.

  5. In the top portion, under Security Zones and Privacy, select Import the current security zones and privacy settings. This will bring up a box that says that these settings will be ignored if Internet Explorer Enhanced Security is disabled. Click Continue.

    [Screenshot: Create GPO]

  6. Click Modify Settings. This will bring up the Internet Properties dialog box.

    [Screenshot: Create GPO]

  7. Click on the Local Intranet icon and click the Sites button. This will bring up the Local intranet dialog box.

  8. In the box under add this website to the zone: enter https://fimcm1 and click Add. Click Close. This will close the Local intranet dialog box.

    [Screenshot: Create GPO]

  9. Click OK. This will close the Internet Properties dialog box.

  10. Click Apply and click OK. This will close the Security Zones and Content Ratings dialog box.

  11. Close Group Policy Management Editor.

  12. Close Group Policy Management.
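After the policy has applied, a client-side check confirms which Internet Explorer zone https://fimcm1 actually resolved to. This is an added example, not part of the original guide; it reads the ZoneMap registry keys that Internet Explorer consults, both the per-user keys IE Maintenance writes and the Policies keys used by the Site to Zone Assignment List policy.

```powershell
# Added example (not from the original guide): verify on a domain-joined client
# that https://fimcm1 is mapped to the Local intranet zone (zone 1), which is what
# lets IE send integrated Windows credentials to the FIM CM portal without a prompt.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-IEZoneForHost([string]$HostName, [string]$Scheme = 'https') {
    # Policy keys take precedence over the per-user keys, so they are checked first.
    $roots = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    foreach ($root in $roots) {
        # A single-label host such as fimcm1 is a direct subkey of Domains;
        # the scheme (http/https) is a DWORD value holding the zone number.
        $key = Join-Path $root $HostName
        if (-not (Test-Path $key)) { continue }
        $zone = (Get-ItemProperty -Path $key).$Scheme
        if ($zone -ne $null) {
            return New-Object PSObject -Property @{
                Host = $HostName; Scheme = $Scheme; Zone = [int]$zone
                ZoneName = $zoneNames[[int]$zone]; Source = $key
            }
        }
    }
    return $null   # no explicit mapping; IE falls back to its own zone heuristics
}

$result = Get-IEZoneForHost -HostName 'fimcm1'
if ($result -and $result.Zone -eq 1) {
    Write-Host "https://fimcm1 is in '$($result.ZoneName)' (from $($result.Source))"
} elseif ($result) {
    Write-Warning "https://fimcm1 is mapped to '$($result.ZoneName)' (zone $($result.Zone)) via $($result.Source)"
} else {
    Write-Warning 'No explicit zone mapping for fimcm1 found; run gpupdate /force and check again.'
}
```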

Create the FIMCM Smart Card Logon Certificate Template

A centralized FIM CM registration model requires that the certificate template has authorization signatures set to 1. In order to do this, we will copy the Smart Card Logon certificate template and modify it to meet our requirements.

To create the FIMCM Smart Card Logon Certificate Template

  1. Click Start, select Administrative Tools, and then click Server Manager.

  2. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.

  3. On the right, under Template Display Name, scroll down and right-click on Smartcard Logon, and select Duplicate Template.

  4. This will bring up a dialog box asking to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

    [Screenshot: Windows 2003 Certificate]

  5. This will bring up Properties for the New Template. Under Template display name: clear what is in the box and enter FIMCM Smart Card Logon.

  6. At the top, click the Issuance Requirements tab and place a check in The number of authorized signatures. Make sure this is set to 1.

  7. In the drop-down under Policy type required is signature select Application Policy.

  8. In the drop-down under Application policy: select Certificate Request Agent.

    [Screenshot: FIM CM Smart Card Logon]

  9. At the bottom, click Apply and click OK.

Publish the FIMCM Smart Card Logon Certificate Template

Now we need to publish the FIMCM Smart Card Logon certificate template so our certificate authority can issue certificates based on this template.

To publish the FIMCM Smart Card Logon Certificate Template

  1. In Server Manager, under Active Directory Certificate Services, expand corp-DC1-CA, right-click Certificate Templates, select New, and then select Certificate Template to Issue.

  2. This will bring up an Enable Certificate Templates dialog box.

  3. Scroll down until you see FIMCM Smart Card Logon. Select FIMCM Smart Card Logon and click OK.

    [Screenshot: Publish FIM CM Smart Card Logon]

  4. Close Server Manager.
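The template and publishing steps above can be verified directly against the Configuration partition, which is where both the template and the CA's list of published templates live. This is an added example, not part of the original guide; the template's internal name FIMCMSmartCardLogon and the CA name corp-DC1-CA come from the guide, and the Certificate Request Agent OID is the standard Microsoft value.

```powershell
# Added example (not from the original guide): confirm from DC1 that the
# duplicated template requires one Certificate Request Agent signature and
# that corp-DC1-CA is configured to issue it.
Import-Module ActiveDirectory

$configNc   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNc"
$templateCn = 'FIMCMSmartCardLogon'        # internal name, as shown in the FIM CM portal
$caName     = 'corp-DC1-CA'
$craOid     = '1.3.6.1.4.1.311.20.2.1'     # Certificate Request Agent application policy

function Test-FimCmTemplate {
    $t = Get-ADObject -Identity "CN=$templateCn,CN=Certificate Templates,$pkiBase" `
        -Properties displayName, msPKI-RA-Signature, msPKI-RA-Application-Policies
    $ca = Get-ADObject -Identity "CN=$caName,CN=Enrollment Services,$pkiBase" `
        -Properties certificateTemplates

    # The guide duplicates as a Windows Server 2003 (v2) template, so the
    # signature application policy is stored as a plain OID string.
    $checks = @(
        @{ Name = 'Display name is FIMCM Smart Card Logon'
           Pass = ($t.displayName -eq 'FIMCM Smart Card Logon') },
        @{ Name = 'Number of authorized signatures is 1'
           Pass = ([int]$t.'msPKI-RA-Signature' -eq 1) },
        @{ Name = 'Signature must carry the Certificate Request Agent policy'
           Pass = (@($t.'msPKI-RA-Application-Policies') -contains $craOid) },
        @{ Name = "Template is published on $caName"
           Pass = (@($ca.certificateTemplates) -contains $templateCn) }
    )
    foreach ($c in $checks) {
        $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $status, $c.Name)
    }
    # Overall result: $true only when every check passed.
    return (@($checks | Where-Object { -not $_.Pass }).Count -eq 0)
}

Test-FimCmTemplate
```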

Set the CNG Key Isolation Service to Automatic and Start the Service

Now we need to start the CNG Key Isolation Service.

To set the CNG Key Isolation Service to automatic and start the service

  1. Log on to FIMCM1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Services.

  3. Scroll down to CNG Key Isolation and double-click it. This will bring up the CNG Key Isolation Properties.

  4. In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.

  5. In Services, right-click CNG Key Isolation, and then click Start. This will start the CNG Key Isolation service.

  6. When this completes, verify that the CNG Key Isolation has a status of Started.

    [Screenshot: CNG Key Isolation Service]

  7. Close Services.

Create and Configure the FIM CM Profile template

Now we will create and configure the FIM CM Profile template.

To create and configure the FIM CM Profile template

  1. Click Start, click All Programs, and then click Internet Explorer (64-bit).

  2. In Internet Explorer, in the address bar at the top, enter https://fimcm1/certificatemanagement and press Enter. This should bring up the Forefront Identity Manager 2010 page. Click on click to enter. This will bring you to the main FIM CM page. This may take a moment.

  3. Scroll down and under Administration click Manage profile templates. This will bring up Profile Template Management.

    [Screenshot: Configure Profile Template]

  4. On Profile Template Management, place a check in the box next to FIM CM Sample Smart Card Logon Profile Template and click Copy a selected profile template.

    [Screenshot: Configure Profile Template]

  5. Clear what is in the box under New profile template name: and enter Contoso Centralized Smart Card Profile Template. Click OK.

  6. On the Edit Profile Template screen, scroll down to Certificate Templates and click on Add new certificate template.

  7. On the right, under Certificate Authorities, place a check in the box under selected.

    [Screenshot: Add certificate template]

  8. Scroll down and on the right place a check in FIMCMSmartCardLogon. At the bottom of the page click Add.

    [Screenshot: Add certificate template]

  9. On the Edit Profile Template screen, scroll down to Certificate Templates, place a check next to SmartcardLogon and click on Delete selected certificate template. This will bring up a box that says OK to delete selected items? Click OK.

    [Screenshot: Add certificate template]

  10. On the Edit Profile Template screen, scroll down to Smart Card Configuration and click on Change Settings.

  11. On the right, place a check in Initialize new card prior to use.

  12. On the right, place a check in Reuse retired card.

    [Screenshot: Configure Profile Template]

  13. Scroll down to User PIN policy: and using the drop-down select User Provided. At the bottom, click OK.

    [Screenshot: Configure Profile Template]

  14. The smart card configuration should now look like the screenshot below.

    [Screenshot: Configure Profile Template]

  15. On the Edit Profile Template screen, on the left, click Enroll Policy.

  16. Now scroll down under Workflow: General and select Change general settings. This will bring up the General Workflow Options.

  17. On the right, remove the check from Use self serve and place a check in Require enrollment agent. Click OK.

    [Screenshot: Workflow General Settings]

  18. Now scroll down under Workflow: Initiate Enroll Requests and select Add new principal for enroll request. This will bring up a screen that says you can set up permissions for users or groups.

  19. Click the Lookup button. This will bring up a Search for Users and Groups screen.

  20. Select Groups and in the box under Name: enter FIM CM Smart Card Issuers. Click Search.

  21. At the bottom of the screen, under User Logon you should see CORP\FIM CM Smart Card Issuers. Click on this.

  22. You should now return to the previous screen, and under Principal: you should see CORP\FIM CM Smart Card Issuers. Click OK.

  23. This will return you to the Edit Profile Template screen, and you should see that FIM CM Smart Card Issuers has been added under Workflow: Initiate Enroll Requests.

  24. Now scroll down under Workflow: Enroll Agent for Enroll Requests and select Add new principal for enroll request. This will bring up a screen that says you can set up permissions for users or groups.

  25. Click the Lookup button. This will bring up a Search for Users and Groups screen.

  26. Select Groups and in the box under Name: enter FIM CM Smart Card Issuers. Click Search.

  27. At the bottom of the screen, under User Logon you should see CORP\FIM CM Smart Card Issuers. Click on this.

  28. You should now return to the previous screen, and under Principal: you should see CORP\FIM CM Smart Card Issuers. Click OK.

  29. This will return you to the Edit Profile Template screen, and you should see that FIM CM Smart Card Issuers has been added under Workflow: Enroll Agent for Enroll Requests.

    [Screenshot: Workflow Initiate Enroll and Enrollment on Behalf]

  30. Now scroll down under Data Collection and place a check next to Sample Data Item. Click Delete data collection item. This will bring up a box that says OK to delete selected items? Click OK.

  31. Now scroll down under Data Collection and click Add new data collection item. This will bring up the Data Item Name and type page.

  32. In the box under Name: enter Valid ID#1.

    [Screenshot: Data Collection]

  33. In the box under Description: enter This is a valid form of identification that was presented by the smart card requestor.

  34. Scroll to the bottom and click OK. This will return you to the Edit Profile Template screen. Scroll down under Data Collection and you should see Valid ID#1.

  35. Now scroll down under Data Collection and click Add new data collection item. This will bring up the Data Item Name and type page.

  36. In the box under Name: enter Valid ID#2.

  37. In the box under Description: enter This is a valid form of identification that was presented by the smart card requestor.

  38. Scroll to the bottom and click OK. This will return you to the Edit Profile Template screen. Scroll down under Data Collection and you should see Valid ID#1 and Valid ID#2.

    [Screenshot: Data Collection]

  39. Close Internet Explorer.

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point

Now we will assign the appropriate permissions to the Service Connection Point.

To assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers.

  3. In Active Directory Users and Computers, expand corp.contoso.com, expand System, expand Microsoft, expand Certificate Lifecycle Manager, right-click FIMCM1, and select Properties. This will bring up FIMCM1 Properties.

    Warning

    In order to see the System node you must ensure that Advanced Features are selected. To select Advanced Features, at the top of Active Directory Users and Computers select View and then select Advanced Features.

    [Screenshot: Service Connection Point]

  4. At the top, click the Security tab.

  5. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  6. In the box below Enter the object names to select (examples): enter FIM CM Smart Card Issuers and click Check Names. This should resolve with an underline. Click OK.

  7. Make sure FIM CM Smart Card Issuers is selected at the top and down under Permissions for FIM CM Smart Card Issuers make sure there is a check in Read and then place a check in FIM CM Enrollment Agent. Click Apply. Click OK.

    [Screenshot: Service Connection Point]

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group

Now we will assign the appropriate permissions to the FIM CM Smart Card Subscribers group. This will allow the FIM CM Smart Card Issuers to act as enrollment agents.

To assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group

  1. In Active Directory Users and Computers, expand corp.contoso.com, select Users, right-click FIM CM Smart Card Subscribers, and select Properties. This will bring up FIM CM Smart Card Subscribers Properties.

    [Screenshot: FIM CM Smart Card Issuers permission on Subscribers]

  2. At the top, click the Security tab.

  3. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  4. In the box below Enter the object names to select (examples): enter FIM CM Smart Card Issuers and click Check Names. This should resolve with an underline. Click OK.

  5. Make sure FIM CM Smart Card Issuers is selected at the top and down under Permissions for FIM CM Smart Card Issuers make sure there is a check in Read and then place a check in FIM CM Enrollment Agent. Click Apply. Click OK.

    [Screenshot: FIM CM Smart Card Issuers permission on Subscribers]

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIMCM Smart Card Logon Certificate Template

Now we will assign the appropriate permissions to the FIMCM Smart Card Logon certificate template.

To assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIMCM Smart Card Logon certificate template

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Server Manager.

  3. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.

  4. On the right, scroll down, right-click FIMCM Smart Card Logon and select Properties.

  5. At the top, click the Security tab.

  6. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  7. In the box below Enter the object names to select (examples): enter FIM CM Smart Card Issuers and click Check Names. This should resolve with an underline. Click OK.

  8. Make sure FIM CM Smart Card Issuers is selected at the top and down under Permissions for FIM CM Smart Card Issuers place a check in Enroll. At this point Read and Enroll should both be checked. Click Apply. Click OK.

  9. Close Server Manager.

Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template

Now we will assign the appropriate permissions to the FIM CM Profile template we just created.

To assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template

  1. Click Start, select Administrative Tools, and then click Active Directory Sites and Services.

  2. At the top, under View, select Show Services Node.

  3. On the left, expand Services, expand Public Key Services and select Profile Templates.

    [Screenshot: Profile Template Permissions]

  4. On the right, right-click Contoso Centralized Smart Card Profile Template and select Properties.

  5. Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  6. In the box below Enter the object names to select (examples): enter FIM CM Smart and click Check Names. This will bring up a box saying Multiple Names Found.

  7. Now select both and click OK. They should both resolve with an underline. Click OK.

  8. Now select FIM CM Smart Card Issuers and down under Permissions for FIM CM Smart Card Issuers place a check in FIM CM Enroll. At this point Read and FIM CM Enroll should both be checked.

    [Screenshot: Profile Template Permissions]

  9. Now select FIM CM Smart Card Subscribers and down under Permissions for FIM CM Smart Card Subscribers place a check in FIM CM Enroll. At this point Read and FIM CM Enroll should both be checked. Click Apply. Click OK.

  10. Close Active Directory Sites and Services.
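The four permission assignments above (Service Connection Point, Subscribers group, certificate template and profile template) can be audited in one pass with the AD: drive of the ActiveDirectory module on DC1. This is an added example, not part of the original guide; it resolves the custom rights by the display names the Security tab shows (FIM CM Enrollment Agent, FIM CM Enroll) rather than hard-coding GUIDs, and it assumes the profile template's CN in AD matches the name typed when the template was copied.

```powershell
# Added example (not from the original guide): audit the ACLs set in the last
# four sections. Distinguished names follow the containers the guide walks through.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=contoso,DC=com'
$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$issuers  = 'CORP\FIM CM Smart Card Issuers'
$subs     = 'CORP\FIM CM Smart Card Subscribers'

# Map an extended right's display name (as shown on the Security tab) to its rightsGuid.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    if (-not $r) { throw "Extended right '$DisplayName' not found; is the FIM CM schema extension in place?" }
    return [guid]$r.rightsGuid
}

# True if an Allow ACE on $Dn grants $Identity the extended right $RightGuid.
# An ACE with an empty ObjectType (e.g. Full Control) grants every extended right.
function Test-AllowedRight([string]$Dn, [string]$Identity, [guid]$RightGuid) {
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in (Get-Acl -Path "AD:\$Dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (([int]$ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $RightGuid) { return $true }
    }
    return $false
}

$enrollAgent = Get-ExtendedRightGuid 'FIM CM Enrollment Agent'
$fimEnroll   = Get-ExtendedRightGuid 'FIM CM Enroll'
$certEnroll  = Get-ExtendedRightGuid 'Enroll'   # built-in Certificate-Enrollment right

# Assumption: the profile template CN equals the name entered in the FIM CM portal.
$profileDn = "CN=Contoso Centralized Smart Card Profile Template,CN=Profile Templates,$pkiBase"
$scpDn     = "CN=FIMCM1,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,$domainDn"
$subsDn    = "CN=FIM CM Smart Card Subscribers,CN=Users,$domainDn"
$tmplDn    = "CN=FIMCMSmartCardLogon,CN=Certificate Templates,$pkiBase"

$expected = @(
    @{ Dn = $scpDn;     Who = $issuers; Right = $enrollAgent; Label = 'SCP: Issuers have FIM CM Enrollment Agent' },
    @{ Dn = $subsDn;    Who = $issuers; Right = $enrollAgent; Label = 'Subscribers group: Issuers have FIM CM Enrollment Agent' },
    @{ Dn = $tmplDn;    Who = $issuers; Right = $certEnroll;  Label = 'Certificate template: Issuers have Enroll' },
    @{ Dn = $profileDn; Who = $issuers; Right = $fimEnroll;   Label = 'Profile template: Issuers have FIM CM Enroll' },
    @{ Dn = $profileDn; Who = $subs;    Right = $fimEnroll;   Label = 'Profile template: Subscribers have FIM CM Enroll' }
)
foreach ($e in $expected) {
    $status = if (Test-AllowedRight $e.Dn $e.Who $e.Right) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $status, $e.Label)
}
```

A FAIL line points at the exact object and principal to revisit; Read is not checked because the groups already receive it through the default Authenticated Users entry.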