How to Set Up FIM CM Active Directory Permissions

Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management

Forefront Identity Manager Certificate Management (FIM CM) Active Directory Permission Overview

Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) is tightly integrated with the Active Directory® directory service for authentication and authorization.

What This Document Covers

This document is a quick tutorial about FIM CM Active Directory permissions. It walks you through setup of those permissions.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

An understanding of Active Directory, Active Directory permissions concepts, Active Directory users and groups concepts, using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and using the Active Directory Sites and Services MMC snap-in is necessary for completion of this tutorial.

Audience

This document is intended for information technology (IT) planners, systems administrators, system architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.

Time Requirements

The procedures in this document take about 30 minutes to complete.

Scenario Roadmap

The walkthrough for setting up Active Directory permissions for FIM CM includes the following elements:

  • FIM CM Extended Permissions

  • Identifying Permission Assignment Locations

  • Set Up Constrained Delegation

  • Trust the clmWebPool for Delegation to CA

  • CM Authorization Agent Permissions

  • Permission Assignment for Self-Service

  • Permission Assignment for Initiating a Request

  • Permission Assignment for Approving a Request

  • Permission Assignment for an Enrollment Agent

FIM CM Extended Permissions

After you install FIM CM, the first step is to extend the Active Directory schema. The schema extensions add seven FIM CM extended permissions that you can use to delegate FIM CM management permissions to groups and users.

Note

For more information about the Active Directory schema extensions for FIM CM, see Installing and Configuring FIM CM Infrastructure.

FIM CM extended permissions include the following:

  • FIM CM Audit: Generates and displays FIM CM policy templates, defines management policies within a profile template, and generates FIM CM reports.

  • FIM CM Enrollment Agent: Performs certificate requests for the user or group on behalf of another user. The issued certificate’s subject contains the target user’s name, not the requester’s name.

  • FIM CM Enroll: Initiates, executes, or completes an enrollment request.

  • FIM CM Recover: Initiates encryption key recovery from the certification authority (CA) database.

  • FIM CM Renew: Initiates, executes, or completes an enrollment request. The renewal request replaces a user’s certificate that is near its expiration date with a new certificate that has a new validity period.

  • FIM CM Revoke: Revokes a certificate before the expiration of the certificate’s validity period. This can be necessary, for example, if a user’s computer or smart card is stolen.

  • FIM CM Request Unblock Smart Card: Resets a smart card’s user personal identification number (PIN) so that you can access the key material on a smart card.

Note

With Active Directory schemas that were updated with an earlier version of this component, such as ILM 2007 CLM or ILM "2" RC0 CLM, the names of the extended permissions are different. To recognize the earlier version of each name, replace "FIM CM" with "CLM". For example, FIM CM Audit would be CLM Audit. This was a name change only.

Identifying Permission Assignment Locations

There are five different permission assignment locations that determine the actual authorization level of the requesting user, as shown in the following illustration. When you define a management policy workflow, you must determine whether permissions are necessary at each of the five locations.

Illustration: AD Object Permissions for FIM CM

The five locations for permissions are as follows:

  1. On the service connection point: The service connection point permissions determine whether a user is assigned a management role in the FIM CM deployment. For example, if a user must initiate requests for other users, the user is assigned the FIM CM Request Enroll permission at the service connection point.

    Navigation: Active Directory Users and Computers\<Domain>\System\Microsoft\Certificate Lifecycle Manager\<Computer Name>.

  2. On the profile template object: The profile template permissions determine whether a user can read the contents of the profile template (to execute management policy workflows within the profile template) or receive certificates based on the management policies within the profile template. If a user is required to enroll certificates based on the profile template, the user must be assigned the FIM CM Enroll permissions on the profile template.

    Navigation: Active Directory Sites and Services\View\Show Services\Services\Public Key Services\Profile Templates.

  3. In users or groups: A user or group that is assigned a management role in the FIM CM environment must have permissions assigned on the users or groups that they will manage in the environment. For example, if you want to enable a manager to recover certificates that are issued to members of the GroupA users group, you must assign the manager or a group containing the manager the FIM CM Recover permission on the GroupA users group.

  4. In certificate templates: The user or group that submits enrollment and renewal requests to the certification authority must be assigned the Read and Enroll permissions on all certificate templates within a profile template.

    Navigation: Active Directory Sites and Services\View\Show Services Node\Services\Public Key Services\Profile Templates.

  5. Within the management policy: The user or group must be assigned their management role within the management policy. For example, if the user is given the task of approving enrollment requests, you must assign the user the ability to Approve enrollment requests within the Enroll management policy.

Note

Management Policy permissions are located in the Profile Template property sheets. You can modify these permissions by using the FIM CM Portal.
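Because the FIM CM extended permissions are stored as controlAccessRight objects and referenced in ACEs only by GUID, an ACL viewed in the GUI can be hard to audit. The following PowerShell script is an added example (not part of the original article) that resolves those GUIDs and lists which principals hold which FIM CM extended permission on an object such as the service connection point (location 1) or a profile template (location 2); the domain contoso.com and the server name CM01 in the sample DN are assumptions.

```powershell
# Added example: audit FIM CM extended-permission ACEs on one AD object.
# Assumed: ActiveDirectory module available, domain contoso.com, FIM CM server CM01.
Import-Module ActiveDirectory

function Get-FimCmExtendedRight {
    # Extended permissions live under CN=Extended-Rights in the configuration partition;
    # an ACE refers to them by rightsGuid, so build a GUID -> display name map.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $map = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
        -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=FIM CM *))' `
        -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-FimCmPermission {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rights = Get-FimCmExtendedRight
    $acl    = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Only ACEs carrying ExtendedRight matter here; an empty ObjectType GUID means
        # "all extended rights", which is broader than any single FIM CM role and worth flagging.
        $extended = $ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if ($extended -eq 0) { continue }
        $name = $null
        if ($ace.ObjectType -eq [guid]::Empty)           { $name = 'ALL extended rights' }
        elseif ($rights.ContainsKey($ace.ObjectType))    { $name = $rights[$ace.ObjectType] }
        if (-not $name) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $name
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Location 1: the service connection point of the FIM CM server (assumed DN).
$scp = 'CN=CM01,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,DC=contoso,DC=com'
Get-FimCmPermission -DistinguishedName $scp | Sort-Object Principal, Right | Format-Table -AutoSize
```

Run the same function against a profile template DN under CN=Profile Templates,CN=Public Key Services to review location 2, and compare the output with the role assignments planned in the walkthrough below.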

FIM CM Active Directory Permission Walkthrough

This walkthrough results in the setup and configuration of essential users and services for your CA.

Set Up Constrained Delegation

Configure the FIM CM server computer account to be trusted for delegation to the rpcss service on the CA.

  1. Open the Active Directory Users and Computers snap-in.

  2. Click View, and then click Advanced Features.

  3. Expand the <domain name>, and then navigate to the Computers container or the organizational unit (OU) that contains your FIM CM server.

  4. Right-click the FIM CM server, click Properties, and then click the Delegation tab.

  5. Click Trust this computer for delegation to specified services only, select Use any authentication protocol, and then click Add.

  6. In Add Services, click Users or Computers.

  7. In Select Users or Computers, type the name of the CA, and then click OK.

  8. In Add Services, in the list of Available services, select rpcss, and then click OK.

Trust the clmWebPool for Delegation to the CA

Configure the clmWebPool account to be trusted, using Kerberos only, for delegation to the HOST service on the CA.

  1. Open Active Directory Users and Computers.

  2. Expand <domain name>, click Users, right-click the account clmWebPool, and then click Properties.

  3. Click the Delegation tab, click Trust this user for delegation to specified services only, click Use Kerberos only, and then click Add.

  4. In Add Services, click Users or Computers.

  5. In Select Users or Computers, type the name of the CA, and then click OK.

  6. In Add Services, in the list of Available services, select HOST, and then click OK.
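The two delegation procedures above can also be applied and verified from PowerShell. This is an added example, not part of the original article; the FIM CM server name CM01, CA name CA01, and domain contoso.com are assumptions, and the clmWebPool account name is taken from the procedure.

```powershell
# Added example: constrained delegation for the FIM CM server and clmWebPool via the ActiveDirectory module.
# Assumed names: FIM CM server CM01, CA CA01 (FQDN CA01.contoso.com), account clmWebPool.
Import-Module ActiveDirectory

$cmServer = 'CM01'
$caName   = 'CA01'
$caFqdn   = 'CA01.contoso.com'

# 1. FIM CM server -> rpcss on the CA, "Use any authentication protocol".
#    That option is the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition) plus the
#    target SPNs in msDS-AllowedToDelegateTo; the GUI writes both the short and FQDN forms.
#    "Specified services only" also means unconstrained delegation (TrustedForDelegation) is off.
Set-ADComputer -Identity $cmServer -Add @{ 'msDS-AllowedToDelegateTo' = @("rpcss/$caName", "rpcss/$caFqdn") }
Set-ADAccountControl -Identity "$cmServer$" -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# 2. clmWebPool -> HOST on the CA, "Use Kerberos only".
#    Kerberos-only means no protocol transition, so TrustedToAuthForDelegation must stay $false.
Set-ADUser -Identity 'clmWebPool' -Add @{ 'msDS-AllowedToDelegateTo' = @("HOST/$caName", "HOST/$caFqdn") }
Set-ADAccountControl -Identity 'clmWebPool' -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Verify: what each account may delegate to and whether protocol transition is enabled.
# Protocol transition should be $true only for the FIM CM server, never for clmWebPool.
$props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
$accounts = @(
    (Get-ADComputer -Identity $cmServer -Properties $props),
    (Get-ADUser     -Identity 'clmWebPool' -Properties $props)
)
foreach ($acct in $accounts) {
    [pscustomobject]@{
        Account             = $acct.SamAccountName
        AllowedToDelegateTo = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
        Unconstrained       = [bool]$acct.TrustedForDelegation
        ProtocolTransition  = [bool]$acct.TrustedToAuthForDelegation
    }
}
```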

CM Authorization Agent Permissions

This section describes in detail the permissions that the clmAuthAgent account must have to perform various actions and roles.

The clmAuthAgent account requires the following permissions:

  1. Read permissions on all users and groups that use the portal or that are subscribers. These permissions can be inherited from Authenticated Users if they are configured in step 3 of Set Up Constrained Delegation.

  2. Read permissions on the certificate templates that you can use with the profile templates.

  3. Read and Write permissions on all existing profile templates.

  4. Permission to create a child object on the profile templates container.

Delegating Profile Template Administrator

Create a user named ProfileAdmin01 and a Global Security group named ProfileAdmins, and then assign the needed permissions.

  1. Service connection point: Assign FIM CM Audit permissions to the ProfileAdmins group.

  2. Profile template: Assign ProfileAdmins Full Control to the container, specifying that it apply to “This object and all descendant objects”.

  3. User or group: No permissions need to be granted to users or groups.

  4. Certificate template: No permissions need to be granted.

  5. Within the management policy: No permissions need to be granted.

Permission Assignment for Self-Service

Create a user named Subscriber1 and a Global Security group named Subscribers, and then assign the needed permissions.

  1. Service connection point: You do not have to assign explicit permissions to the service connection point because the inherited Authenticated Users Read permission is sufficient.

  2. Profile template: Assign the Subscribers group Read and FIM CM Enroll permissions on the profile templates that the user can enroll for.

  3. User or group: No permissions need to be granted to users or groups.

  4. Certificate template: Assign the Subscribers group Read and Enroll permissions on the certificate templates that the user enrolls for as part of the profile template.

  5. Within the management policy: Activate Self Service under the Workflow General Settings for the FIM CM Operation to be performed (for example, Enroll and Revoke Policy).

Permission Assignment for Initiating a Request

Create a user named Initiator01 and a Global Security group named Initiators, and then assign the needed permissions.

  1. Service connection point: Assign the Initiators group the FIM CM Request set of permissions that is related to the Request operation that they will be initiating (for example, FIM CM Request Enroll, and so on).

  2. Profile template: Grant Read permissions to the Initiators group on the profile template.

  3. User or group: On the Subscribers security group, grant the Initiators group Read and the relevant FIM CM Request permissions, so that Initiators can read and perform those request operations on all members of this group.

  4. Certificate template: No explicit permissions need to be granted to certificate templates.

  5. Within the management policy: In the profile template, grant the Initiators group rights to Workflow: Initiate RequestType Request (where RequestType is Enroll, Duplicate, and so on).

Permission Assignment for Approving a Request

Create a user named Approver01 and a Global Security group named Approvers, and then assign the needed permissions.

  1. Service connection point: Grant Approvers FIM CM Audit and Read permissions.

  2. Profile template: Assign the Approvers group Read permissions on the profile template.

  3. User or group: Ensure that each approver account receives Read permission (all properties) on each subscriber user account. These permissions can be propagated through existing group memberships: assign them to an Approvers security group, and then grant that group permissions on the organizational units (OUs) that contain the subscriber user accounts.

    Note

    If you have subscriber users in the default Users container or at the domain level(s) of your directory structure, you must either move those accounts into an OU structure or assign permissions to the Approvers security group at the domain level.

  4. Certificate template: No explicit permissions need to be granted to certificate templates.

  5. Within the management policy: In the profile template, grant the Approvers group rights to Workflow: Approve RequestType Request (where RequestType is Enroll, Duplicate, and so on).

Permission Assignment for an Enrollment Agent

Create a user named EnrollAgent01 and a Global Security group named EnrollmentAgents.

  1. Service connection point: Assign the EnrollmentAgents group Read permissions on the Profile Templates container. Assign the EnrollmentAgents group Read and FIM CM Enroll rights on each of the Profile Templates for which they enroll.

  2. Profile template: Grant Read permissions on the profile templates container to the EnrollmentAgents. Grant EnrollmentAgents Read and FIM CM Enroll rights on each of the profile templates that they need to enroll for.

  3. User or group: On the Subscribers security group, grant the EnrollmentAgents group Read and FIM CM Enrollment Agent permissions.

  4. Certificate template: Assign the EnrollmentAgents group Read and Enroll rights on all certificate templates that are configured in the profile template.

  5. Within the management policy: In the profile template, grant the EnrollmentAgents group rights to Workflow: Enroll Agent for RequestType Request (where RequestType is Enroll, Duplicate, and so on).
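The "User or group" step of the Initiating, Approving, and Enrollment Agent scenarios above all follow one pattern: grant a role group Read and/or one FIM CM extended permission on a target object, either directly on a group object or inherited by every user account under an OU. The following PowerShell function is an added example, not part of the original article; it assumes the ActiveDirectory module, the group names from the scenarios (Initiators, Subscribers, Approvers), and an OU named OU=Staff,DC=contoso,DC=com that holds subscriber accounts.

```powershell
# Added example: grant a role group Read or one FIM CM extended permission on a target object.
# Assumed: ActiveDirectory module, groups Initiators/Subscribers/Approvers, OU=Staff,DC=contoso,DC=com.
Import-Module ActiveDirectory

function Grant-FimCmRight {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # role group, e.g. Initiators
        [Parameter(Mandatory)][string]$TargetDN,    # group, user, OU or service connection point DN
        [string]$ExtendedRight,                     # e.g. 'FIM CM Request Enroll'; omit for plain Read
        [switch]$OnDescendantUsers                  # OU case: apply to all descendant user objects
    )
    $rootDse = Get-ADRootDSE
    if ($ExtendedRight) {
        # Extended permissions are identified in an ACE by the rightsGuid of their controlAccessRight object.
        $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$ExtendedRight))" -Properties rightsGuid
        if (-not $right) { throw "Extended right '$ExtendedRight' not found; is the FIM CM schema extension applied?" }
        $adRights   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $objectType = [guid]$right.rightsGuid
    } else {
        $adRights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
        $objectType = [guid]::Empty
    }
    if ($OnDescendantUsers) {
        # Limit the inherited ACE to user objects (schemaIDGUID of the user class), not every descendant.
        $userClass     = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter '(ldapDisplayName=user)' -Properties schemaIDGUID
        $inheritance   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $inheritedType = [guid]$userClass.schemaIDGUID
    } else {
        $inheritance   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $inheritedType = [guid]::Empty
    }
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $adRights, [System.Security.AccessControl.AccessControlType]::Allow,
        $objectType, $inheritance, $inheritedType)
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Initiators (location 3): Read and FIM CM Request Enroll on the Subscribers group object.
$subscribersDN = (Get-ADGroup -Identity 'Subscribers').DistinguishedName
Grant-FimCmRight -GroupName 'Initiators' -TargetDN $subscribersDN
Grant-FimCmRight -GroupName 'Initiators' -TargetDN $subscribersDN -ExtendedRight 'FIM CM Request Enroll'

# Approvers (location 3, OU variant): Read on every user account under the subscribers' OU.
Grant-FimCmRight -GroupName 'Approvers' -TargetDN 'OU=Staff,DC=contoso,DC=com' -OnDescendantUsers
```

The same call with -ExtendedRight 'FIM CM Enrollment Agent' against the Subscribers group covers the EnrollmentAgents scenario.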