Step 7: Configure FIM CM for Delegated Smart Card Registration
CLIENT2 configuration for the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Administration test lab consists of the following:
Create the FIM CM Smart Card Subscribers group
Add members to the FIM CM Smart Card Subscribers group
Create the FIM CM Smart Card Issuers group
Add members to the FIM CM Smart Card Issuers group
Add User1 to the Manager attribute of Lola Jacobson
Create a GPO to add https://fimcm1 to Local Intranet
Enable Anonymous on the Default Receive Connector
Mailbox-enable User1
Publish the Smartcard Logon Certificate Template
Set the CNG Key Isolation Service to Automatic and Start the Service
Create and Configure the FIM CM Profile template
Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point
Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group
Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon Certificate Template
Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template
Create the FIM CM Smart Card Subscribers group
Create an Active Directory group. This group will contain all of the users that are allowed to participate in self-service.
To create the FIM CM Smart Card Subscribers group
Log on to DC1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.
Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.
On the New Object – Group screen, in the Group name: box, type the following text:
FIM CM Smart Card Subscribers
Click OK.
Add members to the FIM CM Smart Card Subscribers group
Now we will add users to the FIM CM Smart Card Subscribers group.
To add users to the FIM CM Smart Card Subscribers group
In Active Directory Users and Computers, double-click on the newly created FIM CM Smart Card Subscribers group. This will bring up FIM CM Smart Card Subscribers Properties.
In the FIM CM Smart Card Subscribers Properties, at the top, select the Members tab.
Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter Britta Simon and click Check Names. This should resolve with an underline. Click OK.
Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter Lola Jacobson and click Check Names. This should resolve with an underline. Click OK.
On the FIM CM Smart Card Subscribers Properties click Apply. Click OK.
Create the FIM CM Smart Card Issuers group
Create an Active Directory group. This group will contain all of the users that are allowed to issue smart cards to other users.
To create the FIM CM Smart Card Issuers group
Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.
On the New Object – Group screen, in the Group name: box, type the following text:
FIM CM Smart Card Issuers
Click OK.
Add members to the FIM CM Smart Card Issuers group
Now we will add users to the FIM CM Smart Card Issuers group.
To add members to the FIM CM Smart Card Issuers group
In Active Directory Users and Computers, double-click on the newly created FIM CM Smart Card Issuers group. This will bring up FIM CM Smart Card Issuers Properties.
In the FIM CM Smart Card Issuers Properties, at the top, select the Members tab.
Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter User1 and click Check Names. This should resolve with an underline. Click OK.
On the FIM CM Smart Card Issuers Properties click Apply. Click OK.
Close Active Directory Users and Computers.
Add User1 to the Manager attribute of Lola Jacobson
Now we set User1 as the manager of Lola Jacobson. The profile template created later in this step addresses the one-time password e-mail from the subscriber's manager ({Manager}), so this attribute must be populated.
To add User1 to the Manager attribute of Lola Jacobson
In Active Directory Users and Computers, in the Users container, double-click on Lola Jacobson. This will bring up Lola Jacobson Properties.
In the Lola Jacobson Properties, at the top, select the Organization tab.
Under Manager, click Change. This will bring up the Select Users or Contact dialog box.
In the box below Enter the object names to select (examples): enter User1 and click Check Names. This should resolve with an underline. Click OK.
On the Lola Jacobson Properties click Apply. Click OK.
Close Active Directory Users and Computers.
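The four Active Directory procedures above (both groups, their members and the Manager attribute) can also be scripted. This is an added example, not part of the test lab guide; it assumes the ActiveDirectory PowerShell module (RSAT) is available on DC1 and that the display names Britta Simon, Lola Jacobson and User1 are unique in the domain.

```powershell
# Added example (not from the test lab guide): scripted equivalent of the group,
# membership and Manager-attribute steps. Assumes the ActiveDirectory module
# is present on DC1 and that the lab's display names are unique.
Import-Module ActiveDirectory

$usersContainer = "CN=Users,$((Get-ADRootDSE).defaultNamingContext)"   # CN=Users,DC=corp,DC=contoso,DC=com

# Look a user up by display name and fail loudly instead of silently skipping it.
function Get-LabUser {
    param([string]$Name)
    $u = @(Get-ADUser -Filter "Name -eq '$Name'")
    if ($u.Count -ne 1) { throw "Expected exactly one user named '$Name', found $($u.Count)" }
    $u[0]
}

# Create both groups as global security groups (the New Object - Group defaults).
foreach ($group in 'FIM CM Smart Card Subscribers', 'FIM CM Smart Card Issuers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Global `
                    -GroupCategory Security -Path $usersContainer
    }
}

$britta = Get-LabUser 'Britta Simon'
$lola   = Get-LabUser 'Lola Jacobson'
$user1  = Get-LabUser 'User1'

# Subscribers may receive a card; Issuers may request enrollment on their behalf.
Add-ADGroupMember -Identity 'FIM CM Smart Card Subscribers' -Members $britta, $lola
Add-ADGroupMember -Identity 'FIM CM Smart Card Issuers'     -Members $user1

# The profile template's one-time-password mail is sent from {Manager},
# so Lola's Manager attribute must point at User1.
Set-ADUser -Identity $lola -Manager $user1

# Verify: list the memberships and the resolved manager.
foreach ($group in 'FIM CM Smart Card Subscribers', 'FIM CM Smart Card Issuers') {
    "$group : " + ((Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name) -join ', ')
}
$managerDn = (Get-ADUser -Identity $lola -Properties Manager).Manager
'Manager of Lola Jacobson: ' + (Get-ADUser -Identity $managerDn).Name
```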
Create a GPO to add https://fimcm1 to Local Intranet
Now we will create a Group Policy Object that will automatically add https://fimcm1 to the local intranet settings of Internet Explorer. This will make it easier for our users as they will not have to do this task manually. Otherwise, they will be prompted for credentials when attempting to access the FIM CM web portal.
To create a GPO to add https://fimcm1 to Local Intranet
Click Start, select Administrative Tools, and then click Group Policy Management. This will open the Group Policy Management MMC.
At the top, expand Forest: corp.contoso.com, expand Domains, expand corp.contoso.com, right-click Default Domain Policy and select Edit. This will bring up the Group Policy Management Editor.
On the left, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and click Security.
On the right, double-click Security Zones and Content Ratings. This will bring up the Security Zones and Content Ratings dialog box.
In the top portion, under Security Zones and Privacy, select Import the current security zones and privacy settings. This will bring up a box that says that these settings will be ignored if Internet Explorer Enhanced Security is disabled. Click Continue.
Click Modify Settings. This will bring up the Internet Properties dialog box.
Click on the Local Intranet icon and click the Sites button. This will bring up the Local intranet dialog box.
In the box under Add this website to the zone: enter https://fimcm1 and click Add. Click Close. This will close the Local intranet dialog box.
Click OK. This will close the Internet Properties dialog box.
Click Apply and click OK. This will close the Security Zones and Content Ratings dialog box.
Close Group Policy Management Editor.
Close Group Policy Management.
Publish the Smartcard Logon Certificate Template
In this step we publish the Smartcard Logon certificate template so our certificate authority can issue certificates based on this template.
To publish the Smartcard Logon Certificate Template
Log on to DC1 as CORP\Administrator.
Click Start, select Administrative Tools, and then click Server Manager.
In Server Manager, under Active Directory Certificate Services, expand corp-DC1-CA, right-click Certificate Templates, select New, and then click Certificate Template to Issue. This will bring up the Enable Certificate Templates dialog box.
Scroll down until you see Smartcard Logon. Select Smartcard Logon and click OK.
Close Server Manager.
Enable Anonymous on the Default Receive Connector
In this step we will enable anonymous connections to the default receive connector in Exchange. This will allow FIM CM to send e-mails. This is acceptable in a test lab; on a production connector the same setting accepts mail from any host that can reach it.
To enable Anonymous on the Default Receive Connector
Log on to EX1 as corp\Administrator.
Click Start, select All Programs, select Microsoft Exchange Server 2010, and then click Exchange Management Console.
In the Exchange Management Console, expand Server Configuration, and click Hub Transport.
At the bottom under Receive Connectors, right-click Default EX1 and select Properties. This will bring up the Default EX1 Properties.
At the top, click Permission Groups. Place a check in Anonymous users. Click Apply. Click OK.
Mailbox-enable User1
Now we mailbox-enable User1.
To Mailbox-enable User1
In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.
On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.
On the Introduction screen, select User Mailbox and click Next.
On the User Type screen, select Existing users and click Add. This will bring up the Select User – Entire Forest screen.
From the list, using the Ctrl key, select User1 and then click OK.
Click Next.
On the Mailbox Settings screen, click Next.
On the New Mailbox screen, click New.
On the Completion screen, verify that it was successful and click Finish.
Close Exchange Management Console.
Set the CNG Key Isolation Service to Automatic and Start the Service
Now we need to start the CNG Key Isolation Service.
To set the CNG Key Isolation Service to automatic and start the service
Log on to FIMCM1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Services.
Scroll down to CNG Key Isolation and double-click it. This will bring up the CNG Key Isolation Properties.
In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.
In Services, right-click CNG Key Isolation, and then click Start. This will start the CNG Key Isolation service.
When this completes, verify that the CNG Key Isolation has a status of Started.
Close Services.
Create and Configure the FIM CM Profile template
Now we will create and configure the FIM CM Profile template.
To create and configure the FIM CM Profile template
Click Start, click All Programs, and then click Internet Explorer (64-bit).
In Internet Explorer, in the address bar at the top, enter https://fimcm1/certificatemanagement and press ENTER. This should bring up the Forefront Identity Manager 2010 page. Click Click to enter. This will bring you to the main FIM CM page. This may take a moment.
Scroll down and under Administration click Manage profile templates. This will bring up Profile Template Management.
On Profile Template Management, place a check in the box next to FIM CM Sample Smart Card Logon Profile Template and click Copy a selected profile template.
Clear what is in the box under New profile template name: and enter Contoso Delegated Smart Card Profile Template. Click OK.
On the Edit Profile Template screen, scroll down to Smart Card Configuration and click on Change Settings.
On the right, place a check in Initialize new card prior to use.
On the right, place a check in Reuse retired card.
Scroll down to User PIN policy: and using the drop-down select User Provided. At the bottom, click OK.
The smart card configuration should now look like the screenshot below.
On the Edit Profile Template screen, on the left, click Enroll Policy.
Now scroll down under Workflow: General and select Change general settings. This will bring up the General Workflow Options.
On the right, remove the check from Use self serve. Click OK.
Now scroll down under Workflow: Initiate Enroll Requests and select Add new principal for enroll request. This will bring up a screen that says you can set up permissions for users or groups.
Click the Lookup button. This will bring up a Search for Users and Groups screen.
Select Groups and in the box under Name: enter FIM CM Smart Card Issuers. Click Search.
At the bottom of the screen, under User Logon you should see CORP\FIM CM Smart Card Issuers. Click on this.
You should now be returned to the previous screen, and under Principal: you should see CORP\FIM CM Smart Card Issuers. Click OK.
This will return you to the Edit Profile Template screen, and you should see that FIM CM Smart Card Issuers has been added under Workflow: Initiate Enroll Requests.
Now scroll down under Data Collection and place a check next to Sample Data Item. Click Delete data collection item. This will bring up a box that says OK to delete selected items? Click OK.
Now scroll down under Passwords Distribution and click on Display on screen. This will bring up the One-Time Password Distribution screen.
On the right, from the drop-down under Distribution method select Email Subscriber.
In the box below Mail from enter {Manager!mailNickname}@corp.contoso.com.
In the box below Mail Subject enter Complete Smart Card Enrollment.
In the box below Mail body enter the following text:
Welcome {User},
Your secret one-time password is {Secret1}.
Please log on to https://fimcm1/certificatemanagement to complete the enrollment process. Ensure that you have a smart card reader and a smart card in the reader prior to beginning.
Thank you and welcome aboard!
{Manager}
At the bottom click OK.
Close Internet Explorer.
Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point
Now we will assign the appropriate permissions to the Service Connection Point.
To assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point
Log on to DC1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, expand corp.contoso.com, expand System, expand Microsoft, expand Certificate Lifecycle Manager, right-click FIMCM1, and select Properties. This will bring up FIMCM1 Properties.
Warning
In order to see the System node you must ensure that Advanced Features are selected. To select Advanced Features, at the top of Active Directory Users and Computers select View, and then select Advanced Features.
At the top, click the Security tab.
Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter FIM CM Smart Card Issuers and click Check Names. This should resolve with an underline. Click OK.
Make sure FIM CM Smart Card Issuers is selected at the top and, under Permissions for FIM CM Smart Card Issuers, make sure there is a check in Read and then place a check in FIM CM Request Enroll. Click Apply. Click OK.
Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group
Now we will assign the appropriate permissions to the FIM CM Smart Card Subscribers group. This will allow the FIM CM Smart Card Issuers to request enrollment.
To assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group
In Active Directory Users and Computers, expand corp.contoso.com, select Users, right-click FIM CM Smart Card Subscribers, and select Properties. This will bring up FIM CM Smart Card Subscribers Properties.
At the top, click the Security tab.
Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter FIM CM Smart Card Issuers and click Check Names. This should resolve with an underline. Click OK.
Make sure FIM CM Smart Card Issuers is selected at the top and, under Permissions for FIM CM Smart Card Issuers, make sure there is a check in Read and then place a check in FIM CM Request Enroll. Click Apply. Click OK.
Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon Certificate Template
Now we will assign the appropriate permissions to the Smartcard Logon certificate template.
To assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon certificate template
Log on to DC1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Server Manager.
In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.
On the right, scroll down, right-click Smartcard Logon and select Properties.
At the top, click the Security tab.
Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter FIM CM Smart Card Subscribers and click Check Names. This should resolve with an underline. Click OK.
Make sure FIM CM Smart Card Subscribers is selected at the top and, under Permissions for FIM CM Smart Card Subscribers, place a check in Enroll. At this point Read and Enroll should both be checked. Click Apply. Click OK.
Close Server Manager.
Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template
Now we will assign the appropriate permissions to the FIM CM Profile template we just created.
To assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template
Click Start, select Administrative Tools, and then click Active Directory Sites and Services.
At the top, under View, select Show Services Node.
On the left, expand Services, expand Public Key Services and select Profile Templates.
On the right, right-click Contoso Delegated Smart Card Profile Template (the profile template created earlier in this step) and select Properties.
Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter FIM CM Smart Card Issuers and click Check Names. This should resolve with an underline. Click OK. There is nothing additional that we need to do with the FIM CM Smart Card Issuers group. They only need Read permissions.
Click Add. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.
In the box below Enter the object names to select (examples): enter FIM CM Smart Card Subscribers and click Check Names. This should resolve with an underline. Click OK.
Make sure FIM CM Smart Card Subscribers is selected at the top and, under Permissions for FIM CM Smart Card Subscribers, place a check in FIM CM Enroll. At this point Read and FIM CM Enroll should both be checked. Click Apply. Click OK.
Close Active Directory Sites and Services.
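The four permission procedures above grant rights on the Service Connection Point, the Subscribers group, the Smartcard Logon certificate template and the profile template. The following added example (not part of the test lab guide) reads those four ACLs back and lists what the two FIM CM groups were actually granted, resolving extended-right GUIDs such as FIM CM Request Enroll to their display names. It assumes the ActiveDirectory module and its AD: drive are available, that the lab uses the corp.contoso.com forest, and that the profile template was named Contoso Delegated Smart Card Profile Template as above.

```powershell
# Added verification example (not from the test lab guide): list the ACEs held by
# the two FIM CM groups on the objects the permission procedures modified.
# Assumes the ActiveDirectory module (AD: drive) and the lab's corp.contoso.com forest.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext         # DC=corp,DC=contoso,DC=com
$configDn = $rootDse.configurationNamingContext

# Build a rightsGuid -> displayName map from the schema's Extended-Rights container,
# so custom rights registered by FIM CM appear by name instead of as a GUID.
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" -LDAPFilter "(rightsGuid=*)" `
             -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

# The four objects touched above (DNs assumed from the lab's naming).
$targets = @{
    'Service Connection Point' = "CN=FIMCM1,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,$domainDn"
    'Subscribers group'        = "CN=FIM CM Smart Card Subscribers,CN=Users,$domainDn"
    'Smartcard Logon template' = "CN=SmartcardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
    'Profile template'         = "CN=Contoso Delegated Smart Card Profile Template,CN=Profile Templates,CN=Public Key Services,CN=Services,$configDn"
}

# Return the explicit and inherited ACEs on one object for the given principals.
function Get-FimCmAce {
    param([string]$DistinguishedName, [string[]]$Principals)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $right = $ace.ActiveDirectoryRights.ToString()            # e.g. GenericRead, ExtendedRight
        if ($ace.ObjectType -ne [guid]::Empty -and $rightNames.ContainsKey($ace.ObjectType)) {
            $right = $rightNames[$ace.ObjectType]                  # e.g. FIM CM Request Enroll
        }
        New-Object PSObject -Property @{
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

$groups = 'CORP\FIM CM Smart Card Issuers', 'CORP\FIM CM Smart Card Subscribers'
foreach ($name in $targets.Keys) {
    "`n== $name =="
    Get-FimCmAce -DistinguishedName $targets[$name] -Principals $groups |
        Select-Object Principal, Type, Right, Inherited | Format-Table -AutoSize
}
```

Anything beyond Read, FIM CM Request Enroll, Enroll and FIM CM Enroll for these two groups indicates a permission that the procedure did not call for and should be reviewed.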