Step 7: Perform FIM CM Prerequisite Tasks

The FIMCM1 prerequisite tasks for the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab consist of the following:

  • Create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates

  • Publish the copied certificate templates

  • Extend the Active Directory Schema

  • Create the FIM CM service accounts

  • Disable Internet Explorer Enhanced Security for Administrators on FIMCM1

  • Implement Secure Sockets Layer (SSL) for the FIM CM Web Portal

Create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates

FIM CM requires three certificates for three of the service accounts used by FIM CM. Because we need to make some changes to two of the templates, we will create duplicates and make the modifications to the copies rather than to the built-in templates.

To create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates

  1. Log on to DC1 as CORP\Administrator. Server Manager should launch automatically once you are logged on.

  2. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.

  3. On the right, under Template Display Name, scroll down and right-click Enrollment Agent, and then select Duplicate Template.

    Warning

    Select Enrollment Agent, not Enrollment Agent (Computer).

  4. This will bring up a dialog box asking to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

  5. This will bring up Properties for the New Template. Under Template display name: clear what is in the box and enter FIMCM Enrollment Agent.

  6. At the top, click the Request Handling tab and place a check in Allow private key to be exported.

  7. At the bottom, click Apply and click OK. This will close the properties.

  8. Back in Certificate Templates, on the right, under Template Display Name, scroll down and right-click Key Recovery Agent, and then select Duplicate Template.

  9. This will bring up a dialog box asking to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

  10. This will bring up Properties for the New Template. Under Template display name: clear what is in the box and enter FIMCM Key Recovery Agent.

  11. At the bottom, click Apply and click OK.

  12. Back in Certificate Templates, on the right, under Template Display Name, scroll down and right-click User, and then select Duplicate Template.

  13. This will bring up a dialog box asking to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

  14. This will bring up Properties for the New Template. Under Template display name: clear what is in the box and enter FIMCM User.

  15. At the top, click the Request Handling tab and click the CSPs… button at the bottom. This will bring up the CSP Selection window. Place a check in Microsoft Enhanced RSA and AES Cryptographic Provider. Click OK.

  16. At the top, click the Subject Name tab and remove the check from Include e-mail name in subject name. Also, under Include this information in alternate subject name: remove the check from E-mail.

  17. At the bottom, click Apply and click OK.

Publish the copied certificate templates

Now that we have created these new certificate templates, we need to publish them so the certificate authority can issue certificates based on these templates.

To publish the copied certificate templates

  1. In Server Manager, under Active Directory Certificate Services, expand corp-DC1-CA, right-click Certificate Templates, select New, and then click Certificate Template to Issue.

  2. This will bring up an Enable Certificate Templates dialog box.

  3. Scroll down until you see the FIMCM certificate templates. Hold down the CTRL key and click all three so that they are all selected.

  4. Click OK.

Extend the Active Directory Schema

In this step we will extend the Active Directory Schema so that it is ready for FIM CM. In order to accomplish this, the Forefront Identity Manager 2010 installation binaries must be accessible from DC1.

To extend the Active Directory Schema

  1. On DC1, navigate to the directory that contains the binaries for Forefront Identity Manager 2010.

  2. Navigate to Certificate Management\x64\Schema and double-click ModifySchema.vbs.

  3. This will begin the schema modification. When it completes you will see a message box that says Schema modified successfully.

  4. Click OK.

Creating the FIM CM Service Accounts

Six service accounts need to be created in corp.contoso.com that will be used with the Forefront Identity Manager 2010 Certificate Management installation.

Table 1 – Service Accounts Summary

Full name                    User logon name      Forest              Password
FIM CM Agent                 FIMCMAgent           corp.contoso.com    Pass1word$
FIM CM Authorization Agent   FIMCMAuthAgent       corp.contoso.com    Pass1word$
FIM CM CA Manager Agent      FIMCMManagerAgent    corp.contoso.com    Pass1word$
FIM CM Enrollment Agent      FIMCMEnrollAgent     corp.contoso.com    Pass1word$
FIM CM Key Recovery Agent    FIMCMKRAgent         corp.contoso.com    Pass1word$
FIM CM Web Pool Agent        FIMCMWebAgent        corp.contoso.com    Pass1word$

To create the Service Accounts

  1. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  2. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.

  3. Now, right-click ServiceAccounts, select New, and then select User. This will bring up the New Object – User window.

  4. On the New Object – User screen, in the Full Name box, type the following text:
    FIM CM Agent

  5. On the New Object – User screen, in the User logon name box, type the following text, and then click Next:
    FIMCMAgent

  6. On the New Object – User screen, in the Password box, type the following text:
    Pass1word$

  7. On the New Object – User screen, in the Confirm Password box, type the following text:
    Pass1word$

  8. On the New Object – User screen, clear the User must change password at next logon check box.

  9. On the New Object – User screen, select Password never expires, and then click Next.

  10. Click Finish.

  11. Repeat these steps for each of the remaining accounts listed in Table 1 – Service Accounts Summary.

  12. Log off DC1.corp.contoso.com.
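The six accounts from Table 1 can also be created with the Active Directory module for Windows PowerShell, with the same two flags the dialog steps set. This is an added example, not part of the original guide; it assumes ServiceAccounts is an OU directly under the corp.contoso.com domain root and that the ActiveDirectory module is available on DC1.

```powershell
# Added example: create the six FIM CM service accounts from Table 1 with the
# settings the GUI steps apply (no forced password change, password never expires).
# Assumptions (not from the guide): the ActiveDirectory module is present and
# ServiceAccounts is an OU directly under the corp.contoso.com domain root.
Import-Module ActiveDirectory

$ou     = 'OU=ServiceAccounts,DC=corp,DC=contoso,DC=com'
$domain = 'corp.contoso.com'
# Lab password from Table 1, converted once so every New-ADUser call gets a SecureString.
$password = ConvertTo-SecureString 'Pass1word$' -AsPlainText -Force

# Full name -> user logon name, exactly as listed in Table 1.
$accounts = @{
    'FIM CM Agent'               = 'FIMCMAgent'
    'FIM CM Authorization Agent' = 'FIMCMAuthAgent'
    'FIM CM CA Manager Agent'    = 'FIMCMManagerAgent'
    'FIM CM Enrollment Agent'    = 'FIMCMEnrollAgent'
    'FIM CM Key Recovery Agent'  = 'FIMCMKRAgent'
    'FIM CM Web Pool Agent'      = 'FIMCMWebAgent'
}

foreach ($fullName in $accounts.Keys) {
    $logon = $accounts[$fullName]

    # Skip accounts that already exist so the script can be re-run safely.
    if (Get-ADUser -Filter "SamAccountName -eq '$logon'") {
        Write-Host "Exists, skipping: $logon"
        continue
    }

    New-ADUser -Name $fullName `
               -DisplayName $fullName `
               -SamAccountName $logon `
               -UserPrincipalName "$logon@$domain" `
               -Path $ou `
               -AccountPassword $password `
               -ChangePasswordAtLogon $false `
               -PasswordNeverExpires $true `
               -Enabled $true
    Write-Host "Created: $fullName ($logon)"
}

# Verify the two flags the dialog steps set (steps 8 and 9) on every FIMCM account.
Get-ADUser -SearchBase $ou -Filter 'SamAccountName -like "FIMCM*"' `
           -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize
```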

Disabling Internet Explorer Enhanced Security for Administrators on FIMCM1

This section lists the steps for disabling Internet Explorer Enhanced Security.

To disable Internet Explorer Enhanced Security for Administrators

  1. Log on to FIMCM1 as CORP\Administrator.

  2. In Server Manager, on the right-hand side, scroll down to Security Information, and then select Configure IE ESC.

  3. From the Internet Explorer Enhanced Security Configuration screen, under Administrators, select Off.

  4. Click OK.

Implementing Secure Sockets Layer (SSL) for the FIM CM Web Portal

In this step, you will implement SSL for the FIM CM Web Portal. You will request a new domain certificate and bind it to the Default Web Site. If you recall, the Base Configuration Test Lab guide automatically issues a server certificate to FIMCM1 when it joins the domain. However, because this certificate uses the FQDN (FIMCM1.corp.contoso.com) as its common name and not the NetBIOS name (FIMCM1), you will receive a certificate name-mismatch error when attempting to access the site with the URL https://fimcm1. If you used https://FIMCM1.corp.contoso.com as the URL you would not receive the error. However, because this site will be used inside the domain and primarily accessed using https://fimcm1, you should request a new certificate whose common name is FIMCM1.

To implement Secure Sockets Layer (SSL) for the FIM CM Web portal

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.

  2. On the left, expand FIMCM1 (CORP\Administrator). This will populate the center pane with icons. Make sure that FIMCM1(CORP\Administrator) is still selected.

  3. In the center, double-click Server Certificates.

  4. On the right, click Create Domain Certificate. This will launch the Create Certificate Wizard.

  5. For Common Name, type the following text: FIMCM1

  6. For Organizational Unit, type the following text: IT

  7. For City, type the following text: Anywhere

  8. For State, type the following text: NC

  9. Click Next.

  10. On the On-line Certificate Authority page, under Specify Online Certificate Authority, click Select. This will bring up the Select Certificate Authority window.

  11. Select corp-DC1-CA, and then click OK.

  12. On the On-line Certificate Authority page, under Friendly Name, type FIMCM1_SSL, and then click Finish. This will close the Create Certificate Wizard and you should see the newly created certificate in the center pane.

  13. On the left, click Default Web Site, and then on the far right, under Actions, click Bindings. This will bring up the Site Bindings window.

  14. Click Add.

  15. Under Type, select https from the drop-down list.

  16. Under SSL Certificate, select FIMCM1_SSL from the drop-down list. Click OK, and then click Close.

  17. On the left, select Default Web Site and from the center pane double-click SSL Settings.

  18. Place a check in Require SSL. On the right, click Apply.

  19. Close Internet Information Services (IIS) Manager.

  20. Click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

  21. In the command prompt window, type iisreset and press ENTER. This will stop and then restart IIS. Once this completes, close the command prompt window.
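After the reset, the outcome of steps 13 through 18 can be verified from PowerShell on FIMCM1: that the Default Web Site has an https binding, that the bound certificate carries the name used in the portal URL (the mismatch described above), and that Require SSL is set. This is an added example, not part of the original guide; it assumes the IIS WebAdministration module is available and that the portal is reached as https://fimcm1.

```powershell
# Added example: check the result of the SSL steps on FIMCM1.
# Assumption (not from the guide): the WebAdministration module (IIS 7.x) is installed.
Import-Module WebAdministration

$site       = 'Default Web Site'
$portalHost = 'FIMCM1'   # host part of https://fimcm1, the URL the guide expects users to type

$binding = Get-WebBinding -Name $site -Protocol https
if (-not $binding) {
    Write-Warning "No https binding on '$site'; step 15 (Type = https) has not taken effect."
    return
}

# The binding records the certificate thumbprint and store; look the certificate up there.
$thumbprint = $binding.certificateHash
$store      = $binding.certificateStoreName
$cert = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    Write-Warning "Binding references thumbprint $thumbprint, but it is not in LocalMachine\$store."
    return
}

# GetNameInfo(DnsName) returns the first SAN DNS name if present, otherwise the subject CN.
$certName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($certName -ieq $portalHost) {
    Write-Host "OK: certificate name '$certName' matches https://$($portalHost.ToLower())"
} else {
    # This is the mismatch the guide describes: a certificate issued to
    # FIMCM1.corp.contoso.com produces a name error when the site is opened as https://fimcm1.
    Write-Warning "Certificate name '$certName' does not match '$portalHost'; browsers will report a name mismatch."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate '$certName' expired on $($cert.NotAfter)."
}

# Require SSL (step 18) is stored as the sslFlags attribute of the site's access section.
$flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
            -Filter 'system.webServer/security/access' -Name sslFlags).Value
if ("$flags" -match 'Ssl') {
    Write-Host "OK: Require SSL is enabled on '$site' (sslFlags = $flags)"
} else {
    Write-Warning "Require SSL is not set on '$site' (sslFlags = $flags); plain http is still accepted."
}
```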