Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1 and FIM 2010

Authored By: Bill Mathers

A downloadable version of this document is available at Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1 and FIM 2010.

The Forefront Identity Manager 2010 Certificate Management (FIM CM) component provides enterprise-grade certificate and smart card management capabilities for centralized or highly distributed enterprises. It allows security and system administrators to apply certificate management policies consistently across a wide range of certificate uses and to a diverse user base of clients.

FIM CM provides the following certificate and smart card management capabilities:

  • Single administration point for digital certificates and smart cards: FIM CM provides a web-based management portal through which administrators manage and administer certificates and smart cards.

  • User self-service: The FIM CM portal also lets users complete a self-registration process or perform basic certificate and smart card lifecycle management tasks such as requesting new certificates or performing PIN resets.

  • Configurable policy-based workflows for common tasks: FIM CM provides the ability to apply policies against common certificate and smart card management tasks from any given certificate or grouping of certificates through the use of profile templates. Profile templates provide a common set of policies for certificate enrollment, renewal, update, recovery, revocation and retirement. In addition, specialized policies have been created to handle lifecycle management challenges related to the management of smart cards such as temporary issuance of smart cards, smart card duplication, personalization and retirement.

  • Detailed auditing and reporting: FIM CM provides a comprehensive set of reports for common reporting tasks. “Out-of-the-Box” reports include: certificate usage, certificate expiry summary report, smart card report, request report, certificate template settings report, profile template settings report, certificate template usage report, certificate revocation list report and smart card history reports. Granular auditing of all FIM CM tasks is also available to the administrator through the web-based management interface.

  • Support for centralized, de-centralized and self-service scenarios: FIM CM’s role and permissions architecture provides for a fine-grained level of control. This allows for configurations that support centralized or de-centralized administration and management through designated accounts. It also provides for user self-service scenarios where users are delegated specific permissions to perform their own self-management tasks.

  • Tightly integrated with Certificate Services and Active Directory: FIM CM is tightly integrated with underlying Microsoft technologies, including the two Windows Server components Active Directory Certificate Services and Active Directory Domain Services. The FIM CM component integrates with Certificate Services by acting as a higher-level management interface (commonly referred to as a Registration Authority, or RA) between administrators and certificate services through the use of FIM CM policy and exit modules. This allows FIM CM to perform all day-to-day certificate management tasks that would previously have been performed through the Certificate Services MMC. Integration with Active Directory is supported by extending the schema to support FIM CM objects and permissions. This allows enterprises to leverage existing infrastructure to the fullest extent and to extend the functionality of their existing investment.

In This Guide

This guide contains instructions for setting up a test lab based on the Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010. This is achieved by deploying Forefront Identity Manager 2010 Certificate Management on one new server computer within the environment that was built out in the preceding test lab guides. The resulting Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab demonstrates and verifies the installation. Future test lab guides will demonstrate the functionality of FIM CM and how FIM and FIM CM work together to provide identity and certificate management.

Important

The following instructions are for configuring a Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab using a scaled-out deployment. That is, the FIM CM Portal and the FIM CM database will not be residing on the same server. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network. Attempting to adapt this Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation for your pilot or production Forefront Identity Manager 2010 Certificate Management deployment, use the information in Deployment (https://go.microsoft.com/fwlink/?LinkId=210866).

Test Lab Overview

In this test lab, Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 is deployed with:

  • One computer running the FIM CM Portal named FIMCM1. FIMCM1 uses the Windows Server® 2008 R2 Enterprise Edition operating system.

  • One preexisting server running SQL Server® 2008 Enterprise with Service Pack 2, named APP1.

  • One preexisting server running Microsoft Exchange Server 2010 with Service Pack 1, named EX1.

  • One preexisting client running Windows® 7 Ultimate Edition named CLIENT1.

  • One preexisting server running Microsoft Forefront Identity Manager 2010 with Update 1, named FIM1.

  • One preexisting server running Windows Server® 2008 R2 Enterprise Edition, named DC1.

The Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab uses the following subnet:

  • The intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24).

Computers on the subnet connect using a hub or switch. See the following figure.

FIM CM Test Lab Guide Architecture

This test lab will guide you through the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 installation process. The purpose of this test lab is to allow for the creation of a basic test lab environment that consists of Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010. This test lab guide can be used as a building block for additional test lab guides that demonstrate increased functionality or additional features of Forefront Identity Manager 2010 Certificate Management.

Hardware and Software Requirements

The following are required components of the test lab:

  • The product disc or files for Windows Server 2008 R2 Enterprise Edition.

  • The product disc or files for Forefront Identity Manager 2010.

  • The files for Forefront Identity Manager 2010 Certificate Management Update (KB978864).

The following table provides a summary of the Microsoft software that is used in this guide.

Software: Forefront Identity Manager 2010
Additional information: Forefront Identity Manager 2010 (https://go.microsoft.com/fwlink/?LinkId=204577).

Software: Forefront Identity Manager 2010 Certificate Management Update (KB978864)
Additional information: This is a recommended update for the RTM of Forefront Identity Manager 2010 Certificate Management. This release provides additional product fixes since the last update release. (https://go.microsoft.com/fwlink/?LinkId=20457)

Steps for Configuring the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 Test Lab

There are ten steps to follow when setting up the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab based on the Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 Test Lab Guide.

  • Step 1: Set up the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.

  • Step 2: Set up the Exchange Server 2010 with Service Pack 1 Test Lab Guide (TLG)—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for FIM CM.

  • Step 3: Set up the SQL Server 2008 Enterprise with Service Pack 2 TLG—The third step is to complete the SQL Server 2008 Enterprise with Service Pack 2 test lab guide. This provides the database server for your FIM CM installation.

  • Step 4: Set up the Forefront Identity Manager 2010 TLG—The fourth step is to complete the Forefront Identity Manager 2010 test lab guide. This provides FIM to the test lab environment.

  • Step 5: Configure FIMCM1—The fifth step includes installing the operating system, and then configuring and joining FIMCM1 to the domain.

  • Step 6: Install FIM CM Prerequisite Software—The sixth step walks you through installing prerequisite software.

  • Step 7: Perform FIM CM Prerequisite Tasks—The seventh step includes performing prerequisite tasks.

  • Step 8: Install FIM CM—The eighth step includes performing installation tasks and running the configuration wizard.

  • Step 9: Perform FIM CM Post-Installation Tasks—The ninth step includes performing post-installation tasks.

  • Step 10: Verify the Installation—The tenth step includes verifying that the installation was successful.
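Step 5 in the list above (install the operating system, then configure FIMCM1 and join it to the domain) is the only step a new server requires before the FIM CM prerequisites, and it can be scripted from an elevated Windows PowerShell 2.0 session on Windows Server 2008 R2. The script below is an added example written for this page; it is not a script from the test lab guide or from the FIM CM product. The guide supplies only the Corpnet subnet (10.0.0.0/24); the host address 10.0.0.7, the DNS server address 10.0.0.1 (taken here to be DC1), the domain name corp.contoso.com, and the interface name "Local Area Connection" are assumptions that you must replace with the values from your Base Configuration lab. Only cmdlets available in PowerShell 2.0 are used (Rename-Computer, for instance, is not), so the computer name is taken to have been set to FIMCM1 during setup.

```powershell
# Added example (not part of the Test Lab Guide): put FIMCM1 on the Corpnet subnet
# and join it to the test lab domain, then verify the machine account after reboot.
# ASSUMED values (not stated on this page; replace with your lab's values):
$ifName  = "Local Area Connection"   # assumed NIC name on a fresh Windows Server 2008 R2 install
$ipAddr  = "10.0.0.7"                # placeholder host address inside 10.0.0.0/24
$dnsAddr = "10.0.0.1"                # placeholder: address of DC1, the lab's DNS server
$domain  = "corp.contoso.com"        # placeholder test lab domain name

function Set-CorpnetAddress {
    # Static address on the Corpnet subnet; the lab has one subnet, so no default gateway is set.
    netsh interface ipv4 set address name="$ifName" source=static address=$ipAddr mask=255.255.255.0
    # DNS must point at DC1, otherwise the domain join cannot locate a domain controller.
    netsh interface ipv4 set dnsservers name="$ifName" source=static address=$dnsAddr primary
}

function Test-DomainResolution {
    # Resolving the domain name returns the addresses of its domain controllers;
    # a failure here means DNS is wrong and the join would fail later with a less clear error.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($domain)
        return ($addrs.Count -gt 0)
    } catch {
        return $false
    }
}

function Join-LabDomain {
    # Add-Computer prompts for the credentials of an account allowed to join machines
    # to the domain; the reboot is issued separately because -Restart is not in PowerShell 2.0.
    $cred = Get-Credential -Credential "$domain\Administrator"
    Add-Computer -DomainName $domain -Credential $cred
    Restart-Computer -Force
}

function Test-LabDomainJoin {
    # Run after the reboot: confirms the computer is a domain member and that the
    # secure channel to a domain controller (the machine account password) is valid.
    $cs = Get-WmiObject Win32_ComputerSystem
    $memberOk = $cs.PartOfDomain -and ($cs.Domain -ieq $domain)
    $channelOk = Test-ComputerSecureChannel
    return ($memberOk -and $channelOk)
}

# Before the reboot:
Set-CorpnetAddress
if (-not (Test-DomainResolution)) {
    throw "Cannot resolve $domain through $dnsAddr; fix the DNS setting before joining."
}
Join-LabDomain
# After the reboot, log on and run: Test-LabDomainJoin   (expected result: True)
```

The resolution check before Add-Computer is the part worth keeping even if you configure the network by hand: most failed lab joins trace back to the new server's DNS still pointing at a DHCP-assigned resolver rather than DC1, and checking that first keeps the error at the step that caused it.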

This guide provides steps for configuring the computers of the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab. The following sections provide details about how to perform these tasks.