You're reading from  Microsoft Forefront Identity Manager 2010 R2 Handbook

Product type: Book
Published in: Aug 2012
Publisher: Packt
ISBN-13: 9781849685368
Edition: 1st Edition
Author: Kent Nordstrom

Kent Nordström wrote his first lines of code in the late 70s so he's been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system he started a close relationship with them that has continued since. For many years Kent has been working part time as a sub-contractor to Microsoft Consulting Services and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge around Forefront TMG, Forefront UAG and PKI. Find out more by visiting his blog on http://konab.com.

Chapter 12. Issuing Smart Cards

We have earlier stated that FIM CM is the outcast of the FIM product family. In this chapter, we will take a look at how we can use FIM CM to issue Smart Cards. FIM CM is not a requirement for starting to use Smart Cards, but as you will see, FIM CM will add a lot of functionality and security to the process of managing the complete lifecycle of your Smart Cards.

In this chapter, we will look at:

  • How to run the FIM CM configuration wizard

  • Installing and configuring the FIM CM CA files

  • An example of allowing a manager to enroll a certificate on behalf of a consultant

Our scenario


FIM CM can be used in many ways, but to show you a little bit about how we can use its basics, The Company will use it to allow managers (like John) to issue Smart Cards to consultants (like Kent).

For reference purposes I give you, once again, the FIM CM overview image I showed you in Chapter 2, Overview of FIM 2010 R2:

We have also, in Chapter 3, Installation, discussed how to install the FIM CM website. But with that we have only just begun our FIM CM deployment. So, let's move on and take a good look at FIM CM.

Assurance level

When discussing PKI (Public Key Infrastructure) and Smart Cards, you usually need to have some discussion about what level of assurance you would like for the identities secured by your PKI.

For some basic insight on PKI and assurance, please have a look at http://aka.ms/CorePKI.

In typical scenarios, many PKI designers will argue that you should use HSMs (Hardware Security Modules) to secure your PKI, in order to get the assurance level to use Smart Cards...

Extending the schema


Before we can do anything, we need to extend the Active Directory schema to support FIM CM.

Note

All schema changes in Active Directory should be planned carefully.

If we don't, the configuration wizard will stop and tell us to extend the Active Directory schema when we try to run it.

Note

Remember that all modifications to the Schema require Schema Admins permissions.

If you look at the FIM 2010 R2 media in the \Certificate Management\x64 folder, you will find a Schema folder where you can run the script ModifySchema.vbs.

If you just run that script, you will get a Success message:

However, this hasn't made any changes; it's a false Success message.

In order to actually change your schema, you need to modify the script and the files it uses to match your environment before running the script.

  1. Copy the Schema folder from the FIM 2010 R2 media to a local folder, C:\Temp\FIM CM Schema for example.

  2. If you look at the content of the folder, you will see four files.

  3. What we need to do...

The configuration wizard


If we knew what was coming in the configuration wizard, we might have prepared a bit more before starting it. But one way of configuring FIM CM is to solve the problems as they arise in the configuration wizard. It is quite common to cancel out from the wizard to fix something, and then start it again.

Since I know what is coming, I will make some preparations before I start it.

Create service accounts

We have so far, in our FIM deployment, created quite a few service accounts. FIM CM, however, requires that we create a few more. During the configuration wizard, we get the option of having the wizard create them for us, but I always create them manually in my FIM CM deployments.

One reason is that a few of them need to be assigned some certificates. If we use an HSM, we have to create them manually, in order to make sure the certificates are indeed using the HSM.

The wizard will ask for six different service accounts, but we actually need seven.

In my example, I...

Configuring the FIM CM Update Service


By default, the Forefront Identity Manager CM Update Service runs under the local system account. It is considered the best practice to change it and use a service account instead.

We have already created the svcFIMCMService user that we intend to use for this purpose. Before we can configure it for the service, we need to assign a few user rights to it.

The account needs the following User Rights Assignment:

  • To act as part of the operating system

  • To generate security audits

  • To replace a process-level token

  • To log on as a service

It then needs to be added to the following local groups on the FIM CM server:

  • Administrators

  • IIS_IUSRS

After that, we reconfigure the service to use the account and start automatically.
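The steps above, carried out from an elevated Windows PowerShell session on the FIM CM server, as an added example that is not from the book. It applies the four user rights through secedit (names resolved to SIDs so that re-running it is harmless), adds the account to the two local groups, rebinds the service through WMI rather than sc.exe so the password stays off the command line, and prints what the service runs as afterwards. The account name follows the book's example; the password is prompted for.

```powershell
# Added example, not from the book: grant the Update Service account the user rights
# and local group memberships listed in the chapter, then rebind the service to it.
$Account = 'AD\svcFIMCMService'
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# User Rights Assignment entries and their secedit privilege names.
$Rights = @(
    'SeTcbPrivilege',                # Act as part of the operating system
    'SeAuditPrivilege',              # Generate security audits
    'SeAssignPrimaryTokenPrivilege', # Replace a process-level token
    'SeServiceLogonRight'            # Log on as a service
)

# 1. Export the local user-rights policy, append the account's SID to each right, re-import.
$Cfg = Join-Path $env:TEMP 'fimcm-rights.inf'
$Db  = Join-Path $env:TEMP 'fimcm-rights.sdb'
secedit.exe /export /cfg $Cfg /areas USER_RIGHTS | Out-Null

$Lines = @(Get-Content -Path $Cfg)
foreach ($Right in $Rights) {
    $Found = $false
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -like "$Right =*") {
            $Found = $true
            # secedit lists holders as a comma-separated list of *SID entries.
            if ($Lines[$i] -notlike "*$Sid*") { $Lines[$i] += ",*$Sid" }
        }
    }
    if (-not $Found) {
        # Nobody holds this right yet: add a new line under [Privilege Rights].
        $Section = [Array]::IndexOf($Lines, '[Privilege Rights]')
        $Lines = $Lines[0..$Section] + "$Right = *$Sid" + $Lines[($Section + 1)..($Lines.Count - 1)]
    }
}
Set-Content -Path $Cfg -Value $Lines -Encoding Unicode
secedit.exe /configure /db $Db /cfg $Cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $Cfg, $Db -ErrorAction SilentlyContinue

# 2. Local group membership (net.exe is available on every OS version FIM CM supports).
foreach ($Group in 'Administrators', 'IIS_IUSRS') {
    net.exe localgroup $Group $Account /add 2>$null | Out-Null
}

# 3. Rebind the service to the account and set it to start automatically.
$Svc = Get-WmiObject -Class Win32_Service `
        -Filter "DisplayName='Forefront Identity Manager CM Update Service'"
if (-not $Svc) { throw 'FIM CM Update Service not found on this computer' }
$Password = Read-Host -Prompt "Password for $Account"
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
#                      DesktopInteract, StartName, StartPassword, ...)
$Result = $Svc.Change($null, $null, $null, $null, 'Automatic', $null, $Account, $Password)
if ($Result.ReturnValue -ne 0) {
    throw "Service reconfiguration failed, return code $($Result.ReturnValue)"
}
Restart-Service -Name $Svc.Name

# 4. Verify: StartName should now be the service account and StartMode Auto.
Get-WmiObject -Class Win32_Service -Filter "Name='$($Svc.Name)'" |
    Select-Object Name, StartName, StartMode, State
```

Running it twice is safe: secedit only gets the SID appended when it is not already in the list, and net.exe simply reports that the member already exists. Because "Act as part of the operating system" is one of the most powerful rights on the box, keep this account dedicated to the Update Service and do not reuse it for the portal or the CA modules.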

Database permissions


Once the database is created by the configuration wizard, we need to assign permissions to it. If you are not comfortable managing your SQL database, your DBA can help you with this.

On the FIMCertificateManagement database, we need to grant the CA server computer account and the FIM CM Update Service account membership in the clmApp role.

Usually, this also means that we need to create the logins first, since these accounts do not yet have any.

So what we need is to create logins for AD\CA$ and AD\svcFIMCMService, and then assign them the clmApp role in the FIM CM database.
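The same two steps as a script, added here as an example and not taken from the book. It builds idempotent T-SQL for each principal (create the server login if missing, create the database user if missing, add it to clmApp if not already a member) and runs it with sqlcmd using Windows authentication, so it must be run by someone who is sysadmin on the instance. The SQL alias dbFIMCM and the AD domain are the book's example values; sqlcmd.exe being on the path is an assumption.

```powershell
# Added example, not from the book: create the logins and assign the clmApp role.
$SqlServer  = 'dbFIMCM'                       # SQL alias used throughout the chapter
$Database   = 'FIMCertificateManagement'
$Principals = @('AD\CA$', 'AD\svcFIMCMService')  # CA computer account, Update Service account

# One batch per principal; every statement checks before it changes anything,
# so the script can be re-run after a partial failure.
$Batches = foreach ($P in $Principals) {
@"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$P')
    CREATE LOGIN [$P] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$P')
    CREATE USER [$P] FOR LOGIN [$P];
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_role_members rm
    JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'clmApp' AND m.name = N'$P')
    EXEC sp_addrolemember N'clmApp', N'$P';
"@
}

$Script = Join-Path $env:TEMP 'fimcm-db-perms.sql'
Set-Content -Path $Script -Value ($Batches -join "`r`nGO`r`n")

# -E: Windows authentication, -b: make sqlcmd exit non-zero on a T-SQL error.
sqlcmd.exe -S $SqlServer -E -b -i $Script
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item -Path $Script -ErrorAction SilentlyContinue

# Verify: list the current members of clmApp.
$Check = "SELECT m.name AS member FROM sys.database_role_members rm " +
         "JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id " +
         "JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id " +
         "WHERE r.name = N'clmApp';"
sqlcmd.exe -S $SqlServer -E -d $Database -Q $Check
```

sp_addrolemember is used rather than ALTER ROLE ... ADD MEMBER because the former works on the SQL Server 2008 R2 instances common in FIM 2010 R2 deployments as well as on later versions. Only the two principals get the role; the CA and the Update Service need nothing beyond clmApp, so there is no reason to grant them db_owner.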

Configuring the CA


The CA used by FIM CM needs to be configured before we can use it.

First, we need to install the FIM CM CA files, and then we need to configure the modules we just installed.

Installing FIM CM CA files

You install the CA files by running the same setup as when installing the FIM CM server.

The only trick is to remember to deselect the FIM CM Portal and FIM CM Update Service options in the feature selection during setup. We only want to install FIM CM CA Files.

Configuring Policy Module

Once we have installed the modules, we need to configure them with some information regarding the FIM CM.

In the properties of Exit Module, we need to tell the CA how to connect to the FIM CM database by supplying it with a connection string.

A typical connection string might look as follows:

Connect Timeout=15;Integrated Security=SSPI;Persist Security Info=True;Initial Catalog=FIMCertificateManagement;Data Source=dbFIMCM

In this example, I am using a SQL alias on the CA server as well.

Check...

Installing the FIM CM client


On the client computers where users will manage Smart Cards (in some cases all workstations), you will need to install some client components.

Note

You should install the x86 client software, even if the operating system is 64-bit. You have to match your FIM CM client with the type of IE that the users are using. (Even on 64-bit Windows we almost always use the 32-bit version of IE.)

The installation can be automated and settings controlled using GPOs, but showing the few manual steps gives you an idea of what might need to be changed.

  1. Usually we select all the components of the client software since we would like to support all the features. If you are using a separate tool for the PIN reset, for example, you might exclude this component.

  2. We then need to tell the component the name of the sites it should trust to run the ActiveX controls. In my example, I use the alias cm.ad.company.com for access to the FIM CM portal.

If you are not using the self-service option...

FIM CM permissions


Permissions for FIM CM are set in five different places, sometimes making it hard to troubleshoot permission errors. On the other hand, the granular permission model makes it possible for a granular policy to be defined.

If, for example, you have a policy that managers in the USA should only be able to issue Smart Cards for consultants in the USA but not in Europe, you can do so.

Service Connection Point

The Service Connection Point (SCP) permissions determine whether a user is assigned a management role in the FIM CM deployment.

When you run the configuration wizard, the location of the SCP is chosen; the default is the one shown in the following figure:

If a user is assigned any of the FIM CM permissions available on the SCP, the administrative view of the FIM CM portal will be shown.

The FIM CM permissions are defined on Microsoft TechNet, http://aka.ms/FIMCMPermissions. For your convenience, I have copied parts of that information here:

  • FIM CM Audit: Generates and displays FIM...

Allowing managers to issue certificates for consultants


To allow our managers to issue the consultant Smart Cards using the FIM CM portal, we need to define the Profile Template and then configure the correct permissions.

The following guide shows what you need to consider. Prepare yourself for some trial and error before you are satisfied with the behavior and settings in all aspects of the process.

Creating a Profile Template for consultant Smart Cards

When you create a Profile Template, you always start by copying an existing one. If you are planning this for Smart Cards, you start off by copying the FIM CM Sample Smart Card Logon template. You can then change it to fit your needs.

  1. Start off by creating a copy of the FIM CM Sample Smart Card Logon template.

  2. You can give it a descriptive name.

  3. We need to configure the Certificate Template we would like to use, and in this case also remove the old one that we do not want to use.

  4. Within the Smart Card Configuration option, we will configure...

RDP using Smart Cards


If, like me, you are using RDP (Remote Desktop) during testing and would like to try this from a computer that is not part of the domain where the Smart Cards are to be tested, you are likely to hit some problems:

  1. The RDP server needs to have the Allow connections from computers running any version of Remote Desktop (less secure) option enabled.

  2. If you get the error This computer can't connect to the remote computer because the smartcard credentials are not available..., you might need to import the certificate (not the private key, just the certificate) from the Smart Card, into your certificate storage.

CM Management Agent


So what about connecting FIM CM to FIM Synchronization and FIM Service?

If you look at your FIM Synchronization Service, you will find that you can create a Management Agent for Certificate Management. This MA is used to connect to FIM CM.

This MA is not used very often, since it is basically not that good. In FIM CM, the ID used for users is the AD GUID. So in order for us to join our users with the objects in FIM CM, we need the objectGUID attribute from AD in our MV. And for some unknown reason the MA is preconfigured to join using guid.

The usage of this MA, as I have said, is limited. If you initiate a request using this MA, the request would end up as pending in the FIM CM portal and the user would still be required to go to the FIM CM portal to finalize the request.

I have also used this MA to import the status from FIM CM into FIM, in order to gather the current status of FIM CM requests into FIM, and then use the FIM Service to act in case the request or profile show...

Summary


FIM CM is indeed the outcast of the FIM product family. Nevertheless, it is a very powerful component in an overall identity management perspective.

Enrolling certificates using FIM CM adds a layer of permission and workflow capabilities which is not available using the built-in functionality in Active Directory Certificate Services.

In this chapter, we have seen how to configure FIM CM and also looked at one example of allowing a manager to issue a Smart Card to consultants.

In the next and final chapter, we will take a look at troubleshooting FIM. Troubleshooting might sometimes force us to do some recovery, so we will look at backup and recovery as well.
