
You're reading from Microsoft Identity Manager 2016 Handbook

Product type: Book
Published in: Jul 2016
Publisher: Packt
ISBN-13: 9781785283925
Edition: 1st Edition
Authors (2):

David Steadman

David Steadman has been an IT industry influencer and dedicated husband for more than 17 years. He has held prestigious positions at some of the world's most innovative technology companies, including his service as a senior escalation engineer within the identity platform at, possibly, the most famous tech company on the planet, Microsoft. He is an entrepreneur, active learner, and a man constantly looking to develop and expand new skills in order to leverage the technology of the future. When not at his job, David enjoys family time and coaching soccer.

Jeff Ingalls

Jeff Ingalls is a husband, father, and cancer-surviving dyslexic who works out of his Ohio home office in identity and access management. Jeff has been working with Microsoft technologies for over 20 years and with the Microsoft identity software since its conception in 2003. He has provided solutions to various private and public sectors including automotive, DoD, education, health and services, small businesses, and state and local government. He enjoys learning, teaching, and learning some more. Jeff has a graduate degree in information technology and an undergraduate degree in mathematics. In his free time, he enjoys spending time with his family, cooking, and reading non-fiction. You can reach him at jeff@ingallsdesigns.com.

Chapter 12. Certificate Management Scenarios

The Financial Company is interested in managing its certificates and has decided to deploy MIM Certificate Management (CM). This chapter provides step-by-step instructions to implement and test various CM scenarios and models. We will cover configuration files, permissions, and error files, and provide some of our personal feedback on what to avoid. Furthermore, we will discuss new features not found in earlier versions of the product, such as enabling one forest to provide certificates to another forest.

In this chapter, we will cover the following topics:

  • Virtual smart card with TPM (Modern App)

  • Using support for non-MIM CM

  • Multi-forest configuration

  • Active Directory Federation Services (ADFS) configuration

  • Models at a glance

Modern app and TPM virtual smart card


In the previous chapter, we configured the Modern App for The Financial Company. Our next step is to enable enrollment of virtual smart cards by deploying the certificate template and updating the policy template.

First, enable the MIM CM REST API by setting CLM.WebApi.Enabled to true inside the web.config file, as follows:

Another useful setting is adding error logging for the REST API controllers under <system.diagnostics> of web.config, as follows:

<add name="Microsoft.Clm.Web.API" value="4" />

This setting allows errors from the REST interface to be written to the event log along with a correlation ID. The correlation ID is sent to the client, and you can trace the error all the way back to its origin. More information on the REST API for CM can be found at http://bit.ly/MIMCMRestAPI.
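As an added check (not code from the book), the following PowerShell reads the CM web.config and reports whether both settings described above are in place. It assumes the default MIM CM install path, that CLM.WebApi.Enabled lives under appSettings, and that the logging switch lives under system.diagnostics/switches; adjust the path or element names if your web.config differs.

```powershell
# Added example, not from the book. Assumptions: default MIM CM portal path,
# CLM.WebApi.Enabled under <appSettings>, logging switch under
# <system.diagnostics><switches>. Adjust if your web.config is laid out differently.
$webConfig = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config'

function Test-ClmRestApiConfig {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$cfg = Get-Content -Path $Path -Raw

    # The REST API (and therefore the Modern App) only works when this key is "true".
    $apiNode = $cfg.configuration.appSettings.add |
        Where-Object { $_.key -eq 'CLM.WebApi.Enabled' }
    $apiEnabled = ($null -ne $apiNode) -and ($apiNode.value -eq 'true')

    # With this switch at 4, REST controller errors go to the event log together
    # with the correlation ID that is returned to the client, so a client-side
    # failure can be traced back to the server-side cause.
    $switchNode = $cfg.configuration.'system.diagnostics'.switches.add |
        Where-Object { $_.name -eq 'Microsoft.Clm.Web.API' }
    $loggingOn = ($null -ne $switchNode) -and ($switchNode.value -eq '4')

    [pscustomobject]@{
        WebApiEnabled    = [bool]$apiEnabled
        RestErrorLogging = [bool]$loggingOn
    }
}

$result = Test-ClmRestApiConfig -Path $webConfig
$result | Format-List
if (-not $result.WebApiEnabled) {
    Write-Warning 'CLM.WebApi.Enabled is not true: the REST API is disabled.'
}
if (-not $result.RestErrorLogging) {
    Write-Warning 'Microsoft.Clm.Web.API switch missing or not 4: REST errors will not reach the event log.'
}
```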

Creating a certificate template

We will now create a certificate template in the CA. Open CA...

Using support for Non-MIM CM


Most organizations want auto-enrollment of certain certificate templates while still having MIM CM capabilities. In the following example, The Financial Company will use the EFS certificate for enrollment and recovery.

Creating the software certificate

The first step in this process is to set up the certificate template. We will navigate to the CA to duplicate the Basic EFS template, as depicted in the following screenshot:

In the template screen, enter the following information:

  • The General tab:

    • Template Display Name: Archive EFS

    • Validity Period: 2 years

    • Renewal Period: 6 weeks

    • Publish certificate in Active Directory: Enabled

    • Do not automatically re-enrol if a duplicate certificate exists in Active Directory: Enabled

    • Leave all the other settings at default values

  • The Request Handling tab:

    • Archive subject's encryption private key: Enabled

    • Leave all the other settings at default values

  • The Subject Name, Server, Issuance Requirements, and Extensions tabs:

    • Leave all the settings...

Multiforest configuration


We will now discuss the new multiforest CM capabilities. Multiforest CM enables an enterprise to issue certs to users from another forest that is trusted by TFC. The Financial Company is bringing on a new UK domain called TFCUK.LOCAL, which only hosts users. The UK group plans to use CM in the future, but it needs to issue certs immediately.

First, we will verify that our requirements are working properly, such as DNS and the trust; then, we will extend the schema.

Step 1 – CM DNS setup

Perform the following steps:

  1. Go to the domain controller hosting DNS, open the DNS manager, and add conditional forwarders to The Financial Company.

  2. Expand the server name in the left-hand side pane and right-click on Conditional Forwarders.

  3. Select New Conditional Forwarder and click on Next on the first wizard page:

  4. Then, in the DNS domain, type tfcuk.local.

  5. In the next section, select DNS Domain.

  6. On the next page, select To all DNS … on this forest and click on Next.

  7. In IP Address, enter...
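The conditional-forwarder steps above, scripted in PowerShell together with the DNS and trust checks the section says to verify first; this is an added example, not the book's own material. It runs on a TFC domain controller that hosts DNS, and the TFCUK DNS server address is a placeholder because the book's value is not shown here.

```powershell
# Added example, not from the book. Run on the TFC DNS server / domain controller.
# Placeholder: replace with the TFCUK DNS server address from your environment.
$RemoteForest    = 'tfcuk.local'
$RemoteDnsServer = '<TFCUK DNS server IP>'

# Steps 1-7: conditional forwarder for tfcuk.local, replicated to all DNS servers
# in this forest (the "To all DNS servers in this forest" wizard option).
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest `
        -MasterServers $RemoteDnsServer -ReplicationScope 'Forest'
}

# Requirement check 1: the remote forest's domain-controller SRV records must resolve
# from TFC, or neither the trust nor cross-forest CM enrollment will work.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction Stop
$srv | Select-Object Name, NameTarget, Port | Format-Table -AutoSize

# Requirement check 2: the forest trust that multiforest CM relies on exists.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'"
if (-not $trust) {
    throw "No trust to $RemoteForest found; create the forest trust before enabling multiforest CM."
}
$trust | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, TrustType | Format-List
```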

ADFS configuration


MIM CM configuration for an ADFS installation is quite similar to the Windows Authentication configuration. We will outline adding this installation to the existing CM configuration of The Financial Company.

The ADFS installation requires a dedicated server because the web administration portal is not compatible with the ADFS authentication model's claims-based authentication. This setup assumes that you already have ADFS set up within your environment, so we will not go through this configuration. The Financial Company has already set up ADFS, but if you need help with setting it up, visit http://bit.ly/MIMCMADFSGuides.

Step 1 – the CM installation and prerequisites

The first step is to install CM software on the CM2 (TFCCM02) server. Request a domain certificate for the IIS website and call it cm2.thefinacialcompany.net:

Once we have the certificate, we will make sure it is tied to the default site by navigating to IIS <Server name> | Sites | Default Web Sites. Open the Bindings...

Models at a glance


There are some high-level models that most environments use to manage certificates. In the next few sections, we will uncover these models and the requirements and permissions needed to succeed with them. The Financial Company has already applied the self-service registration model as part of the manager-initiated model. The models are not rigid; they are flexible, and TFC could use a mixture of both. Let's now look at the centralized management model.

The centralized management model

The centralized management model works well when there is a tightly controlled HR process or when a security officer enrolls a smart card on behalf of the user, and in general in cases where a random PIN is assigned to the card. When the subscriber (that is, the user) receives the card, they perform the initial online unblock. The helpdesk can assist if an offline unblock operation is needed. In the centralized model, the following permissions would be needed:

Service Connection...

Summary


As you can see, certificate management provides a company with many options and features. In this chapter, we discussed implementing the enrollment of virtual smart cards, support for non-MIM CM scenarios, and the configuration and requirements necessary for multi-forest CM capabilities. We also walked you through the installation of CM with ADFS and its prerequisites. We ended the chapter by looking at three CM models and their required permissions.

In the next chapter, we will explore one of the new features in Identity Manager 2016, the built-in reporting support.
