Microsoft Forefront Identity Manager 2010 R2 Handbook

By Kent Nordström
About this book

Microsoft's Forefront Identity Manager simplifies enterprise identity management for end users by automating admin tasks and integrating the infrastructure of an enterprise with strong authentication systems.

The "Microsoft Forefront Identity Manager 2010 R2 Handbook" is an in-depth guide to Identity Management. You will learn how to manage users and groups and implement the self-service parts. This book also covers basic Certificate Management and troubleshooting.

Throughout the book we will follow a fictional case study. You will see how to implement IM and also set up Smart Card logon for strong administrative accounts within Active Directory. You will learn to implement all the features of FIM 2010 R2. You will see how to install a complete FIM 2010 R2 infrastructure, including both test and production environments. You will be introduced to Self-Service management of both users and groups. FIM Reports to audit the identity management lifecycle are also discussed in detail.

With the "Microsoft Forefront Identity Manager 2010 R2 Handbook" you will be able to implement and manage FIM 2010 R2 almost effortlessly.

Publication date: August 2012


Chapter 1. The Story in this Book

Microsoft Forefront Identity Manager 2010 R2 (FIM 2010 R2) is a tool that helps you with Identity Management. As you may know or can guess, Identity Management is, for the most part, process-oriented rather than technology-oriented. In order to be able to explain some concepts within this area, I have chosen to write this book using a fictional company as an example.

In this chapter, I will give you a description of this company and will talk about:

  • The challenges

  • The solutions

  • The environment


The Company

The name of my fictional company is The Company. The Company is neither small nor big. I will not give you any numbers on the size of this company because I do not want you to take my example setup as being optimized for a company of a particular size.

As with many other companies, The Company tries to keep up with modern techniques within their IT infrastructure. They are a big fan of Microsoft and live by the following principle:

If Microsoft has a product that can do it, let's try that one first.

The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future this technology will be an important factor for them, so they have decided that, for every new system or function that needs to be implemented, they will take cloud computing into account.


The challenges

During a recent inventory of the systems and functions that The Company's IT department supported, a number of challenges were detected. We will now have a look at some of the Identity Management (IdM)-related challenges among them.

Provisioning of users

Within The Company, they discovered that it can take up to one week before a new employee or contractor is properly assigned their role and provisioned to the different systems required by them to do their job.

The Company would like this to take no more than a few hours.

Identity lifecycle procedures

A number of issues were detected in the lifecycle management of identities.

Changes in roles took far too long. Access based on old roles continued even after people were moved to a new function or changed their job. Termination and disabling of identities were also out of control. They found that accounts of users who had left the company more than six months ago were still active.

After a security review, they found that a consultant who had worked on the HR system still had VPN access and an active administrative account within the HR system. That access should have been disabled about six months earlier, when the upgrade project was completed. They also found that the consultant whom the company had engaged to help out during the upgrade no longer even worked for the consulting firm.

What The Company would like is not only a way of defining policies about identity management, but also a tool that enforces it and detects anomalies.

Highly Privileged Accounts (HPA)

Although The Company has been successful in reducing the number of strong administrative accounts over the last few years, a few still exist. There are other highly privileged accounts as well, and also a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

The Public Key Infrastructure (PKI) within The Company is a one-layer PKI, using an Enterprise Root CA without a Hardware Security Module (HSM). The CSO is concerned that this PKI is not sufficient to start using smart cards, because he feels its assurance level is not high enough.

Password management

The helpdesk at The Company spends a lot of time helping users who have forgotten their password. These include both internal users and partners with access to the shared systems.


Traceability

They found that they had no process or tools in place to trace the historical status of identities and roles. They wanted to be able to answer questions such as:

  • Who was a member of the Domain Admins group in April?

  • When was John's account disabled and who approved that?


The solutions

Once the challenges had been defined, The Company started looking for possible solutions.

When they were searching the globe for someone who might help them with their issues, they found a highly recommended consultant in Sweden, who had worked with identity management for more than a decade. We will now have a look at the solutions that he proposed for their major issues.

Implement FIM 2010 R2

By implementing Microsoft Forefront Identity Manager 2010 R2, The Company will be able to:

  • Automate lifecycle management of identities all the way from creation to deletion

  • Implement self-service password reset

  • Strengthen the identity of highly privileged accounts, using smart cards

  • Get traceability of the whole lifecycle of an identity

Start using smart cards

By using smart cards to store identities of the highly privileged accounts, the security for this type of account is increased. Even if the PKI does not have a high assurance level, it is more secure to use a smart card than to just use a password.

By implementing the Certificate Management (CM) part of FIM 2010 R2, The Company will get the control they would like when managing these strong identities.

Even if the PKI within The Company does not have high assurance levels, the use of smart cards will enhance the security of the highly privileged accounts. If the initial proof-of-concept of using smart cards works out, a redesign of the current PKI will be discussed.

Implement federation

All the services shared with the major partners were using Microsoft SharePoint. The consultant therefore suggested that The Company should investigate whether federation would work with these partners.

The Microsoft product used when implementing federation is Active Directory Federation Services (AD FS). To get an overview of federation and AD FS, please visit

By implementing federation, it would be easier for The Company to move shared resources to the cloud; for example, the SharePoint sites shared with partners could be moved to Microsoft Office 365 cloud services. Read more about Office 365 at


Within this book, I will not explain in detail how the implementation of federation using Active Directory Federation Services (AD FS) is made.

The use of FIM is vital in a federation scenario, as federation using claims-based authentication and authorization requires very good control over the attributes and group/role memberships of users, and over changes to them.


The environment

The following diagram gives you an overview of the relevant parts of infrastructure within The Company:

The servers you see do not in any way represent any scaling scenario, but rather show the different functions I will be using in my examples in this book.

In the following table, you will find a short summary of the systems involved, so that when they are referenced in the book later on, you will have an idea about their usage. Each entry gives the role of the system and the products installed or to be installed on it:

  • Domain Controller for the Active Directory domain.
    Products: AD DS and DNS role installed.

  • Enterprise Root Certification Authority. The Company uses only a one-layer PKI without any HSM.
    Products: AD CS, including Web Enrollment role, installed.

  • Central Microsoft SQL Server used by many systems. Among these systems are the HR and Phone systems.
    Products: SQL Server 2008 R2, including Integration Services, installed.

  • E-mail system.
    Products: Exchange 2010 installed.

  • Remote Desktop system used by administrators.
    Products: Remote Desktop Services role installed.

  • The Company firewall.
    Products: Forefront Threat Management Gateway 2010 installed.

  • The remote access solution used by The Company.
    Products: Forefront Unified Access Gateway 2010 installed.

  • The test and development server for FIM.
    Products: SQL Server 2008 R2 and Visual Studio 2008 installed. FIM Sync, Service and Portal will be installed.

  • The FIM Synchronization server.
    Products: FIM Synchronization Service will be installed.

  • The FIM Web Service and Portal server.
    Products: FIM Service and FIM Portal will be installed.

  • The FIM Certificate Management server.
    Products: FIM CM Service and Portal will be installed.

  • The FIM Password Registration and Reset server.
    Products: FIM Password Registration and Reset will be installed.

  • SCSM Management Server. Used by FIM Reporting.
    Products: SQL Server 2008 R2 and System Center Service Manager will be installed.

  • SCSM Data Warehouse Server. Used by FIM Reporting.
    Products: SQL Server 2008 R2 and System Center Service Manager will be installed.

All systems have Microsoft Windows Server 2008 R2 as the operating system.

The products listed as installed or to be installed show the status of the systems when we start our journey with The Company in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.

The Active Directory domain within The Company is, using AD as the NetBIOS name. The public domain used by The Company is; this is also the primary email domain used.


Moving forward

The CIO, CSO, and CTO of The Company found that the solutions explained to them by the consultant would indeed help The Company mitigate the challenges they were facing. They decided to implement FIM 2010 R2.

In this book, we will follow them as they implement FIM 2010 R2. We will see how the different features and functions of FIM 2010 R2 will, in the end, solve all the issues that the company has detected.

Digital identities stored on smart cards are very new to them, so they decide that this should initially be implemented as a proof of concept.



You now know a little about the company I will be using in this book to give you examples and to explain concepts. So let's go on and see how The Company implements Microsoft Forefront Identity Manager 2010 R2 in its environment.

In the next chapter, I will start off with an overview to give you some conceptual understanding of FIM 2010 R2.

About the Author
  • Kent Nordström

    Kent Nordström wrote his first lines of code in the late 70s so he’s been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system he started a close relationship with them that has continued since. For many years Kent has been working part time as a sub-contractor to Microsoft Consulting Services and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge around Forefront TMG, Forefront UAG and PKI. Find out more by visiting his blog on
