Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration

Microsoft Corporation
Published: June 2011
Author: Bill Mathers

Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this document:

Abstract
This document will assist architects, consultants, system engineers, and system administrators in deploying smart cards with Microsoft® Forefront® Identity Manager 2010 Certificate Management in a test lab.

Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Forefront, MSDN, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents
Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration
  In This Guide
  Test Lab Overview
  Hardware and Software Requirements
  Steps for Configuring the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration Test Lab
  Step 1: Set Up the Base Configuration Test Lab
  Step 2: Set Up the Exchange Server 2010 with Service Pack 1 Test Lab
  Step 3: Set Up the SQL Server 2008 Enterprise with Service Pack 2 Test Lab
  Step 4: Set up the Forefront Identity Manager 2010 Test Lab
  Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM Test Lab
  Step 6: Configure CLIENT2
    Install Windows 7 Professional x64 on CLIENT2
    Join CLIENT2 to the CORP domain
    Install the USB Smart Card Reader
    Install the Gemalto Minidriver for Windows 7 Professional
    Install Office Professional Plus 2010 on CLIENT2
    Install the x86 FIM CM Client on CLIENT2
    Install the x86 FIM CM Client Update 1
  Step 7: Configure FIM CM for Delegated Smart Card Registration
    Create the FIM CM Smart Card Subscribers group
    Add members to the FIM CM Smart Card Subscribers group
    Create the FIM CM Smart Card Issuers group
    Add members to the FIM CM Smart Card Issuers group
    Add User1 to Manager Attribute of Lola Jacobson
    Create a GPO to add to Local Intranet
    Publish the Smartcard Logon Certificate Template
    Enable Anonymous on the Default Receive Connector
    Mailbox-enable User1
    Set the CNG Key Isolation Service to Automatic and Start the Service
    Create and Configure the FIM CM Profile template
    Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point
    Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group
    Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon Certificate Template
    Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template
  Step 8: Verify Delegated Smart Card Registration
    Log on to CLIENT1 and initiate the smart card
    Log on to CLIENT2 and complete the enrollment

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration

Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration allows a manager to initiate a smart card request; the domain user then logs on to the FIM CM web portal to execute the request. In this model, only the manager can initiate the request. The user can only execute the request once the one-time password challenge has been satisfied. The user receives the one-time password via e-mail.

In this model, the following process is implemented:
1. A user's new manager initiates a smart card request on the user's first day.
2. An e-mail is sent to the user with a one-time secret password.
3. The user receives the e-mail, then logs on to the FIM CM web portal and executes the request.
4. The user can now use their new smart card.

This document will demonstrate how to enable this functionality in a test lab.

In This Guide

This guide contains instructions for setting up a test lab based on the Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration. This is achieved by configuring Forefront Identity Manager 2010 Certificate Management using the environment that was built out in the preceding test lab guides. This lab also requires a client machine, CLIENT2, with a smart card reader. For purposes of this guide, a stand-alone physical computer was used. This was required because Hyper-V does not allow for the use of USB devices, and the smart card reader that was used is a USB smart card reader. The smart card reader that is used in this lab is a Gemalto GemPC Twin, but any smart card reader should work as long as the smart card reader is installed, has the correct drivers, and is working properly.

Important
This lab also requires a physical smart card.
The smart cards that were used in this lab were Gemalto .NET v2+. However, any smart card that is supported by FIM CM should work provided the appropriate minidriver or middleware is installed.

The following is a brief explanation of why the x86 FIM CM client is used on an x64 OS when a 64-bit FIM CM client is available. We install the x86 version because the default version of Internet Explorer on Windows 7 is the 32-bit version, and there currently is no way to designate the default browser on Windows 7. Later in this guide we demonstrate the manager-initiated workflow, and this will error out if we are using the 64-bit version of the client: when you click the link that is sent via e-mail, it launches the 32-bit version of IE, which does not have the ActiveX control installed if you installed the 64-bit client.

Attempting to adapt this Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation for your pilot or production Forefront Identity Manager 2010 Certificate Management deployment, use the information in Deployment ().

Test Lab Overview

In this test lab, Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration is deployed with:
• One new client running Windows® 7 Professional Edition x64, named CLIENT2.
• One preexisting server running the FIM CM Portal, named FIMCM1.
• One preexisting server running SQL Server® 2008 Enterprise with Service Pack 2, named APP1.
• One preexisting server running Windows Server® 2008 R2 Enterprise Edition, named DC1.

The Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab uses the following subnet:
• The intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24).

Computers on each subnet connect using a hub or switch. See the following figure.

This test lab will guide you through the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration configuration process. The purpose of this test lab is to allow for the creation of a basic test lab environment that consists of Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration.

Hardware and Software Requirements

The following table provides a list of software used in this guide.

Software / Additional information
• Forefront Identity Manager 2010 Certificate Management Client: Forefront Identity Manager 2010 ().
• Forefront Identity Manager 2010 Certificate Management Client Update (KB978864): This is a recommended update for the RTM of Forefront Identity Manager 2010 Certificate Management. This release provides additional product fixes since the last update release. ()
• Gemalto GemPC Twin Smart Card Reader Software: Gemalto GemPC Twin Smart Card Reader ()
• Gemalto .NET v2+ Smart Card Minidriver: Gemalto .NET v2+ Smart Card Minidriver ( minidriver net)

The following table provides a list of hardware used in this guide.

Hardware / Additional information
• Gemalto GemPC Twin Smart Card Reader: Gemalto GemPC Twin Smart Card Reader ().
• Gemalto .NET v2+ Smart Card: Gemalto .NET v2+ Smart Card ()
• Physical computer for CLIENT2: This is to allow for the use of the USB smart card reader. Hyper-V does not support the use of USB devices.

Steps for Configuring the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration Test Lab

There are eight steps to follow when setting up the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab based on the Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration.
• Step 1: Set up the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.
• Step 2: Set up the Exchange Server 2010 with Service Pack 1 TLG—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for FIM CM.
• Step 3: Set up the SQL Server 2008 Enterprise with Service Pack 2 TLG—The third step is to complete the SQL Server 2008 Enterprise with Service Pack 2 test lab guide. This provides the database server for your FIM CM installation.
• Step 4: Set up the Forefront Identity Manager 2010 TLG—The fourth step is to complete the Forefront Identity Manager 2010 test lab guide. This provides FIM to the test lab environment.
• Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM TLG—The fifth step is to complete the FIM CM with Constrained Delegation, Update 1, and FIM test lab guide. This provides FIM CM to the test lab environment.
• Step 6: Configure CLIENT2—The sixth step walks you through configuring CLIENT2, joining the domain and installing the FIM CM client.
• Step 7: Configure FIM CM for Delegated Smart Card Registration—The seventh step walks you through configuring FIM CM to enable delegated registration.
• Step 8: Verify Delegated Smart Card Registration—The eighth step includes verifying that delegated registration is working successfully.

This guide provides steps for configuring the computers of Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration. The following sections provide details about how to perform these tasks.

Step 1: Set Up the Base Configuration Test Lab

Set up the Base Configuration test lab for both the Corpnet and Internet subnets using the procedures in the "Steps for Configuring the Corpnet Subnet" and "Steps for Configuring the Internet Subnet" sections of the Test Lab Guide: Base Configuration ().

Step 2: Set Up the Exchange Server 2010 with Service Pack 1 Test Lab

Set up the Exchange Server 2010 with Service Pack 1 test lab using the procedures outlined in Test Lab Guide: Exchange Server 2010 with Service Pack 1 ().

Step 3: Set Up the SQL Server 2008 Enterprise with Service Pack 2 Test Lab

Set up the SQL Server 2008 Enterprise with Service Pack 2 test lab using the procedures outlined in Test Lab Guide: SQL Server 2008 Enterprise with Service Pack 2 ().

Step 4: Set up the Forefront Identity Manager 2010 Test Lab

Set up the Forefront Identity Manager 2010 test lab using the procedures outlined in Test Lab Guide: Forefront Identity Manager 2010 ().

Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM Test Lab

Set up the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1 and FIM test lab using the procedures outlined in Test Lab Guide: Installing Forefront Identity Manager Certificate Management with Constrained Delegation, Update 1, and FIM 2010 ().

Step 6: Configure CLIENT2

CLIENT2 configuration for the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab consists of the following:
• Install Windows 7 Professional x64 on CLIENT2
• Join CLIENT2 to the CORP domain
• Install the USB Smart Card Reader
• Install the Gemalto Minidriver for Windows 7 Professional
• Install Office Professional Plus 2010 on CLIENT2
• Install the x86 FIM CM Client on CLIENT2
• Install the x86 FIM CM Client Update 1

Install Windows 7 Professional x64 on CLIENT2

Install the Windows 7 Professional operating system on CLIENT2.

To install Windows 7 Professional x64 on CLIENT2
1. Start the installation of Windows 7 Professional x64.
2. Follow the instructions to complete the installation, specifying CLIENT2 as the PC name and a strong password for the local Administrator account.
3. Once the installation completes, log on using the local Administrator account.
4. Connect CLIENT2 to a network that has Internet access and run Windows Update to install the latest updates for Windows 7 Professional.
5. Once the updates are complete, restart CLIENT2 and log on as the local Administrator.

Join CLIENT2 to the CORP domain

Now join CLIENT2 to the corp. domain.

To join CLIENT2 to the CORP domain
1. Click Start, right-click Computer, and then click Properties.
2. On the System page, under Computer name, domain, and workgroup settings, click Change Settings.
[Figure: View basic information about your computer]
3. In the System Properties dialog box, on the Computer name tab, click Change.
4. Under Member of, select Domain, and enter corp. in the box. Click OK.
5. When you are prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
Note: You can also use the CORP\Administrator account to join CLIENT2 to the domain.
6. When you see a dialog box welcoming you to the corp. domain, click OK.
7. When you are prompted that you must restart the computer, click OK.
8. On the System Properties dialog box, click Close.
9. When you are prompted to restart the computer, click Restart Now.
10. After the computer restarts, click Switch User, and then click Other User and log on to the CORP domain with the Administrator account.

Install the USB Smart Card Reader

Install the USB Smart Card Reader on CLIENT2.

To install the USB Smart Card Reader on CLIENT2
1. Navigate to the directory that contains GemPcCCID_201_en-us_64.exe and begin the installation.
2. Follow the instructions to complete the installation.
3. Once the installation completes, click Finish.
4. Now plug the USB smart card reader into CLIENT2.
5. Windows 7 will automatically detect the USB smart card reader and install the driver.

Install the Gemalto Minidriver for Windows 7 Professional

Now install the Gemalto Minidriver for Windows 7 Professional.

To install the Gemalto Minidriver for Windows 7 Professional
1. Navigate to the directory that contains the AMD64_X86-ar_bg_zh-tw_cs_da_de_el_en_es_fi_fr_he_hu_it_ko_nl_n...br_ro_ru_hr_sk_sv_th_tr_sl_et_lv_lt_zh-cn_pt_ja-nec-20395701_92604914396b1e89d0c78b2fad2f05fe80754d66 .cab file and double-click it.
2. This will open the cab file, and there will be four files present. Highlight all four files and, at the top, select Extract.
[Figure: Gemalto Minidriver]
3. In the Select a Destination dialog box, navigate to the C:\ drive and click Make new folder.
4. Rename the folder Gemalto Minidriver and click Extract.
5. Now insert a smart card into the smart card reader. This will bring up a window that says Installing driver, followed by Device driver software was not successfully installed.
6. Click Start and select Devices and Printers. This will bring up Devices and Printers.
[Figure: Devices and Printers]
7. You will see Smart Card with a yellow triangle on it. Double-click the smart card. This will bring up the Smart Card Properties.
At the top, click the Hardware tab.
[Figure: Smart Card Properties]
8. On the Hardware tab, click the Properties button. This will bring up Smart Card Properties.
[Figure: Smart Card Properties]
9. On the General tab, click Update Driver. This will bring up the Update Driver Software – Smart Card dialog box.
10. On the Update Driver Software – Smart Card dialog box, click Browse my computer for driver software. This will bring up the Browse for driver software on your computer dialog box. Click Browse.
[Figure: Update Driver Software – Smart Card]
11. Navigate to the newly created folder C:\Gemalto Minidriver and click OK.
12. On the Browse for driver software on your computer dialog box, click Next.
13. This will install the driver successfully. When it is finished, click Close.
[Figure: Update Driver Software – Gemalto Minidriver for .NET Smart Card]
14. On the Gemalto Minidriver for .NET Smart Card Properties, click Close.
15. On the Smart Card Properties, click OK.

Install Office Professional Plus 2010 on CLIENT2

To install Office Professional Plus 2010 on CLIENT2
1. Log on to CLIENT2.corp. as Administrator.
2. Navigate to the directory that contains the Office Professional Plus 2010 binaries and double-click Setup.EXE. This will launch Office Professional Plus 2010 setup.
3. On the Enter your Product Key screen, enter your Office Professional Plus 2010 product key and click Continue.
4. On the Read the Microsoft Software License Terms screen, read the agreement. Once you are finished with the agreement, place a check in the box next to I accept the terms of this agreement and click Continue.
5. On the Choose the installation you want screen, click Install Now.
6. Once the installation completes, click Close.
7. Log off CLIENT2.corp.

Install the x86 FIM CM Client on CLIENT2

Now install the x86 FIM CM Client on CLIENT2.

To install the x86 FIM CM Client on CLIENT2
1. Navigate to the directory that contains the Forefront Identity Manager 2010 binaries. Navigate to CM Client\x86 and double-click setup.
2. On the Welcome page, click Next.
3. On the End User License Agreement page, read the License Agreement, select I accept the terms in the license agreement, and then click Next.
4. On the Custom Setup page, click Next.
5. On the Configure CM Client page, in the box provided, enter fimcm1 and click Next.
[Figure: Configure CM Client]
6. On the Install Forefront Identity Manager Certificate Management Client page, click Install.
7. Once the installation completes, click Finish.

Install the x86 FIM CM Client Update 1

Install the FIM CM Client Update 1 binaries on CLIENT2.

To install the x86 FIM CM Client Update 1
1. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 Certificate Management Client Update (KB978864) and double-click X86-all-fimcmclient_kb978864_f59b3d60073691225cc524ed6fe33254c08c14bbe.cab.
2. This will open the cab file, and there will be one file present. Highlight this file and, at the top, select Extract.
3. In the Select a Destination dialog box, navigate to the C:\ drive and click Make new folder.
4. Rename the folder FIM CM Client Update1 and click Extract.
5. Navigate to the newly created folder C:\FIM CM Client Update1 and double-click FIMCMClient_KB978864.msp.
6. On the Welcome page, click Update. This will begin the update.
[Figure: Forefront Identity Manager CM Client Update Wizard]
7. Once the installation completes, click Finish.
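Before moving on to Step 7, it is worth confirming that CLIENT2 is really in the state Step 6 describes: domain-joined, Smart Card service running, reader and Gemalto minidriver bound (a device still reporting driver error code 28 is the yellow-triangle state the minidriver procedure fixes), and the 32-bit FIM CM client present. The following Windows PowerShell script is an added example and not part of the original guide; the domain prefix "corp" and the display-name pattern used to find the client in the 32-bit Uninstall registry key are assumptions, so adjust them to your lab.

```powershell
# Added example (not from the original guide): readiness check for CLIENT2 after Step 6.
# Run in an elevated Windows PowerShell prompt on CLIENT2 with a smart card inserted.
# Written for Windows PowerShell 2.0 (Windows 7), so only Get-WmiObject/Get-Service/registry
# cmdlets are used.

$ExpectedDomain = 'corp'                                          # assumption: domain prefix from the guide
$ClientDisplayNamePattern = 'Forefront Identity Manager*Client*'  # assumption: MSI display name pattern

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Domain membership ("Join CLIENT2 to the CORP domain")
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check 'Domain joined' ([bool]$cs.PartOfDomain -and $cs.Domain -like "$ExpectedDomain*") "Domain=$($cs.Domain)"

# 2. The Smart Card service (SCardSvr) must be running for the reader and card to be usable
$sc = Get-Service SCardSvr -ErrorAction SilentlyContinue
Add-Check 'Smart Card service running' ($sc -ne $null -and $sc.Status -eq 'Running') "Status=$($sc.Status)"

# 3. Reader and card devices. ConfigManagerErrorCode 0 means a driver is bound; 28 means
#    "drivers not installed", which is the yellow triangle seen before the minidriver was installed.
$devices = @(Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -match 'smart ?card|gemalto|ccid' })
Add-Check 'Smart card reader/card detected' ($devices.Count -gt 0) (($devices | ForEach-Object { $_.Name }) -join '; ')

$broken = @($devices | Where-Object { $_.ConfigManagerErrorCode -ne 0 })
Add-Check 'All smart card devices have a working driver' ($broken.Count -eq 0) `
    (($broken | ForEach-Object { "$($_.Name) (error $($_.ConfigManagerErrorCode))" }) -join '; ')

$minidriver = @($devices | Where-Object { $_.Name -like 'Gemalto Minidriver*' })
Add-Check 'Gemalto minidriver bound to the card' ($minidriver.Count -gt 0) (($minidriver | ForEach-Object { $_.Name }) -join '; ')

# 4. The x86 FIM CM client must be installed, because the default IE on Windows 7 x64 is 32-bit.
#    32-bit MSI packages register under the Wow6432Node Uninstall key.
$uninstallKeys = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$client = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $ClientDisplayNamePattern })
Add-Check 'x86 FIM CM client installed' ($client.Count -gt 0) `
    (($client | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; ')

# Report. Any failed check should be fixed before continuing with Step 7.
$results | Format-Table Check, Passed, Detail -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    Write-Warning 'CLIENT2 is not ready; fix the failed checks before starting Step 7.'
}
```

If a device shows error 28 here, repeat steps 5 through 15 of the minidriver procedure above; certutil -scinfo can then be used to confirm that the card is readable through the installed minidriver.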
Step 7: Configure FIM CM for Delegated Smart Card Registration

FIM CM configuration for the Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration test lab consists of the following:
• Create the FIM CM Smart Card Subscribers group
• Add members to the FIM CM Smart Card Subscribers group
• Create the FIM CM Smart Card Issuers group
• Add members to the FIM CM Smart Card Issuers group
• Add User1 to Manager Attribute of Lola Jacobson
• Create a GPO to add to Local Intranet
• Enable Anonymous on the Default Receive Connector
• Mailbox-enable User1
• Publish the Smartcard Logon Certificate Template
• Set the CNG Key Isolation Service to Automatic and Start the Service
• Create and Configure the FIM CM Profile template
• Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point
• Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group
• Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Smartcard Logon Certificate Template
• Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template

Create the FIM CM Smart Card Subscribers group

Create an Active Directory group. This group will contain all of the users who are allowed to participate in delegated registration, that is, the users who will receive smart cards.

To create the FIM CM Smart Card Subscribers group
1. Log on to DC1 as corp\Administrator.
2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
3. In the Active Directory Users and Computers MMC, from the tree view on the left, expand corp.
4. Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.
5. On the New Object – Group screen, in the Group name: box, type the following text: FIM CM Smart Card Subscribers
6. Click OK.
[Figure: Active Directory Users and Computers]

Add members to the FIM CM Smart Card Subscribers group

Now we will add users to the FIM CM Smart Card Subscribers group.

To add users to the FIM CM Smart Card Subscribers group
1. In Active Directory Users and Computers, double-click the newly created FIM CM Smart Card Subscribers group. This will bring up FIM CM Smart Card Subscribers Properties.
2. In the FIM CM Smart Card Subscribers Properties, at the top, select the Members tab.
3. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.
4. In the box below Enter the object names to select (examples):, enter Britta Simon and click Check Names. This should resolve with an underline. Click OK.
5. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.
6. In the box below Enter the object names to select (examples):, enter Lola Jacobson and click Check Names. This should resolve with an underline. Click OK.
[Figure: FIM CM Smart Card Subscribers Properties]
7. On the FIM CM Smart Card Subscribers Properties, click Apply. Click OK.

Create the FIM CM Smart Card Issuers group

Create an Active Directory group. This group will contain all of the users who are allowed to issue smart cards to other users.

To create the FIM CM Smart Card Issuers group
1. Now, right-click Users, select New, and then select Group. This will bring up the New Object – Group window.
2. On the New Object – Group screen, in the Group name: box, type the following text: FIM CM Smart Card Issuers
3. Click OK.
[Figure: FIM CM Smart Card Issuers]

Add members to the FIM CM Smart Card Issuers group

Now we will add users to the FIM CM Smart Card Issuers group.

To add members to the FIM CM Smart Card Issuers group
1. In Active Directory Users and Computers, double-click the newly created FIM CM Smart Card Issuers group. This will bring up FIM CM Smart Card Issuers Properties.
2. In the FIM CM Smart Card Issuers Properties, at the top, select the Members tab.
3. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.
4. In the box below Enter the object names to select (examples):, enter User1 and click Check Names. This should resolve with an underline. Click OK.
5. On the FIM CM Smart Card Issuers Properties, click Apply. Click OK.
[Figure: FIM CM Smart Card Issuers Properties]
6. Close Active Directory Users and Computers.

Add User1 to Manager Attribute of Lola Jacobson

Now we set User1 as the manager of Lola Jacobson. In the delegated registration model only the manager can initiate a smart card request, so this attribute is what allows User1 to initiate the request for Lola Jacobson.

To add User1 to the Manager attribute of Lola Jacobson
1. In Active Directory Users and Computers, in the Users container, double-click Lola Jacobson. This will bring up Lola Jacobson Properties.
2. In the Lola Jacobson Properties, at the top, select the Organization tab.
3. Under Manager, click Change. This will bring up the Select User or Contact dialog box.
4. In the box below Enter the object names to select (examples):, enter User1 and click Check Names. This should resolve with an underline. Click OK.
5. On the Lola Jacobson Properties, click Apply. Click OK.
[Figure: Lola Jacobson Properties]
6. Close Active Directory Users and Computers.

Create a GPO to add to Local Intranet

Now we will create a Group Policy Object that will automatically add the FIM CM portal to the Local intranet zone settings of Internet Explorer.
This will make it easier for our users, as they will not have to do this task manually. Otherwise, they will be prompted for credentials when attempting to access the FIM CM web portal.

To create a GPO to add to Local Intranet
1. Click Start, select Administrative Tools, and then click Group Policy Management. This will open the Group Policy Management MMC.
2. At the top, expand Forest: corp., expand Domains, expand corp., right-click Default Domain Policy and select Edit. This will bring up the Group Policy Management Editor.
3. On the left, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and click Security.
[Figure: Group Policy Management Editor]
4. On the right, double-click Security Zones and Content Ratings. This will bring up the Security Zones and Content Ratings dialog box.
5. In the top portion, under Security Zones and Privacy, select Import the current security zones and privacy settings. This will bring up a box that says that these settings will be ignored if Internet Explorer Enhanced Security is disabled. Click Continue.
[Figure: Security Zones and Content Ratings]
6. Click Modify Settings. This will bring up the Internet Properties dialog box.
[Figure: Internet Properties]
7. Click the Local intranet icon and click the Sites button. This will bring up the Local intranet dialog box.
8. In the box under Add this website to the zone:, enter and click Add. Click Close. This will close the Local intranet dialog box.
[Figure: Local intranet]
9. Click OK. This will close the Internet Properties dialog box.
10. Click Apply and click OK. This will close the Security Zones and Content Ratings dialog box.
11. Close Group Policy Management Editor.
12. Close Group Policy Management.

Publish the Smartcard Logon Certificate Template

In this step we publish the Smartcard Logon certificate template so our certificate authority can issue certificates based on this template.

To publish the Smartcard Logon Certificate Template
1. Log on to DC1 as CORP\Administrator.
2. Click Start, select Administrative Tools, and then click Server Manager.
3. In Server Manager, under Active Directory Certificate Services, expand corp-DC1-CA, right-click Certificate Templates, select New, and then click Certificate Template to Issue.
4. This will bring up an Enable Certificate Templates dialog box.
5. Scroll down until you see Smartcard Logon. Select Smartcard Logon and click OK.
[Figure: Server Manager]
6. Close Server Manager.

Enable Anonymous on the Default Receive Connector

In this step we will enable anonymous connections to the default receive connector in Exchange. This will allow FIM CM to send e-mails.

To enable Anonymous on the Default Receive Connector
1. Log on to EX1 as corp\Administrator.
2. Click Start, select All Programs, select Microsoft Exchange Server 2010, and then click Exchange Management Console.
3. In the Exchange Management Console, expand Server Configuration, and click Hub Transport.
4. At the bottom, under Receive Connectors, right-click Default EX1 and select Properties. This will bring up the Default EX1 Properties.
[Figure: Exchange Management Console]
5. At the top, click Permission Groups. Place a check in Anonymous users. Click Apply. Click OK.
[Figure: Default EX1 Properties]

Mailbox-enable User1

Now we mailbox-enable User1.

To mailbox-enable User1
1. In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.
2. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.
3. On the Introduction screen, select User Mailbox and click Next.
4. On the User Type screen, select Existing users and click Add. This will bring up the Select User – Entire Forest screen.
This will bring up the Select User – Entire Forest screen.5.From the list, using the Ctrl key, select User1 and then click OK.6.Click Next.7.On the Mailbox Settings screen, click Next.8.On the New Mailbox screen, click New.9.On the Completion screen, verify that it was successful and click Finish10.Close Exchange Management ConsoleSet the CNG Key Isolation Service to Automatic and Start the ServiceNow we need to start the CNG Key Isolation Service.To set the CNG Key Isolation Service to automatic and start the service1.Log on to FIMCM1 as corp\Administrator.2.Click Start, select Administrative Tools, and then click Services. 3.Scroll down to CNG Key Isolation and double-click it. This will bring up the CNG Key Isolation Properties.4.In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.5.In Services, right-click CNG Key Isolation, and then click Start. This will start the CNG Key Isolation service.6.When this completes, verify that the CNG Key Isolation has a status of Started.Services7.Close Services.Create and Configure the FIM CM Profile templateNow we will create and configure the FIM CM Profile template.To create and configure the FIM CM Profile template1.Click Start, click All Programs, and then click Internet Explorer (64-bit).2.In Internet Explorer, in the address bar at the top, enter and hit enter. This should bring up the Forefront Identity Manager 2010 page. Click on click to enter. This will bring you to the main FIM CM page. This may take a moment.3.Scroll down and under Administration click Manager profile templates. This will bring up Profile Template Management.Administration4.On Profile Template Management, place a check in the box next to FIM CM Sample Smart Card Logon Profile Template and click Copy a selected profile template.Profile Template List5.Clear what is in the box under New profile template name: and enter Constoso Delegated Smart Card Profile Template. 
Click OK.
6. On the Edit Profile Template screen, scroll down to Smart Card Configuration and click Change Settings.
7. On the right, place a check in Initialize new card prior to use.
8. On the right, place a check in Reuse retired card.
[Screenshot: Smart Card Settings]
9. Scroll down to User PIN policy: and, from the drop-down, select User Provided. At the bottom, click OK.
[Screenshot: PIN policy]
10. The smart card configuration should now look like the screenshot below.
[Screenshot: Smart Card Configuration]
11. On the Edit Profile Template screen, on the left, click Enroll Policy.
12. Scroll down to Workflow: General and select Change general settings. This brings up General Workflow Options.
13. On the right, clear the check from Use self serve. Click OK.
[Screenshot: Workflow: General]
14. Scroll down to Workflow: Initiate Enroll Requests and select Add new principal for enroll request. This brings up a screen that lets you set up permissions for users or groups.
15. Click Lookup. This brings up the Search for Users and Groups screen.
16. Select Groups and, in the box under Name:, enter FIM CM Smart Card Issuers. Click Search.
17. At the bottom of the screen, under User Logon, you should see CORP\FIM CM Smart Card Issuers. Click it.
18. You return to the previous screen, and under Principal: you should see CORP\FIM CM Smart Card Issuers. Click OK.
19. This returns you to the Edit Profile Template screen, where FIM CM Smart Card Issuers has been added under Workflow: Initiate Enroll Requests.
[Screenshot: Workflow: Initiate Enroll Requests]
20. Scroll down to Data Collection and place a check next to Sample Data Item. Click Delete data collection item. This brings up a box that says OK to delete selected items? Click OK.
21. Scroll down to Passwords Distribution and click Display on screen.
This brings up the One-Time Password Distribution screen.
22. On the right, from the drop-down under Distribution method, select Email Subscriber.
23. In the box below Mail from, enter {Manager!mailNickname}@corp.
24. In the box below Mail Subject, enter Complete Smart Card Enrollment.
25. In the box below Mail body, enter the following text (the portal address is not given in the source and is shown here as a placeholder):
Welcome {User}, Your secret one-time password is {Secret1}. Please log on to [FIM CM portal address] to complete the enrollment process. Ensure that you have a smart card reader and a smart card in the reader prior to beginning. Thank you and welcome aboard! {Manager}
[Screenshot: One-Time Password Distribution]
Note: With this distribution method the one-time password travels in plain e-mail to the subscriber's mailbox. Until the card is issued, anyone who can read that mailbox can complete the enrollment, so the secrecy of the card rests on the subscriber's logon and mailbox protection.
26. At the bottom, click OK.
27. Close Internet Explorer.

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point
Now we grant the FIM CM Smart Card Issuers group the FIM CM Request Enroll right on the FIM CM service connection point (SCP). This is the first of the Active Directory permissions that together decide who may initiate enrollment requests and for whom.

To assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point
1. Log on to DC1 as corp\Administrator.
2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, expand corp., expand System, expand Microsoft, expand Certificate Lifecycle Manager, right-click FIMCM1, and select Properties. This brings up FIMCM1 Properties.
Warning: To see the System node you must enable Advanced Features. At the top of Active Directory Users and Computers, click View, and then select Advanced Features.
[Screenshot: Active Directory Users and Computers]
4. At the top, click the Security tab.
5. Click Add. This brings up the Select Users, Computers, Service Accounts, or Groups dialog box.
6. In the box below Enter the object names to select (examples):, enter FIM CM Smart Card Issuers and click Check Names. The name should resolve with an underline.
Click OK.
7. Make sure FIM CM Smart Card Issuers is selected at the top and, under Permissions for FIM CM Smart Card Issuers, make sure Read is checked, and then place a check in FIM CM Request Enroll. Click Apply. Click OK.
[Screenshot: FIMCM1 Properties]

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group
Now we grant the same right on the FIM CM Smart Card Subscribers group object. This is what allows members of FIM CM Smart Card Issuers to request enrollment for the users in the Subscribers group.

To assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group
1. In Active Directory Users and Computers, expand corp., select Users, right-click FIM CM Smart Card Subscribers, and select Properties. This brings up FIM CM Smart Card Subscribers Properties.
[Screenshot: Active Directory Users and Computers]
2. At the top, click the Security tab.
3. Click Add. This brings up the Select Users, Computers, Service Accounts, or Groups dialog box.
4. In the box below Enter the object names to select (examples):, enter FIM CM Smart Card Issuers and click Check Names. The name should resolve with an underline. Click OK.
5. Make sure FIM CM Smart Card Issuers is selected at the top and, under Permissions for FIM CM Smart Card Issuers, make sure Read is checked, and then place a check in FIM CM Request Enroll. Click Apply.
Click OK.
[Screenshot: FIM CM Smart Card Subscribers Properties]

Assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon Certificate Template
Now we grant the FIM CM Smart Card Subscribers group Enroll permission on the Smartcard Logon certificate template, so the CA will issue smart card logon certificates to these users when FIM CM requests them.

To assign the FIM CM Smart Card Subscribers group the appropriate permissions to the Smartcard Logon certificate template
1. Log on to DC1 as corp\Administrator.
2. Click Start, select Administrative Tools, and then click Server Manager.
3. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.
4. On the right, scroll down, right-click Smartcard Logon, and select Properties.
5. At the top, click the Security tab.
6. Click Add. This brings up the Select Users, Computers, Service Accounts, or Groups dialog box.
7. In the box below Enter the object names to select (examples):, enter FIM CM Smart Card Subscribers and click Check Names. The name should resolve with an underline. Click OK.
8. Make sure FIM CM Smart Card Subscribers is selected at the top and, under Permissions for FIM CM Smart Card Subscribers, place a check in Enroll. Read and Enroll should now both be checked. Click Apply.
Click OK.
[Screenshot: Smartcard Logon Properties]
9. Close Server Manager.

Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Delegated Smart Card Profile Template
Now we assign permissions on the profile template object we created earlier. Issuers only need Read on the template; subscribers need Read and FIM CM Enroll, since they are the ones who complete the enrollment onto the card.

To assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Delegated Smart Card Profile Template
1. Click Start, select Administrative Tools, and then click Active Directory Sites and Services.
2. At the top, under View, select Show Services Node.
3. On the left, expand Services, expand Public Key Services, and select Profile Templates.
4. On the right, right-click Contoso Delegated Smart Card Profile Template and select Properties.
5. On the Security tab, click Add. This brings up the Select Users, Computers, Service Accounts, or Groups dialog box.
6. In the box below Enter the object names to select (examples):, enter FIM CM Smart Card Issuers and click Check Names. The name should resolve with an underline. Click OK. Nothing further is needed for the FIM CM Smart Card Issuers group; it only needs Read, which is granted when the principal is added.
7. Click Add. This brings up the Select Users, Computers, Service Accounts, or Groups dialog box.
8. In the box below Enter the object names to select (examples):, enter FIM CM Smart Card Subscribers and click Check Names. The name should resolve with an underline. Click OK.
9. Make sure FIM CM Smart Card Subscribers is selected at the top and, under Permissions for FIM CM Smart Card Subscribers, place a check in FIM CM Enroll. Read and FIM CM Enroll should now both be checked. Click Apply.
Click OK.
[Screenshot: Contoso Delegated Smart Card Profile Template Properties]
10. Close Active Directory Sites and Services.

Step 8: Verify Delegated Smart Card Registration
Verifying Forefront Identity Manager 2010 Certificate Management delegated smart card registration consists of the following:
- Log on to CLIENT1 as the issuer and initiate the smart card request
- Log on to CLIENT2 as the subscriber and complete the enrollment

Log on to CLIENT1 and initiate the smart card
Log on as User1, the issuer, and initiate a smart card enrollment request for Lola Jacobson.

To log on to CLIENT1 and initiate the smart card
1. Log on to CLIENT1 as corp\User1.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In Internet Explorer, in the address bar at the top, enter the address of the FIM CM portal and press Enter. This should bring up the Forefront Identity Manager 2010 page. Click click to enter. This brings you to the main FIM CM page; it may take a moment.
4. Under Common Tasks, click Enroll a user for a new set of certificates or smart card. This brings up the Search for Users screen.
[Screenshot: Common Tasks]
5. On the Search for Users screen, click Search. This returns all of the users in the domain.
[Screenshot: Search for User]
6. From the users, click Lola Jacobson. This brings up the Manager-Initiated Enroll screen.
[Screenshot: Search Results]
7. On the Manager-Initiated Enroll screen, click OK.
8. This begins the process, and an e-mail containing the one-time password is sent to Lola. On the Request Status screen, click OK.
[Screenshot: Request Status]
9. Close Internet Explorer.

Log on to CLIENT2 and complete the enrollment
Log on as the subscriber, Lola Jacobson, retrieve the one-time password from the e-mail, and complete the enrollment onto a smart card.

To log on to CLIENT2 and complete the enrollment
1. Log on to CLIENT2 as corp\ljacobson.
2. Insert a new smart card into the smart card reader.
3. Click Start, select All Programs, click Microsoft Office, and then select Microsoft Office Outlook 2010. This launches the Microsoft Outlook 2010 Startup wizard. Click Next.
4. On E-mail Accounts, ensure Yes is selected, and then click Next.
5. On Auto Account Setup, wait for the information to populate automatically.
It should show LolaJacobson@corp. as the e-mail address. Click Next.
6. On Configuring, wait until you receive three green checks, and then click Finish.
7. Outlook now starts. In the User Name box, click OK.
8. The Activation Wizard appears. Click Cancel.
Warning: If you plan to use this lab for more than 30 days you will have to activate Outlook, either over the Internet or by telephone.
9. The Welcome to Microsoft Office 2010 screen appears. Select Use Recommended Settings and click OK. This brings up a UAC prompt. Enter the Administrator user name and password, and click Yes.
10. In Outlook, there should be an e-mail in Lola Jacobson's inbox from User1. This is the e-mail sent in the previous step. Double-click it.
[Screenshot: Smart Card Enrollment E-mail]
11. In the e-mail, highlight the secret password, right-click, and select Copy. Then click the link.
12. This brings up the Forefront Identity Manager 2010 page. Click click to enter. This brings you to the main FIM CM page; it may take a moment.
13. Under Common Tasks, click Complete a request with one-time passwords. This brings up the Validate One-Time Passwords screen.
[Screenshot: Common Tasks]
14. In the box next to One-time password 1, paste the copied secret password and click Next. This brings up the Request Enrollment screen.
[Screenshot: Validate One-Time Password]
15. On the Request Enrollment screen, click Next.
16. This begins the process. You will see a small pop-up box that says Initializing, Creating and generating keys, writing certificates.
17. You are now prompted for a PIN. Enter 1234 for New PIN and 1234 for Confirm PIN. Click OK.
[Screenshot: FIM CM Smart Card Client PIN Entry]
Note: The User Provided PIN policy set in the profile template lets the subscriber choose the PIN at enrollment; 1234 is a lab-only value and the PIN is the only thing protecting the card's private key once the card is in someone's hands.
18. The smart card completes and you arrive at the Request Complete screen.
[Screenshot: Request Complete]
19. Close Internet Explorer.
20. Log off of CLIENT2.
21. On CLIENT2, press CTRL+ALT+DELETE, click Switch User, and select Lola Jacobson Smartcard Logon.
22. Enter the PIN (1234) and press Enter.
You should now be logged on to CLIENT2 as Lola.
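The four permission grants in Step 7 are the whole delegation model of this lab: who may initiate an enrollment (FIM CM Request Enroll on the SCP and on the Subscribers group), who may complete one (FIM CM Enroll on the profile template), and who the CA will issue to (Enroll on the Smartcard Logon template). The following PowerShell script is an added example, not part of the Microsoft guide, for checking those grants from DC1 instead of clicking through four Security tabs. It assumes the lab names used above (the FIMCM1 SCP path under CN=System, group sAMAccountNames equal to their display names, and a profile template object named Contoso Delegated Smart Card Profile Template under CN=Profile Templates), and it resolves the FIM CM extended rights by display name from the Configuration partition so that no GUIDs are hard-coded.

```powershell
# Added example (not part of the Microsoft Test Lab Guide): audit the delegation rights
# granted in Step 7 so you can confirm exactly who can initiate and complete enrollment
# before running Step 8, and re-check later that nothing broader has crept in.
# Run on DC1 as CORP\Administrator (ActiveDirectory module, Windows Server 2008 R2 or later).
# Assumptions taken from this guide: the FIM CM server SCP is CN=FIMCM1 under
# CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System; the profile template object in
# CN=Profile Templates is named "Contoso Delegated Smart Card Profile Template"; the
# groups' sAMAccountNames equal their display names.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# Control access rights ("extended rights") live under CN=Extended-Rights in the Configuration
# partition. The ACL editor shows their displayName, but an ACE stores only the rightsGuid,
# so resolve the names used in the guide to GUIDs instead of hard-coding them.
$rightGuids = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" -LDAPFilter "(objectClass=controlAccessRight)" `
             -Properties displayName, rightsGuid |
    Where-Object { $_.displayName -and $_.rightsGuid } |
    ForEach-Object { $rightGuids[$_.displayName] = [guid]$_.rightsGuid }

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-RightHolders {
    # Returns the trustees whose Allow ACEs grant $RightName on the object at $Dn, whether
    # explicitly (ExtendedRight with that GUID), for all extended rights (empty ObjectType),
    # or implicitly through GenericAll.
    param([string]$Dn, [string]$RightName)
    $guid = $rightGuids[$RightName]
    if (-not $guid) { throw "Extended right '$RightName' is not registered in this forest." }
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
            ((($_.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight) -and
             ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty))
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

# The four objects touched in Step 7 and the right each group is expected to hold there.
$checks = @(
    @{ Object = "CN=FIMCM1,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,$domainDn"
       Right = "FIM CM Request Enroll"; Expected = @("CORP\FIM CM Smart Card Issuers") },
    @{ Object = (Get-ADGroup "FIM CM Smart Card Subscribers").DistinguishedName
       Right = "FIM CM Request Enroll"; Expected = @("CORP\FIM CM Smart Card Issuers") },
    @{ Object = "CN=SmartcardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
       Right = "Enroll"; Expected = @("CORP\FIM CM Smart Card Subscribers") },
    @{ Object = "CN=Contoso Delegated Smart Card Profile Template,CN=Profile Templates,CN=Public Key Services,CN=Services,$configDn"
       Right = "FIM CM Enroll"; Expected = @("CORP\FIM CM Smart Card Subscribers") }
)

$report = foreach ($c in $checks) {
    $holders = @(Get-RightHolders -Dn $c.Object -RightName $c.Right)
    # Built-in administrator groups and SYSTEM hold GenericAll by default; anything else that
    # is not the expected group is listed for review (for example an over-broad grant to
    # Authenticated Users or Domain Users).
    $unexpected = $holders | Where-Object {
        $c.Expected -notcontains $_ -and $_ -notmatch '(Admins|Administrators)$|^NT AUTHORITY\\SYSTEM$'
    }
    $missing = $c.Expected | Where-Object { $holders -notcontains $_ }
    New-Object PSObject -Property @{
        Object     = ($c.Object -split ',')[0]
        Right      = $c.Right
        Missing    = ($missing -join '; ')
        Unexpected = ($unexpected -join '; ')
        Holders    = ($holders -join '; ')
    }
}
$report | Format-Table Object, Right, Missing, Unexpected, Holders -AutoSize -Wrap
```

Run it after Step 7 and again after Step 8. Missing should be empty in all four rows; if it is not, the corresponding Security tab step was skipped and either the Manager-Initiated Enroll on CLIENT1 or the one-time-password completion on CLIENT2 will fail with an access denied. Treat every entry in Unexpected as something to explain: a broad group holding Enroll on the Smartcard Logon template or FIM CM Request Enroll on the Subscribers group means the delegation is wider than the lab intends.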