
Microsoft FIM – Certificate Management Part 3


FIM Certificate Management and CA integration

It is very important to understand the integration between FIM Certificate Management and the CA server. The FIM CM installation adds two modules to the CA server (a Policy module and an Exit module):

  • In the CA FIM Policy module: you configure the thumbprint of the FIM Agent certificate. This ensures that communication with the CA server is authenticated and encrypted.
  • In the CA FIM Exit module: you configure the FIM CM database SQL connection string. This allows the CA to write to the FIM CM database.

Note: In order for the CA to access the FIM CM SQL database, you have to create a login for the computer account of your CA server with (public and clmapp) rights on the FIM CM database.

In simple words, the FIM Agent certificate is used to protect traffic between the CA and the FIM CM server, and the FIM KRA certificate is used to encrypt archived keys in the CA database.
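As an added example that is not part of the original post, the following PowerShell snippet checks the two sides of this integration from the CA server: which policy and exit modules the CA currently has active (a CA has exactly one active policy module, so after the FIM CM installation it should no longer be the Windows default), and whether the CA's computer account has been mapped into the FIM CM database with the clmapp role. The SQL server, database and computer account names are placeholders, and the SqlServer PowerShell module (Invoke-Sqlcmd) is assumed to be installed.

```powershell
# Added example, not from the original post. Run on the CA server as an administrator.
# Placeholders to adjust for your environment:
$FimCmSqlServer  = 'SQL01.contoso.com'          # FIM CM database server
$FimCmDatabase   = 'FIMCertificateManagement'   # FIM CM database name
$CaComputerLogin = 'CONTOSO\CA01$'              # the CA's computer account as a SQL login

# 1. Active policy and exit modules live under CertSvc\Configuration\<CA name>.
#    Only one policy module can be active; the exit module "Active" value is a multi-string.
$certSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $certSvc -Name Active).Active
$policy  = (Get-ItemProperty -Path "$certSvc\$caName\PolicyModules" -Name Active).Active
$exit    = @((Get-ItemProperty -Path "$certSvc\$caName\ExitModules" -Name Active).Active)

Write-Host "CA name:               $caName"
Write-Host "Active policy module:  $policy"
Write-Host "Active exit module(s): $($exit -join ', ')"

# These are the Windows defaults. If the policy module is still the default, the
# FIM Agent certificate thumbprint configured in the FIM policy module is never consulted.
if ($policy -eq 'CertificateAuthority_MicrosoftDefault.Policy') {
    Write-Warning 'The default policy module is active; the FIM CM policy module is not.'
}
if ($exit.Count -eq 1 -and $exit[0] -eq 'CertificateAuthority_MicrosoftDefault.Exit') {
    Write-Warning 'Only the default exit module is active; the FIM CM exit module is not.'
}

# 2. Database access for the CA. Every database user is implicitly a member of "public"
#    (it never appears in sys.database_role_members), so check that the user exists at all
#    and, separately, that it is a member of clmapp.
$query = @"
SELECT u.name AS user_name, r.name AS role_name
FROM sys.database_principals u
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals r   ON rm.role_principal_id   = r.principal_id
WHERE u.name = N'$CaComputerLogin';
"@
$rows  = @(Invoke-Sqlcmd -ServerInstance $FimCmSqlServer -Database $FimCmDatabase -Query $query)
$roles = @($rows | ForEach-Object { $_.role_name } | Where-Object { $_ -isnot [System.DBNull] -and $_ })

if ($rows.Count -eq 0) {
    Write-Warning "$CaComputerLogin has no user in $FimCmDatabase (so not even the public role)."
} elseif ($roles -notcontains 'clmapp') {
    Write-Warning "$CaComputerLogin exists in $FimCmDatabase but is not a member of clmapp."
} else {
    Write-Host "$CaComputerLogin is mapped into $FimCmDatabase with roles: public, $($roles -join ', ')"
}
```

The registry part needs local administrator rights on the CA; the SQL part needs a login that can read the FIM CM database's catalog views, which is why the check is run from the CA as an admin rather than as the CA computer account itself.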

[Image: Certificate-Management-1]

FIM Permission Model

As this is the most difficult part of a FIM CM deployment, I will try to make it easy and simple. I will be referring to the following terms:

  • FIM CM Subscribers: these are usually end users (certificate consumers).
  • FIM CM Managers: these are the users that are assigned a management role through the FIM CM portal. This can be the FIM CM full admin, or just a help desk team that is assigned the task of offline unblocking smart cards.
  • FIM CM Permissions: the new permissions introduced by the FIM Certificate Management schema extension (please refer to Microsoft TechNet for more information about FIM CM extended permissions).

[Image: Certificate-Management-2]

The permissions and rights are assigned in five different places:

  • FIM CM subscribers Group: Permissions are FIM Extended permissions.
  • Service Connection Point: Permissions are FIM Extended permissions.
  • CA Certificate Templates: Permissions are (Read) and/or (Enroll).
  • FIM CM Management Policy: what you see when you configure a profile template.
  • FIM CM Profile Templates:
    • Profile Template Container: Permissions are (Read) and/or (Write).
    • Profile Templates: Permissions are:
      • “Read” and “CLM Enroll”: For Certificate Consumers.
      • “Read” and “Write”: For FIM CM Full Admins.

Note that FIM Certificate Management managers will need permissions in all five locations, while end users (FIM subscribers) need permissions only in these places:

  • Service Connection Point (required).
  • Profile Template container and Profile Templates (required).
  • CA Certificate Template: only if they will do the actual enrollment.
  • FIM CM Management Policy: only if they will do the actual enrollment.

1. Permissions at the Service Connection Point (SCP)

Rights at the service connection point (SCP) determine whether the user is a typical FIM subscriber (FIM CM certificate consumer) or has a management role in the FIM CM portal:

  • FIM CM Subscribers Group: “Read”.
  • FIM CM Managers: “Read” and “FIM Extended Permissions”.

For example, in a help desk scenario where the help desk team needs to be able to only offline unblock smart cards, they should have (CLM Request Unblock) and (CLM Enrollment Agent). Frankly speaking, this is confusing, but this is how things work.

[Image: Certificate-Management-3]

2. Permissions at the FIM CM Subscribers Group

Once FIM Certificate Management managers have the required permissions on the SCP, to restrict their permissions to a specific group of users you should assign the FIM CM extended permissions on the group of users that you choose:

  • FIM CM Full Admin: should have all the FIM CM extended permissions.
  • FIM CM Manager: an admin that gets only the extended permissions his management role requires.

The same help desk example applies here: a help desk team that needs to be able to only offline unblock smart cards should have (CLM Request Unblock) and (CLM Enrollment Agent) on the subscribers group. Frankly speaking, this is confusing, but this is how things work.

[Image: Certificate-Management-4]

3. Permissions at the Certificate Templates

The golden rule is:

  • If the end user can enroll a certificate from the FIM CM portal by himself, then he needs (Read + Enroll) permissions on the certificate template.
  • If the actual enrollment is done by a FIM CM manager, then only that manager needs the (Read + Enroll) permissions on the certificate template.

[Image: Certificate-Management-5]

4. Permissions at the Profile Template

There are two places to assign permissions here:

  • Profile Template Container:
    • FIM Subscribers: Read.
    • FIM Full Manager only: Read + Write.
    • FIM Managers: Read.
  • Profile Templates
    • FIM Subscribers: should always have (Read + CLM Enroll).
    • FIM Manager: the FIM manager that will perform the enrollment on behalf of the user should also have (Read + CLM Enroll).

Note: FIM subscribers should always have Read and CLM Enroll on the profile template even if they do not do the actual enrollment.
So, in the case of a centralized deployment where the FIM manager initiates the request and enrolls on behalf of the user, thus executing the enrollment, both the FIM manager AND the FIM subscribers should have (Read + CLM Enroll) on the profile template.

[Image: Certificate-Management-6]

5. Permissions at the FIM Management Policy

This is where you configure the profile template by accessing the FIM Certificate Management admin portal. A new role is introduced here, (Approve Request), which could be the user's business manager. The (Approve Request) role should be granted the following:

  • (CLM Audit) and (Read) at the service connection point.
  • (CLM Audit) and (Read) at the FIM CM Subscribers group.
  • The (Approve Requests) right from within the FIM CM management policy.
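As an added example (not code from the original post), the following PowerShell script reads the ACLs at the four Active Directory locations from sections 1 to 4 above and lists, per principal, which CLM extended permissions, Read and Enroll it actually holds, so that the assignments described above can be verified rather than assumed. It assumes the ActiveDirectory module (RSAT), that the FIM CM extended rights are registered in the Extended-Rights container with a displayName starting with "CLM", and that the four distinguished names are placeholders you replace with your own; the Certificate-Enrollment GUID is the standard one behind "Enroll" on a certificate template.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Placeholders: replace with the DNs of your own objects.
$Targets = [ordered]@{
    'SCP'                  = "CN=<your SCP>,CN=Public Key Services,CN=Services,$configNC"
    'Subscribers group'    = 'CN=FIM CM Subscribers,OU=Groups,DC=contoso,DC=com'
    'Profile template'     = 'CN=<your profile template>,<profile template container DN>'
    'Certificate template' = "CN=<your template>,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

# Map extended-right GUIDs to names. FIM CM registers its rights in the Extended-Rights
# container (assumed here to carry a displayName such as "CLM Enroll");
# Certificate-Enrollment is the well-known right behind "Enroll" on a certificate template.
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(displayName=CLM*)' `
    -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }
$rightNames[[guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'] = 'Enroll'
$clmRightCount = @($rightNames.Values | Where-Object { $_ -like 'CLM *' }).Count

function Get-PermissionReport {
    param([string]$Location, [string]$DistinguishedName)
    $ADR      = [System.DirectoryServices.ActiveDirectoryRights]
    $readMask = $ADR::GenericRead -bor $ADR::ReadProperty -bor $ADR::GenericAll
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $granted = @()
        if (($ace.ActiveDirectoryRights -band $readMask) -ne 0) { $granted += 'Read' }
        if (($ace.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0) {
            # ObjectType names the specific extended right; an empty GUID means all of them.
            if ($ace.ObjectType -eq [guid]::Empty)            { $granted += 'ALL extended rights' }
            elseif ($rightNames.ContainsKey($ace.ObjectType)) { $granted += $rightNames[$ace.ObjectType] }
        }
        if (($ace.ActiveDirectoryRights -band $ADR::GenericAll) -ne 0) { $granted += 'Full control' }
        foreach ($g in $granted) {
            [pscustomobject]@{
                Location   = $Location
                Principal  = $ace.IdentityReference.Value
                Permission = $g
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$report = foreach ($t in $Targets.GetEnumerator()) {
    Get-PermissionReport -Location $t.Key -DistinguishedName $t.Value
}
$report | Sort-Object Location, Principal, Permission | Format-Table -AutoSize

# Review points drawn from the rules above:
# - on the SCP, a principal holding every CLM right (or a blanket extended-rights ACE)
#   is a FIM CM full admin in practice, whatever role it was meant to have
# - anyone granted Enroll on the certificate template can perform the actual enrollment
$report | Where-Object Location -eq 'SCP' | Group-Object Principal | Where-Object {
    ($_.Group.Permission -contains 'ALL extended rights') -or
    (@($_.Group.Permission | Where-Object { $_ -like 'CLM *' }).Count -ge $clmRightCount)
} | ForEach-Object { Write-Warning "Full-admin-equivalent CLM rights on the SCP: $($_.Name)" }

$report | Where-Object { $_.Location -eq 'Certificate template' -and $_.Permission -eq 'Enroll' } |
    ForEach-Object { Write-Host "Can enroll the certificate template: $($_.Principal)" }
```

Inherited ACEs are reported as well, because a right inherited from a parent container grants exactly the same access as one set directly; the Inherited column only tells you where to go to change it.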

[Image: Certificate-Management-7]

FIM Permission Model Examples

Sometimes it is very tricky to assign permissions in your FIM CM model. Here are a couple of practical examples:

Example 1 – Self Service Registration Model

Requirements:

  • The certificate subscriber initiates the request for the smart card.
  • The request is left pending until a certificate manager approves it.
  • Once approved, the certificate subscriber executes the smart card request.

Permissions:

  • SCP and Subscriber Group: Assign the approval manager both Read and CLM Audit.
  • Profile Template: Assign the subscriber Read and CLM Enroll on the profile template.
  • Certificate Template: Assign the subscriber Read and Enroll on the certificate template.
  • Management Policy: Ensure that Self Service is enabled on the General Settings, and assign the manager: Approve requests.

Note: Although the user is going to initiate and execute the enrollment, you don't need to give him any FIM extended permissions. Instead, enabling Self Service in the management policy is sufficient.

Example 2 – Manager Initiated Registration Model

Requirements:

  • The certificate manager initiates the request.
  • If further approvals are required, then another manager should approve it.
  • Once approved, an OTP is sent to the subscriber.
  • The subscriber inputs the OTP and completes the request.

Permissions:

  • SCP and Subscriber Group: Assign the approval manager both Read and CLM Request Enroll.
  • Profile Template: Assign the subscriber Read and CLM Enroll on the profile template. Assign the manager Read permission.
  • Certificate Template: Assign the subscriber Read and Enroll on the certificate template.
  • Management Policy: Assign the first manager the initiate privilege. Assign the approval manager: Approve requests.

Example 3 – Centralized Management

Requirements:

  • There are four parties here:
    • FIM Full Admins: have full permissions.
    • FIM Security Officer: enrolls smart cards for users.
    • FIM Help Desk: unblocks smart cards.
    • FIM Subscribers.
  • The FIM Security Officer initiates the smart card request and executes the enrollment for smart cards (the smart card PIN is randomized).
  • FIM Subscribers receive their smart card and log on to the FIM portal to perform the initial online unblock.
  • The FIM Help Desk performs offline unblock operations if needed.

Permissions:

  • SCP and Subscriber Group:
    • FIM Full Admin: Full Permissions.
    • FIM Security Officer: Read and all FIM Extended Permissions.
    • FIM Help Desk: Read + CLM Request Offline Unblock + CLM Enrollment Agent.
  • Profile Template: all four parties will have Read and CLM Enroll.
  • Certificate Template: FIM Full Admin and FIM Security Officer will have Read and Enroll.
  • Management Policy:
    • Enroll Policy: “Initiate Enroll Request” and “Enroll Agent For Enroll Requests”: FIM Full Admins and FIM Security Officer.
    • General Settings: Self Service Disabled.
    • Offline Unblock policy: “Initiate Offline Unblock Requests” and “Unblock Agent for Offline Unblock Requests”: FIM Full Admin, FIM Security Officer and FIM Help Desk.

Final Thoughts

I hope that by now you know how and where permissions should be assigned in the Microsoft FIM Certificate Management solution. Here is a quick summary diagram that shows all permission locations:

[Image: Certificate-Management-8]

About The Author

Ammar Hasayen

Ammar Hasayen is a trusted technology adviser and entrepreneur and has been in the software industry for over 10 years with a special focus on security, Office 365, and cloud solutions. Ammar is an active blogger and an active speaker in many local tech communities where he talks about Azure and Office 365. Apart from that, Ammar appears in many global tech events and conferences like Microsoft TechEd and Ignite.
