Microsoft FIM – Certificate Management Part 2
Microsoft FIM – Certificate Management
Microsoft Forefront Identity Management has a module that handles and manages the enrollment of certificates and smart cards. Microsoft calls that module Microsoft FIM CM, or FIM Certificate Management.
Microsoft FIM CM has a portal that runs under its own application pool identity. Configuration of the product is done by manipulating the web.config file (c:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web). Knowledge of the sections in the web.config file is required for FIM CM administration.
Microsoft FIM CM uses its own database, FIMCertificateManagement, which is created by the initial configuration wizard when you first install FIM CM on your server. FIM CM uses its application pool identity for database access. A new SQL role named CLMApp is introduced, and that role should be granted to the FIM CM application pool identity. The FIM CM database contains information about smart cards and their admin keys.
FIM CM also stores profile template data in the configuration partition of Active Directory. The DACLs on those profile templates determine part of the authorization model within FIM CM.
FIM CM also has its own Service Connection Point (SCP) under the System container in AD. Permissions on the SCP determine whether users are allowed to log on to the FIM CM admin portal or user portal.
The Microsoft FIM CM portal comes in two modes: user mode, in which end users enrolled with certificates can view their digital identity information or request new certificates, and admin mode, in which FIM CM admins perform their management tasks. Permissions on the SCP control which mode can be accessed.
As part of the Microsoft FIM CM installation, the AD schema is extended to include new FIM CM permissions (CLM Audit, CLM Request Enroll, and others).
Note: You can place the FIM CM database on a backend SQL server or on the same server as the FIM CM server. In all cases, I recommend having the FIM CM database on a dedicated SQL server that doesn’t host any other database. The reason is that you don’t want your company SQL administrators to have high privileges on this database, as it contains sensitive information.
Microsoft FIM CM communicates heavily with:
- Active Directory: for authentication, authorization and profile template configuration.
- SQL Database: to store a great deal of information, especially smart card information and its admin keys.
- Certification Authority (CA): one or more CA servers, to request certificates or revoke existing ones.
- Mail Server: to send notifications, if configured.
FIM CM Agents
Microsoft FIM CM's power, its ability to proxy requests to the CA and to proxy identities, is built on the concept of FIM CM Agents. These agents are accounts in your Active Directory that FIM CM uses to perform its tasks. You must configure the web.config file to associate some of the FIM CM agent accounts with their certificates.
Note: The FIM CM initial configuration wizard will offer to create and configure those accounts automatically. It is highly recommended that you choose to create them manually, and even enroll them for certificates manually. This is very important for later manageability, especially when those account certificates are about to expire. You must create those accounts in Active Directory prior to installation.
The first agent account used by Microsoft FIM CM is simply called the FIM Agent, and it is a very important account. Configuring this account correctly from the start will ensure a smooth deployment of FIM CM in your organization. The FIM Agent is enrolled for signing and encryption certificates, usually from the “User” certificate template. I usually duplicate the “User” certificate template and configure the key to be exportable.
Once you have a certificate for encryption and signing, you must log on to the FIM CM server with the FIM Agent account and install the certificate in that user's personal certificate store.
The FIM Agent user is used for the following tasks:
- Protect communication between the FIM CM server and the CA.
- Revoke certificates.
- Encrypt smart card admin keys in the FIM CM database.
- Encrypt the data collection information requested by the FIM CM portal, in the FIM CM database.
You need to make sure that the thumbprint of the FIM Agent certificate is placed in the following keys in the FIM CM web.config file (the value is the certificate thumbprint):
- <add key="Clm.SigningCertificate.Hash" value="<thumbprint>" />
- <add key="Clm.Encryption.Certificate.Hash" value="<thumbprint>" />
- <add key="Clm.SmartCard.ExchangeCertificate.Hash" value="<thumbprint>" />
The second account is the Microsoft FIM KRA account. This account is used to recover archived keys from the CA database. You should enroll this account for a certificate from the “Key Recovery Agent” certificate template and configure the CA server to use it for key recovery. This account should be a member of the local Administrators group on the FIM CM server.
FIM Enroll Agent
This account performs the actual enrollment of certificates. You should enroll this account for a certificate from the “Enrollment Agent” certificate template, and ideally place the certificate's keys in an HSM for enhanced protection. This account is what makes it possible to proxy identities when enrolling through the FIM CM portal: the FIM CM admins are not enrolled for an enrollment agent certificate themselves; instead, they are assigned a management role in the Microsoft FIM CM profile template, while the FIM CM Enroll Agent is the actual user that performs the enrollment.
The FIM Enroll Agent should have “Read” and “Request Certificates” permissions on the CA server. The thumbprint of the FIM Enroll Agent certificate should be inserted in the following key of the FIM CM web.config file (the value is the certificate thumbprint):
<add key="Clm.EnrollAgent.Certificate.Hash" value="<thumbprint>" />
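The four Clm.*.Hash keys above and in the FIM Agent section are the place where a stale or mistyped thumbprint silently breaks signing, encryption or enrollment, and the post stresses that agent certificate expiry is the main manageability problem. The following PowerShell script is an added example (not code from the post or from Microsoft): it reads the web.config, pulls out those four keys, checks that each value is a well-formed thumbprint, looks the certificate up in the personal stores, and reports expiry and private-key presence. It assumes the default install path quoted in the post, that the keys live under the <appSettings> element (an assumption), and that it is run on the FIM CM server; the FIM Agent certificate lives in that account's personal store, so run it as the FIM Agent (or the web pool account) to see those certificates.

```powershell
# Added example (not from the original post): audit the FIM CM agent certificate
# thumbprints referenced in web.config. Assumes the default install path from the
# post and that the Clm.*.Hash entries sit under <appSettings> (assumption).
# Run on the FIM CM server as the account whose personal store holds the certs;
# LocalMachine\My is checked as well.
param(
    [string]$WebConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config',
    [int]$WarnDays = 60   # warn when a certificate expires within this many days
)

# Key names as listed in the post
$hashKeys = @(
    'Clm.SigningCertificate.Hash',
    'Clm.Encryption.Certificate.Hash',
    'Clm.SmartCard.ExchangeCertificate.Hash',
    'Clm.EnrollAgent.Certificate.Hash'
)

[xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
$settings = @{}
foreach ($node in $config.configuration.appSettings.add) {
    $settings[$node.key] = $node.value
}

$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
foreach ($key in $hashKeys) {
    if (-not $settings.ContainsKey($key) -or [string]::IsNullOrWhiteSpace($settings[$key])) {
        Write-Warning "$key is missing or empty in web.config"
        continue
    }
    # Thumbprints are hex; strip whitespace and normalise case before comparing
    $thumb = ($settings[$key] -replace '\s', '').ToUpperInvariant()
    if ($thumb -notmatch '^[0-9A-F]{40}$') {
        Write-Warning "$key value '$($settings[$key])' is not a SHA-1 thumbprint"
        continue
    }
    $cert = $null
    foreach ($store in $stores) {
        $cert = Get-ChildItem -Path $store |
                Where-Object { $_.Thumbprint -eq $thumb } |
                Select-Object -First 1
        if ($cert) { break }
    }
    if (-not $cert) {
        Write-Warning "$key -> $thumb : certificate not found in $($stores -join ', ')"
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
              else { 'OK' }
    # A certificate without its private key cannot sign or decrypt, so flag that too
    $keyState = if ($cert.HasPrivateKey) { 'private key present' } else { 'NO PRIVATE KEY' }
    '{0,-40} {1} {2,-8} expires {3:yyyy-MM-dd} ({4} days) [{5}]' -f `
        $key, $thumb, $status, $cert.NotAfter, $daysLeft, $keyState
}
```

Schedule it under the FIM Agent and web pool identities and route the warnings to whatever alerting you already use; the WarnDays threshold should be longer than the time it takes your PKI team to re-enroll and re-install an agent certificate.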
FIM Authentication Agent
This agent doesn’t need a certificate to function. The main purpose of this account is to provide a security context for the FIM CM services to read configuration data in Active Directory.
The account should be granted the following permissions and rights:
- “Generate Security Alerts” right on the FIM CM server.
- Member of the “Pre-Windows 2000 Compatible Access” group in AD.
- “Read” permission on the CA certificate templates.
- “Read” and “Write” on the FIM profile templates.
- “Create Child Objects” on the Profile Template container.
Note: If you don’t want some of the legacy profile templates to appear in your FIM CM admin portal, just remove the “Read” permission of the FIM Auth Agent from those profile templates.
FIM CA Manager
This agent is used by FIM CM to perform CA management tasks, such as issuing CRLs or delta CRLs when a smart card or certificate is retired or disabled. This account should have “Read” and “Manage CA” rights on the CA.
FIM Web Pool Agent
This is one of the most important agents in a FIM CM deployment, as it is the identity under which the FIM CM portal application pool runs. This account is also used to access the FIM CM database.
This account should have the following rights and permissions:
- “Generate Security Alerts” right on the FIM CM server.
- Member of the local Administrators group on the FIM CM server.
- Member of the local IIS_IUSRS group on the FIM CM server.
- “Act as part of the operating system” right on the FIM CM server.
- “Replace process level token” right on the FIM CM server.
- “Read” on the FIM CM registry keys.
- Trusted for delegation to the CA server.
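Because the web pool identity carries two of the most sensitive local privileges on the box (“Act as part of the operating system” and “Replace process level token”), it is worth checking after every build or hardening change that the account still holds exactly what it needs. The following PowerShell script is an added example, not code from the post or from Microsoft: it exports the local security policy with secedit, checks the three user rights from the list above, and checks membership of the two local groups. The account name is a placeholder you supply; the post's “Generate Security Alerts” right is mapped here to the SeAuditPrivilege (“Generate security audits”) privilege, which is my mapping rather than the post's wording. Registry key read access and delegation to the CA are not covered. The script must run elevated on the FIM CM server, and Get-LocalGroupMember (assumed available) only reports direct members, so membership inherited through a domain group will show as not granted.

```powershell
# Added example (not from the original post): verify the FIM Web Pool agent's local
# rights and group memberships on the FIM CM server against the post's checklist.
# Run elevated on the FIM CM server. -Account is a placeholder you replace.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # e.g. 'CONTOSO\svc-fimwebpool' (placeholder, not from the post)
)

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Privilege constants for the rights the post lists. The post's "Generate Security
# Alerts" is mapped here to SeAuditPrivilege ("Generate security audits"); my mapping.
$requiredRights = @{
    'SeAuditPrivilege'              = 'Generate security audits'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}
$requiredGroups = 'Administrators', 'IIS_IUSRS'

# Export the user-rights part of the local security policy and parse
# lines of the form "SeTcbPrivilege = *S-1-5-..., *S-1-5-..."
$tmp = Join-Path $env:TEMP 'fimcm-user-rights.inf'
& secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$policy = @{}
foreach ($line in Get-Content -LiteralPath $tmp) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Holders are SIDs prefixed with '*' or plain account names
        $policy[$matches[1]] = ($matches[2] -split ',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue

$results = @()
foreach ($priv in $requiredRights.Keys) {
    $holders = @($policy[$priv])
    $granted = ($holders -contains $sid) -or ($holders -contains $Account)
    $results += [pscustomobject]@{
        Check   = $requiredRights[$priv]
        Granted = [bool]$granted
    }
}
foreach ($group in $requiredGroups) {
    # Direct members only; nested membership via a domain group is not resolved here
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    $inGroup = $members | Where-Object { $_.SID.Value -eq $sid }
    $results += [pscustomobject]@{
        Check   = "Member of local $group"
        Granted = [bool]$inGroup
    }
}
$results | Format-Table -AutoSize
```

A row showing Granted = False for one of the three privileges usually means a GPO that sets user rights assignment centrally has overwritten the local setting, which is the first place to look when the portal stops impersonating users after a policy refresh.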
FIM Agents Infographic
I hope by now you have a good idea of the FIM agents and how each one is used in this solution. Here is an overall diagram showing all the FIM agents.