
Microsoft identity lifecycle manager ILM

My story of Microsoft multi factor authentication

In this blog post, I will be talking about Microsoft multi-factor authentication, and more specifically about Microsoft's smart card management solution: how you manage the life cycle of smart cards, from enrolling them, through managing them, to finally retiring them. The product I will be talking about is called Microsoft Identity Lifecycle Manager (ILM).

When I started working in the security field back in 2007, security was a very complicated and dark field to me. I started working on security baselines and firewalls, before quickly realizing that no matter how hard you secure your environment, bad guys will always get you.

I quickly understood that a security administrator should do everything he can to protect his assets, but also assume breach. The next layer of protection is multi-factor authentication. In 2007, multi-factor authentication came in the form of smart cards or hardware security tokens. I was very interested in smart cards, because you can integrate your badge and physical access control with your smart card. One card for all purposes. Sounds interesting.

Microsoft identity lifecycle manager ILM & Smart Cards

So, I started having calls with Gemalto, one of the big smart card vendors. I was very excited to work on smart cards, and I quickly realized that smart cards come with a complicated and sophisticated management overhead.

Why is smart card management so difficult? First, you need to issue smart cards, which means enrolling a certificate from your CA onto that piece of hardware, so that the private key lives only on the card. Second, smart cards get lost or stolen, and you must be able to revoke every certificate on that card (with a revocation reason such as KeyCompromise, so relying parties know why) and then issue a replacement card. Third, certificates on the card expire. In that case you need to renew the certificates on the card, and you should consider leaving the old encryption certificate and its key in place, so that people can still decrypt files and mail encrypted under it; this is also why the guide below enables the KeyRecoveryAgent template, since an archived encryption key is the only way to recover that data once the card itself is gone.
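To make those three operations concrete, here is a small PowerShell script. It is an added example written for this page, not code from the original post or from ILM/FIM CM. It inventories the certificates in the current user's personal store that have a private key, classifies each one as an authentication or encryption certificate from its Extended Key Usage, reports how many days are left before expiry, and for each certificate returns the life-cycle action: the `certutil -revoke` command with reason code 1 (KeyCompromise) for a lost card, or a renewal note that retains the encryption certificate. It assumes Windows PowerShell 5.1 on a domain-joined workstation with `certutil` from AD CS available; the function names (`Get-CertRoles`, `Get-SmartCardCertInventory`, `Get-LifecycleAction`) and the `$WarnDays` parameter are invented for this example. The EKU OIDs and the certificate template extension OID are the standard Microsoft and PKIX values.

```powershell
# Added example for this page (not from the original guide or from ILM/FIM CM).
# Assumes Windows PowerShell 5.1, the Cert: drive, and certutil from AD CS.

# Standard EKU OIDs -> the role that certificate plays on the card.
$ekuRoles = @{
    '1.3.6.1.4.1.311.20.2.2' = 'authentication'   # Smart Card Logon
    '1.3.6.1.5.5.7.3.2'      = 'authentication'   # Client Authentication
    '1.3.6.1.5.5.7.3.4'      = 'encryption'       # Secure Email (S/MIME)
    '1.3.6.1.4.1.311.10.3.4' = 'encryption'       # Encrypting File System
}

function Get-CertRoles {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    if (-not $ext) { return @('unknown') }   # no EKU extension: do not guess a role
    $roles = foreach ($oid in $ext.EnhancedKeyUsages) {
        if ($ekuRoles.ContainsKey($oid.Value)) { $ekuRoles[$oid.Value] } else { 'other' }
    }
    return @($roles | Sort-Object -Unique)
}

function Get-SmartCardCertInventory {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $onHardware = $null   # unknown unless the CSP tells us
        try {
            # For CSP-based keys (typical for smart card minidrivers) HardwareDevice is $true
            # when the key lives on the card. CNG keys expose no PrivateKey here; leave $null.
            if ($cert.PrivateKey) { $onHardware = $cert.PrivateKey.CspKeyContainerInfo.HardwareDevice }
        } catch { $onHardware = $null }
        # 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension (v2 templates).
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Serial     = $cert.SerialNumber
            Template   = ($template -join ';')
            Roles      = ((Get-CertRoles $cert) -join ',')
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            OnHardware = $onHardware
        }
    }
}

function Get-LifecycleAction {
    param($Entry, [switch]$CardLost, [int]$WarnDays = 30)
    if ($CardLost) {
        # A lost or stolen card: revoke every certificate on it, reason 1 = KeyCompromise.
        # Run this on the CA, or add "-config CAHost\CAName" to target it remotely.
        # Old encrypted data is then recovered from the archived key via the KRA, not the card.
        return "certutil -revoke $($Entry.Serial) 1"
    }
    if ($Entry.DaysLeft -le $WarnDays) {
        if ($Entry.Roles -match 'encryption') {
            # Renew, but keep the old encryption certificate/key so existing data still decrypts.
            return "renew; keep old encryption cert $($Entry.Serial) on the card for decryption"
        }
        return "renew; let old certificate $($Entry.Serial) expire"
    }
    return 'no action'
}

# Usage: report every card-backed certificate and the action it needs (lost-card mode optional).
$inventory = Get-SmartCardCertInventory
$inventory | Select-Object Subject, Roles, Template, DaysLeft, OnHardware | Format-Table -AutoSize
foreach ($e in $inventory) {
    "{0,-20} {1}" -f $e.Roles, (Get-LifecycleAction -Entry $e -WarnDays 30)
}
```

Run it once in the normal mode to see which certificates are near expiry, and once with `-CardLost` passed to `Get-LifecycleAction` to get the revocation commands for a reported loss. The script only prints `certutil -revoke`; it does not execute it, so you can review the list of serials (and confirm the card really is gone) before touching the CA database.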

I looked at many management solutions out there, and I decided to try Microsoft Identity Lifecycle Manager (ILM). Of course, at that time I already had Microsoft Certificate Services installed with an offline root CA. I had to deploy this new ILM server to start managing smart cards.

Microsoft Smart Card Management Guide

I worked very hard in 2007 to deploy the Microsoft Identity Lifecycle Manager (ILM) server, and I want to share my experience in a small guide. This guide can help you even if you are using the newer Microsoft FIM CM server, as it demonstrates the different operations that can be performed on a smart card, and what each operation does to the certificates inside the smart card.
The guide index:

  • Certificate Templates.
  • Pre-CLM Installation.
    • Hardware and setup.
    • Modify AD Schema.
    • Enable the default KeyRecoveryAgent certificate template.
    • Create AD Accounts for CLM.
  • CLM Installation (Same server as CA)
    • Installation Walk Through.
    • Configuring CLM 2007 Using the CLM Configuration Wizard.
    • CLM IIS Site needs SSL Certificate.
  • Post Installation Tasks.
    • Export the CLM Users certificates.
    • Configuring the Certificate Lifecycle Manager 2007 Service.
    • Configure the CLM policy module.
    • Configure the CLM Exit module.
    • Configure additional policy modules.
    • Create CLM Users and Groups.
    • CLM Site.
    • Understand CLM Rights and Permissions.
  • Configuring Profile Templates.
    • Smart Card Profile Templates.
  • Appendix.
    • Appendix A : CONTOSO Encryption Class IS V1.
    • CONTOSO Signing/Authentication Class IIS V1.
    • CLM System users.
    • Installing and Configuring Certificate Lifecycle Manager 2007 Client.
    • What will happen if scenarios.

You can download the full Guide from here.

About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger. He is considered a trusted advisor with the ability to quickly navigate complex multi-cultural organizations and to continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing. His contributions to the tech community earned him the Microsoft Most Valuable Professional award. Ammar speaks at many global conferences, and he has many publications about digital transformation and next-generation technologies.
