My story of Microsoft multi factor authentication

In this blog post, I will be talking about Microsoft multi-factor authentication, and more specifically their smart card management solution, and how you can manage the life-cycle of smart cards: enrolling them, managing them and finally retiring them. The product that I will be talking about is called Microsoft Identity Lifecycle Manager (ILM).

When I started working in the security field back in 2007, security was a very complicated and dark field to me. I started working on security baselines and firewalls, before quickly realizing that no matter how hard you secure your environment, bad guys will always get you.

I quickly understood that a security administrator should do everything he can to protect his assets, but also assume breach. The next layer of protection is multi-factor authentication. In 2007, multi-factor authentication came in the form of smart cards or security tokens. I was so interested in smart cards because you can integrate your badge and access control with your smart card. One card for all purposes. Sounds interesting.

Microsoft Identity Lifecycle Manager (ILM) & Smart Cards

So I started having calls with Gemalto, one of the big smart card providers. I was so excited to work on smart cards, and I quickly realized that smart cards come with a complicated and sophisticated management overhead.

Why is smart card management so difficult? Well, you need to issue smart cards, by issuing a certificate from your CA to that piece of hardware. Smart cards get stolen, and you should be able to revoke the certificates on that smart card. What if the certificates on the smart card expire? In that case, you may need to replace the certificates on the smart card, and consider leaving the encryption certificate there so that people can still decrypt encrypted files.

I looked at many management solutions out there, and I decided to try Microsoft Identity Lifecycle Manager (ILM). Of course, at that time I already had Microsoft Certificate Services installed with an offline root CA. I had to deploy this new ILM server to start managing smart cards.

Microsoft Smart Card Management Guide

I worked very hard in 2007 to deploy the Microsoft Identity Lifecycle Manager (ILM) server, and I want to share my experience in a small guide. This guide can help you even if you are using the new Microsoft FIM CM server, as it demonstrates the different operations that can be performed on a smart card, and what each operation does to the certificates inside the smart card.

The guide index:

  • Certificate Templates.
  • Pre-CLM Installation.
    • Hardware and setup.
    • Modify AD Schema.
    • Enable the default KeyRecoveryAgent certificate template.
    • Create AD Accounts for CLM.
  • CLM Installation (Same server as CA)
    • Installation Walk Through.
    • Configuring CLM 2007 Using the CLM Configuration Wizard.
    • CLM IIS Site needs SSL Certificate.
  • Post Installation Tasks.
    • Export the CLM Users certificates.
    • Configuring the Certificate Lifecycle Manager 2007 Service.
    • Configure the CLM policy module.
    • Configure the CLM Exit module.
    • Configure additional policy modules.
    • Create CLM Users and Groups.
    • CLM Site.
    • Understand CLM Rights and Permissions.
  • Configuring Profile Templates.
    • Smart Card Profile Templates.
  • Appendix.
    • Appendix A: CONTOSO Encryption Class IS V1.
    • CONTOSO Signing/Authentication Class IIS V1.
    • CLM System users.
    • Installing and Configuring Certificate Lifecycle Manager 2007 Client.
    • What will happen if scenarios.

You can download the full guide from here.