Tuesday, October 27, 2009

FIM 2010 CM - configuration

Installation



FIM Server

Install FIM Certificate Management

Please see the TechNet article for Forefront Identity Manager - Certificate Management.

Prepare for FIM CM setup
1. Modify the Active Directory Schema: Run D:\Certificate Management\x64\Schema\ModifySchema.vbs
2. servermanagercmd -i net-framework web-server web-asp-net
3. Create a User template for FIM CM agent:
- AD CS > Certificate templates
- Duplicate the template "User" > Windows 2008 server template type to "UserFIMAgent"
- Subject Name: Uncheck "Email name", and "Include e-mail in subject name"
4. Allow the PKI to issue following templates:
- Key Recovery Agent
- UserFIMAgent
- Enrollment Agent
5. Register the SPNs in AD:
setspn -A HTTP/fim-dc fim-dc
setspn -A HTTP/fim-dc.contoso.com fim-dc



Run the FIM CM setup

- Virtual Folder: CertificateManagement


Configure FIM CM

- Run the Certificate Management Configuration Wizard
- SQL: FIM-SHAREPOINT\FIMINSTANCE
- templates: UserFIM


FIM client

Install the Forefront Identity Manager CM Client
FIM Websites: fim-dc.contoso.com;fim-dc


Configuration




AD DS:



Create FIM User groups
- FIMcmAdministrators: cyrilv ; administrator
- FIMcmCertMgrs: FIMcmAdministrators ; pascals
- FIMcmUsers: FIMcmCertMgrs ; fabiend ; youssefz



1. SCP permissions
- View > Advanced Features
- contoso.com > System > Microsoft > Certificate Lifecycle Manager > FIM-DC
- grant FIMcmUsers: Read
- grant FIMcmCertMgrs: CLM Audit and CLM Request Enroll

2. Users and groups permissions
- FIMcmUsers:
- grant FIM CM Request Enroll for SELF and for FIMcmCertMgrs

3. Policy template permissions
- create a new Smart card template: Contoso FIM smart card policy template
- grant FIMcmUsers and FIMcmCertMgrs the permission to Enroll on "Contoso FIM smart card policy template"

4. PKI templates:
- grant FIMcmUsers READ and ENROLL rights on the templates issued in the Contoso FIM smart card policy template


Contoso smart card profile template

- http://fim-dc/certificatemanagement/ as CONTOSO\Administrator
- Administration > Manage profile templates
- duplicate the FIM default smart card template
- Enroll policy: grant FIMcmUsers the Workflow initiate request right
- choose the Certificate templates to enroll
- for each of them: grant FIMcmUsers the right to Enroll on AD CS > Certificate Templates





FIM CM is only supported on Windows Server 2003 or 2008 Enterprise (at least for now)

The Card Management functionality of FIM is only able to run on Windows Server 2003 or Windows Server 2008 computers, not on Windows Server 2008 R2 (at least in this RC1 version).


FIM CM configuration error: cannot impersonate a user
You have to set the UserFIM template to be less restrictive:
- remove email


Base CSP smart card self-service control is not installed




When loading FIM CM at http://fim-dc.contoso.com/CertificateManagement/ it shows a .NET SQL connection timeout.
Check that the SQL SPN is correctly registered:
setspn -l Contoso\SQLsvc
if no result is present, then type:
setspn -a MSSQL/fim-sharepoint:1433 Contoso\SQLsvc
setspn -a MSSQL/fim-sharepoint.contoso.com:1433 Contoso\SQLsvc

If the MS SQL SPN is already registered, then increase the timeout:
- Server Manager > AD CS > Right-click on CA > Properties > Exit Module > FIM CM Exit Module > Properties
- increase the Connect Timeout
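Kerberos problems behind the SPN steps above (the HTTP SPNs for the FIM CM site and the SQL SPNs for the connection timeout) usually come from an SPN that is missing, on the wrong account, or registered twice. The script below is an added example, not part of the original post: it checks each expected SPN against AD and reports those three conditions without changing anything. It assumes the RSAT ActiveDirectory module and the names used in the post; note that SQL Server's Kerberos SPN class is normally MSSQLSvc rather than MSSQL, so adjust the list to what your instance actually registers.

```powershell
# Added example (not from the original post): verify the SPNs FIM CM depends on.
# Assumes the ActiveDirectory module (RSAT) and the host/account names from the post.
Import-Module ActiveDirectory

# Expected SPN -> sAMAccountName of the account that must own it.
# Computer accounts end in '$'. Adjust to your environment.
$expected = @{
    'HTTP/fim-dc'                           = 'fim-dc$'
    'HTTP/fim-dc.contoso.com'               = 'fim-dc$'
    'MSSQL/fim-sharepoint:1433'             = 'SQLsvc'
    'MSSQL/fim-sharepoint.contoso.com:1433' = 'SQLsvc'
}

function Test-FimCmSpn {
    param([hashtable]$Spns)
    $problems = @()
    foreach ($spn in $Spns.Keys) {
        # Every object in the domain carrying this SPN; there must be exactly one.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                        -Properties servicePrincipalName, sAMAccountName)
        switch ($owners.Count) {
            0 { $problems += "MISSING    $spn (expected on $($Spns[$spn]))" }
            1 {
                if ($owners[0].sAMAccountName -ne $Spns[$spn]) {
                    $problems += "WRONG ACCT $spn is on $($owners[0].sAMAccountName), expected $($Spns[$spn])"
                }
            }
            default {
                # Duplicate SPNs make the KDC unable to pick a service account:
                # clients fall back to NTLM or fail, which surfaces as timeouts.
                $names = ($owners | Select-Object -ExpandProperty sAMAccountName) -join ', '
                $problems += "DUPLICATE  $spn is on $names"
            }
        }
    }
    return $problems
}

$result = Test-FimCmSpn -Spns $expected
if ($result.Count -eq 0) { 'All FIM CM SPNs are registered once, on the expected accounts.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Run it as a domain user on a machine with RSAT; only after a MISSING line should you fall back to the setspn -a commands above.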
