Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management
Brian Komar, President, IdentIT Inc. ([email protected])
SESSION CODE: SIA307
Craig Carlston, SE System Analyst, Microsoft Corporation

Identity and Access Management: Notes from the Field: Microsoft IT's FIM 2010 Certificate Management Deployment
Agenda
The Microsoft PKI Architecture
Legacy Smart Card Architecture
Legacy Smart Card Management System Details
Benefits of Moving to FIM 2010 Certificate Management
Migration Plan to FIM CM
The Pain Points of the Migration
The Microsoft PKI Architecture

Microsoft PKI
Nine production forests
Mix of server operating systems
Combination of internal and external trust
Centralized CA management
Multiple certificate types
Cross-forest enrollment where supported
Internal Trust Architecture

[Diagram: internal trust hierarchy]
Microsoft Corporate Root CA
Subordinate CAs and the certificate types they issue:
Smart Card CAs: Smart Card Logon
Encryption CA: EFS
Utility CAs: Machine/User Auth
NAP CAs: NAP Health Client

External Trust Architecture

[Diagram: external trust hierarchy]
Publicly Trusted Root (Verizon)
Microsoft Intermediate CA
S/MIME CA: E-mail Encryption/Signing
SSL CA: Web Server Authentication
Legacy Smart Card Architecture

Smart Cards, Readers, and Middleware
Smart Cards
  Custom-built hybrid cards
    Photo ID
    Indala RFID cards for building access
    Gemalto smart card chip
  128K .NET v2 cards (current standard)
  Legacy cards (all Base CSP cards)
Middleware
  Microsoft Base Smart Card Crypto Provider
  Mini-drivers specific to the actual cards used
Smart Card Readers
  Built-in readers in our laptops
  If no built-in reader: Omnikey, Gemalto
Smart Card Issuance Tools
Lenel
  Printing
  RFID management
Smart Card Manager v2 (MS internal solution)
  Smart Card Management = Smartcard Deployment Application (SDA)
  PIN Management = PIN Tool v2
  Custom smart card admin PIN diversification solution
Smart Card Architecture

Support Resources
Distributed Issuance Offices (DIOs)
Helpdesk
Client Certificate Services Team

[Diagram: Smart Card Architecture]
Legacy Smart Card Management System Details

Smart Card Management Today
Approximately 100,000 active cards
Average 1,000 new cards a month
Average processing time: 10 minutes

Challenges With Original Deployment in 2000
Mobile devices, Macintosh, and UNIX platforms not compatible with smart card EAP/TLS authentication
Smart card distribution process was resource intensive
Managing policy and client groups is complex
Client software version control
Limited reporting

Lessons Learned
Immature smart card administrative tools
Secure registration authority for issuance and renewal; if certificates expire, users must visit a DIO
Remote client troubleshooting
Delegation of administration
Distributed functions without distributed trust
Benefits of Moving to FIM 2010 Certificate Management

Benefits of FIM CM
Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA)
Improved overall process workflow
  New Card Enroll
  Lost Card Replace
  Card Retire
  Certificate Renewal
Detailed auditing and reporting
Support for extended self-service scenarios
PIN unblocks with user's credentials
Integration with Active Directory and PKI
Does not perform an "RFC-based" renewal: allows renewals after certificate expiration
Chance to Review/Revise Corporate Policies to Profile Template Policies
Management policies must enforce security policies and certificate policies

[Diagram: Certificate Policy and Security Policy feed into the Management Policies (Enrollment: Enroll; Enrollment: Unblock)]
Migration Plan to FIM CM

Migration Plan to FIM CM Goals
Minimize user impact
Minimize costs
Maintain the same level of security

Migration Plan to FIM CM
A FIM CM instance per forest
Custom PIN Tool
  Required for the smart card-only PIN unblock scenario for elevated access accounts
  Allows offline unblock
  Used as the sole method for Internet PIN unblock
Previously archived S/MIME encryption certificates imported to FIM CM for continued use
FIM CM Architecture at Microsoft
[Diagram: FIM CM Architecture at Microsoft]
Profile Templates
Smart Card Logon and RAS: most email-enabled primary user accounts
Smart Card Logon, RAS, and Data Protection: email-enabled primary accounts with S/MIME
Smart Card Logon, No RAS: alternate accounts for elevated access
Normal User Account Enrollment Workflow
(Admin accounts require face-to-face issuance at a DIO)

[Flowchart; swimlanes: FIM CM Portal, FIM and Manual]
• User added to MS-Smartcard-LogonOnly or MS-Smartcard-LogonandEncrypt (FIM 2010 will ensure the user is a member of only one group)
• Decision: does the user have an existing smart card?
• If not: user visits a DIO and the smart card is printed in Lenel; the enrollment process takes place: certificates loaded on the smart card, PIN is randomized, admin key is diversified by the custom Admin Key Diversifier application
• If so: user is sent an email with a link to the FIM CM portal and instructions on self-service enrollment
• User moves to the Unblock workflow to use the card
Unblock Workflow
(Admin accounts require face-to-face issuance at a DIO)

[Flowchart; swimlanes: Custom PIN tool, FIM and Manual]
• User added to the MS-Smartcard-UnblockEnabled group
• Decision: has the user been vetted? If not, the user must meet face-to-face to meet the CP-defined assurance level requirements
• User initiates an Online Unblock if on the corporate network, or an Offline Unblock if network connectivity is not possible
• User opens the PIN Tool
• Admin key retrieved from the FIM CM database and re-set using the Admin Key Generator
• Card ready for use
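Both the enrollment workflow ("Admin Key is diversified") and the unblock workflow ("Admin Key retrieved ... and re-set") rely on per-card admin key diversification. The following is an added illustration of that idea, not Microsoft's Admin Key Diversifier or Admin Key Generator; the HMAC-based derivation, the label, the version counter and the master key value are all assumptions made for the example. The point it demonstrates is defensive: if every card shared one admin key, extracting it from a single card would allow PIN resets on the whole fleet, whereas a key derived from a master secret plus the card's own serial confines any loss to that card, and the master secret can stay inside the HSM the deck's security policy calls for.

```python
"""
Added example (not Microsoft's Admin Key Diversifier or Admin Key Generator;
the derivation scheme is an assumption): per-card administrative key
diversification as used in the enrollment and unblock workflows.
"""
import hashlib
import hmac

# Constructed master secret for the demo (in production this stays in the HSM).
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# 24 bytes = three distinct 8-byte DES keys, matching the three-key 3DES
# protection the deck mentions (assumption: the admin key is a 3DES key).
ADMIN_KEY_LEN = 24
LABEL = b"smartcard-admin-key"  # assumed domain-separation label


def with_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES/3DES key formats expect."""
    out = bytearray()
    for b in key:
        b &= 0xFE                       # clear the parity bit
        if bin(b).count("1") % 2 == 0:  # even number of ones -> set it
            b |= 0x01
        out.append(b)
    return bytes(out)


def diversify_admin_key(master_key: bytes, card_serial: str, version: int = 0) -> bytes:
    """Derive one card's admin key: HMAC-SHA256(master, label|serial|version), truncated.

    `version` is bumped when the card's admin key is re-set (the unblock
    workflow's "re-set using Admin Key Generator" step) so a fresh key can be
    issued without touching the master secret or re-keying other cards.
    """
    msg = b"|".join([LABEL, card_serial.encode("utf-8"), version.to_bytes(4, "big")])
    digest = hmac.new(master_key, msg, hashlib.sha256).digest()
    return with_des_parity(digest[:ADMIN_KEY_LEN])


def three_keys_distinct(key: bytes) -> bool:
    """Confirm the three 8-byte parts differ, so the key really is three-key 3DES."""
    parts = [key[i:i + 8] for i in range(0, ADMIN_KEY_LEN, 8)]
    return len(set(parts)) == 3


def reset_admin_key(master_key: bytes, record: dict) -> dict:
    """Model the re-set step: issue the next key version for an existing card record."""
    new_version = record["version"] + 1
    return {"serial": record["serial"], "version": new_version,
            "admin_key": diversify_admin_key(master_key, record["serial"], new_version)}


if __name__ == "__main__":
    card = {"serial": "CARD-0001", "version": 0,
            "admin_key": diversify_admin_key(MASTER_KEY, "CARD-0001")}
    other = diversify_admin_key(MASTER_KEY, "CARD-0002")
    print("card 1:", card["admin_key"].hex())
    print("card 2:", other.hex())
    print("after re-set:", reset_admin_key(MASTER_KEY, card)["admin_key"].hex())
```

In a real deployment the HMAC call would be replaced by a derivation performed inside the HSM so the master key is never present in host memory; the card record (serial, version) is what the FIM CM database would hold, while the key itself is recomputed on demand.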
DEMO: Custom PIN Tool (Craig Carlston, SE Systems Analyst, Microsoft)
Normal User Account Replacement Workflow
(Admin accounts require face-to-face issuance at a DIO)

[Flowchart; swimlanes: FIM CM Portal, FIM and Manual]
• User visits a DIO and the replacement smart card is printed in Lenel
• DIO employee validates the picture on the smart card against the person receiving the replacement smart card
• Card distributed to user
• User connects to the FIM CM portal
• New Smart Card Logon certificate issued
• Encryption certificates: previous encryption certificates recovered, external certificates re-populated, new encryption certificate issued
• User moves to the Unblock workflow to use the card
Pain Points of the FIM 2010 CM Migration

5. FIM 2010 CM Cannot Cross Forest Boundaries
FIM 2010 CM is designed for single-forest deployments
Microsoft has multiple forests
If smart cards are deployed in a forest:
  Required a FIM 2010 CM instance
  Required a CA be available for certificate issuance in the forest
Impacted ability to leverage cross-forest enrollment to reduce CAs

4. Could Not Protect the clmAgent Certificate with an HSM
Security policy requires that the Admin Key diversification process use an HSM
HSM needed to protect the clmAgent certificate
Found an issue with the HSM vendor that did not allow use of AES encryption with the clmAgent certificate
Acceptable solution allowed HSM protection but dropped down to three-distinct-key 3DES protection

3. Migrating Encryption Certificates to FIM CM
Smart Card Logon, RAS, and Data Protection profile template required migration of previous S/MIME encryption certificates
CLMUtil used to import encryption certificates into the FIM CM database and CA database
  Required a new S/MIME CA to import the certificates to
  Required a custom tool to automate the import process
Previous encryption certificates
  Were revoked at the CA
  Imported as External certificates into the FIM CM database
  Profile template configured to allow a designated number of external certificates
  Enrollment/Replace process includes recovery of external encryption certificates onto the smart card
2. Restrictions Cannot Be Imposed Across Profile Templates
Microsoft wishes to ensure that a user account has only a single smart card logon certificate
  Easy to do within a single profile template
  Cannot be done across profile templates
Solution is to use FIM provisioning to ensure that a user account can only exist in one of two security groups
  Each security group is assigned Read and FIM CM Enroll permissions against the designated profile template
  A user can move from the non-encryption certificate profile template to the profile template that includes the encryption certificate, not the other way
  Migration to the encryption certificate requires retiring the previous smart card for redeployment
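The group rule above is the control that keeps one account from holding two smart card logon certificates across profile templates. The following is an added example, not Microsoft's FIM provisioning configuration, that expresses that rule as a checkable policy: an audit over a constructed directory snapshot that finds accounts in both groups, and a transition check that allows the LogonOnly to LogonandEncrypt move (flagging that the old card must be retired) and refuses the reverse. The two group names are the ones the deck uses; the sample users and the "Domain Users" group are constructed.

```python
"""
Added example (not Microsoft's FIM provisioning logic): the profile template
group rule from pain point 2 expressed as a checkable policy.

Rules modelled:
  * a user account may be a member of at most one of the two groups, so it
    can hold only one smart card logon certificate across profile templates;
  * moving from LogonOnly to LogonandEncrypt is allowed and forces the old
    card to be retired for redeployment; the reverse move is refused.
"""

LOGON_ONLY = "MS-Smartcard-LogonOnly"
LOGON_AND_ENCRYPT = "MS-Smartcard-LogonandEncrypt"
EXCLUSIVE_GROUPS = frozenset({LOGON_ONLY, LOGON_AND_ENCRYPT})

# One-way migration: source group -> set of groups it may move to.
ALLOWED_MOVES = {
    LOGON_ONLY: {LOGON_AND_ENCRYPT},
    LOGON_AND_ENCRYPT: set(),
}

# Constructed directory snapshot: user -> groups. "carol" violates the rule.
SAMPLE_DIRECTORY = {
    "alice": {"Domain Users", LOGON_ONLY},
    "bob": {"Domain Users", LOGON_AND_ENCRYPT},
    "carol": {"Domain Users", LOGON_ONLY, LOGON_AND_ENCRYPT},
    "dave": {"Domain Users"},
}


def template_groups(groups):
    """Return the subset of `groups` that selects a smart card profile template."""
    return set(groups) & EXCLUSIVE_GROUPS


def audit_exclusivity(directory):
    """Return the sorted list of users who are in more than one template group.

    This is the check a provisioning engine or a scheduled audit would run to
    catch accounts that could be issued two smart card logon certificates.
    """
    return sorted(u for u, g in directory.items() if len(template_groups(g)) > 1)


def request_transition(groups, target):
    """Decide whether a user with `groups` may be placed in `target`.

    Returns (allowed, reason, new_groups, retire_card); retire_card is True
    when the move requires the previous smart card to be retired.
    """
    if target not in EXCLUSIVE_GROUPS:
        return False, f"{target} is not a profile template group", set(groups), False
    current = template_groups(groups)
    if len(current) > 1:
        return False, "account already violates exclusivity; fix first", set(groups), False
    if not current:
        return True, "initial enrollment", set(groups) | {target}, False
    (source,) = current
    if source == target:
        return True, "already a member; no change", set(groups), False
    if target in ALLOWED_MOVES[source]:
        new = (set(groups) - {source}) | {target}
        return True, f"migrated {source} -> {target}; previous card must be retired", new, True
    return False, f"move {source} -> {target} is not permitted", set(groups), False


if __name__ == "__main__":
    print("violations:", audit_exclusivity(SAMPLE_DIRECTORY))
    for user, target in (("alice", LOGON_AND_ENCRYPT), ("bob", LOGON_ONLY)):
        allowed, reason, _, retire = request_transition(SAMPLE_DIRECTORY[user], target)
        state = "allowed" if allowed else "denied"
        print(f"{user} -> {target}: {state} ({reason}; retire card: {retire})")
```

The membership change itself would be carried out by FIM's provisioning rules against Active Directory; the value of a standalone check like this is as an independent audit, since each group carries Read and FIM CM Enroll permissions on its profile template and an account in both groups could enroll under both.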
1. Configuring Client Settings Across IE Versions
Three different versions of Internet Explorer are deployed on MS computers
  IE 6.0 and IE 8.0 require that the FIM CM portal hostname be in the SiteLock registry key
  IE 7 requires that the FIM CM portal hostname be in the SiteLock registry key and the URL be included in Trusted Sites
FIM CM client software must be automatically deployed to the masses
Solution involved a custom script that:
  Detects the IE version and forest
  Runs the FIM CM Client installer package with options to designate the correct settings required for the IE version and forest
DEMO: Deploying the FIM CM Client Software (Craig Carlston, SE Systems Analyst, Microsoft)

ANNOUNCING: Deploying FIM 2010 CM with Thales HSMs
http://iss.thalesgroup.com/en/l/program/FIM-eBook.aspx
INFRASTRUCTURE PLANNING AND DESIGN (IPD) GUIDE: Microsoft Forefront Identity Manager 2010

What are IPD Guides?
Guidance & best practices for infrastructure planning of Microsoft technologies

Forefront Identity Manager 2010 Guide Benefits
Helps the architect to define the project scope by quickly assessing which specific identity management functionality the business needs, and for what resources
Based on the scope, identifies the FIM infrastructure components required to achieve the project goals
Determines the sizing, placement, and fault tolerance configuration of the FIM services, portals, and databases

It's a free download! Go to www.microsoft.com/ipd
Check out the entire IPD series for streamlined IT infrastructure planning

"At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this." Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services
Conclusions
FIM CM will enhance the management of MS IT's smart card deployment
FIM CM gives MS IT a chance to review all smart card and PKI related policies
Despite pain points, a customized solution can be developed to work for a large organization such as Microsoft
Allows future flexibility as requirements change
  Adding certificate templates to the deployment is easy
  Changing workflows is possible if requirements change
Related Content
SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA304 | Identity and Access Management: Windows Identity Foundation Overview
SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
SIA319 | Microsoft Forefront Identity Manager 2010: In Production
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
SIA06-INT | Identity and Access Management Solution Demos
SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Track Resources
Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial

Resources
Sessions On-Demand & Community: www.microsoft.com/teched
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA