
Page 1: Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management

Brian Komar, President, IdentIT Inc., brian.komar@identit.ca
Craig Carlston, SE System Analyst, Microsoft Corporation
SESSION CODE: SIA307

Identity and Access Management: Notes from the Field: Microsoft IT's FIM 2010 Certificate Management Deployment

Page 2: Agenda

- The Microsoft PKI Architecture
- Legacy Smart Card Architecture
- Legacy Smart Card Management System Details
- Benefits of Moving to FIM 2010 Certificate Management
- Migration Plan to FIM CM
- The Pain Points of the Migration

Page 3: The Microsoft PKI Architecture (section divider)

Page 4: Microsoft PKI

- Nine production forests
- Mix of server operating systems
- Combination of internal and external trust
- Centralized CA management
- Multiple certificate types
- Cross-forest enrollment where supported

Page 5: Internal Trust Architecture

Diagram (text recovered from the slide): the Microsoft Corporate Root CA issues CA certificates to four groups of subordinate CAs, each serving one purpose:

- Smart Card CAs: Smart Card Logon
- Encryption CA: EFS
- Utility CAs: Machine/User Auth
- NAP CAs: NAP Health Client

Page 6: External Trust Architecture

Diagram (text recovered from the slide): a publicly trusted root (Verizon) issues a CA certificate to a Microsoft Intermediate CA, which in turn issues CA certificates to two issuing CAs:

- S/MIME CA: E-mail Encryption/Signing
- SSL CA: Web Server Authentication

Page 7: Legacy Smart Card Architecture (section divider)

Page 8: Smart Cards, Readers, and Middleware

Smart Cards
- Custom-built hybrid cards: Photo ID, Indala RFID cards for building access, Gemalto smart card chip
- 128K .NET v2 cards (current standard)
- Legacy cards (all Base CSP cards)

Middleware
- Microsoft Base Smart Card Crypto Provider
- Mini-drivers specific to the actual cards used

Smart Card Readers
- Built-in readers in our laptops
- If no built-in reader: Omnikey, Gemalto

Page 9: Smart Card Architecture: Smart Card Issuance Tools

- Lenel: printing, RFID management
- Smart Card Manager v2 (MS internal solution):
  - Smart Card Management = Smartcard Deployment Application (SDA)
  - PIN Management = PIN Tool v2
  - Custom smart card admin PIN diversification solution

Page 10: Smart Card Architecture: Support Resources

- Distributed Issuance Offices (DIOs)
- Helpdesk
- Client Certificate Services Team

Page 11: Legacy Smart Card Management System Details (section divider)

Page 12: Smart Card Management Today

- Approximately 100,000 active cards
- Average 1,000 new cards a month
- Average processing time: 10 minutes

Page 13: Challenges With Original Deployment in 2000

- Mobile devices, Macintosh, and UNIX platforms not compatible with smart card EAP/TLS authentication
- Smart card distribution process was resource intensive
- Managing policy and client groups is complex
- Client software version control
- Limited reporting

Page 14: Lessons Learned

- Immature smart card administrative tools
- Secure registration authority for issuance and renewal; if certificates expire, users must visit a DIO
- Remote client troubleshooting
- Delegation of administration
- Distributed functions without distributed trust

Page 15: Benefits of Moving to FIM 2010 Certificate Management (section divider)

Page 16: Benefits of FIM CM

- Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA)
- Improved overall process workflow:
  - New Card Enroll
  - Lost Card Replace
  - Card Retire
  - Certificate Renewal
- Detailed auditing and reporting
- Support for extended self-service scenarios
- PIN unblocks with the user's credentials
- Integration with Active Directory and PKI
- Does not perform an "RFC-based" renewal: allows renewals after certificate expiration

Page 17: Chance to Review/Revise Corporate Policies to Profile Template Policies

Management policies must enforce security policies and certificate policies.

Diagram (text recovered from the slide): the Certificate Policy and the Security Policy both feed into the profile template's Management Policies; the Enroll and Unblock enrollment policies are shown as examples.

Page 18: Migration Plan to FIM CM (section divider)

Page 19: Migration Plan to FIM CM: Goals

- Minimize user impact
- Minimize costs
- Maintain the same level of security

Page 20: Migration Plan to FIM CM

- A FIM CM instance per forest
- Custom PIN Tool:
  - Required for the smart card-only PIN unblock scenario for elevated access accounts
  - Allows offline unblock
  - Used as the sole method for Internet PIN unblock
- Previously archived S/MIME encryption certificates imported to FIM CM for continued use

Page 21: FIM CM Architecture at Microsoft (section divider)

Page 22: Profile Templates

- Smart Card Logon and RAS: most email-enabled primary user accounts
- Smart Card Logon, RAS, and Data Protection: email-enabled primary accounts with S/MIME
- Smart Card Logon, No RAS: alternate accounts for elevated access

Page 23: Normal User Account Enrollment Workflow

Note on the slide: Admin accounts require face-to-face issuance at a DIO. The flowchart has two swimlanes, "FIM CM Portal" and "FIM and Manual".

Steps as read from the flowchart:

1. User is added to MS-Smartcard-LogonOnly or MS-Smartcard-LogonandEncrypt (FIM 2010 ensures the user is a member of only one of the two groups).
2. Decision: does the user have an existing smart card?
   - No: the user visits a DIO and a smart card is printed in Lenel.
   - Yes: continue with the existing card.
3. Enrollment process takes place:
   - Certificates are loaded on the smart card
   - The PIN is randomized
   - The Admin Key is diversified by the custom Admin Key Diversifier application
4. The user is sent an email with a link to the FIM CM portal and instructions on self-service enrollment.
5. The user moves to the Unblock workflow to use the card.

Page 24: Unblock Workflow

Note on the slide: Admin accounts require face-to-face issuance at a DIO. The flowchart has two swimlanes, "Custom PIN tool" and "FIM and Manual".

Steps as read from the flowchart:

1. User is added to the MS-Smartcard-UnblockEnabled group.
2. Decision: has the user been vetted?
   - No: the user must meet face-to-face to meet the CP-defined assurance level requirements.
   - Yes: continue.
3. User initiates an Online Unblock if on the corporate network, or an Offline Unblock if network connectivity is not possible.
4. User opens the PIN Tool.
5. The Admin Key is retrieved from the FIM CM database and re-set using the Admin Key Generator.
6. Card ready for use.

Page 25: DEMO: Custom PIN Tool (Craig Carlston, SE Systems Analyst, Microsoft)

Page 26: Normal User Account Replacement Workflow

Note on the slide: Admin accounts require face-to-face issuance at a DIO. The flowchart has two swimlanes, "FIM CM Portal" and "FIM and Manual".

Steps as read from the flowchart:

1. User visits a DIO and a replacement smart card is printed in Lenel.
2. A DIO employee validates the picture on the smart card against the person receiving the replacement smart card.
3. Card is distributed to the user.
4. User connects to the FIM CM portal.
5. A new Smart Card Logon certificate is issued.
6. Encryption certificates:
   - Previous encryption certificates are recovered
   - External certificates are re-populated
   - A new encryption certificate is issued
7. The user moves to the Unblock workflow to use the card.

Page 27: Pain Points of the FIM 2010 CM Migration (section divider)

Page 28: 5. FIM 2010 CM Cannot Cross Forest Boundaries

- FIM 2010 CM is designed for single-forest deployments
- Microsoft has multiple forests
- If smart cards are deployed in a forest:
  - Required a FIM 2010 CM instance
  - Required a CA to be available for certificate issuance in the forest
- Impacted the ability to leverage cross-forest enrollment to reduce the number of CAs

Page 29: 4. Could Not Protect the clmAgent Certificate with an HSM

- Security policy requires that the Admin Key diversification process use an HSM
- An HSM was needed to protect the clmAgent certificate
- Found an issue with the HSM vendor that did not allow use of AES encryption with the clmAgent certificate
- Acceptable solution allowed HSM protection but dropped down to three-key (three distinct keys) 3DES protection

Page 30: 3. Migrating Encryption Certificates to FIM CM

- The Smart Card Logon, RAS, and Data Protection profile template required migration of previous S/MIME encryption certificates
- CLMUtil used to import encryption certificates into the FIM CM database and the CA database
  - Required a new S/MIME CA to import the certificates to
  - Required a custom tool to automate the import process
- Previous encryption certificates:
  - Were revoked at the CA
  - Imported as External certificates into the FIM CM database
  - Profile template configured to allow a designated number of external certificates
  - Enrollment/Replace process includes recovery of external encryption certificates onto the smart card

Page 31: 2. Restrictions Cannot Be Imposed Across Profile Templates

- Microsoft wishes to ensure that a user account only has a single smart card logon certificate
  - Easy to do within a single profile template
  - Cannot be done across profile templates
- Solution is to use FIM provisioning to ensure that a user account can only exist in one of two security groups
  - Each security group is assigned Read and FIM CM Enroll permissions against its designated profile template
  - A user can move from the non-encryption certificate profile template to the profile template that includes the encryption certificate, but not the other way
  - Migration to the encryption certificate requires retiring the previous smart card for redeployment
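The group-exclusivity rule from slide 23 and slide 31 is enforced by FIM provisioning in the deck; the following is an added example, not code from the presentation, of an independent audit a PKI team could run against Active Directory to confirm the rule holds and to check the one-way transition it describes. The two group names come from the slides; the profile template names in the comments and the helper function names are assumptions.

```powershell
# Added example, not code from the presentation: audit the rule that a user
# account belongs to at most one of the two smart card security groups, and
# check that a move between them only goes in the allowed direction
# (logon-only -> logon-and-encrypt). Requires the ActiveDirectory module
# (RSAT) and read access to both groups.

Import-Module ActiveDirectory

# Group names are the ones on the slides; the template names are assumptions.
$LogonOnlyGroup    = 'MS-Smartcard-LogonOnly'        # Read + FIM CM Enroll on "Smart Card Logon and RAS"
$LogonEncryptGroup = 'MS-Smartcard-LogonandEncrypt'  # Read + FIM CM Enroll on "Smart Card Logon, RAS, and Data Protection"

function Get-GroupUserSids {
    param([Parameter(Mandatory)][string]$GroupName)
    # Recursive membership, so a nested group cannot hide a double membership.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SID.Value }
}

function Get-SmartCardGroupConflict {
    # Returns one object per user who is in both groups, i.e. who holds
    # enroll rights on two profile templates and could end up with two
    # smart card logon certificates.
    $logonOnly = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($sid in @(Get-GroupUserSids $LogonOnlyGroup)) { [void]$logonOnly.Add($sid) }

    foreach ($sid in @(Get-GroupUserSids $LogonEncryptGroup)) {
        if ($logonOnly.Contains($sid)) {
            $u = Get-ADUser -Identity $sid
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Finding        = "Member of both $LogonOnlyGroup and $LogonEncryptGroup"
                Remediation    = "Retire the existing card, then leave the user in $LogonEncryptGroup only"
            }
        }
    }
}

function Test-ProfileTemplateMove {
    # Slide 31: a user may move from the non-encryption template to the
    # encryption template, never the other way. Returns $true when allowed.
    param(
        [Parameter(Mandatory)][string]$FromGroup,
        [Parameter(Mandatory)][string]$ToGroup
    )
    return ($FromGroup -eq $LogonOnlyGroup -and $ToGroup -eq $LogonEncryptGroup)
}

# Usage: list conflicts, then evaluate a proposed move in each direction.
Get-SmartCardGroupConflict | Format-Table -AutoSize
Test-ProfileTemplateMove -FromGroup $LogonOnlyGroup -ToGroup $LogonEncryptGroup
Test-ProfileTemplateMove -FromGroup $LogonEncryptGroup -ToGroup $LogonOnlyGroup
```

Get-ADGroupMember stops at the Web Services default of 5,000 members per group; for a population the size of the one on slide 12 either raise MaxGroupOrMemberEntries on the ADWS hosts or enumerate the group's member attribute directly. The check is a detective control that complements, rather than replaces, the FIM provisioning rule.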

Page 32: 1. Configuring Client Settings Across IE Versions

- Three different versions of Internet Explorer are deployed on MS computers
  - IE 6.0 and IE 8.0 require that the FIM CM portal hostname be in the SiteLock registry key
  - IE 7 requires that the FIM CM portal hostname be in the SiteLock registry key and that the URL be included in Trusted Sites
- FIM CM client software must be automatically deployed to the masses
- Solution involved a custom script that:
  - Detects the IE version and forest
  - Runs the FIM CM Client installer package with options to designate the correct settings required for the IE version and forest
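The slide names the inputs and outputs of the deployment script but not its contents. The block below is an added example, not the presentation's script, showing one way to structure that logic in PowerShell: read the IE major version from the registry, read the current forest from .NET, pick the settings the slide lists for each IE version, then run msiexec. The portal hostnames, the MSI path and the MSI property names are placeholders (the deck does not give them; the real property names come from the FIM CM client package documentation); the Trusted Sites ZoneMap path and the IE version registry key are standard Windows locations.

```powershell
# Added example, not the presentation's deployment script. Facts from the
# slide: IE 6 and 8 need the portal hostname in the SiteLock registry key,
# IE 7 needs SiteLock plus a Trusted Sites entry, and there is one FIM CM
# instance per forest. ASSUMPTIONS: portal hostnames, MSI path and MSI
# property names below are placeholders.

$ErrorActionPreference = 'Stop'

# Placeholder mapping of forest DNS name -> that forest's FIM CM portal.
$PortalByForest = @{
    'corp.example.com' = 'fimcm.corp.example.com'
    'lab.example.com'  = 'fimcm.lab.example.com'
}

function Get-IEMajorVersion {
    # IE records its version here; svcVersion exists from IE 10 on, Version on all releases.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $v = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    return [int]($v.Split('.')[0])
}

function Get-CurrentForestName {
    return [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
}

function Get-ClientSettings {
    param([Parameter(Mandatory)][int]$IEMajor, [Parameter(Mandatory)][string]$Forest)
    if (-not $PortalByForest.ContainsKey($Forest)) { throw "No FIM CM portal mapped for forest '$Forest'" }
    $needsTrustedSite = switch ($IEMajor) {
        6 { $false }
        7 { $true }      # only IE 7 also needs the Trusted Sites entry
        8 { $false }
        default { throw "Unsupported IE version: $IEMajor" }
    }
    return [pscustomobject]@{
        Forest         = $Forest
        Portal         = $PortalByForest[$Forest]
        IEMajor        = $IEMajor
        SiteLock       = $true             # all three versions need the hostname in SiteLock
        AddTrustedSite = $needsTrustedSite
    }
}

function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$HostName)
    # Trusted Sites is zone 2 in the IE ZoneMap. This is the per-user location;
    # use the same path under HKLM when Security_HKLM_only is enforced.
    $labels = $HostName.Split('.')
    if ($labels.Length -lt 2) { throw "Expected a fully qualified hostname, got '$HostName'" }
    $domain = ($labels[-2..-1]) -join '.'
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($labels.Length -gt 2) { $path += '\' + (($labels[0..($labels.Length - 3)]) -join '.') }
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

function Install-FimCmClient {
    param([Parameter(Mandatory)][string]$MsiPath, [Parameter(Mandatory)]$Settings)
    # PLACEHOLDER property names: substitute the ones documented for the FIM CM client MSI.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn',
                 "PORTAL_HOSTNAME=$($Settings.Portal)",
                 "SITELOCK_HOSTNAME=$($Settings.Portal)")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }
    if ($Settings.AddTrustedSite) { Add-TrustedSite -HostName $Settings.Portal }
}

$settings = Get-ClientSettings -IEMajor (Get-IEMajorVersion) -Forest (Get-CurrentForestName)
Install-FimCmClient -MsiPath '\\deploy\fimcm\FimCmClient.msi' -Settings $settings   # placeholder path
```

Keeping the version-to-settings decision in Get-ClientSettings, separate from the registry and msiexec side effects, lets the mapping be reviewed on its own when a new browser version arrives; the throw on an unknown version is deliberate, since silently installing with the wrong SiteLock setting leaves the portal's ActiveX control unusable on that client.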

Page 33: DEMO: Deploying the FIM CM Client Software (Craig Carlston, SE Systems Analyst, Microsoft)

Page 34: Announcing: Deploying FIM 2010 CM with Thales HSMs

http://iss.thalesgroup.com/en/l/program/FIM-eBook.aspx

Page 35: Infrastructure Planning and Design (IPD) Guide: Microsoft Forefront Identity Manager 2010

What are IPD Guides? Guidance and best practices for infrastructure planning of Microsoft technologies.

Forefront Identity Manager 2010 Guide Benefits
- Helps the architect define the project scope by quickly assessing which specific identity management functionality the business needs, and for what resources
- Based on the scope, identifies the FIM infrastructure components required to achieve the project goals
- Determines the sizing, placement, and fault tolerance configuration of the FIM services, portals, and databases

It's a free download! Go to www.microsoft.com/ipd

Check out the entire IPD series for streamlined IT infrastructure planning.

"At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this." Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services

Page 36: Conclusions

- FIM CM will enhance the management of MS IT's smart card deployment
- FIM CM gives MS IT a chance to review all smart card and PKI related policies
- Despite pain points, a customized solution can be developed to work for a large organization such as Microsoft
- Allows future flexibility as requirements change:
  - Adding certificate templates to the deployment is easy
  - Changing workflows is possible if requirements change

Page 37: Related Content

- SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
- SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
- SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
- SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
- SIA304 | Identity and Access Management: Windows Identity Foundation Overview
- SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
- SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
- SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
- SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
- SIA319 | Microsoft Forefront Identity Manager 2010: In Production
- SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
- SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
- SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
- SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
- SIA06-INT | Identity and Access Management Solution Demos
- SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
- SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
- Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

Page 38: Track Resources

Learn more about our solutions: http://www.microsoft.com/forefront

Try our products: http://www.microsoft.com/forefront/trial

Page 39: Resources

- Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources (Learning): www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn

Page 40: Complete an evaluation on CommNet and enter to win!

Page 41: Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

Page 42: © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 43: JUNE 7-10, 2010 | NEW ORLEANS, LA