Hi,

Question regarding the CSPs available for 2008 templates. If I generate a 2003 template, under the 'Request Handling' tab and 'CSP' in the list provided I can enforce 'Request must use one of the following': Microsoft Enhanced Cryptographic Provider V1.0. Duplicating that template, but this time using a 2008 template, under 'Cryptography' there seem to be only two choices: Microsoft Smart Card Key Provider and Microsoft Software Key Storage Provider. So I 'guess' that it's because the ECP v1 was CryptoAPI and SKSP is CNG? A client tool needs ECP or it falls over, so can I do this using a 2k8 template? I say the 2k8 template because there I can enforce a minimum of SHA2 in the Crypto section, whereas I believe using the 2003 template type the client 'could' use SHA-256 or SHA1 depending on its capabilities? Can this be resolved and how? Do I need to rebuild the CA in a particular way (wouldn't have thought so, but...)?

What you configure in the Cryptography tab is related to the client side only. If you select a KSP provider and a SHA2 algorithm, then the client generates the key pair by using the KSP and signs the request with the SHA2 algorithm. However, the issued certificate will be signed by using the default hashing algorithm in the CA settings (by default it is SHA1). That is, the hashing algorithm you configure in the Cryptography tab tells the client which signing algorithm to use for request signing.

My weblog: PowerShell PKI Module: Check out new: tool.
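The distinction the answer draws (template Cryptography tab = what the client does; CA registry = what the CA signs with) can be checked directly. The following PowerShell is an added example, not code from the thread or from the poster's module. It assumes the ActiveDirectory module is available, that the template name below is a placeholder for your own, that the template's request-hash choice is stored in the msPKI-RA-Application-Policies attribute, and that the CA is CNG-based (so its signing hash lives under ca\csp\CNGHashAlgorithm).

```powershell
# Added example (not from the thread): compare what a certificate template asks of
# the client with the hash algorithm the CA itself signs issued certificates with.
# Assumes the ActiveDirectory module and read access to the CA's registry via certutil.
$TemplateName = 'ContosoSHA2User'   # placeholder: substitute your own template name

# Templates are stored in the forest's Configuration partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity $templateDN -Properties `
    'msPKI-Template-Schema-Version', 'pKIDefaultCSPs', 'msPKI-RA-Application-Policies'

# Schema version 2 = Windows Server 2003 template (Request Handling tab lists legacy CSPs),
# 3 = Windows Server 2008 template (Cryptography tab lists KSPs plus a hash algorithm).
"Template schema version  : $($tpl.'msPKI-Template-Schema-Version')"

# 2003 (v2) templates list the allowed CryptoAPI CSPs in pKIDefaultCSPs, e.g.
# "1,Microsoft Enhanced Cryptographic Provider v1.0".
"Allowed legacy CSPs (v2) : $($tpl.pKIDefaultCSPs -join '; ')"

# 2008 (v3) templates keep the provider/hash choices inside msPKI-RA-Application-Policies
# as a backtick-separated string, e.g. ...`msPKI-Hash-Algorithm`PZPWSTR`SHA256`...
# (assumption about the attribute layout; the regexes below parse that form).
$raPolicies = [string]$tpl.'msPKI-RA-Application-Policies'
if ($raPolicies -match 'msPKI-Hash-Algorithm`PZPWSTR`([^`]+)`') {
    "Client request hash (v3) : $($Matches[1])"
}
if ($raPolicies -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)`') {
    "Client key algorithm (v3): $($Matches[1])"
}

# None of the above changes how the CA signs the issued certificate. That is a
# CA-side setting, read here from the CA's registry (CNG-based CA assumed).
certutil -getreg ca\csp\CNGHashAlgorithm

# To have the CA sign issued certificates with SHA-256, set the value on the CA and
# restart the service. Left commented out so the script is read-only by default.
# certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# Restart-Service CertSvc
```

Running the read-only part against a 2003-level template shows pKIDefaultCSPs populated and no v3 hash entry; against a 2008-level template it shows the KSP-era hash the client is told to use. In both cases the certutil line is the only place the CA's own signing hash appears, which is the answer's point: moving to a 2008 template on its own does not produce SHA-2-signed certificates.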
The installation of Microsoft Identity Manager 2016 Certificate Manager (MIM CM) involves a number of steps. To simplify the process, this article breaks them down. There are preliminary steps that must be taken before any actual MIM CM steps; without the preliminary work the installation is likely to fail. The article covers the deployment overview, the pre-deployment steps and the deployment itself.

The diagram below shows an example of the type of environment that may be used. The numbered systems are listed below the diagram and are required to complete the steps covered in this article. All servers run Windows Server 2016 Datacenter:

CORPDC – Domain Controller
CORPCM – MIM CM Server
CORPCA – Certificate Authority
CORPCMR – MIM CM REST API web server (CM portal for the REST API; used later)
CORPSQL1 – SQL Server 2016 SP1
CORPWK1 – Windows 10, domain joined
Deployment overview

Base operating system installation: the lab consists of Windows Server 2016 Datacenter servers.

Note: For more details on the supported platforms for MIM 2016, see the article on supported platforms.

Pre-deployment steps:
Creating service accounts
IIS
Configuring Kerberos
Database-related steps: SQL configuration requirements and database permissions

Deployment

Pre-deployment steps

The MIM CM configuration wizard requires information to be provided along the way in order for it to complete successfully.

Extending the schema: the process of extending the schema is straightforward, but it must be approached with caution because it cannot be reversed.

Note: You will need to add a DNS A record for cm.contoso.com pointing to the CORPCM IP address.

Requiring SSL on the MIM CM portal: it is highly recommended that you require SSL on the MIM CM portal.
If you don't, the wizard will warn you about it.

Enroll for a web server certificate for cm.contoso.com and assign it to the Default Web Site.
Open IIS Manager and navigate to Certificate Management.
In Features View, double-click SSL Settings.
On the SSL Settings page, select Require SSL.
In the Actions pane, click Apply.

Database configuration on CORPSQL for MIM CM

Ensure that you are connected to the CORPSQL01 server and that you are logged on as a SQL DBA. Run the following T-SQL script to allow the CONTOSO\MIMINSTALL account to create the database when we reach the configuration step.

Note: We will need to come back to SQL when we are ready for the exit and policy modules.

CREATE LOGIN [CONTOSO\MIMINSTALL] FROM WINDOWS;
EXEC sp_addsrvrolemember 'CONTOSO\MIMINSTALL', 'dbcreator';
EXEC sp_addsrvrolemember 'CONTOSO\MIMINSTALL', 'securityadmin';

Deployment of Microsoft Identity Manager 2016 Certificate Management

Ensure that you are connected to the CORPCM server and that the MIMINSTALL account is a member of the local Administrators group. Ensure you are logged on as CONTOSO\MIMINSTALL.
Mount the Microsoft Identity Manager SP1 ISO.
Open the Certificate Management\x64 directory.
In the x64 window, right-click Setup, and then click Run as administrator.
On the Welcome to the Microsoft Identity Manager Certificate Management Setup Wizard page, click Next.
On the End-User License Agreement page, read the agreement, select the I accept the terms in the license agreement check box, and then click Next.
On the Custom Setup page, make sure the MIM CM Portal and MIM CM Update Service components are set to be installed, and then click Next.
On the Virtual Web Folder page, ensure that the Virtual folder name is CertificateManagement, and then click Next.
On the Install Microsoft Identity Manager Certificate Management page, click Install.
On the Completed the Microsoft Identity Manager Certificate Management Setup Wizard page, click Finish.

Configuration Wizard of Microsoft Identity Manager 2016 Certificate Management

Before logging on to CORPCM, add MIMINSTALL to the Domain Admins, Schema Admins and local Administrators groups for the configuration wizard. These memberships can be removed once configuration is complete.

From the Start menu, click Certificate Management Config Wizard and run it as administrator.
On the Welcome to the Configuration Wizard page, click Next.
On the CA Configuration page, ensure that the selected CA is Contoso-CORPCA-CA and that the selected server is CORPCA.CONTOSO.COM, and then click Next.
On the Set up the Microsoft SQL Server Database page, in the Name of SQL Server box, type CORPSQL1, select the Use my credentials to create the database check box, and then click Next.
On the Database Settings page, accept the default database name of FIMCertificateManagement, ensure that SQL integrated authentication is selected, and then click Next.
On the Set up Active Directory page, accept the default name provided for the service connection point, and then click Next.
On the Authentication method page, confirm that Windows Integrated Authentication is selected, and then click Next.
On the Agents – FIM CM page, clear the Use the FIM CM default settings check box, and then click Custom Accounts.
In the Agents – FIM CM multi-tabbed dialog box, on each tab, type the following information:
User name: Update
Password: Pass@word1
Confirm Password: Pass@word1
Use an existing user: Enabled

Note: We created these accounts earlier. Make sure that the procedures in step 8 are repeated for all six agent account tabs.

When all agent account information is complete, click OK.
On the Agents – MIM CM page, click Next.
On the Set up server certificates page, enable the following certificate templates:
Certificate template to be used for the recovery agent (Key Recovery Agent) certificate: MIMCMKeyRecoveryAgent
Certificate template to be used for the FIM CM Agent certificate: MIMCMSigning
Certificate template to be used for the enrollment agent certificate: FIMCMEnrollmentAgent
On the Set up server certificates page, click Next.
On the Setup E-mail Server, Document Printing page, in the Specify the name of the SMTP server you want to use to e-mail registration notifications box, type the SMTP server name, and then click Next.
On the Ready to configure page, click Configure.
In the Configuration Wizard – Microsoft Forefront Identity Manager 2010 R2 warning dialog box, click OK to acknowledge that SSL is not enabled on the IIS virtual directory.

Note: Do not click the Finish button until the configuration wizard has finished executing. The wizard log can be found at %programfiles%\Microsoft Forefront Identity Management 2010\Certificate Management\config.log.

Click Finish.
Close all open windows.
Add the portal site to the Local intranet zone in your browser, and then visit the site from the CORPCM server.

Verify the CNG Key Isolation service
From Administrative Tools, open Services.
In the details pane, double-click CNG Key Isolation.
On the General tab, change the Startup Type to Automatic.
On the General tab, start the service if it is not already started.
On the General tab, click OK.

Installing and configuring the CA modules

In this step, we will install and configure the FIM CM CA modules on the certification authority.

Configure FIM CM to only inspect user permissions for management operations
In the C:\Program Files\Microsoft Forefront Identity Manager 2010\Certificate Management\web window, make a copy of web.config, naming the copy web.1.config.
In the web window, right-click web.config, and then click Open.
Note: The web.config file opens in Notepad.
When the file opens, press CTRL+F.
In the Find and Replace dialog box, in the Find what box, type UseUser, and then click Find Next three times.
Close the Find and Replace dialog box. You should now be on the third matching line. Change the line to read. Close the file, saving all changes.

Create an account for the CA computer at the SQL server
Ensure that you are connected to the CORPSQL01 server and that you are logged on as a DBA.
From the Start menu, launch SQL Server Management Studio.
In the Connect to Server dialog box, in the Server name box, type CORPSQL01, and then click Connect.
In the console tree, expand Security, and then click Logins.
Right-click Logins, and then click New Login.
On the General page, in the Login name box, type contoso\CORPCA$ and select Windows Authentication. In the Default database box, select FIMCertificateManagement.
In the left pane, select User Mapping.
In the right pane, select the check box in the Map column beside FIMCertificateManagement.
In the Database role membership for: FIMCertificateManagement list, select the clmApp role.
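Both SQL steps in this guide (the pre-install login for the installer account, and the post-install login for the CA's machine account mapped to clmApp) are shown here as one idempotent script. This is an added example, not part of the guide; it assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed on the host you run it from, that you hold sysadmin or equivalent rights on CORPSQL01, and it uses the account, server and database names the guide uses.

```powershell
# Added example (not from the guide): the two SQL login steps of this article as a
# re-runnable script. Assumes the SqlServer module (Invoke-Sqlcmd) and DBA rights.
$SqlServer  = 'CORPSQL01'
$Database   = 'FIMCertificateManagement'
$Installer  = 'CONTOSO\MIMINSTALL'   # account that runs the configuration wizard
$CaComputer = 'CONTOSO\CORPCA$'      # the CA's machine account (note the trailing $)

# Step 1 (run BEFORE the configuration wizard): let the installer create the database.
# dbcreator and securityadmin are server-level roles, so this batch runs in master.
$preInstall = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Installer')
    CREATE LOGIN [$Installer] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$Installer];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$Installer];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database master -Query $preInstall

# Step 2 (run AFTER the wizard has created the database): the exit and policy modules
# on the CA connect with Integrated Security as the CA computer, so that machine
# account needs a login, a user in the CM database and membership of clmApp only.
$postInstall = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$CaComputer')
    CREATE LOGIN [$CaComputer] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$CaComputer')
    CREATE USER [$CaComputer] FOR LOGIN [$CaComputer];
ALTER ROLE [clmApp] ADD MEMBER [$CaComputer];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database master -Query $postInstall

# Verification: list every database role the CA account holds. Expect exactly one
# row, clmApp; anything broader (db_owner etc.) is more than the modules need.
$check = @"
SELECT dp.name AS principal_name, r.name AS role_name
FROM   sys.database_role_members rm
JOIN   sys.database_principals dp ON dp.principal_id = rm.member_principal_id
JOIN   sys.database_principals r  ON r.principal_id  = rm.role_principal_id
WHERE  dp.name = N'$CaComputer';
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $check | Format-Table -AutoSize
```

The IF NOT EXISTS guards make the script safe to run twice, and the final query is the check worth keeping: the machine account should appear once, in clmApp, and the installer account's dbcreator/securityadmin membership can be dropped once the wizard has finished.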
Close Microsoft SQL Server Management Studio.

Install the FIM CM CA modules on the Certification Authority
Ensure that you are connected to the CORPCA server.
In the x64 window, right-click Setup.exe, and then click Run as administrator.
On the Welcome to the Microsoft Identity Manager Certificate Management Setup Wizard page, click Next.
On the End-User License Agreement page, read the agreement, select the I accept the terms in the license agreement check box, and then click Next.
On the Custom Setup page, select MIM CM Portal, and then click This feature will not be available.
On the Custom Setup page, select MIM CM Update Service, and then click This feature will not be available.
Note: This leaves MIM CM CA Files as the only feature enabled for the installation.
On the Custom Setup page, click Next.
On the Install Microsoft Identity Manager Certificate Management page, click Install.
On the Completed the Microsoft Identity Manager Certificate Management Setup Wizard page, click Finish.
Close all open windows.

Configure the MIM CM Exit Module
From Administrative Tools, open Certification Authority.
In the console tree, right-click contoso-CORPCA-CA, and then click Properties.
On the Exit Module tab, select FIM CM Exit Module, and then click Properties.
In the Specify the CM database connection string box, type Connect Timeout=15;Persist Security Info=True; Integrated Security=sspi;Initial Catalog=FIMCertificateManagement;Data Source=CORPSQL01
Leave the Encrypt the Connection String check box selected, and then click OK.
In the Microsoft FIM Certificate Management message box, click OK.
In the contoso-CORPCA-CA Properties dialog box, click OK.
Right-click contoso-CORPCA-CA, point to All Tasks, and then click Stop Service. Wait until Active Directory Certificate Services stops.
Right-click contoso-CORPCA-CA, point to All Tasks, and then click Start Service.
Minimize the Certification Authority console.
From Administrative Tools, open Event Viewer.
In the console tree, expand Applications and Services Logs, and then click FIM Certificate Management.
In the list of events, verify that the latest events do not include any Warning or Error events since the last restart of Certificate Services.
Note: The last event should state that the Exit Module loaded using settings from SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ContosoRootCA\ExitModules\Clm.Exit.
Minimize the Event Viewer.
Copy the MIMCMAgent certificate's thumbprint to the Windows clipboard
Restore the Certification Authority console.
In the console tree, expand contoso-CORPCA-CA, and then click Issued Certificates.
In the details pane, double-click the certificate with CONTOSO\MIMCMAgent in the Requester Name column and FIM CM Signing in the Certificate Template column.
On the Details tab, select the Thumbprint field.
Select the thumbprint, and then press CTRL+C.
Open Notepad, paste the thumbprint, open the Replace dialog box (CTRL+H), enter a single space in the Find what box, leave the Replace with box empty, and then click Replace All.
Note: This removes all of the spaces between the characters in the thumbprint.
In the Replace dialog box, click Cancel.
Select the converted thumbprint string, and then press CTRL+C.
Close Notepad without saving changes.

Configure the FIM CM Policy Module
Restore the Certification Authority console.
Right-click contoso-CORPCA-CA, and then click Properties.
In the contoso-CORPCA-CA Properties dialog box, on the Policy Module tab, click Properties.
On the General tab, ensure that Pass non-FIM CM requests to the default policy module for processing is selected.
On the Signing Certificates tab, click Add.
In the Certificate dialog box, right-click the Please specify hex-encoded certificate hash box, and then click Paste.
In the Certificate dialog box, click OK.
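The thumbprint that the policy module needs is the SHA-1 hash of the agent's signing certificate, which the CA console displays with a space between each byte. The following PowerShell is an added example, not part of the guide: it reads the same value from the CA database with certutil, strips the spaces and validates the result before placing it on the clipboard, replacing the Notepad steps above. It assumes the requester name the guide uses, that it is run on the CA (certutil's -config switch is the alternative), that certutil -view prints each hash as Certificate Hash: "..." and that Disposition=20 selects issued certificates.

```powershell
# Added example (not from the guide): fetch the MIM CM agent's signing certificate
# thumbprint from the CA database and normalise it for the policy module dialog.
# Run on the CA; from another host add: -config "CORPCA\contoso-CORPCA-CA".
$Requester = 'CONTOSO\MIMCMAgent'

# Restrict rows to this requester's issued certificates (assumption: Disposition 20 =
# issued). The template column holds an OID for v2+ templates, so it is shown rather
# than filtered on; check it in the output before trusting the hash.
$rows = certutil -view -restrict "RequesterName=$Requester,Disposition=20" `
                -out "RequestID,CertificateTemplate,CertificateHash,NotAfter"

# Assumed output layout: one line per value, e.g.  Certificate Hash: "ab cd ef ..."
$hashes = @()
foreach ($line in $rows) {
    if ($line -match 'Certificate Hash:\s*"([0-9A-Fa-f ]+)"') {
        $hashes += $Matches[1]
    }
}

function ConvertTo-Thumbprint {
    # Remove the spaces the CA console inserts and check that what is left is a
    # SHA-1 hash (20 bytes = 40 hex digits), which is what the dialog expects.
    param([string]$DisplayedHash)
    $t = ($DisplayedHash -replace '\s', '').ToUpperInvariant()
    if ($t -notmatch '^[0-9A-F]{40}$') {
        throw "Not a SHA-1 thumbprint: '$DisplayedHash'"
    }
    return $t
}

if ($hashes.Count -eq 0) { throw "No issued certificate found for $Requester" }

# Rows come back in RequestID order, so the last match is the newest certificate.
$thumbprint = ConvertTo-Thumbprint ($hashes | Select-Object -Last 1)
"$Requester signing certificate thumbprint: $thumbprint"

# Ready for the Please specify hex-encoded certificate hash box: right-click, Paste.
Set-Clipboard -Value $thumbprint
```

The validation step is the part worth keeping even if you copy the value by hand: a thumbprint that still contains spaces, or that is not 40 hex digits, is the usual reason the Signing Certificates entry is rejected or silently matches nothing.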