Management of PKI, certificates and smartcards with Forefront Identity Manager 2010 (FIM CM)

• Fredrik “DXter” Jonsson, Steria – Blog: http://poweradmin.se

• Hasain Alshakarti, TrueSec – Blog: http://secadmins.com

• Göran Melvås, Cortego/Techta – Blog: N/A


Benefits of FIM CM

• Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA)

• Improved overall process workflow

– New Card Enroll

– Lost Card Replace

– Card Retire

– Certificate Renewal

• Detailed auditing and reporting

• Support for extended self-service scenarios

• PIN unblocks with user’s credentials

• Integration with Active Directory and PKI

• Does not perform an “RFC-based” renewal (one signed with the existing certificate), so a certificate can still be renewed after it has expired


Smart Cards, Readers, and Middleware

Smart Cards

• Custom-built hybrid cards

• Photo ID

• Indala RFID cards for building access

• Gemalto smart card chip

– 128K .NET v2 cards (current standard)

– Legacy cards (all Base CSP cards)

Middleware

• Microsoft Base Smart Card Crypto Provider

• Mini-drivers specific to the actual cards used

Smart Card Readers

• Built-in readers in our laptops

• If there is no built-in reader:

– Omnikey

– Gemalto


Normal User Account Enrollment Workflow (flowchart)

Normal User Account Replacement Workflow (flowchart)

Unblock Workflow (flowchart)

FIM 2010 CM Limitations

• FIM 2010 CM does not support multiple forests.

• Restrictions are only effective within Profile Templates; they are not FIM CM-wide.

• FIM CM has no support for V3 (Windows Server 2008 / CNG) certificate templates, including the CNG-based algorithms such as SHA-256 and Elliptic Curve Cryptography (ECC).

• No “auto-enrollment” support for computer certificates (supply request only).

• No native support for third-party operating systems or browsers.

• Limited card and CSP support (Base CSP and mini-driver based cards preferred).
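A practitioner check that follows from two points above, the centralized EA/KRA benefit and the V3/CNG template limitation, is to find out, before building FIM CM profile templates, which AD certificate templates are V1/V2 (manageable by FIM 2010 CM), which require an Enrollment Agent signature, and which require key archival (so a Key Recovery Agent must be configured on the CA). The PowerShell below is an added example written for this page, not code from the slides or from FIM CM. It reads the template objects from the forest's Configuration partition over ADSI using the documented attributes msPKI-Template-Schema-Version, msPKI-RA-Signature and msPKI-Private-Key-Flag; it assumes a domain-joined Windows host and a user allowed to read the Configuration naming context (authenticated users can, by default). The function and variable names are the example's own.

```powershell
# Added example, not part of the original slides. Enumerates the certificate
# templates in the forest's Configuration partition and flags the attributes
# that matter when deciding which templates can go into a FIM CM profile template:
#   msPKI-Template-Schema-Version  1/2 = V1/V2 template; 3/4 = V3/V4 (CNG) template,
#                                  which the limitations slide says FIM 2010 CM cannot manage
#   msPKI-RA-Signature             number of Enrollment Agent (RA) signatures required
#   msPKI-Private-Key-Flag         bit 0x1 = CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL,
#                                  i.e. a Key Recovery Agent must be configured on the CA
# Assumption: runs on a domain-joined Windows host as a user who can read the
# Configuration naming context.

$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1

# Read an integer attribute from a search result, treating "absent" as 0
# (older V1 templates do not always carry every msPKI-* attribute).
function Get-TemplateInt {
    param(
        [System.DirectoryServices.ResultPropertyCollection]$Props,
        [string]$Name
    )
    if ($Props.Contains($Name) -and $Props[$Name].Count -gt 0) {
        return [int]$Props[$Name][0]
    }
    return 0
}

function Get-CertificateTemplateReport {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    $root     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'cn', 'displayName', 'msPKI-Template-Schema-Version',
        'msPKI-RA-Signature', 'msPKI-Private-Key-Flag'))

    foreach ($result in $searcher.FindAll()) {
        $p       = $result.Properties
        $schema  = Get-TemplateInt $p 'msPKI-Template-Schema-Version'
        $raSigs  = Get-TemplateInt $p 'msPKI-RA-Signature'
        $pkFlags = Get-TemplateInt $p 'msPKI-Private-Key-Flag'

        [pscustomobject]@{
            Template        = [string]$p['cn'][0]
            DisplayName     = [string]$p['displayName'][0]
            SchemaVersion   = $schema
            FimCmManageable = ($schema -le 2)   # V1/V2 only, per the limitations above
            EASignatures    = $raSigs           # > 0: request must be co-signed by an EA
            KeyArchival     = [bool]($pkFlags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
        }
    }
}

$report = Get-CertificateTemplateReport

# Full overview, sorted so the V3/V4 templates land at the bottom.
$report | Sort-Object SchemaVersion, Template | Format-Table -AutoSize

# Templates FIM 2010 CM cannot manage: exclude them from profile templates, or
# recreate the equivalent as V2 templates on the CA.
$report | Where-Object { -not $_.FimCmManageable } |
    Select-Object Template, DisplayName, SchemaVersion | Format-Table -AutoSize
```

Templates with EASignatures greater than 0 are the ones whose enrollment the centralized Enrollment Agent in FIM CM signs on the user's behalf; templates with KeyArchival set only work if the issuing CA already has a Key Recovery Agent certificate configured, which is what lets FIM CM recover a key for the lost-card replacement workflow.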