
Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 Integration

Microsoft Corporation

Published: June 2011

Author: Bill Mathers

Acknowledgements

Special thanks to the following people for reviewing and providing invaluable feedback for this document:

Abstract

This document will assist architects, consultants, system engineers, and system administrators in deploying Microsoft® Forefront® Identity Manager 2010 Certificate Management with constrained delegation and Update 1 in a test lab environment that also contains Microsoft® Forefront® Identity Manager 2010.


Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Forefront, MSDN, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1 and FIM 2010
    In This Guide
    Test Lab Overview
    Hardware and Software Requirements
    Steps for Configuring the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 Test Lab
Step 1: Set Up the Base Configuration Test Lab
Step 2: Set Up the Exchange Server 2010 with Service Pack 1 Test Lab
Step 3: Set Up the SQL Server 2008 Enterprise with Service Pack 2 Test Lab
Step 4: Set up the Forefront Identity Manager 2010 Test Lab
Step 5: Configure FIMCM1
    Install Windows Server 2008 R2 on FIMCM1
    Configure TCP/IP Properties on FIMCM1
    Rename and Join the Domain on FIMCM1
Step 6: Install FIM CM Prerequisite Software
    Install the .NET Framework 3.5.1 and IIS 7.5 on FIMCM1
Step 7: Perform FIM CM Prerequisite Tasks
    Create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates
    Publish the copied certificate templates
    Extend the Active Directory Schema
    Create the FIM CM Service Accounts
    Disable Internet Explorer Enhanced Security for Administrators on FIMCM1
    Implement Secure Sockets Layer (SSL) for the FIM CM Web Portal
Step 8: Install FIM CM
    Install the FIM CM binaries on FIMCM1
    Install the FIM CM binaries on DC1
    Run the FIM CM Configuration Wizard
    Install the FIM CM Update 1 on FIMCM1
    Install the FIM CM Update 1 on DC1
Step 9: Perform FIM CM Post-Installation Tasks
    Configure the FIM CM Server for delegation
    Configure the FIM CM Web Pool Agent for delegation
    Configure IIS for Kerberos Delegation
    Verify the SPNs on the FIM CM Web Pool Agent Account
    Allow DC1 to access the FIM CM database on APP1
    Obtain the FIM CM Agent account hash
    Configure FIM CM Exit Module on DC1
    Configure FIM CM Policy Module on DC1
    Add the FIM CM Web Portal URL to Local Intranet Sites for CORP\Administrator
Step 10: Verify the Installation
    Verify the Build Numbers of the FIM CM Policy Module
    Verify the Build Numbers of the FIM CM binaries
    Verify the CA is in the CertificateAuthority SQL Table
    Obtain a certificate for the Administrator


Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1 and FIM 2010

The Forefront Identity Manager 2010 Certificate Management (FIM CM) component provides enterprise-grade certificate and smart card management capabilities for centralized or highly distributed enterprises. It allows security and system administrators to apply certificate management policies consistently across a wide range of certificate uses and to a diverse user base of clients.

FIM CM provides the following certificate and smart card management capabilities:

Single administration point for digital certificates and smart cards: FIM CM provides a web-based management portal through which administrators manage and administer certificates and smart cards.

User self-service: The FIM CM portal also lets users perform the self-registration process or basic certificate and smart card lifecycle management tasks, such as requesting new certificates or performing PIN resets.

Configurable policy-based workflows for common tasks: FIM CM provides the ability to apply policies against common certificate and smart card management tasks from any given certificate or grouping of certificates through the use of profile templates. Profile templates provide a common set of policies for certificate enrollment, renewal, update, recovery, revocation and retirement. In addition, specialized policies have been created to handle lifecycle management challenges related to the management of smart cards such as temporary issuance of smart cards, smart card duplication, personalization and retirement.

Detailed auditing and reporting: FIM CM provides a comprehensive set of reports for common reporting tasks. “Out-of-the-Box” reports include: certificate usage, certificate expiry summary report, smart card report, request report, certificate template settings report, profile template settings report, certificate template usage report, certificate revocation list report and smart card history reports. Granular auditing of all FIM CM tasks is also available to the administrator through the web-based management interface.

Support for centralized, de-centralized and self-service scenarios: FIM CM’s role and permissions architecture provides for a fine-grained level of control. This allows for configurations that support centralized or de-centralized administration and management through designated accounts. It also provides for user self-service scenarios where users are delegated specific permissions to perform their own self-management tasks.

Tightly integrated with Certificate Services and Active Directory: FIM CM is tightly integrated with underlying Microsoft technologies, including the two Windows Server components Active Directory Certificate Services and Active Directory Domain Services. The FIM CM component integrates with Certificate Services by acting as a higher-level management interface (commonly referred to as a Registration Authority or RA) between administrators and certificate services through the use of FIM CM policy and exit modules. This allows FIM CM to perform all day-to-day certificate management tasks that would previously be performed through the Certificate Services MMC. Integration with Active Directory is supported by extending the schema to support FIM CM objects and permissions. This allows enterprises to leverage existing infrastructure to the fullest extent and to extend the functionality of their existing investment.

In This Guide

This guide contains instructions for setting up the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab. This is achieved by deploying Forefront Identity Manager 2010 Certificate Management on one new server computer, using the environment that was built out in the preceding test lab guides. The resulting test lab demonstrates and verifies the installation. Future test lab guides will demonstrate the functionality of FIM CM and how FIM and FIM CM work together to provide identity and certificate management.

The following instructions are for configuring a Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab using a scaled-out deployment; that is, the FIM CM Portal and the FIM CM database do not reside on the same server. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Attempting to adapt this Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation for your pilot or production Forefront Identity Manager 2010 Certificate Management deployment, use the information in Deployment (http://go.microsoft.com/fwlink/?LinkId=210866).

Test Lab Overview

In this test lab, Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 is deployed with:

One computer running the FIM CM Portal named FIMCM1. FIMCM1 uses the Windows Server® 2008 R2 Enterprise Edition operating system.

One preexisting server running SQL Server® 2008 Enterprise with Service Pack 2, named APP1.

Important

One preexisting server running Microsoft Exchange Server 2010 with Service Pack 1, named EX1.

One preexisting client running Windows® 7 Ultimate Edition named CLIENT1.

One preexisting server running Microsoft Forefront Identity Manager 2010 with Update 1, named FIM1.

One preexisting server running Windows Server® 2008 R2 Enterprise Edition, named DC1.

The Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab uses the following subnet:

The intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24).

Computers on each subnet connect using a hub or switch. See the following figure.

This test lab will guide you through the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 installation process. The purpose of this test lab is to allow for the creation of a basic test lab environment that consists of Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010. This test lab guide can be used as a building block for additional test lab guides that demonstrate increased functionality or additional features of Forefront Identity Manager 2010 Certificate Management.


Hardware and Software Requirements

The following are required components of the test lab:

The product disc or files for Windows Server 2008 R2 Enterprise Edition.
The product disc or files for Forefront Identity Manager 2010.
The files for Forefront Identity Manager 2010 Certificate Management Update (KB978864).

The following table provides a summary of the Microsoft software that is used in this guide.

Software: Forefront Identity Manager 2010
Additional information: Forefront Identity Manager 2010 (http://go.microsoft.com/fwlink/?LinkId=204577).

Software: Forefront Identity Manager 2010 Certificate Management Update (KB978864)
Additional information: This is a recommended update for the RTM of Forefront Identity Manager 2010 Certificate Management. This release provides additional product fixes since the last update release. (http://go.microsoft.com/fwlink/?LinkId=20457)

Steps for Configuring the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 Test Lab

There are ten steps to follow when setting up the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab.

Step 1: Set up the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.

Step 2: Set up the Exchange Server 2010 with Service Pack 1 Test Lab Guide (TLG)—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for FIM CM.

Step 3: Set up the SQL Server 2008 Enterprise with Service Pack 2 TLG—The third step is to complete the SQL Server 2008 Enterprise with Service Pack 2 test lab guide. This provides the database server for your FIM CM installation.

Step 4: Set up the Forefront Identity Manager 2010 TLG—The fourth step is to complete the Forefront Identity Manager 2010 test lab guide. This provides FIM to the test lab environment.

Step 5: Configure FIMCM1—The fifth step includes installing the operating system, and then configuring and joining FIMCM1 to the domain.


Step 6: Install FIM CM Prerequisite Software—The sixth step walks you through installing prerequisite software.

Step 7: Perform FIM CM Prerequisites Tasks—The seventh step includes performing prerequisite tasks.

Step 8: Install FIM CM—The eighth step includes performing installation tasks and running the configuration wizard.

Step 9: Perform FIM CM Post-Installation Tasks—The ninth step includes performing post-installation tasks.

Step 10: Verify the Installation—The tenth step includes verifying that the installation was successful.

This guide provides steps for configuring the computers of Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab. The following sections provide details about how to perform these tasks.

Step 1: Set Up the Base Configuration Test Lab

Set up the Base Configuration test lab for both the Corpnet and Internet subnets using the procedures in the “Steps for Configuring the Corpnet Subnet” and “Steps for Configuring the Internet Subnet” sections of the Test Lab Guide: Base Configuration (http://go.microsoft.com/fwlink/?LinkId=198140).

Step 2: Set Up the Exchange Server 2010 with Service Pack 1 Test Lab

Set up the Exchange Server 2010 with Service Pack 1 test lab using the procedures outlined in Test Lab Guide: Exchange Server 2010 with Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=206341).

Step 3: Set Up the SQL Server 2008 Enterprise with Service Pack 2 Test Lab

Set up the SQL Server 2008 Enterprise with Service Pack 2 test lab using the procedures outlined in Test Lab Guide: SQL Server 2008 Enterprise with Service Pack 2 (http://go.microsoft.com/fwlink/?LinkID=207698).


Step 4: Set up the Forefront Identity Manager 2010 Test Lab

Set up the Forefront Identity Manager 2010 test lab using the procedures outlined in Test Lab Guide: Forefront Identity Manager 2010 (http://go.microsoft.com/fwlink/?LinkID=205228).

Step 5: Configure FIMCM1

FIMCM1 configuration for the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab consists of the following:

Install Windows Server 2008 R2 on FIMCM1
Configure TCP/IP Properties on FIMCM1
Rename and Join the Domain on FIMCM1

Install Windows Server 2008 R2 on FIMCM1

Install the Windows Server 2008 R2 operating system on FIMCM1.

To install Windows Server 2008 R2 on FIMCM1

1. Start the installation of Windows Server 2008 R2.
2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition (full installation) and a strong password for the local Administrator account.
3. Once the installation completes, log on using the local Administrator account.
4. Connect FIMCM1 to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2008 R2.
5. Once the updates are complete, restart FIMCM1 and log on as the local Administrator.

Configure TCP/IP Properties on FIMCM1

Configure the TCP/IP properties on FIMCM1 so that it can join the corp.contoso.com domain.

To configure the TCP/IP properties on FIMCM1

1. In Initial Configuration Tasks, click Configure networking.
2. In the Network Connections window, right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Select Use the following IP address. In IP address, type 10.0.0.11. In Subnet mask, type 255.255.255.0. In Default Gateway, type 10.0.0.1. In Preferred DNS server, type 10.0.0.1.
5. Click Advanced, and then click the DNS tab. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.
6. Close the Network Connections window and leave the Initial Configuration Tasks window open.
7. To check name resolution and network communication between FIMCM1 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.
8. In the Command Prompt window, type the following text: ping dc1.corp.contoso.com
9. Verify that there are four replies from 10.0.0.1.
10. Close the Command Prompt window.

Rename and Join the Domain on FIMCM1

Now, rename FIMCM1 and join it to the corp.contoso.com domain.

To rename FIMCM1 and join the corp.contoso.com domain

1. In Initial Configuration Tasks, click Provide Computer Name and Domain.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In Computer Name, type the following text: FIMCM1. In Member of, click Domain, and then type the following text: corp.contoso.com
4. Click OK.
5. When you are prompted for a user name and password, type User1 and its password, and then click OK.

Note
You can also use the CORP\Administrator account to join FIMCM1 to the domain.

6. When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.
7. When you are prompted that you must restart the computer, click OK.
8. On the System Properties dialog box, click Close.
9. When you are prompted to restart the computer, click Restart Now.
10. After the computer restarts, click Switch User, and then click Other User and log on to the CORP domain with the Administrator account.
11. In Initial Configuration Tasks, click Do not show this window at logon, and then click Close.
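The same Step 5 configuration can be applied without the GUI. The following PowerShell script is an added example and is not part of the original guide: it sets the static addressing, runs the DC1 reachability check (four replies from 10.0.0.1), and then renames and joins FIMCM1. It assumes the Base Configuration addressing used throughout this lab (DC1 and DNS at 10.0.0.1, FIMCM1 at 10.0.0.11) and PowerShell 2.0 on Windows Server 2008 R2, which is why it uses WMI for the adapter settings rather than the later NetTCPIP cmdlets, and why the rename and the join take separate restarts.

```powershell
# Added example, not from the original guide: Step 5 (TCP/IP settings, DC1 check,
# rename and domain join) for FIMCM1 from an elevated PowerShell 2.0 prompt.
# Assumes the lab addressing: DC1/DNS 10.0.0.1, gateway 10.0.0.1, FIMCM1 10.0.0.11.
$domain  = 'corp.contoso.com'
$newName = 'FIMCM1'

function Assert-Wmi($result, [string]$what) {
    # WMI configuration methods report success as ReturnValue 0 (1 = reboot required)
    if ($result.ReturnValue -ne 0 -and $result.ReturnValue -ne 1) {
        throw "$what failed with return code $($result.ReturnValue)"
    }
}

# 1. Static IPv4 address, mask, gateway, DNS server and connection-specific suffix
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Select-Object -First 1
Assert-Wmi ($nic.EnableStatic('10.0.0.11', '255.255.255.0')) 'EnableStatic'
Assert-Wmi ($nic.SetGateways('10.0.0.1', 1))                 'SetGateways'
Assert-Wmi ($nic.SetDNSServerSearchOrder('10.0.0.1'))        'SetDNSServerSearchOrder'
Assert-Wmi ($nic.SetDNSDomain($domain))                      'SetDNSDomain'

# 2. Name resolution and reachability: the guide expects four replies from 10.0.0.1
$replies = Test-Connection -ComputerName "dc1.$domain" -Count 4 -ErrorAction Stop
$fromDc1 = @($replies | Where-Object { $_.IPV4Address.IPAddressToString -eq '10.0.0.1' })
if ($fromDc1.Count -ne 4) {
    throw "Expected 4 replies from 10.0.0.1 for dc1.$domain, got $($fromDc1.Count)"
}

# 3. Rename, then join. PowerShell 2.0's Add-Computer has no -NewName, so the rename
#    is done first and the script is rerun after the restart to perform the join.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.Name -ne $newName) {
    Assert-Wmi ($cs.Rename($newName)) 'Rename'
    Write-Output "Renamed to $newName; restarting. Rerun this script to join $domain."
    Restart-Computer -Force
    return
}
if (-not $cs.PartOfDomain) {
    # User1 is the account the guide uses; CORP\Administrator also works.
    Add-Computer -DomainName $domain -Credential (Get-Credential 'CORP\User1') -ErrorAction Stop
    Write-Output "Joined $domain; restarting."
    Restart-Computer -Force
}
```

The script is safe to rerun: the addressing calls are idempotent, the rename is skipped once the name matches, and the join is skipped once PartOfDomain is true. The reachability check is deliberately strict about the reply address so that a stale DNS entry answering from some other host does not pass as success.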


Step 6: Install FIM CM Prerequisite Software

FIMCM1 prerequisite software for the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab consists of the following:

Install the .NET Framework 3.5.1 and Internet Information Services (IIS) 7.5 on FIMCM1.

Install the .NET Framework 3.5.1 and IIS 7.5 on FIMCM1

Install the .NET Framework 3.5.1 and IIS 7.5 on FIMCM1.

To install the .NET Framework 3.5.1 and IIS 7.5

1. In Server Manager, on the left, click Features and on the right, click Add Features. This launches the Add Features Wizard at the Select Features page.
2. Scroll down the list of features and select .NET Framework 3.5.1. A dialog box asks to install Web Server (IIS). Click Add Required Role Services; the dialog box closes. Click Next.
3. On the Web Server (IIS) page, click Next.
4. On the Role Services page, select every item listed in Tables 1 and 2 below.

Note
When you select ASP.NET, a pop-up box titled Add features required for Web Server (IIS) appears. Click Add Required Features. This automatically selects ISAPI Extensions, ISAPI Filters, and .NET Extensibility, and adds the .NET Environment to the Windows Process Activation Service.

5. On the Confirm Installation Selections page, click Install. When the installation completes, the Installation Results page appears. Click Close.

[Screenshot: Installation Results]

Table 1 Required IIS 7.5 Web Server Role Services

Role service: Common HTTP Features
Required features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection

Role service: Application Development
Required features: ASP.NET, .NET Extensibility, ISAPI Extensions, ISAPI Filters

Role service: Health and Diagnostics
Required features: HTTP Logging, Request Monitor

Role service: Security
Required features: Basic Authentication, Windows Authentication, Request Filtering

Role service: Performance
Required features: Static Content Compression, Dynamic Content Compression

Table 2 Required IIS 7.5 Management Tools Role Services

Role service: IIS Management Console
Required features: IIS Management Console

Role service: IIS 6 Management Compatibility
Required features: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, IIS 6 Scripting Tools, IIS 6 Management Console
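Server Manager exposes the same role services to PowerShell. The following script is an added example and is not part of the original guide: it installs .NET Framework 3.5.1 and every role service in Tables 1 and 2 with Add-WindowsFeature and then verifies that nothing is missing. It assumes the ServerManager module of Windows Server 2008 R2; the feature names are Server Manager's identifiers for the items in the tables.

```powershell
# Added example, not part of the original guide: installs the Step 6 prerequisites on
# FIMCM1 from an elevated PowerShell prompt instead of the Add Features wizard.
# Assumes Windows Server 2008 R2 (ServerManager module, PowerShell 2.0).
Import-Module ServerManager

$features = @(
    'NET-Framework-Core',                                   # .NET Framework 3.5.1
    # Table 1: Web Server (IIS) role services
    'Web-Server',
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing',
    'Web-Http-Errors', 'Web-Http-Redirect',                 # Common HTTP Features
    'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', # Application Development
    'Web-Http-Logging', 'Web-Request-Monitor',              # Health and Diagnostics
    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Filtering',  # Security
    'Web-Stat-Compression', 'Web-Dyn-Compression',          # Performance
    # Table 2: management tools
    'Web-Mgmt-Console',
    'Web-Mgmt-Compat', 'Web-Metabase', 'Web-WMI',
    'Web-Lgcy-Scripting', 'Web-Lgcy-Mgmt-Console'
)

$result = Add-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "Feature installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before continuing with Step 7.'
}

# Verification: every required feature must now report Installed.
$missing = @(Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ('Not installed: ' + (($missing | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Output 'All FIM CM prerequisite features are installed.'
}
```

One of these selections deserves a caveat. Basic Authentication sends the user's password in an easily reversible encoding on every request, so the FIM CM portal must only be reached over SSL; that is why a later task in Step 7 implements SSL for the portal, and the site should not be exposed on plain HTTP once it is in use.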

Step 7: Perform FIM CM Prerequisite Tasks

FIMCM1 prerequisite tasks for the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 test lab consist of the following:

Create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates
Publish the copied certificate templates
Extend the Active Directory Schema
Create the FIM CM service accounts
Disable Internet Explorer Enhanced Security for Administrators on FIMCM1
Implement Secure Sockets Layer (SSL) for the FIM CM Web Portal

Create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates

FIM CM requires a certificate for each of three of its service accounts: an Enrollment Agent certificate, a Key Recovery Agent certificate, and a User certificate. Because two of the three templates need changes, we duplicate all three and make the modifications on the copies, leaving the built-in templates untouched.

To create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates

1. Log on to DC1 as CORP\Administrator. Server Manager should launch automatically once you are logged on.


2. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.
3. On the right, under Template Display Name, scroll down, right-click Enrollment Agent, and select Duplicate Template.

Warning
Select Enrollment Agent, not Enrollment Agent (Computer).

4. A dialog box asks you to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

Note
Keep the Windows Server 2003 Enterprise choice: it produces a version 2 template. FIM CM 2010 works with CryptoAPI cryptographic service providers and does not support the version 3 templates that the Windows Server 2008 Enterprise choice creates, which use CNG key storage providers.

[Screenshot: Duplicate Template]

5. Properties of New Template opens. In Template display name, clear the box and enter FIMCM Enrollment Agent.
6. At the top, click the Request Handling tab and select Allow private key to be exported.

Note
An Enrollment Agent certificate authorizes its holder to request certificates on behalf of other users, so a template whose private key is exportable deserves the same care as the FIM CM service account that will hold it: keep the template's enrollment permissions restricted to that account.

[Screenshot: Properties of New Template]

7. At the bottom, click Apply, and then click OK to close the properties.
8. Back in Certificate Templates, on the right, under Template Display Name, scroll down, right-click Key Recovery Agent, and select Duplicate Template.
9. When the dialog box asks you to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise, leave the default of Windows Server 2003 Enterprise and click OK.
10. Properties of New Template opens. In Template display name, clear the box and enter FIMCM Key Recovery Agent.

[Screenshot: Properties of New Template]

11. At the bottom, click Apply, and then click OK.
12. Back in Certificate Templates, on the right, under Template Display Name, scroll down, right-click User, and select Duplicate Template.
13. When the dialog box asks you to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise, leave the default of Windows Server 2003 Enterprise and click OK.
14. Properties of New Template opens. In Template display name, clear the box and enter FIMCM User.
15. At the top, click the Request Handling tab, and then click the CSPs… button at the bottom. In the CSP Selection window, select Microsoft Enhanced RSA and AES Cryptographic Provider. Click OK.

[Screenshot: CSP Selection]

16. At the top, click the Subject Name tab and clear Include e-mail name in subject name. Also, under Include this information in alternate subject name, clear E-mail. (The FIM CM service accounts that will enroll for this template have no e-mail address; a template that requires one would cause their enrollment to fail.)

[Screenshot: Properties of New Template]

17. At the bottom, click Apply, and then click OK.

Publish the copied certificate templates

Now that we have created these new certificate templates, we need to publish them so that the certificate authority can issue certificates based on these templates.

To publish the copied certificate templates

1. In Server Manager, under Active Directory Certificate Services, expand corp-DC1-CA, right-click Certificate Templates, select New, and then click Certificate Template to Issue.

Server Manager

2. This will bring up an Enable Certificate Templates dialog box.

3. Scroll down until you see the FIMCM certificates. Hold down the CTRL key and click all 3 so that they are all selected.

4. Click OK.
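The same publishing step from the command line, as an added example that is not part of the original guide: it uses certutil on DC1 to add the three templates to the CA's issuing list and then reads the list back. The CA configuration string, the assumption that template names are the display names without spaces, and the output-line format checked at the end are this example's assumptions, not the guide's.

```powershell
# Added example, not part of the original guide: publish the three FIMCM
# templates on corp-DC1-CA and confirm they appear in the CA's issuing list.
# Run in an elevated PowerShell prompt on DC1 as CORP\Administrator.
# certutil takes template *names* (no spaces); the console shows display names.
$caConfig  = 'DC1.corp.contoso.com\corp-DC1-CA'
$templates = 'FIMCMEnrollmentAgent', 'FIMCMKeyRecoveryAgent', 'FIMCMUser'

# Check each template exists in the configuration partition before publishing;
# a typo would otherwise surface only as a vague certutil error.
$rootDse = [ADSI]'LDAP://RootDSE'
$tplPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$known   = @(([ADSI]$tplPath).Children | ForEach-Object { [string]$_.cn })
foreach ($t in $templates) {
    if ($known -notcontains $t) { throw "Template '$t' is not defined in Active Directory" }
}

# Publish one template per call. The leading '+' adds to the CA's list without
# removing templates that are already being issued.
foreach ($t in $templates) {
    & certutil.exe -config $caConfig -SetCATemplates "+$t" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Publishing '$t' failed (certutil exit code $LASTEXITCODE)" }
}

# Verify: -CATemplates lists every template the CA will currently issue,
# one per line, starting with the template name.
$issued = & certutil.exe -config $caConfig -CATemplates
foreach ($t in $templates) {
    if ($issued -match "^$t\b") { "OK   $t is published" } else { "FAIL $t is NOT published" }
}
```

Publishing with certutil requires the same CA administrator rights as the console; the AD lookup at the top only reads the Certificate Templates container, so it fails early on a misspelled name rather than after a half-finished publish.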

Extend the Active Directory Schema

In this step we will extend the Active Directory schema so that it is ready for FIM CM. In order to accomplish this, the Forefront Identity Manager 2010 installation binaries must be accessible from DC1. A schema extension is forest-wide and cannot be rolled back, and the account running it must be a member of Schema Admins (the built-in Administrator of the forest root domain is one by default).

To extend the Active Directory Schema

1. On DC1, navigate to the directory that contains the binaries for Forefront Identity Manager 2010.

2. Navigate to Certificate Management\x64\Schema and double-click ModifySchema.vbs.

3. This will begin the schema modification. When it completes you will see a pop-up box that says Schema modified successfully.

Success

4. Click OK.

Creating the FIM CM Service Accounts

Six service accounts need to be created in corp.contoso.com that will be used with the Forefront Identity Manager 2010 Certificate Management installation. Using one password for all six accounts and setting it never to expire is a test-lab shortcut; in production give each agent its own password, so that a compromise of one agent account (in particular the Web Pool Agent, which is trusted for delegation later in this guide) does not expose the others.

Table 1 – Service Accounts Summary

Full name                   User logon name     Forest             Password
FIM CM Agent                FIMCMAgent          corp.contoso.com   Pass1word$
FIM CM Authorization Agent  FIMCMAuthAgent      corp.contoso.com   Pass1word$
FIM CM CA Manager Agent     FIMCMManagerAgent   corp.contoso.com   Pass1word$
FIM CM Enrollment Agent     FIMCMEnrollAgent    corp.contoso.com   Pass1word$
FIM CM Key Recovery Agent   FIMCMKRAgent        corp.contoso.com   Pass1word$
FIM CM Web Pool Agent       FIMCMWebAgent       corp.contoso.com   Pass1word$

To create the Service Accounts

1. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

2. In the Active Directory Users and Computers MMC, from the tree view on the left, expand corp.contoso.com.

3. Now, right-click ServiceAccounts, select New, and then select User. This will bring up the New Object – User window.

4. On the New Object – User screen, in the Full Name box, type the following text: FIM CM Agent

5. On the New Object – User screen, in the User logon name box, type the following text, and then click Next: FIMCMAgent

6. On the New Object – User screen, in the Password box, type the following text: Pass1word$

7. On the New Object – User screen, in the Confirm Password box, type the following text: Pass1word$

8. On the New Object – User screen, clear the User must change password at next logon check box.

9. On the New Object – User screen, select Password never expires, and then click Next.

10. Click Finish.

11. Repeat these steps for all of the accounts listed in the Service Accounts Summary table.

Active Directory Users and Computers

12. Log off DC1.corp.contoso.com.
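The six accounts from Table 1 created in one pass with the ActiveDirectory module, as an added example that is not part of the original guide. It assumes the ServiceAccounts OU sits directly under the domain (as the steps above imply), prompts once for the shared lab password rather than embedding it, and is safe to re-run.

```powershell
# Added example, not part of the original guide: create the six FIM CM service
# accounts from Table 1 with the ActiveDirectory module on DC1 as CORP\Administrator.
# Assumes the ServiceAccounts OU already exists directly under the domain.
Import-Module ActiveDirectory

$ou        = 'OU=ServiceAccounts,DC=corp,DC=contoso,DC=com'
$upnSuffix = 'corp.contoso.com'
$password  = Read-Host -AsSecureString 'Password for the FIM CM service accounts'

$accounts = @(
    @{ Name = 'FIM CM Agent';               Sam = 'FIMCMAgent'        }
    @{ Name = 'FIM CM Authorization Agent'; Sam = 'FIMCMAuthAgent'    }
    @{ Name = 'FIM CM CA Manager Agent';    Sam = 'FIMCMManagerAgent' }
    @{ Name = 'FIM CM Enrollment Agent';    Sam = 'FIMCMEnrollAgent'  }
    @{ Name = 'FIM CM Key Recovery Agent';  Sam = 'FIMCMKRAgent'      }
    @{ Name = 'FIM CM Web Pool Agent';      Sam = 'FIMCMWebAgent'     }
)

foreach ($a in $accounts) {
    # Idempotent: skip accounts that already exist so the script can be re-run.
    if (Get-ADUser -Filter "sAMAccountName -eq '$($a.Sam)'") {
        "exists  $($a.Sam)"; continue
    }
    # Same flags the New Object - User wizard steps set: no forced change at
    # next logon, password never expires, account enabled.
    New-ADUser -Name $a.Name `
               -SamAccountName $a.Sam `
               -UserPrincipalName "$($a.Sam)@$upnSuffix" `
               -Path $ou `
               -AccountPassword $password `
               -ChangePasswordAtLogon $false `
               -PasswordNeverExpires $true `
               -Enabled $true
    "created $($a.Sam)"
}

# Verify: every FIMCM* account is enabled, in the right OU, and carries the
# password-never-expires flag.
Get-ADUser -Filter 'sAMAccountName -like "FIMCM*"' -SearchBase $ou `
    -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, DistinguishedName |
    Format-Table -AutoSize
```

The verification query at the end is worth keeping around: the FIM CM Configuration Wizard later refuses accounts that are disabled or sit outside the expected container, and this shows the state of all six at once.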

Disabling Internet Explorer Enhanced Security for Administrators on FIMCM1

This section lists the steps for disabling Internet Explorer Enhanced Security.

To disable Internet Explorer Enhanced Security for Administrators

1. Log on to FIMCM1 as CORP\Administrator.

2. In Server Manager, on the right-hand side, scroll down to Security Information, and then select Configure IE ESC.

3. From the Internet Explorer Enhanced Security Configuration screen, under Administrators, select Off.

4. Click OK.

Implementing Secure Sockets Layer (SSL) for the FIM CM Web Portal

In this step, you will implement SSL for the FIM CM Web Portal. You will be requesting a new domain certificate and binding it to the Default Web Site. If you recall, the Base Configuration Test Lab Guide automatically issues a server certificate to FIMCM1 when it joins the domain. However, because this certificate uses the FQDN (FIMCM1.corp.contoso.com) as its common name and not the NetBIOS name (FIMCM1), you will receive a certificate name-mismatch error when attempting to access the site with the URL https://fimcm1. If you used https://FIMCM1.corp.contoso.com as the URL you would not receive the error. However, because this site will be used inside the domain and primarily accessed using https://fimcm1, you should request a new certificate to use. The browser compares the host name in the URL against the names in the certificate, so a certificate carrying both names in its Subject Alternative Name would serve either URL; the Create Domain Certificate wizard used here only sets a common name.

To implement Secure Sockets Layer (SSL) for the FIM CM Web portal

1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.

2. On the left, expand FIMCM1 (CORP\Administrator). This will populate the center pane with icons. Make sure that FIMCM1 (CORP\Administrator) is still selected.

3. In the center, double-click Server Certificates.

4. On the right, click Create Domain Certificate. This will launch the Create Certificate Wizard.

5. For Common Name, type the following text: FIMCM1

6. For Organizational Unit, type the following text: IT

7. For City, type the following text: Anywhere

8. For State, type the following text: NC

9. Click Next.

10. On the On-line Certificate Authority page, under Specify Online Certificate Authority, click Select. This will bring up a Select Certificate Authority page.

11. Select corp-DC1-CA, and click OK.

12. On the On-line Certificate Authority page, under Friendly Name, type FIMCM1_SSL, and then click Finish. This will close the Create Certificate Wizard and you should see the newly created certificate in the center pane.

13. On the left, click Default Web Site, and then on the far right, under Actions, click Bindings. This will bring up the Site Bindings window.

14. Click Add.

15. Under Type, select https from the drop-down list.

16. Under SSL certificate, select FIMCM1_SSL from the drop-down list. Click OK, and then click Close.

Add Site Binding

17. On the left, select Default Web Site and from the center pane double-click SSL Settings.

18. Place a check in Require SSL. On the right, click Apply.

SSL Settings

19. Close Internet Information Services (IIS) Manager.

20. Click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

21. In the command prompt window, type iisreset and press Enter. This will stop and then restart IIS. Once this completes, close the command prompt window.
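The binding and Require SSL steps done with the WebAdministration module, plus a check for the name-mismatch problem the section describes, as an added example that is not part of the original guide. It assumes the certificate has already been issued by the Create Domain Certificate wizard with the friendly name FIMCM1_SSL, and that the site is the Default Web Site on port 443; the Test-TlsHostName helper is this example's own.

```powershell
# Added example, not part of the original guide: bind the FIMCM1_SSL
# certificate to the Default Web Site on 443, require SSL, and then test which
# host names the certificate actually matches. Runs on FIMCM1 as
# CORP\Administrator after the wizard has issued the certificate.
Import-Module WebAdministration

$site = 'Default Web Site'
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'FIMCM1_SSL' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with friendly name FIMCM1_SSL in LocalMachine\My' }

# Add the https binding if missing, then attach the certificate to 0.0.0.0:443
# (the IIS:\SslBindings drive is how WebAdministration maps a certificate to
# an address/port pair).
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Require SSL for the whole site (same as the Require SSL check box).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Check: does the certificate's name set cover each URL the portal will be
# reached by? A TrustFailure here is the browser error the text describes.
function Test-TlsHostName {
    param([string]$Url)
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = 'HEAD'
        $req.GetResponse().Close()
        "OK        $Url"
    } catch [System.Net.WebException] {
        if ($_.Exception.Status -eq 'TrustFailure') {
            "MISMATCH  $Url (certificate name or chain not trusted)"
        } else {
            "HTTP      $Url ($($_.Exception.Message))"
        }
    }
}
Test-TlsHostName 'https://fimcm1'
Test-TlsHostName 'https://fimcm1.corp.contoso.com'
```

With the CN-only certificate the wizard issues, expect the first URL to pass and the second to report a mismatch; if both must work, request a certificate whose Subject Alternative Name lists both host names instead.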

Step 8: Install FIM CM

Installation of FIM CM consists of the following:

Install the FIM CM binaries on FIMCM1
Install the FIM CM binaries on DC1
Run the FIM CM Configuration Wizard
Install the FIM CM Update 1 on FIMCM1
Install the FIM CM Update 1 on DC1


Install the FIM CM binaries on FIMCM1

Install the FIM CM binaries on FIMCM1.

To install the FIM CM binaries on FIMCM1

1. Log on to FIMCM1 as CORP\Administrator.

2. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 and double-click FIMSplash.htm. This will bring up the Forefront Identity Manager 2010 splash screen.

3. On the splash screen, click Install Certificate Management, 64 bit. Click Run. You will see a pop-up that says Do you want to run this software? Click Run. This will take a minute. Then you will see another pop-up asking Do you want to run this software? Click Run. This will start the Forefront Identity Manager Certificate Management Setup Wizard.

4. On the Welcome page, click Next.

Welcome to the Forefront Identity Manager Certificate Management Setup Wizard

5. On the End User License Agreement page, read the License Agreement, select I accept the terms in the license agreement, and then click Next.

6. On the Custom Setup page, click Next.

7. On the Virtual Web Folder page, click Next.

8. On the Install Forefront Identity Manager Certificate Management page, click Install.

9. Once the installation completes, click Finish.

10. Close the splash screen.

Install the FIM CM binaries on DC1

Install the FIM CM binaries on DC1.

To install the FIM CM binaries on DC1

1. Log on to DC1 as CORP\Administrator.

2. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 and double-click FIMSplash.htm. This will bring up the Forefront Identity Manager 2010 splash screen.

3. On the splash screen, click Install Certificate Management, 64 bit. Click Run. You will see a pop-up that says Do you want to run this software? Click Run. This will take a minute. Then you will see another pop-up asking Do you want to run this software? Click Run. This will start the Forefront Identity Manager Certificate Management Setup Wizard.

4. On the Welcome page, click Next.

5. On the End User License Agreement page, read the License Agreement, select I accept the terms in the license agreement, and then click Next.

6. On the Custom Setup page, under Click on the icons in the tree below to change the way features will be installed:, click FIM CM Update Service, select This feature will not be available, and click Next.

Warning: We are only installing the FIM CM CA Files on DC1, so this should be the only feature that is selected. The CA Files feature contains the FIM CM policy and exit modules that the certificate authority loads; the FIM CM Update Service and the web portal belong on FIMCM1.

Custom Setup

7. On the Install Forefront Identity Manager Certificate Management page, click Install.

8. Once the installation completes, click Finish.

9. Close the splash screen.

Run the FIM CM Configuration Wizard

Once the binaries are installed we must run the FIM CM Configuration Wizard to create the FIM CM database and configure the service accounts.

To run the FIM CM Configuration Wizard

1. Log on to FIMCM1 as CORP\Administrator.

2. Click Start and click Certificate Management Config Wizard.

3. On the Welcome to the Configuration Wizard page, click Next.

4. On the CA Configuration page, click Next.

CA Configuration


5. On the Setup the SQL Server Database page, in the box under Name of SQL Server, enter APP1. Click Next.

Set up the SQL Server Database


6. On the Database Settings page, leave the default options configured and click Next.

Database Settings


7. On the Set up Active Directory page, leave the default setting in place and click Next.

Set up Active Directory


8. On the Agents - FIM CM page, clear Use the FIM CM default settings and then click Custom Accounts. This will bring up the Agents – FIM CM dialog box.

9. On the Agents - FIM CM dialog box, on the FIM CM Agent tab, in User name, type corp\FIMCMAgent. In Password and Confirm password, type Pass1word$. Select Use an existing user. Repeat this process for each of the items in the table below.

Agents – FIM CM


FIM CM Accounts

Agents Tab                     User name                Password     Use an existing user
FIM CM Agent                   corp\FIMCMAgent          Pass1word$   Checked
Key Recovery Agent             corp\FIMCMKRAgent        Pass1word$   Checked
Authorization Agent            corp\FIMCMAuthAgent      Pass1word$   Checked
CA Manager Agent               corp\FIMCMManagerAgent   Pass1word$   Checked
Web Pool Process Worker Agent  corp\FIMCMWebAgent       Pass1word$   Checked
Enrollment Agent               corp\FIMCMEnrollAgent    Pass1word$   Checked

10. Once this is complete click OK and click Next.


Agents – FIM CM

11. On Set up server certificates page, under Certificate template to be used for the recovery agent Key Recovery Agent certificate: from the drop-down, select FIMCMKeyRecoveryAgent.

12. On Set up server certificates page, under Certificate template to be used for the FIM CM Agent certificate: from the drop-down, select FIMCMUser.

13. On Set up server certificates page, under Certificate template to use for the enrollment agent certificate: from the drop-down, select FIMCMEnrollmentAgent.

Set up server certificates


14. Click Next.

15. On the Set up Email Server, Document Printing page, under Specify the name of the SMTP server you want to use to e-mail registration information, enter 10.0.0.5. This is the IP address of EX1. Click Next.

Set up E-mail Server. Document Printing


16. On the Ready to Configure page, click Configure.

17. When this completes, click Finish.

Install the FIM CM Update 1 on FIMCM1

Install the FIM CM Update 1 binaries on FIMCM1.

To install the FIM CM Update 1 on FIMCM1

1. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 Update 1 (KB978864) and double-click AMD64-all-fimcm_kb978864_d11c069c7099712849e8b21d6f5925dd365c71c3.exe. This will begin the update installation and start the Update Wizard.

2. On the Welcome page, click Update. This will begin the update.

Forefront Identity Management Update Wizard

3. Once the installation completes, click Finish.

Install the FIM CM Update 1 on DC1

Install the FIM CM Update 1 binaries on DC1.

To install the FIM CM Update 1 on DC1

1. Log on to DC1 as CORP\Administrator.

2. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 Update 1 (KB978864) and double-click AMD64-all-fimcm_kb978864_d11c069c7099712849e8b21d6f5925dd365c71c3.exe. This will begin the update installation and start the Update Wizard.

3. On the Welcome page, click Update. This will begin the update.

4. Once the installation completes, click Finish.

Step 9: Perform FIM CM Post-Installation Tasks

Performing the FIM CM post-installation tasks consists of the following:

Configure the FIM CM Server for delegation
Configure the FIM CM Web Pool Agent for delegation
Configure IIS for Kerberos Delegation
Verify the SPNs on the FIM CM Web Pool Agent Account
Allow DC1 to access the FIM CM database on APP1
Obtain the FIM CM Agent account hash
Configure FIM CM Exit Module on DC1
Configure FIM CM Policy Module on DC1
Add the FIM CM Portal URL to Local Intranet Sites for CORP\Administrator

Configure the FIM CM Server for delegation

The FIM CM server talks to the certificate authority on DC1 over DCOM (the rpcss service), so the FIMCM1 computer account is allowed to delegate to that one service only (constrained delegation) rather than to anything in the forest.

To configure the FIM CM Server for delegation

1. Log on to DC1 as CORP\Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. At the top, select View and choose Advanced Features from the drop-down.

4. On the left, expand corp.contoso.com, click Computers and on the right, right-click FIMCM1 and choose Properties.

5. At the top, select the Delegation tab.

Warning: If for some reason you do not see the Delegation tab, check and make sure that this object has the correct SPNs set. The Delegation tab only appears for objects that have a value in the servicePrincipalName attribute.

6. Select Trust this computer for delegation to specified services only and then select Use any authentication protocol.

Use any authentication protocol enables Kerberos protocol transition (the TrustedToAuthForDelegation flag): FIMCM1 can obtain a service ticket to DC1 on behalf of any user, including one who did not authenticate to FIMCM1 with Kerberos. That is more permissive than Use Kerberos only, so keep the service list to the single rpcss entry below and treat FIMCM1 as a high-value host.

7. Click Add. This will bring up the Add Services window.

Add Services

8. Click Users or Computers. This will bring up a Select Users or Computers window. Enter DC1 and click Check Names. It should resolve with an underline. Then click OK.

9. You should now see services populated on the Add Services window. Scroll down and select rpcss and click OK.

FIM CM Server Delegation Tab

10. Click Apply. Click OK.

Configure the FIM CM Web Pool Agent for delegation

To configure the FIM CM Web Pool Agent for delegation

1. In Active Directory Users and Computers, on the left, expand corp.contoso.com, click ServiceAccounts. Right-click FIM CM Web Pool Agent and choose Properties.

2. At the top, select the Delegation tab.

Warning: If for some reason you do not see the Delegation tab, check and make sure that this object has the correct SPNs set. The Delegation tab only appears for objects that have a value in the servicePrincipalName attribute. For the Web Pool Agent those are HTTP/FIMCM1 and HTTP/FIMCM1.corp.contoso.com, which you verify later in this step.

3. Select Trust this user for delegation to specified services only and then select Use Kerberos only.

4. Click Add. This will bring up the Add Services window.

5. Click Users or Computers. This will bring up a Select Users or Computers window. Enter DC1 and click Check Names. It should resolve with an underline. Then click OK.

6. You should now see services populated on the Add Services window. Scroll down and select HOST and click OK.

FIM CM Web Pool Agent Delegation Tab

7. Click Apply. Click OK.

8. Close Active Directory Users and Computers.

Configure IIS for Kerberos Delegation

By default, IIS 7 Windows authentication runs in kernel mode and decrypts incoming Kerberos service tickets with the machine account's key. The HTTP/FIMCM1 SPNs are registered on the FIM CM Web Pool Agent account, not on the FIMCM1 computer account, so tickets that clients present to the portal are encrypted to the Web Pool Agent's key and the default configuration cannot decrypt them; authentication then falls back to NTLM, which cannot be delegated. This section configures IIS to keep kernel-mode authentication but use the application pool identity's credentials, so Kerberos, and with it the delegation configured above, works.

To configure IIS for Kerberos Delegation

1. Log on to FIMCM1 as CORP\Administrator.

2. Navigate to the following directory: C:\Windows\System32\inetsrv\config.

ApplicationHost

3. Locate the ApplicationHost.config file, right-click and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed programs and click OK.

4. Select Notepad and click OK. This will open the config file in Notepad.

5. At the top, select Edit, Find, and enter windowsAuthentication enabled="true" in the box. Click Find Next.

Find windowsAuthentication enabled

6. If this is a vanilla install of FIM CM there will be only one instance of this. Insert useKernelMode="true" useAppPoolCredentials="true" in the line, leaving any other attributes and child elements as they are, so that the element starts like the after image:

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

useAppPoolCredentials

7. On the Find box, click Cancel.

8. At the top of Notepad, select File, Save. Close Notepad.

9. Click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

10. In the command prompt window, type iisreset and press Enter. This will stop and then restart IIS. Once this completes, close the command prompt window.

IISReset
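The same configuration change made with appcmd instead of hand-editing applicationHost.config, followed by a read-back and a check that the application pool really runs as the Web Pool Agent, as an added example that is not part of the original guide. The application path Default Web Site/CertificateManagement (the installer's default virtual folder) and the backup name are this example's assumptions.

```powershell
# Added example, not part of the original guide: set useKernelMode and
# useAppPoolCredentials with appcmd, then read the effective values back.
# Runs on FIMCM1 in an elevated PowerShell prompt as CORP\Administrator.
# Assumes the FIM CM portal is the "Default Web Site/CertificateManagement"
# application that the installer creates by default.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$app    = 'Default Web Site/CertificateManagement'

# Back up the IIS configuration first; "appcmd restore backup <name>" undoes it.
& $appcmd add backup "pre-fimcm-kerberos-$(Get-Date -Format yyyyMMddHHmm)" | Out-Null

# Scope the change to the FIM CM application rather than the whole server.
& $appcmd set config $app -section:system.webServer/security/authentication/windowsAuthentication `
    /enabled:true /useKernelMode:true /useAppPoolCredentials:true /commit:apphost
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed with exit code $LASTEXITCODE" }

# Read back what IIS will actually use for this application.
& $appcmd list config $app -section:system.webServer/security/authentication/windowsAuthentication

# useAppPoolCredentials only helps if the pool identity is the account that
# owns the HTTP/FIMCM1 SPNs, so confirm which account the pool runs as.
Import-Module WebAdministration
$poolName = (Get-Item "IIS:\Sites\$app").applicationPool
$pm       = (Get-Item "IIS:\AppPools\$poolName").processModel
"$poolName runs as '$($pm.userName)' (identityType=$($pm.identityType))"
if ($pm.userName -notmatch 'FIMCMWebAgent$') {
    Write-Warning 'Pool identity is not CORP\FIMCMWebAgent; Kerberos tickets will be decrypted with the wrong key'
}

iisreset | Out-Null
```

Editing at the application scope with /commit:apphost writes the same location section in applicationHost.config that the Notepad steps edit, but it leaves the rest of the file untouched and gives you a backup to fall back on.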

Verify the SPNs on the FIM CM Web Pool Agent Account

To verify the SPNs on the FIM CM Web Pool Agent Account

1. Log on to DC1 as CORP\Administrator.

2. Click Start, select Administrative Tools and click ADSI Edit. This will bring up ADSI Edit.

3. At the top, right-click ADSI Edit and select Connect to. This will bring up a Connection Settings box. Leave the defaults and click OK.

4. On the right, expand Default naming context [DC1.corp.contoso.com], double-click DC=corp,DC=contoso,DC=com, expand DC=corp,DC=contoso,DC=com and select OU=ServiceAccounts.

5. In the center, right-click CN=FIM CM Web Pool Agent and select Properties. This will bring up CN=FIM CM Web Pool Agent Properties.

6. Scroll through the list of attributes and double-click servicePrincipalName. This will bring up the Multi-valued String Editor.

7. In the box, verify the value HTTP/FIMCM1 is present.

8. In the box, verify the value HTTP/FIMCM1.corp.contoso.com is present.

Verify FIM CM Web Pool Agent SPNs

9. Click OK.

10. Click OK.

Both SPNs must exist on this account and on no other account in the forest. With a duplicate SPN the KDC cannot decide which key to encrypt the ticket with and refuses to issue one, so authentication to the portal silently falls back to NTLM and the delegation configured above stops working.
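The three preceding procedures (server delegation, Web Pool Agent delegation, and the SPN check) done and verified from PowerShell on DC1, as an added example that is not part of the original guide. It uses the ActiveDirectory module; the SPN forms it writes (short name and FQDN for rpcss and HOST on DC1) are the ones the Add Services dialog adds, and the Show-Delegation helper is this example's own.

```powershell
# Added example, not part of the original guide: configure and verify both
# delegation settings and the Web Pool Agent SPNs with the ActiveDirectory
# module. Runs on DC1 as CORP\Administrator.
Import-Module ActiveDirectory

$dcShort = 'DC1'
$dcFqdn  = 'DC1.corp.contoso.com'

# 1. FIMCM1 computer -> rpcss on DC1, with protocol transition
#    ("Use any authentication protocol" in the GUI).
$fimcm1 = Get-ADComputer FIMCM1
Set-ADComputer $fimcm1 -Replace @{ 'msDS-AllowedToDelegateTo' = @("rpcss/$dcShort", "rpcss/$dcFqdn") }
Set-ADAccountControl $fimcm1 -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# 2. Web Pool Agent -> HOST on DC1, Kerberos only (no protocol transition).
$webAgent = Get-ADUser FIMCMWebAgent
Set-ADUser $webAgent -Replace @{ 'msDS-AllowedToDelegateTo' = @("HOST/$dcShort", "HOST/$dcFqdn") }
Set-ADAccountControl $webAgent -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 3. Verify: delegation targets, the protocol-transition flag (userAccountControl
#    bit 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION) and the registered SPNs.
function Show-Delegation {
    param([string]$Identity)
    $o = Get-ADObject -Filter "sAMAccountName -eq '$Identity'" `
         -Properties msDS-AllowedToDelegateTo, userAccountControl, servicePrincipalName
    [PSCustomObject]@{
        Account             = $Identity
        AllowedToDelegateTo = ($o.'msDS-AllowedToDelegateTo' -join ', ')
        ProtocolTransition  = [bool]($o.userAccountControl -band 0x1000000)
        SPNs                = ($o.servicePrincipalName -join ', ')
    }
}
Show-Delegation 'FIMCM1$'
Show-Delegation 'FIMCMWebAgent'

# 4. SPN hygiene: each HTTP SPN must be registered on exactly one account.
$required = 'HTTP/FIMCM1', 'HTTP/FIMCM1.corp.contoso.com'
foreach ($spn in $required) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    switch ($owners.Count) {
        1       { "OK        $spn -> $($owners[0].Name)" }
        0       { "MISSING   $spn (register with: setspn -S $spn CORP\FIMCMWebAgent)" }
        default { "DUPLICATE $spn on $($owners.Name -join ', ') - Kerberos to the portal will fail" }
    }
}
```

Expect ProtocolTransition to be True for FIMCM1$ and False for FIMCMWebAgent; if the Web Pool Agent shows True, the GUI option was set to Use any authentication protocol instead of Use Kerberos only, which grants more than this lab needs.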

Allow DC1 to access the FIM CM database on APP1

The certificate authority is not automatically granted access to the FIM CM database. In order to allow access we will now add it manually. The CA service on DC1 runs as Local System, so on the network it authenticates as the DC1 computer account (CORP\DC1$); that is the login that needs the clmApp role.

To allow DC1 to access the FIM CM database on APP1

1. Log on to APP1 as CORP\Administrator.

2. Click Start, click All Programs, click Microsoft SQL Server 2008, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.

3. On the Connect to Server dialog box, under Server type, select Database Engine.

4. On the Connect to Server dialog box, under Server name, select APP1.

5. On the Connect to Server dialog box, under Authentication, select Windows Authentication.

6. Click Connect. This should be successful and the database information will be displayed on the left. The SQL Server Agent should have a green arrow.

7. On the left, expand Security, right-click Logins, and then select New Login. This will bring up the Login - New screen.

8. On the right, in the box next to Login name, enter CORP\DC1$.

Login - New

9. On the left, click User Mapping. Under Users mapped to this login:, place a check in FIMCertificateManagement.

10. At the bottom, under Database role membership for FIMCertificateManagement, add a check to clmApp.

User Mapping

11. At the bottom, click OK. Close SQL Server Management Studio.
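The same grant scripted with sqlcmd, as an added example that is not part of the original guide. It runs on APP1 as a SQL sysadmin, is safe to re-run, and finishes by listing the members of clmApp so you can see the DC1$ mapping took effect; the temporary script path is this example's choice.

```powershell
# Added example, not part of the original guide: give the DC1 computer account
# the clmApp role in the FIM CM database with sqlcmd and verify the mapping.
# Runs on APP1 as CORP\Administrator (a sysadmin on the APP1 instance).
$server = 'APP1'
$db     = 'FIMCertificateManagement'
$login  = 'CORP\DC1$'

# Idempotent T-SQL: only creates the login, database user and role membership
# when they are missing, then lists clmApp's members.
$sql = @"
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
IF NOT EXISTS (SELECT 1
                 FROM sys.database_role_members rm
                 JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
                 JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
                WHERE r.name = N'clmApp' AND m.name = N'$login')
    EXEC sp_addrolemember N'clmApp', N'$login';
SELECT m.name AS member, r.name AS role
  FROM sys.database_role_members rm
  JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
  JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
 WHERE r.name = N'clmApp';
"@

# sqlcmd reads the batch from a file; -E uses Windows authentication and
# -b makes it exit non-zero if any statement fails.
$script = Join-Path $env:TEMP 'grant-clmApp.sql'
Set-Content -LiteralPath $script -Value $sql -Encoding ASCII
& sqlcmd.exe -S $server -E -b -i $script
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item -LiteralPath $script
```

Only clmApp is granted, matching the User Mapping step; the exit module needs no server-level role, so do not add DC1$ to sysadmin to "make it work" if something else is misconfigured.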

Obtain the FIM CM Agent account hash

The certificate authority does not automatically have the FIM CM Agent's certificate hash added to the Policy Module. This must be done manually. Despite the name of this step, the value is not a password hash: it is the thumbprint of the signing certificate issued to the FIM CM Agent account, which the FIM CM Configuration Wizard stored in the portal's web.config under Clm.SigningCertificate.Hash. The Policy Module on the CA uses it to verify that requests arriving from FIM CM were signed by that certificate.

To obtain the FIM CM Agent account hash

1. Log on to FIMCM1 as CORP\Administrator.

2. Navigate to the following directory: C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web.

C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web

3. Locate the web.config file, right-click and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed programs and click OK.

4. Select Notepad and click OK. This will open the config file in Notepad.

5. At the top, select Edit, Find, and enter Clm.SigningCertificate.Hash in the box. Click Find Next.

Find Clm.SigningCertificate.Hash

6. When this stops you will see Clm.SigningCertificate.Hash and a value next to it. Highlight the hash value, right-click and select Copy.

Clm.SigningCertificate.Hash Value

7. Now click Start, select All Programs, select Accessories and select Notepad. This will open up Notepad.

8. Paste the hash value into Notepad. Then at the top select File and Save. This will bring up the Save As dialog box.

Copy hash value to notepad

9. At the top of the Save As dialog box, remove Libraries\Documents and replace it with \\DC1\C$.

10. In the File name: box, enter fimcmagenthash and click Save. This will save the Notepad file to the C:\ drive on DC1 as fimcmagenthash.txt.

Save hash to DC1

11. Close the web.config file.

Important: Be aware that the value of your certificate hash will differ from the one in the screenshots.
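The same extraction done in PowerShell, with two checks the manual copy-and-paste cannot give you (that the value is a well-formed thumbprint and that corp-DC1-CA actually issued a certificate with that hash), as an added example that is not part of the original guide. It assumes the value sits in web.config's appSettings as an add element keyed Clm.SigningCertificate.Hash, and that certutil prints the hash column as space-separated hex; both are this example's assumptions.

```powershell
# Added example, not part of the original guide: read the signing certificate
# hash from web.config, validate it, confirm corp-DC1-CA issued a certificate
# with that hash, and save it to DC1 for the Policy Module step.
# Runs on FIMCM1 as CORP\Administrator. Assumes the value is stored as
# <add key="Clm.SigningCertificate.Hash" value="..."/> under <appSettings>.
$webConfig = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config'
$caConfig  = 'DC1.corp.contoso.com\corp-DC1-CA'
$dest      = '\\DC1\C$\fimcmagenthash.txt'

[xml]$cfg = Get-Content -LiteralPath $webConfig
$entry = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'Clm.SigningCertificate.Hash' }
if (-not $entry) { throw 'Clm.SigningCertificate.Hash not found in web.config' }

# Normalise: drop whitespace and upper-case. A thumbprint is 40 hex characters.
$hash = ($entry.value -replace '\s', '').ToUpperInvariant()
if ($hash -notmatch '^[0-9A-F]{40}$') { throw "Unexpected hash format in web.config: '$($entry.value)'" }

# Cross-check against the CA database: certutil prints each hash as quoted,
# space-separated hex, so strip the spaces before comparing.
$dump  = & certutil.exe -config $caConfig -view -out 'RequestID,CertificateHash,CommonName,NotAfter'
$found = $false
foreach ($line in $dump) {
    if ($line -match 'Certificate Hash:\s*"([0-9a-fA-F ]+)"') {
        if (($Matches[1] -replace ' ', '').ToUpperInvariant() -eq $hash) { $found = $true; break }
    }
}
if (-not $found) { Write-Warning "No certificate with hash $hash found in the corp-DC1-CA database" }

# Same destination the manual steps use; the Policy Module step reads it from C:\ on DC1.
Set-Content -LiteralPath $dest -Value $hash -Encoding ASCII
"Saved $hash to $dest (issued by corp-DC1-CA: $found)"
```

A hash that the CA database does not know usually means the Configuration Wizard enrolled the agent certificate from a different CA or the wizard was re-run and web.config now names a newer certificate; either way the Policy Module would be trusting a signer the CA never issued, so resolve that before pasting the value in.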

Configure FIM CM Exit Module on DC1

Now we need to configure the Certificate Authority Exit Module. This is done by adding a SQL connection string, which allows the CA to write to the FIM CM database. The connection string uses Integrated Security=SSPI, which is why the CORP\DC1$ login was granted the clmApp role on APP1 earlier in Step 9.

To configure FIM CM Exit Module on DC1

1. Log on to DC1 as CORP\Administrator.

2. Click Start, click Administrative Tools, and then click Server Manager.

3. In Server Manager, expand Roles, expand Active Directory Certificate Services, right-click corp-DC1-CA and select Properties. This will bring up the corp-DC1-CA properties.

4. At the top, click the Exit Module tab. This may take a second or two to refresh.

FIM CM Exit Module

5. On the Exit Module tab, click FIM CM Exit Module so that it is selected and then click the Properties button. This will bring up a Configuration Properties dialog box.

6. In the box under Specify FIM CM database connection string, enter:

Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=APP1

Configuration Properties

7. Click Apply. This will bring up a box that says the CA needs to be restarted for the changes to take effect. Click OK.

8. Click OK to close the Configuration Properties.

Configure FIM CM Policy Module on DC1

Now we need to configure the Certificate Authority Policy Module. This is done by adding the hash of the FIM CM agent certificate (saved earlier in fimcmagenthash.txt) to the Policy Module's list of valid signing certificates, so that the CA can verify that requests submitted through FIM CM were signed by the FIM CM agent.

To Configure FIM CM Policy Module on DC1

1. Navigate to the C:\ drive and open the fimcmagenthash.txt file. Highlight the hash, right-click and select Copy.
2. Back in the properties of corp-DC1-CA, click the Policy Module tab. This may take a moment to refresh.

FIM CM Policy Module

3. Click the Properties button. This will bring up the Configuration Properties dialog box.
4. At the top, click the Signing Certificates tab. Click Add. This will bring up a Certificate dialog box.
5. In the box under Please specify hex-encoded certificate hash:, paste the value you just copied from Notepad. Click OK. This may take a moment.

Certificate

6. You should now see the value of the hash under Valid Signing Certificates:. Click Apply. This will bring up a box that says the CA needs to be restarted for the changes to take effect. Click OK.

Valid Signing Certificates

7. Click OK to close the Configuration Properties dialog box.
8. Click OK to close the corp-DC1-CA properties.
9. Back in Server Manager, right-click corp-DC1-CA, select All Tasks and Stop Service.

Stop CA Service


10. Once the service has stopped, right-click corp-DC1-CA, select All Tasks and Start Service.

11. Once the service has started close Server Manager.
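The hash you pasted and the restart can also be checked from an elevated PowerShell prompt on DC1. The script below is an added example and is not part of this guide. It assumes the hash file C:\fimcmagenthash.txt from the earlier step and the service name certsvc (Active Directory Certificate Services). The 40-hex-digit check assumes the file holds the certificate's SHA-1 thumbprint as shown on the certificate's Details tab, possibly with spaces; certutil -getreg is a standard AD CS command, and the module names it prints are whatever FIM CM registered, so they are shown for inspection rather than compared against a fixed string.

```powershell
# Added example (not part of the Test Lab Guide): validates the agent certificate
# hash that was pasted into the Policy Module and restarts Certificate Services
# on DC1 so the Policy and Exit Module changes take effect.
# Assumptions: the hash was saved to C:\fimcmagenthash.txt (from the guide) and
# holds a SHA-1 thumbprint as copied from the certificate's Details tab.

$HashFile = 'C:\fimcmagenthash.txt'

# Read the thumbprint, join any wrapped lines, strip whitespace, and make sure
# only hex digits remain. The Policy Module dialog expects a hex-encoded hash;
# stray characters or an odd length mean the wrong value was copied.
$raw  = (Get-Content -Path $HashFile) -join ''
$hash = ($raw -replace '\s', '').ToUpperInvariant()
if ($hash -notmatch '^[0-9A-F]{40}$') {
    throw "fimcmagenthash.txt does not contain a 40-hex-digit certificate hash: '$hash'"
}
Write-Host "Agent certificate hash: $hash"

# Show which policy and exit modules the CA currently has active. Once the FIM CM
# modules are installed and selected, the output should no longer list only the
# CertificateAuthority_MicrosoftDefault.* modules. The exact FIM CM names printed
# are whatever the FIM CM installer registered (assumption: not asserted here).
certutil -getreg policy\Active
certutil -getreg exit\Active

# Policy and Exit Module configuration is only read when the CA starts, so
# restart the service and wait until it reports Running again.
Restart-Service -Name certsvc -Force
(Get-Service -Name certsvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "certsvc is $((Get-Service -Name certsvc).Status)"
```

Run it after completing step 9 above; it replaces the manual Stop Service / Start Service steps and fails early if the hash file was edited or copied incorrectly.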

Add the FIM CM Web Portal URL to Local Intranet Sites for CORP\Administrator

In this step you will add the FIM CM Web Portal URL to the Local intranet zone in Internet Explorer. Sites in this zone receive the logged-on user's Windows credentials automatically, which is what lets the portal authenticate CORP\Administrator without a logon prompt.

To add the FIM CM Web Portal URL to Local Intranet Sites

1. Log on to FIMCM1 as CORP\Administrator.
2. Click Start, click All Programs, and then click Internet Explorer (64-bit).
3. At the top of Internet Explorer, under Tools, click Internet Options.
4. Click the Security tab and select Local intranet from the Select a zone to view or change security settings box.
5. Click Sites to show a Local intranet window. Click Advanced.
6. In the Add this website to the zone: box, type https://fimcm1. Click Add.
7. Place a check in Require server verification (https:) for all sites in this zone and click Close. Click OK.
8. Click OK to close the Internet Options dialog box.
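The same zone assignment can be scripted and read back, which is useful when the lab is rebuilt. The script below is an added example and is not part of this guide. It relies on the documented per-user Internet Explorer layout, where a site's zone is stored under the ZoneMap\Domains key as a DWORD named after the URL scheme (1 = Local intranet); the host name fimcm1 comes from the guide, and the script must run as the user who will browse (CORP\Administrator on FIMCM1). The zone-wide Require server verification (https:) checkbox is stored elsewhere and is not changed here; mapping only the https scheme approximates it for this one host.

```powershell
# Added example (not part of the Test Lab Guide): puts https://fimcm1 in the
# Local intranet zone for the current user and verifies the result.
# Internet Explorer keeps per-user zone assignments under ZoneMap\Domains\<host>;
# a DWORD value named after the scheme holds the zone number (1 = Local intranet).
# Assumptions: run as the browsing user (CORP\Administrator on FIMCM1); host name
# fimcm1 is taken from the guide.

$ZoneMapDomains    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PortalHost        = 'fimcm1'
$LocalIntranetZone = 1

$key = Join-Path $ZoneMapDomains $PortalHost
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Only the https scheme is mapped. A plain http://fimcm1 keeps whatever zone IE
# would otherwise assign, so credentials are not sent automatically over HTTP.
New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $LocalIntranetZone -Force | Out-Null

# Read the assignment back the way IE will see it on its next start.
$mapped = (Get-ItemProperty -Path $key).https
if ($mapped -eq $LocalIntranetZone) {
    Write-Host "https://$PortalHost is in the Local intranet zone (automatic Windows logon enabled)"
} else {
    Write-Warning "https://$PortalHost is mapped to zone $mapped, expected $LocalIntranetZone"
}
```

Because Local intranet membership means Internet Explorer will hand the user's Windows credentials to the site without prompting, only hosts you control should be added this way. Outside a test lab the assignment would normally come from the Site to Zone Assignment List Group Policy setting rather than a per-user registry edit.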

Step 10: Verify the Installation

Verifying the FIMCM1 installation for the Forefront Identity Manager 2010 test lab consists of the following:

Verify the Build Numbers of the FIM CM Policy Module
Verify the Build Numbers of the FIM CM binaries
Verify the CA is in the CertificateAuthority SQL Table
Obtain a certificate for the Administrator

Verify the Build Numbers of the FIM CM Policy Module

To verify the Build Number of the FIM CM Policy Module

1. Log on to DC1 as CORP\Administrator.
2. Click Start, click Administrative Tools, and then click Server Manager.
3. In Server Manager, expand Roles, expand Active Directory Certificate Services, right-click corp-DC1-CA and select Properties. This will bring up the corp-DC1-CA properties.
4. At the top, click the Policy Module tab. This may take a second or two to refresh.
5. Look for Version: and note the value. It should be 4.0.3531.2. Click Cancel.

FIM CM Policy Module


Verify the Build Numbers of the FIM CM binaries

To verify the build numbers of the FIM CM binaries

1. Log on to FIMCM1 as CORP\Administrator.
2. Navigate to the following directory: C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin.
3. Locate the Microsoft.Clm.Common.dll file, right-click and select Properties. This will bring up the Properties dialog box.
4. At the top, click the Details tab.


5. Look for Product Version and note the value. It should be 4.0.3531.2. Click Cancel.

Microsoft.Clm.Common.dll Properties

6. Locate the Microsoft.Clm.Service.exe file, right-click and select Properties. This will bring up the Properties dialog box.

Important
This is the application file (Microsoft.Clm.Service.exe) that we are checking the version of, not the accompanying .config file.

7. At the top, click the Details tab.
8. Look for Product Version and note the value. It should be 4.0.3531.2. Click Cancel.


Verify the CA is in the CertificateAuthority SQL Table

The row checked here is written by the FIM CM Exit Module running inside the CA service on DC1, so its presence also confirms that DC1 can reach the FIMCertificateManagement database on APP1 with the connection string and permissions configured earlier.

To verify the CA is in the CertificateAuthority SQL Table

1. Log on to APP1 as CORP\Administrator.
2. Click Start, click All Programs, click Microsoft SQL Server 2008, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.
3. On the Connect to Server dialog box, under Server Type select Database Engine.
4. On the Connect to Server dialog box, under Server name select APP1.
5. On the Connect to Server dialog box, under Authentication select Windows Authentication.
6. Click Connect. This should be successful and the database information will be displayed on the left. The SQL Server Agent should have a green arrow.
7. On the left, expand Databases, expand FIMCertificateManagement, expand Tables, right-click dbo.CertificateAuthority and select Select Top 1000 Rows. This will populate the middle pane with the SQL query at the top and the results at the bottom.
8. In the results section, the column ca_server_name should contain DC1.corp.contoso.com.
9. In the results section, the column ca_name should contain corp-DC1-CA.

CertificateAuthority Table

10. Close SQL Server Management Studio.

Important
If you do not see the certificate authority information populated, check your connection string on the Exit Module. See: Configure FIM CM Exit Module on DC1. Also verify that the permissions for DC1 are set correctly on the SQL Server. See: Allow DC1 to access the FIM CM database on APP1. In addition, if you see an Event ID 0 in the Event Viewer, reboot DC1, then stop and start the CA, and check the table again.
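The build-number and SQL table checks above can be run together from a PowerShell prompt on FIMCM1 as CORP\Administrator, which makes them easy to repeat after a future update. The script below is an added example and is not part of this guide. The expected version, binary paths, connection string, CA name and CA server name are all taken from the guide. The final check, that a SQL Server login exists for the CA's computer account CORP\DC1$ and is mapped to a user in the FIMCertificateManagement database, is an assumption about how Allow DC1 to access the FIM CM database on APP1 was done; if access was granted through a group instead, that check will report a warning even though the Exit Module works.

```powershell
# Added example (not part of the Test Lab Guide): scripts the "Verify the
# Installation" checks. Run on FIMCM1 as CORP\Administrator.
# Expected values, paths, names and the connection string come from the guide.
# The CORP\DC1$ login check is an assumption: the CA service runs as Local System,
# so it reaches SQL Server as DC1's computer account, and this assumes that
# account was granted access directly rather than via a group.

$ExpectedVersion  = '4.0.3531.2'
$BinDir           = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin'
$Binaries         = 'Microsoft.Clm.Common.dll', 'Microsoft.Clm.Service.exe'   # the .exe, not its .config
$ConnectionString = 'Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=APP1'
$ExpectedCaServer = 'DC1.corp.contoso.com'
$ExpectedCaName   = 'corp-DC1-CA'
$CaComputerLogin  = 'CORP\DC1$'

$failed = 0

# 1. Product Version of the FIM CM binaries (what the Details tab shows).
foreach ($name in $Binaries) {
    $path    = Join-Path $BinDir $name
    $version = (Get-Item $path).VersionInfo.ProductVersion
    if ($version -eq $ExpectedVersion) {
        Write-Host "OK    $name is $version"
    } else {
        Write-Warning "FAIL  $name is '$version', expected $ExpectedVersion"
        $failed++
    }
}

# 2. The CA registered itself in dbo.CertificateAuthority (written by the Exit Module).
$conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT ca_server_name, ca_name FROM dbo.CertificateAuthority'
    $rows   = @()
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $rows += New-Object PSObject -Property @{
            Server = [string]$reader['ca_server_name']
            Name   = [string]$reader['ca_name']
        }
    }
    $reader.Close()

    $match = $rows | Where-Object { $_.Server -eq $ExpectedCaServer -and $_.Name -eq $ExpectedCaName }
    if ($match) {
        Write-Host "OK    $ExpectedCaName on $ExpectedCaServer is in dbo.CertificateAuthority"
    } else {
        Write-Warning "FAIL  CA not found in dbo.CertificateAuthority ($($rows.Count) row(s) present). Check the Exit Module connection string and DC1's SQL permissions, then restart the CA."
        $failed++
    }

    # 3. The CA's computer account has a server login mapped into this database.
    #    Parameterized so the login name is never spliced into the SQL text.
    $cmd.CommandText = @"
SELECT COUNT(*)
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.name = @login
"@
    $cmd.Parameters.AddWithValue('@login', $CaComputerLogin) | Out-Null
    $count = [int]$cmd.ExecuteScalar()
    if ($count -gt 0) {
        Write-Host "OK    $CaComputerLogin has a login mapped into FIMCertificateManagement"
    } else {
        Write-Warning "WARN  no direct login/user found for $CaComputerLogin (access may have been granted through a group)"
        $failed++
    }
}
finally {
    $conn.Close()
}

if ($failed -eq 0) { Write-Host 'All verification checks passed.' }
else               { Write-Warning "$failed check(s) need attention." }
```

The script connects with the same connection string the Exit Module uses, but as the interactive administrator rather than as DC1$; a successful query here therefore proves the string is well formed and the database reachable, while the row in dbo.CertificateAuthority is what proves the CA itself could write to it.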

Obtain a certificate for the Administrator

In this last step we will verify that the Administrator is able to obtain a certificate using FIM CM.

To obtain a certificate for the Administrator

1. Click Start, click All Programs, and then click Internet Explorer (64-bit).
2. In Internet Explorer, in the address bar at the top, enter https://fimcm1/certificatemanagement and press Enter. This should bring up the Forefront Identity Manager 2010 page. Click on click to enter. This will bring you to the main FIM CM page. This may take a moment.

FIM CM Home Page

3. Toward the top, on the left, click Manage my info.
4. Under Common Tasks click Request a new set of certificates. This will take a moment and bring up the Enrollment Request Initiation screen.

Request a new set of certificates

5. On the Enrollment Request Initiation screen, in the box under Sample Data Item enter Sample Data Item. Click Next.

Enrollment Request Initiation

6. This will bring up a box that says This Web site is attempting to perform a digital certificate operation on your behalf. Click Yes.

Web Access Confirmation

7. This will bring up another box with the same message. Click Yes. This will take a moment as the request is processed.
8. This will bring up a third box with the same message. Click Yes.

Each of these prompts is Internet Explorer asking whether the page may generate a key pair and install a certificate in your personal certificate store. Accept them here because you initiated the request on the FIM CM portal; the same prompt from a site you did not expect should be declined.

9. At this point, you should see the Installing Certificates screen and there should be a check under Success.

Installing Certificates

10. Close Internet Explorer.
