Tech Ed North America 2010 3/31/2017 9:47 PM Required Slide SESSION CODE: SIA307 Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management Identity and Access Management: Notes from the Field: Microsoft IT's FIM 2010 Certificate Management Deployment Brian Komar President IdentIT Inc. brian.komar@identit.ca Craig Carlston SE System Analyst Microsoft Corporation © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda The Microsoft PKI Architecture Legacy Smart Card Architecture Legacy Smart Card Management System Details Benefits of Moving to FIM 2010 Certificate Management Migration Plan to FIM CM The Pain Points of the Migration

The Microsoft PKI Architecture

Microsoft PKI Nine production forests Mix of server Operating Systems Combination of internal and external trust Centralized CA management Multiple certificate types Cross-forest Enrollment where supported

Internal Trust Architecture

External Trust Architecture

Legacy Smart Card Architecture

Smart Cards, Readers, and Middleware Custom built hybrid cards Photo ID Indala RFID Cards for Building Access Gemalto smart card chip 128K .NET v2 cards (current standard) Legacy cards (all Base CSP cards) Middleware Microsoft Base Smart Card Crypto Provider Mini-drivers specific to actual cards used Smart Card Readers Built-in readers in our laptops If no built-in readers: Omnikey Gemalto

Smart Card Issuance Tools Smart Card Architecture Smart Card Issuance Tools Lenel Printing RFID management Smart Card Manager v2 MS Internal Solution Smart Card Management = Smartcard Deployment Application (SDA) PIN Management = PIN Tool v2 Custom smart card admin PIN diversification solution

Support Resources Distributed Issuance Offices (DIOs) Helpdesk Smart Card Architecture Support Resources Distributed Issuance Offices (DIOs) Helpdesk Client Certificate Services Team

Legacy Smart Card Management System Details

Smart Card Management Today Approximately 100,000 active cards Average 1,000 new cards a month Average processing time – 10 minutes

Challenges With Original Deployment in 2000 Mobile devices, Macintosh, and UNIX platforms not compatible with smart card EAP/TLS authentication Smart card distribution process was resource intensive Managing policy and client groups is complex Client software version control Limited reporting

Lessons Learned Immature smart card administrative tools Secure registration authority for issuance and renewal, if certificates expire users must visit DIO Remote client troubleshooting Delegation of administration Distributed functions without distributed trust

Benefits of Moving to FIM 2010 Certificate Management

Benefits of FIM CM Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA) Improved overall process workflow New Card Enroll Lost Card Replace Card Retire Certificate Renewal Detailed auditing and reporting Support for extended self-service scenarios PIN unblocks with user’s credentials Integration with Active Directory and PKI Does not perform an “RFC-Based” renewal – Allows renewals after certificate expiration

Chance to Review/Revise Corporate Policies to Profile Template Policies Certificate Policy Certification Practice Statement Security Policy Enrollment Enroll Unblock Management Policies Management policies must enforce security policies and certificate policies

Migration Plan to FIM CM

Migration Plan to FIM CM Goals Minimize User Impact Minimize Costs Maintain same level of security

Migration Plan to FIM CM A FIM CM instance per forest Custom PIN Tool Required for smart card-only PIN unblock scenario for elevated access accounts Allows offline unblock Used as a sole method for Internet PIN unblock Previously archived S/MIME encryption certificates imported to FIM CM for continued use

FIM CM Architecture at Microsoft

Profile Templates Smart Card Logon and RAS Most email enabled primary user accounts Smart Card Logon, RAS, and Data Protection Email enabled primary accounts with S/MIME Smart Card Logon No RAS Alternate Accounts for elevated access

Normal User Account Enrollment Workflow FIM and Manual FIM CM Portal User has existing smartcard? Enrollment Process takes place Certificates loaded on smart card PIN is randomized Admin Key is diversified by custom Admin Key Diversifier application User moves to Unblock workflow to use card No User visits DIO and smart card printed in Lenel Yes User Sent email sending link to FIM CM portal and instructions on self-service enrollment User added to MS-Smartcard-LogonOnly Or MS-Smartcard-LogonandEncrypt (FIM 2010 will ensure user only a member of one group) Admin Accounts require face-to-face issuance at DIO

User added to MS-Smartcard-UnblockEnabled group Unblock Workflow FIM and Manual Custom PIN tool Has User been Vetted? Card Ready for Use Admin Key retrieved from FIM CM database and re-set using Admin Key Generator No User must meet face-to-face to meet CP-defined assurance level requirements User initiates: Online Unblock if on corporate network Offline Unblock if network connectivity not possible Yes User added to MS-Smartcard-UnblockEnabled group User opens PIN Tool Admin Accounts require face-to-face issuance at DIO

Tech Ed North America 2010 Craig Carlston SE Systems Analyst Microsoft 3/31/2017 9:47 PM Custom PIN Tool Craig Carlston SE Systems Analyst Microsoft DEMO © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Normal User Account Replacement Workflow FIM and Manual FIM CM Portal User visits DIO and replacement smart card printed in Lenel Encryption Certificates: Previous encryption certificates recovered External Certificates re-populated New encryption certificate issued User moves to Unblock workflow to use card DIO employee validates picture on smart card with person receiving replacement smart card New Smart Card Logon certificate issued User connects to FIM CM portal Card distributed to user Admin Accounts require face-to-face issuance at DIO

Pain Points of the FIM 2010 CM Migration

5. FIM 2010 CM Cannot Cross Forest Boundaries FIM 2010 CM is designed for single forest deployments Microsoft has multiple forests If smart cards are deployed in a forest: Required a FIM 2010 CM instance Required a CA be available for certificate issuance in the forest Impacted ability to leverage cross forest enrollment to reduce CAs

4. Could Not Protect the clmAgent Certificate with an HSM Security policy requires that Admin Key diversification process use an HSM HSM needed to protect the clmAgent certificate Found an issue with the HSM vendor that did not allow use of AES encryption with clmAgent certificate. Acceptable solution allowed HSM protection but dropped down to three distinct key 3DES protection

3. Migrating Encryption Certificates to FIM CM Smart Card Logon, RAS, and Data Protection profile template required migration of previous S/MIME encryption certificates CLMUtil used to import encryption certificates into FIM CM database and CA database Required a new S/MIME CA to import the certificates to Required a custom tool to automate the import process Previous encryption certificates Were revoked at the CA Imported as External certificates into the FIM CM database Profile template configured to allow a designated number of external certificates Enrollment/Replace process includes recovery of external encryption certificates onto the smart card

2. Restrictions Cannot be Imposed Across Profile Templates Microsoft wishes to ensure that a user account only has a single smart card logon certificate Easy to do within a single profile template Cannot be done across profile templates Solution is to use FIM provisioning to ensure that a user account can only exist in one of two security groups Each security group is assigned Read and FIM CM Enroll permissions against the designated profile template A user can move from the non-encryption certificate profile template to the encryption certificate include profile template…. Not the other way Migration to encryption certificate requires retiring the previous smart card for redeployment

1. Configuring Client Settings Across IE Versions Three different versions of Internet Explorer are deployed on MS computers IE 6.0 and IE 8.0 require that the FIM CM portal hostname be in the SiteLock registry key IE 7 requires that the FIM CM portal hostname be in the SiteLock registry key and the URL be included in Trusted Sites FIM CM client software must be automatically deployed to the masses Solution involved a custom script that Detects the IE version and forest Runs the FIM CM Client installer package with options to designate the correct settings required for the IE version and forest

Deploying the FIM CM Client Software Tech Ed North America 2010 3/31/2017 9:47 PM Deploying the FIM CM Client Software Craig Carlston SE Systems Analyst Microsoft DEMO © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Announcing Deploying FIM 2010 CM with Thales HSMs Tech Ed North America 2010 3/31/2017 9:47 PM Announcing Deploying FIM 2010 CM with Thales HSMs http://iss.thalesgroup.com/en/l/program/FIM-eBook.aspx ANNOUNCING © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

INFRASTRUCTURE PLANNING AND DESIGN (IPD) GUIDE Microsoft Forefront Identity Manager 2010 What are IPD Guides? Guidance & best practices for infrastructure planning of Microsoft technologies Forefront Identity Manager 2010 Guide Benefits Helps the architect to define the project scope by quickly assessing which specific identity management functionality the business needs, and for what resources Based on the scope, identifies the FIM infrastructure components required to achieve the project goals Determines the sizing, placement, and fault tolerance configuration of the FIM services, portals, and databases “At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this.” It’s a free download! Go to www.microsoft.com/ipd Check out the entire IPD series for streamlined IT infrastructure planning Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services

Conclusions FIM CM will enhance the management of MS IT’s smart card deployment FIM CM gives MS IT a chance to review all smart card and PKI related policies Despite pain points, a customized solution can be developed to work for a large organization such as Microsoft Allows future flexibility as requirements change Adding certificate templates to deployment is easy Changing work flows is possible if requirements change

Required Slide Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session. Tech Ed North America 2010 3/31/2017 9:47 PM Related Content SIA321 |Business Ready Security: Exploring the Identity and Access Management Solution SIA201 |Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0 SIA303|Identity and Access Management: Windows Identity Foundation and Windows Azure SIA304 | Identity and Access Management: Windows Identity Foundation Overview  SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT  SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM SIA319 | Microsoft Forefront Identity Manager 2010: In Production SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0 SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager SIA06-INT | Identity and Access Management Solution Demos SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Track Resources Learn more about our solutions: Try our products: http://www.microsoft.com/forefront Try our products: http://www.microsoft.com/forefront/trial

Resources Learning Required Slide www.microsoft.com/teched Tech Ed North America 2010 3/31/2017 9:47 PM Required Slide Resources Learning Sessions On-Demand & Community Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning Resources for IT Professionals Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Complete an evaluation on CommNet and enter to win! Tech Ed North America 2010 3/31/2017 9:47 PM Required Slide Complete an evaluation on CommNet and enter to win! © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st http://northamerica.msteched.com/registration   You can also register at the North America 2011 kiosk located at registration Join us in Atlanta next year

Tech Ed North America 2010 3/31/2017 9:47 PM © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Required Slide Tech Ed North America 2010 3/31/2017 9:47 PM © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.