
1 Tech Ed North America 2010
SESSION CODE: SIA307
Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management
Identity and Access Management: Notes from the Field: Microsoft IT's FIM 2010 Certificate Management Deployment
Brian Komar, President, IdentIT Inc.
Craig Carlston, SE System Analyst, Microsoft Corporation
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Agenda
- The Microsoft PKI Architecture
- Legacy Smart Card Architecture
- Legacy Smart Card Management System Details
- Benefits of Moving to FIM 2010 Certificate Management
- Migration Plan to FIM CM
- The Pain Points of the Migration

3 The Microsoft PKI Architecture

4 Microsoft PKI
- Nine production forests
- Mix of server operating systems
- Combination of internal and external trust
- Centralized CA management
- Multiple certificate types
- Cross-forest enrollment where supported

5 Internal Trust Architecture

6 External Trust Architecture

7 Legacy Smart Card Architecture

8 Smart Cards, Readers, and Middleware
- Custom-built hybrid cards: photo ID; Indala RFID cards for building access; Gemalto smart card chip
- 128K .NET v2 cards (current standard); legacy cards (all Base CSP cards)
- Middleware: Microsoft Base Smart Card Crypto Provider; mini-drivers specific to the actual cards used
- Smart card readers: built-in readers in our laptops; if no built-in reader: Omnikey, Gemalto

9 Smart Card Issuance Tools
- Lenel: printing, RFID management
- Smart Card Manager v2 (MS internal solution):
  - Smart card management = Smartcard Deployment Application (SDA)
  - PIN management = PIN Tool v2
  - Custom smart card admin PIN diversification solution

10 Support Resources
- Distributed Issuance Offices (DIOs)
- Helpdesk
- Client Certificate Services Team

11 Legacy Smart Card Management System Details

12 Smart Card Management Today
- Approximately 100,000 active cards
- Average 1,000 new cards a month
- Average processing time: 10 minutes

13 Challenges With Original Deployment in 2000
- Mobile devices, Macintosh, and UNIX platforms not compatible with smart card EAP/TLS authentication
- Smart card distribution process was resource intensive
- Managing policy and client groups is complex
- Client software version control
- Limited reporting

14 Lessons Learned
- Immature smart card administrative tools
- Secure registration authority for issuance and renewal; if certificates expire, users must visit a DIO
- Remote client troubleshooting
- Delegation of administration
- Distributed functions without distributed trust

15 Benefits of Moving to FIM 2010 Certificate Management

16 Benefits of FIM CM
- Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA)
- Improved overall process workflow: new card enroll, lost card, replace card, retire, certificate renewal
- Detailed auditing and reporting
- Support for extended self-service scenarios: PIN unblocks with the user's credentials
- Integration with Active Directory and PKI
- Does not perform an "RFC-based" renewal: allows renewals after certificate expiration

17 Chance to Review/Revise Corporate Policies to Profile Template Policies
- Certificate Policy
- Certification Practice Statement
- Security Policy
- Enrollment: Enroll, Unblock
- Management Policies: management policies must enforce security policies and certificate policies

18 Migration Plan to FIM CM

19 Migration Plan to FIM CM: Goals
- Minimize user impact
- Minimize costs
- Maintain the same level of security

20 Migration Plan to FIM CM
- A FIM CM instance per forest
- Custom PIN Tool:
  - Required for the smart card-only PIN unblock scenario for elevated access accounts
  - Allows offline unblock
  - Used as the sole method for Internet PIN unblock
- Previously archived S/MIME encryption certificates imported to FIM CM for continued use

21 FIM CM Architecture at Microsoft

22 Profile Templates
- Smart Card Logon and RAS: most enabled primary user accounts
- Smart Card Logon, RAS, and Data Protection: enabled primary accounts with S/MIME
- Smart Card Logon, no RAS: alternate accounts for elevated access

23 Normal User Account Enrollment Workflow (FIM and manual)
- User has an existing smart card?
  - No: user visits a DIO and the smart card is printed in Lenel
  - Yes: user is sent a link to the FIM CM portal and instructions on self-service enrollment
- User added to MS-Smartcard-LogonOnly or MS-Smartcard-LogonandEncrypt (FIM 2010 will ensure the user is a member of only one group)
- FIM CM portal: enrollment process takes place; certificates loaded on the smart card; PIN is randomized; Admin Key is diversified by the custom Admin Key Diversifier application
- User moves to the Unblock workflow to use the card
- Admin accounts require face-to-face issuance at a DIO

24 Unblock Workflow (FIM and manual)
- Has the user been vetted?
  - No: user must meet face-to-face to meet CP-defined assurance level requirements
  - Yes: user added to the MS-Smartcard-UnblockEnabled group
- User opens the PIN Tool and initiates: online unblock if on the corporate network; offline unblock if network connectivity is not possible
- Custom PIN Tool: Admin Key retrieved from the FIM CM database and re-set using the Admin Key Generator
- Card ready for use
- Admin accounts require face-to-face issuance at a DIO

25 DEMO: Custom PIN Tool
Craig Carlston, SE Systems Analyst, Microsoft

26 Normal User Account Replacement Workflow (FIM and manual)
- User visits a DIO and a replacement smart card is printed in Lenel
- DIO employee validates the picture on the smart card against the person receiving the replacement smart card
- User connects to the FIM CM portal
- New Smart Card Logon certificate issued
- Encryption certificates: previous encryption certificates recovered; external certificates re-populated; new encryption certificate issued
- Card distributed to the user
- User moves to the Unblock workflow to use the card
- Admin accounts require face-to-face issuance at a DIO

27 Pain Points of the FIM 2010 CM Migration

28 5. FIM 2010 CM Cannot Cross Forest Boundaries
- FIM 2010 CM is designed for single-forest deployments; Microsoft has multiple forests
- If smart cards are deployed in a forest:
  - Required a FIM 2010 CM instance
  - Required a CA to be available for certificate issuance in the forest
  - Impacted the ability to leverage cross-forest enrollment to reduce CAs

29 4. Could Not Protect the clmAgent Certificate with an HSM
- Security policy requires that the Admin Key diversification process use an HSM
- HSM needed to protect the clmAgent certificate
- Found an issue with the HSM vendor that did not allow use of AES encryption with the clmAgent certificate
- Acceptable solution allowed HSM protection but dropped down to three-distinct-key 3DES protection
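The Admin Key diversification that slides 23, 24 and 29 refer to (a card-unique admin key derived from a master secret, re-derivable by the unblock tool, with a three-key 3DES fallback where AES was unavailable) can be illustrated with a short script. The following is an added example and is not Microsoft IT's Admin Key Diversifier or Admin Key Generator: the HMAC-SHA256 derivation, the function names, and the 32-byte master key are assumptions, and the master key is a constructed in-memory stand-in for the HSM-protected key the slide's policy requires.

```powershell
# Added example, not Microsoft IT's Admin Key Diversifier: derive a per-card
# admin key from a master key and the card serial number with HMAC-SHA256.
# $MasterKey is a constructed stand-in for the HSM-protected master key; in
# production the HMAC would be computed inside the HSM.

function Set-OddParity {
    # DES/3DES keys reserve the low bit of each byte as an odd-parity bit.
    param([byte[]]$Key)
    $out = New-Object byte[] ($Key.Length)
    for ($i = 0; $i -lt $Key.Length; $i++) {
        $b = $Key[$i] -band 0xFE                 # clear the parity bit
        $ones = 0; $t = $b
        while ($t -ne 0) { $ones += ($t -band 1); $t = $t -shr 1 }
        if ($ones % 2 -eq 0) { $b = $b -bor 1 }  # make the bit count odd
        $out[$i] = [byte]$b
    }
    return ,$out
}

function Get-DiversifiedAdminKey {
    param(
        [Parameter(Mandatory)][byte[]]$MasterKey,
        [Parameter(Mandatory)][string]$CardSerial,
        [ValidateSet('3DES','AES')][string]$Algorithm = '3DES'
    )
    # HMAC(master, serial): every card gets an unrelated key, so one card's
    # admin key reveals nothing about another card's key or the master key.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$MasterKey)
    try     { $digest = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($CardSerial)) }
    finally { $hmac.Dispose() }

    switch ($Algorithm) {
        'AES'  { return ,[byte[]]$digest[0..15] }   # AES-128 key
        '3DES' {
            # Three distinct 8-byte components (24 bytes), matching the
            # three-key 3DES fallback described on the slide.
            $key = Set-OddParity ([byte[]]$digest[0..23])
            $k1 = [Convert]::ToBase64String([byte[]]$key[0..7])
            $k2 = [Convert]::ToBase64String([byte[]]$key[8..15])
            $k3 = [Convert]::ToBase64String([byte[]]$key[16..23])
            if ($k1 -eq $k2 -or $k2 -eq $k3 -or $k1 -eq $k3) {
                throw "Derived 3DES components are not distinct for serial $CardSerial"
            }
            return ,$key
        }
    }
}

# Constructed sample: a 32-byte master key and two card serial numbers.
$master = [byte[]](1..32)
$cardA  = Get-DiversifiedAdminKey -MasterKey $master -CardSerial 'CARD-0001'
$cardB  = Get-DiversifiedAdminKey -MasterKey $master -CardSerial 'CARD-0002'
'{0} -> {1}' -f 'CARD-0001', [BitConverter]::ToString($cardA)
'{0} -> {1}' -f 'CARD-0002', [BitConverter]::ToString($cardB)
# Re-deriving for the same serial reproduces the same key, which is what lets
# an unblock tool re-set a card's admin key without storing a secret per card.
```

The point of the scheme is that only the master key needs HSM protection; the card serial is public, and the per-card key is recomputed on demand rather than stored. The parity pass is only there for 3DES implementations that reject keys with bad parity bits; the AES branch needs no such fix-up.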

30 3. Migrating Encryption Certificates to FIM CM
- The Smart Card Logon, RAS, and Data Protection profile template required migration of previous S/MIME encryption certificates
- CLMUtil used to import encryption certificates into the FIM CM database and the CA database
  - Required a new S/MIME CA to import the certificates to
  - Required a custom tool to automate the import process
- Previous encryption certificates were revoked at the CA and imported as External certificates into the FIM CM database
- Profile template configured to allow a designated number of external certificates
- Enrollment/Replace process includes recovery of external encryption certificates onto the smart card

31 2. Restrictions Cannot Be Imposed Across Profile Templates
- Microsoft wishes to ensure that a user account has only a single smart card logon certificate
  - Easy to do within a single profile template
  - Cannot be done across profile templates
- Solution is to use FIM provisioning to ensure that a user account can exist in only one of two security groups
  - Each security group is assigned Read and FIM CM Enroll permissions against the designated profile template
- A user can move from the non-encryption certificate profile template to the encryption certificate profile template, not the other way
  - Migration to the encryption certificate requires retiring the previous smart card for redeployment
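Because FIM CM itself cannot enforce the one-certificate rule across profile templates, the invariant lives in group membership, and that is something a defender can audit independently of provisioning. The following is an added example, not Microsoft IT's FIM provisioning rules: it checks that no account is in both profile-template groups and encodes the one-way move the slide describes. The group names come from the slides; the membership data at the bottom is constructed, and the ActiveDirectory module (RSAT) is assumed for the live query only.

```powershell
# Added example, not Microsoft IT's FIM provisioning: audit the "exactly one
# profile-template group" invariant and the allowed direction of moves.
# Group names are those on the slides; the live query assumes the
# ActiveDirectory module (RSAT) on a domain-joined machine.

$LogonOnlyGroup    = 'MS-Smartcard-LogonOnly'
$LogonEncryptGroup = 'MS-Smartcard-LogonandEncrypt'

function Find-DualProfileMembers {
    # Pure comparison so it can be exercised with constructed data.
    param([string[]]$LogonOnlyMembers = @(), [string[]]$LogonEncryptMembers = @())
    $lookup = @{}
    foreach ($dn in $LogonOnlyMembers) { $lookup[$dn] = $true }
    # An account in both groups holds FIM CM Enroll rights on two profile
    # templates and could end up with two smart card logon certificates.
    return @($LogonEncryptMembers | Where-Object { $lookup.ContainsKey($_) })
}

function Test-ProfileTemplateMove {
    # Only LogonOnly -> LogonandEncrypt is permitted; the reverse is not,
    # and the forward move still requires retiring the old card.
    param([string]$From, [string]$To)
    return ($From -eq $LogonOnlyGroup -and $To -eq $LogonEncryptGroup)
}

function Get-DualProfileMembersFromAD {
    # Live variant: same check against the real groups (recursive membership).
    Import-Module ActiveDirectory
    $only = @(Get-ADGroupMember -Identity $LogonOnlyGroup -Recursive |
              Select-Object -ExpandProperty DistinguishedName)
    $enc  = @(Get-ADGroupMember -Identity $LogonEncryptGroup -Recursive |
              Select-Object -ExpandProperty DistinguishedName)
    Find-DualProfileMembers -LogonOnlyMembers $only -LogonEncryptMembers $enc
}

# Constructed sample membership (not real accounts); bob is in both groups.
$only = @('CN=alice,OU=Users,DC=corp,DC=example',
          'CN=bob,OU=Users,DC=corp,DC=example')
$enc  = @('CN=bob,OU=Users,DC=corp,DC=example',
          'CN=carol,OU=Users,DC=corp,DC=example')
$dual = Find-DualProfileMembers -LogonOnlyMembers $only -LogonEncryptMembers $enc
"Accounts in both groups: $($dual -join ', ')"
"LogonOnly -> LogonandEncrypt allowed: $(Test-ProfileTemplateMove $LogonOnlyGroup $LogonEncryptGroup)"
"LogonandEncrypt -> LogonOnly allowed: $(Test-ProfileTemplateMove $LogonEncryptGroup $LogonOnlyGroup)"
```

Running the live variant on a schedule gives an independent detective control: if provisioning ever lets an account into both groups, the report shows it before the second enrollment happens. The `-Recursive` switch matters because nested group membership would otherwise hide a dual membership.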

32 1. Configuring Client Settings Across IE Versions
- Three different versions of Internet Explorer are deployed on MS computers
  - IE 6.0 and IE 8.0 require that the FIM CM portal hostname be in the SiteLock registry key
  - IE 7 requires that the FIM CM portal hostname be in the SiteLock registry key and the URL be included in Trusted Sites
- FIM CM client software must be automatically deployed to the masses
- Solution involved a custom script that:
  - Detects the IE version and forest
  - Runs the FIM CM Client installer package with options to designate the correct settings required for the IE version and forest
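The detection-then-install sequence on this slide, written out as an added PowerShell example that is not Microsoft IT's deployment script. The IE version and forest detection use the standard Internet Explorer registry value and the computer's domain object; the forest-to-portal map, the MSI path and the SITELOCK_HOSTS installer property are placeholders, since the slide does not name the real FIM CM client MSI options. The Trusted Sites entry is written through the per-user ZoneMap registry keys that IE uses for its zone assignments.

```powershell
# Added example, not Microsoft IT's deployment script: pick FIM CM client
# settings for the local IE version and forest, run the installer, and add
# the Trusted Sites entry that IE 7 additionally needs.
# Placeholders: $portalByForest, the MSI/log paths and SITELOCK_HOSTS.

function Get-IEMajorVersion {
    # IE 6-9 record the version in 'Version'; IE 10+ use 'svcVersion'.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $v  = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [int]$v.Split('.')[0]
}

function Get-ClientForest {
    # Forest root DNS name of the domain this computer is joined to.
    return [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.Name
}

function Get-FimCmClientSettings {
    param([int]$IEMajor, [string]$Forest, [hashtable]$PortalByForest)
    if (-not $PortalByForest.ContainsKey($Forest)) {
        throw "No FIM CM portal registered for forest '$Forest'"
    }
    if ($IEMajor -notin 6, 7, 8) {
        Write-Warning "IE $IEMajor is not one of the three supported versions; applying IE 8 settings"
    }
    New-Object psobject -Property @{
        PortalHost       = $PortalByForest[$Forest]
        AddSiteLockEntry = $true               # IE 6, 7 and 8 all need the SiteLock entry
        AddTrustedSite   = ($IEMajor -eq 7)    # only IE 7 also needs Trusted Sites
    }
}

function Add-TrustedSite {
    # Places https://<host> in the Trusted Sites zone (zone 2) for the current
    # user. IE keys ZoneMap by registrable domain with the host part as a subkey.
    param([string]$HostName)
    $labels = $HostName.Split('.')
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $path   = if ($labels.Length -gt 2) {
        "$base\$domain\$(($labels[0..($labels.Length - 3)]) -join '.')"
    } else { "$base\$domain" }
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

function Install-FimCmClient {
    param([string]$MsiPath, [string]$LogPath, $Settings)
    # SITELOCK_HOSTS is a placeholder for the real client MSI property.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$LogPath`"",
                 "SITELOCK_HOSTS=$($Settings.PortalHost)")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec exited with code $($p.ExitCode)" }
    if ($Settings.AddTrustedSite) { Add-TrustedSite -HostName $Settings.PortalHost }
}

# Placeholder forest-to-portal map (one FIM CM instance per forest, as on slide 20).
$portalByForest = @{
    'corp.example'   = 'fimcm.corp.example'
    'extern.example' = 'fimcm.extern.example'
}
# Run on a domain-joined Windows client as an administrator.
$settings = Get-FimCmClientSettings -IEMajor (Get-IEMajorVersion) -Forest (Get-ClientForest) -PortalByForest $portalByForest
Install-FimCmClient -MsiPath 'C:\Deploy\FIMCMClient.msi' -LogPath 'C:\Deploy\fimcm-client.log' -Settings $settings
```

Keeping the decision in `Get-FimCmClientSettings` separate from the install step means the version-to-settings mapping can be reviewed and tested without touching a machine, and the verbose MSI log gives the helpdesk something to look at when a client fails to reach the portal after deployment.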

33 DEMO: Deploying the FIM CM Client Software
Craig Carlston, SE Systems Analyst, Microsoft

34 ANNOUNCING: Deploying FIM 2010 CM with Thales HSMs

35 Infrastructure Planning and Design (IPD) Guide: Microsoft Forefront Identity Manager 2010
- What are IPD Guides? Guidance and best practices for infrastructure planning of Microsoft technologies
- Forefront Identity Manager 2010 Guide benefits:
  - Helps the architect define the project scope by quickly assessing which specific identity management functionality the business needs, and for what resources
  - Based on the scope, identifies the FIM infrastructure components required to achieve the project goals
  - Determines the sizing, placement, and fault tolerance configuration of the FIM services, portals, and databases
- "At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this." (Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services)
- It's a free download! Check out the entire IPD series for streamlined IT infrastructure planning

36 Conclusions
- FIM CM will enhance the management of MS IT's smart card deployment
- FIM CM gives MS IT a chance to review all smart card and PKI-related policies
- Despite pain points, a customized solution can be developed to work for a large organization such as Microsoft
- Allows future flexibility as requirements change: adding certificate templates to the deployment is easy; changing workflows is possible if requirements change

37 Related Content
- SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
- SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
- SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
- SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
- SIA304 | Identity and Access Management: Windows Identity Foundation Overview
- SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
- SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
- SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
- SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
- SIA319 | Microsoft Forefront Identity Manager 2010: In Production
- SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
- SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
- SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
- SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
- SIA06-INT | Identity and Access Management Solution Demos
- SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
- SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
- Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
