FIM Server
Install FIM Certificate Management
Please see: the technet article for Forefront Identity Manager - Certificate Management
Prepare for FIM CM setup
1. Modify the Active Directory Schema: run D:\Certificate Management\x64\Schema\ModifySchema.vbs
2. servermanagercmd -i net-framework web-server web-asp-net
3. Create a User template for FIM CM agent:
- AD CS > Certificate templates
- Duplicate the template "User" > Windows 2008 server template type to "UserFIMAgent"
- Subject Name: Uncheck "Email name", and "Include e-mail in subject name"
4. Allow the PKI to issue following templates:
- Key Recovery Agent
- UserFIMAgent
- Enrollment Agent
5. Publish the SPNs in AD:
setspn -A HTTP/fim-dc fim-dc
setspn -A HTTP/fim-dc.contoso.com fim-dc
Run the FIM CM setup
- Virtual Folder: CertificateManagement
Configure FIM CM
- Run the Certificate Management Configuration Wizard
- SQL: FIM-SHAREPOINT\FIMINSTANCE
- templates: UserFIM
FIM client
Install the Forefront Identity Manager CM Client
FIM Websites: fim-dc.contoso.com;fim-dc
Configuration
AD DS:
Create FIM User groups
- FIMcmAdministrators: cyrilv ; administrator
- FIMcmCertMgrs: FIMcmAdministrators ; pascals
- FIMcmUsers: FIMcmCertMgrs ; fabiend ; youssefz
1. SCP permissions
- View > Advanced Features
- contoso.com > System > Microsoft > Certificate Lifecycle Manager > FIM-DC
- grant FIMcmUsers: Read
- grant FIMcmCertMgrs: CLM Audit and CLM Request Enroll
2. Users and groups permissions
- FIMcmUsers:
- grant FIM CM Request Enroll for SELF and for FIMcmCertMgrs
3. Policy template permissions
- create a new Smart card template: Contoso FIM smart card policy template
- grant FIMcmUsers and FIMcmCertMgrs the permission to Enroll on "Contoso FIM smart card policy template"
4. PKI templates:
- grant FIMcmUsers READ and ENROLL rights on the templates issued by the Contoso FIM smart card policy template
Contoso smart card profile template
- http://fim-dc/certificatemanagement/ as CONTOSO\Administrator
- Administration > Manage profile templates
- duplicate the FIM default smart card template
- Enroll policy: grant FIMcmUsers the Workflow initiate request right
- choose the Certificate templates to enroll
- for each of them: grant FIMcmUsers the right to Enroll on AD CS > Certificate Templates
FIM CM is only supported on Windows Server 2003 or 2008 Enterprise (at least for now)
The Card Management functionality of FIM is only able to run on Windows Server 2003 or Windows Server 2008 computers, not on Windows Server 2008 R2 (at least in this RC1 version).
FIM CM configuration error: cannot impersonate a user
You have to set the UserFIM template to be less restrictive:
- remove email
Base CSP smart card self-service control is not installed
When loading the FIM CM http://fim-dc.contoso.com/CertificateManagement/ it shows a .NET SQL Connection timeout
Check that the SQL SPN is correctly registered:
setspn -l Contoso\SQLsvc
if no result is present, then type:
setspn -a MSSQLSvc/fim-sharepoint:1433 Contoso\SQLsvc
setspn -a MSSQLSvc/fim-sharepoint.contoso.com:1433 Contoso\SQLsvc
If the MS SQL SPN is already registered, then increase the timeout:
- Server Manager > AD CS > Right-click the CA > Properties > Exit Module > FIM CM Exit Module > Properties
- increase the Connect Timeout
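The SPN check above, scripted as an added example (not part of the original notes): it lists the SPNs on the SQL service account, adds the missing MSSQLSvc SPNs with the duplicate-checking form of setspn, and refuses to add one that another account already holds. The account, host, domain and port values are the lab values from these notes and are assumptions.

```powershell
# Added example, not from the original notes: verify the SQL Server SPNs that
# FIM CM's Kerberos connection to SQL depends on, and register any that are missing.
# Assumed lab values from the notes: Contoso\SQLsvc, host fim-sharepoint in
# contoso.com, port 1433. Run on a domain-joined machine as a user allowed to
# write servicePrincipalName on the SQL service account.
param(
    [string]$SqlAccount = 'Contoso\SQLsvc',
    [string]$SqlHost    = 'fim-sharepoint',
    [string]$DnsDomain  = 'contoso.com',
    [int]   $Port       = 1433
)

# SQL Server's Kerberos service class is MSSQLSvc. Clients build the SPN from the
# host name they connected with, so both the short and the FQDN form are needed.
$expected = @(
    "MSSQLSvc/${SqlHost}:$Port",
    "MSSQLSvc/${SqlHost}.${DnsDomain}:$Port"
)

# SPNs currently registered on the account: setspn -L prints one per line, indented.
$registered = setspn -L $SqlAccount |
    Where-Object { $_ -match '^\s+\S' } |
    ForEach-Object { $_.Trim() }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Host "OK        $spn is registered on $SqlAccount"
        continue
    }
    # setspn -Q reports the DN of any account that already holds this SPN. A
    # duplicate SPN leaves the KDC unable to choose a key, so Kerberos falls back
    # to NTLM or fails outright; fix the duplicate rather than adding a second copy.
    $owner = setspn -Q $spn | Where-Object { $_ -match '^CN=' }
    if ($owner) {
        Write-Warning "DUPLICATE $spn is already registered on: $owner"
        continue
    }
    # -S is the duplicate-checking form of the -a used in the notes.
    Write-Host "ADDING    $spn -> $SqlAccount"
    setspn -S $spn $SqlAccount | Out-Null
}

# Forest-wide duplicate SPN check; it should report no duplicates when done.
setspn -X
```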