Tuesday, October 27, 2009

FIM 2010 CM - configuration

Installation



FIM Server

Install FIM Certificate Management

Please see: the technet article for Forefront Identity Manager - Certificate Management

Prepare for FIM CM setup
1. Modify the Active Directory Schema: Run D:\Certificate Management\x64\Schema\ModifySchema.vbs
2. servermanagercmd -i net-framework web-server web-asp-net
3. Create a User template for FIM CM agent:
- AD CS > Certificate templates
- Duplicate the template "User" > Windows 2008 server template type to "UserFIMAgent"
- Subject Name: Uncheck "Email name", and "Include e-mail in subject name"
4. Allow the PKI to issue following templates:
- Key Recovery Agent
- UserFIMAgent
- Enrollment Agent
5. Publish the spn in the AD:
setspn -A HTTP/fim-dc fim-dc
setspn -A HTTP/fim-dc.contoso.com fim-dc



Run the FIM CM setup

- Virtual Folder: CertificateManagement


Configure FIM CM

- Run Certificate Management config Wizard-
- SQL: FIM-SHAREPOINT\FIMINSTANCE
- templates: UserFIM


Fim client

Install the Forefront Identity Manager CM Client
FIM Websites: fim-dc.contoso.com;fim-dc


Configuration




AD DS:



Create FIM User groups
- FIMcmAdministrators: cyrilv ; administrator
- FIMcmCertMgrs: FIMcmAdministrators ; pascals
- FIMcmUsers: FIMcmCertMgrs ; fabiend ; youssefz



1. SCP permissions
- View > Advanced Features
- contoso.com > System > Microsoft > Certificate Lifecycle Manager > FIM-DC
- grant FIMcmUsers: Read
- grant FIMcertMgrs : CLM Audit and CLM Request Enroll

2. Users and groups permissions
- FIMcmUsers:
- grant FIM CM Request Enroll for SELF and for FIMcmCertMgrs

3. Policy template permissions
- create a new Smart card template: Contoso FIM smart card policy template
- grant FIMcmUsers and FIMcmCertMgrs the permission to Enroll on "Contoso

4. PKI templates:
- grant FIMcmUsers READ and ENROLL rights on the templates issued in Contoso FIM smart card card policy template


Contoso smart card profile template

- http://fim-dc/certificatemanagement/ as CONTOSO\Administrator
- Administration > Manage profile templates
- duplicate the FIM default smart card template
- Enroll policy: grant FIMcmUsers the Workflow initiate request right
- choose the Certificate templates to enroll
- foreach of them: grant FIMcmUsers the right to Enroll on ADCS> Certificates Templates





FIM CM is only supported on Windows Server 2003 or 2008 enterprise (at least for now)

The Card Management functionnality of FIM is only able to run on Windows Server 2003 or Server 2008 computers, not on Windows Server 2008 R2 - at least on this RC1 version-.


FIM CM configuration error: cannot impersonate a user
You have to set the UserFIM template to be less restrictive:
- remove email


Base CSP smart card self-service control is not installed




When loading the FIM CM http://fim-dc.contoso.com/CertificateManagement/ it shows a .NET SQL Connection timeout
Check that the SQL spn is correctly registred:
setspn -l Contoso\SQLsvc
if no result is present, then type:
setspn -a MSSQL/fim-sharepoint:1433 Contoso\SQLsvc
setspn -a MSSQL/fim-sharepoint.contoso.com:1433 Contoso\SQLsvc

If the MS SQL spn is alreday registred, then increase the timeout:
- Server Manager > AD CS > Right clic on CA > propreties > Exit Module > Fim CM Exit Module > Proprieties
- increase the Connect Timeout

Exchange 2010: Allow SMTP relaying

Some old fashioned programs require to send mail without any form of authentication.
I will show you how to set up a SMTP relay with Exchange 2010 for all mail coming from a specific host.

Topology:
- fim-dc: 192.168.6.1
- fim-exchange: 192.168.6.100 (Exchange 2010 installed)

We want to allow all mail sent from fim-dc to be accepted like any other "normal" mail.

Here are the steps to achieve this goal:

- launch the Exchange management console

- in the Server Configuration > Hub Transport, create a new Receive connector


- give the receive connector a name:


- if you want to do any ip filtering on the receiving interface, fill the correct ip (here we would only allow mail to be received on the 192.168.6.100 ip)


- define the remote ip from where we want to relay all SMTP traffic (in our case: 192.168.6.1)


- then click on "New", a powershell command is run. The receive connector is now created.


- we now have to disable all authentication on that receive connector: Right click on its name > propreties > Authentication, and then uncheck all the boxes.


- then we have to grant the Anonymous users the right to connect, in order to send mail to the transport hub.


- done!

Now any mail coming from 192.168.6.1 to 192.168.6.100 will be relayed using SMTP relaying in Exchange 2010!

Thursday, October 22, 2009

List permissions on Active Directory objects

Here is a common need:
" List the permissions for a specific user / security group on a specific Active Directory object. "

You probably already know the dsacls command.
But let us face it: it is too much verbose and hard to filter.

Powershell is the key, once more.
On the Indeted! blog, the author explains us its Get-DsAcl powershell implementation.

Here is an example to display the FIMcmCertmgrs rights on the objects named FIMcmUsers : (which in our case is a security group):


Get-DSAcl -searchRoot "DC=contoso,DC=com" -LdapFilter "(name=FIMcmUsers)" select-string FIMcmCertmgrs

Output:

Monday, October 19, 2009

Microsoft SQL Server: usefull TCP and UDP ports

If you would have to open only 2 ports in your firewall for Microsoft SQL Server to work, it would be:

- inbound TCP 1433: Authenticated SQL inbound connections
- inbound UDP 1434: Unauthenticated server browser queries

For more information, please check Configure the Firewall to allow SQL Server access article on Technet.

Saturday, October 17, 2009

VB RAP test : Forefront Protection engine is improving!

Virus Bulletin, the reference for comparing antivirus solutions, just released its latest VB RAP test results from Apr.09 to Oct. 09.

Microsoft Forefront engine is performing each time better. Comparing to the last RAP test, Forefront engine was
- Proactive detection: 3rd on 37 selected ones and is now 2nd on 38 ones!
- Reactive detection: 13th on 37 selected ones and is now 9th on 38 ones!


Remind that Microsoft Forefront engine is used in several products of Microsoft Forefront Protection Suite:
- Forefront EndPoint Protection 2010
- Forefront Protection 2010 for Exchange servers
- Forefront Protection 2010 for Sharepoint

For more details, check Microsoft Forefront official website

Ensimag - partner network day - presenting my Microsoft internship in IT Security

The Grenoble INP Ensimag's Partner network day happened on the last thursday October 15th 2009.

I described my final project at Microsoft about Forefront Protection Suite and Forefront Identity Manager to some Ensimag students interested in IT Security.
Feel free to download this overview of Fabien Duchene's Final Study Project at Microsoft(french).

Microsoft has many offers for computer science students.
Please check the Microsoft France internships website and the Microsoft careers website.

Tuesday, October 13, 2009

Exchange 2010 RC1 on Windows 2008 R2: error 2147504141

13/10/2009 - UPDATE: on Exchange 2010 RTM, this problem was solved.

As you probably know, Exchange 2007 refused to install if we disabled IPv6. Well Exchange 2010 RC1 did refuse to install if I did not disable it! Argh!

I encountered the error "The execution of: “$error.Clear(); install-ExsetdataAtom -AtomName SMTP -DomainController $RoleDomainController”, generated the following error: “An error occurred with error code ‘2147504141′ and message ‘The property cannot be found in the cache.’.”

The most relevant topic on that 2147504141 Exchange 2010 RC1 setup error is on technet.


Solution: The trick is that you HAVE to disable IPv6 BEFORE starting any Exchange 2010 RC1 setup. This is a known KB952842. Hopefully with virtualization, it is now easier to take a snapshot before starting anything critical.

The answer came from an italian guy's blog post: An error occurred with error code ‘2147504141′

Friday, October 9, 2009

Forefront Identity Manager 2010 RC1 platform

These last few days I have been busy configuring my Forefront Identity Manager 2010 RC1 demonstration platform.



Forefront Identity Manager

FIM, formerly know as "ILM 2" is the Microsoft solution for managing identity in a corporate. FIM 2010 provides IT administrators the ability to delegate administration and creating workflows for common administrative tasks. In addition, FIM 2010 gives to end-users the ability to manage their own identity without the need to call IT service.



Topology

A picture is more efficient than a long speech:





Software

Here are the software requirements for a FIM 2010 architecture:
- Windows 2008 (standard for FIM Service and Portal, Password Synchronization, and enterprise for Certificate Management)
- Active Directory Domain (at least 2003)
- a PKI
- IIS 6.0
- Sharepoint 2007
- Exchange 2007
- SQL Server 2008

And the software I used :
- Windows 2008 R2 standard and 2008 enterprise
- Active Directory Domain Services
- Active Directory Certificate Services
- IIS 7.0
- Sharepoint 2007 SP2
- Exchange 2010 RC1
- SQL Server 2008 SP1
- Forefront Identity Manager 2010 RC1






Steps

FIM Server:



Install Windows 2008 Enterprise


Install Active Directory Domain Services AD DS


Install Active Directory Certificate Services AD CS
Configure PKI so that all servers autoenroll the website and computer certificate templates.


FIM Exchange:

Install Windows 2008 R2
Exchange 2010 pre-requesites
Please have a look at Exchange 2010 RC1/RTM Software Pre-requisites

Install Exchange 2010 RTM
Setup a receive connector allowing SMTP relaying from FIM-DC
Please see How to allow SMTP relaying in Exchange


FIM Sharepoint
Please see the Technet FIM Installation Guide




Install Windows 2008 R2


Sharepoint 2010 requirements
.Net Framework 3.5.1




Install SQL Server 2008 + SP1


- one instance for FIM with Full-Text search enabled: FIMINSTANCE
- one instance for Sharepoint with FTS: MOSSINSTANCE
- after these installs, apply SP1

Install Sharepoint 2007 SP2
- Database server: FIM-SHAREPOINT\MOSSINSTANCE
- User: CONTOSO\SqlUser
- Create a default site collection
- create a default site in that collection


Final steps

- Install and configure Forefront Identity Manager 2010 RC1 Certificate Management



Major experienced problems

Sharepoint Server 2007: Service Pack 2 needed for Windows 2008 R2
Everything is explained on the Sharepoint blog: Install Microsoft Office Sharepoint Server 2007 on Windows Server 2008 R2

Exchange 2010 RC1 on Windows 2008 R2
When I used the RC1 of Exchange 2010, I had some problems. Please see my post on Exchange 2010 RC1 on Windows 2008 R2: error 2147504141 .
Please note that with Exchange 2010 RTM, everything went fine.