Microsoft Certificate Life Cycle Manager 2007
MICROSOFT ILM 2017
AMMAR HASAYEN
AMMARHASAYEN@OUTLOOK.COM | ammarhasayen.com/blog
Table of Contents
1 Certificate Templates ..............................................................................................3
1.1 CONTOSO SM Encryption Class 1 V1 .....................................................................3
1.2 CONTOSO SM Signing Class II V1..........................................................................6
2 Pre-CLM Installation ................................................................................................9
2.1 Hardware and setup................................................................................................9
2.2 Modify AD Schema .................................................................................................9
2.3 Enable the default KeyRecoveryAgent certificate template .............................9
2.4 Create AD Accounts for CLM.................................................................................10
3 CLM Installation (Same server as CA)..............................................................10
3.1 Installation Walk Through ......................................................................................10
3.2 Configuring CLM 2007 Using the CLM Configuration Wizard ...................................12
3.3 CLM IIS Site needs SSL Certificate........................................................................15
4 Post Installation Tasks .........................................................................................16
4.1 Export the CLM Users certificates ..........................................................................16
4.2 Configuring the Certificate Lifecycle Manager 2007 Service.....................................16
4.3 Configure the CLM policy module ..........................................................................17
4.4 Configure the CLM Exit module .............................................................................18
4.5 Configure additional policy modules .......................................................................18
4.6 Create CLM Users and Groups ..............................................................................19
4.7 CLM Site..............................................................................................................19
4.8 Understand CLM Rights and Permissions ..............................................................20
5 Configuring Profile Templates ...........................................................................23
5.1 Smart Card Profile Templates................................................................................23
6 Appendix ..................................................................................................................39
6.1 Appendix A : CONTOSO Encryption Class IS V1 ....................................................39
6.2 CONTOSO Signing/Authentication Class IIS V1 .....................................................44
6.3 CLM System users ...............................................................................................50
6.4 Installing and Configuring Certificate Lifecycle Manager 2007 Client ........................50
6.5 What will happen if................................................................................................52
1 Certificate Templates
1.1 CONTOSO SM Encryption Class 1 V1
This certificate template is used as follows:
• Smart Card Enrollment
• Encryption purposes (mainly Encrypted File System (EFS) and S/MIME)
• Application Policies:
o CONTOSO Encryption V1
o CONTOSO Smart Card V1
o CONTOSO S/MIME
o Encrypted File System
o Secure Email
• Issuance Policies:
o CONTOSO Encryption Class I V1
- HTTP://WWW.CONTOSO.COM/CPS/EC1V1.ASPX
- OID: 1.3.6.1.4.1.311.21.8.6743696.8165912.14631066.14816360.14281341.2
o CONTOSO Smart Cards V1
- HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
- OID: 1.3.6.1.4.1.311.21.8.6743696.8165912.14631066.14816360.14281341.2
Certificate Template Settings:
1. General Tab:
a. Name: CONTOSO Encryption Class IS V1 (Class IS stands for Class One with Smart Card issuing)
b. Validity Period: 5 years
c. Renewal period: 6 weeks
d. Publish Certificate in Active Directory: Enabled
e. Do not automatically re-enroll if a duplicate certificate exists in Active Directory: NOT enabled
2. Request Handling:
a. Purpose: Encryption
b. Archive subject's encryption private key: Enabled
c. Include symmetric algorithms allowed by the subject: Enabled
d. Minimum key size: 1024
e. Allow private key to be exported: Enabled
f. Enroll subject without requiring any user input: Enabled
g. CSP: Requests can use any CSP available on the subject's computer
3. Subject Name:
a. Built from Active Directory
b. Subject name format: Fully distinguished name
c. Include e-mail name in the subject name: Enabled
d. User Principal Name (UPN): Enabled
4. Extensions:
a. Application Policies:
i. CONTOSO Encryption V1
ii. CONTOSO Smart Card V1
iii. CONTOSO S/MIME
iv. Encrypted File System
v. Secure Email
b. Issuance Policies:
i. CONTOSO Encryption Class I V1
1. HTTP://WWW.CONTOSO.COM/CPS/EC1V1.ASPX
2. OID:
ii. CONTOSO Smart Cards V1
1. HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
2. OID:
c. Key Usage: Allow key exchange only with key encryption
d. Issuance Requirements: Un-check (disable) all settings in order for Microsoft CLM to work correctly.
1.2 CONTOSO SM Signing Class II V1
This certificate template is used as follows:
• Smart Card Enrollment
• Authentication/Signing purposes:
o Email Signing (Non-Repudiation)
o VPN Dial-in Access
o Wireless Security Access
o Smart Card Logon
o Web Authentication/Client Authentication
• Application Policies:
o CONTOSO Signing and Non Repudiation V1
o CONTOSO Client Authentication V1
o Client Authentication
o Smart Card Logon
o Secure Email
• Issuance Policies:
o CONTOSO Client Authentication Class II V1
- HTTP://WWW.CONTOSO.COM/CPS/CAC2V1.ASPX
- OID:
o CONTOSO Signature and Non Repudiation Class II V1
- HTTP://WWW.CONTOSO.COM/CPS/SNRC2V1.ASPX
- OID:
o CONTOSO Smart Cards V1
- HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
- OID:
Certificate Template Settings:
1. General Tab:
a. Name: CONTOSO Authentication/Signing Class IIS V1 (Class IIS stands for Class Two with Smart Card issuing)
b. Validity Period: 5 years
c. Renewal period: 6 weeks
d. Publish Certificate in Active Directory: Enabled
e. Do not automatically re-enroll if a duplicate certificate exists in Active Directory: NOT enabled
2. Request Handling:
a. Purpose: Signature and smart card logon
b. Delete revoked or expired certificates (do not archive): Enabled
c. Minimum key size: 1024
d. Prompt the user during enrollment: Enabled
e. CSP: Requests can use any CSP available on the subject's computer
3. Subject Name:
a. Built from Active Directory
b. Subject name format: Fully distinguished name
c. Include e-mail name in the subject name: Enabled
d. User Principal Name (UPN): Enabled
4. Extensions:
a. Application Policies:
i. CONTOSO Signing and Non Repudiation V1
ii. CONTOSO Client Authentication V1
iii. Client Authentication
iv. Smart Card Logon
v. Secure Email
b. Issuance Policies:
i. CONTOSO Client Authentication Class II V1
1. HTTP://WWW.CONTOSO.COM/CPS/CAC2V1.ASPX
2. OID:
ii. CONTOSO Signature and Non Repudiation Class II V1
1. HTTP://WWW.CONTOSO.COM/CPS/SNRC2V1.ASPX
2. OID:
iii. CONTOSO Smart Cards V1
1. HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
2. OID:
c. Key Usage: Digital signature
d. Issuance Requirements: Un-check (disable) all settings in order for Microsoft CLM to work correctly.
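The settings above can be read back from the template objects in the Configuration partition (for example with the same ldifde tool used in section 2.2) and checked before CLM goes live. The following is an added example, not part of this guide: it parses an ldifde-style export of the two template objects and reports where they deviate from the documented settings or from what CLM needs (an empty Issuance Requirements tab). The LDIF records are constructed for the example, the object names are assumed, and the attribute-to-setting mapping follows MS-CRTD.

```python
import base64
import struct

# Flag bits from MS-CRTD for the attributes checked below.
CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x01  # msPKI-Private-Key-Flag
CT_FLAG_EXPORTABLE_KEY = 0x10                # msPKI-Private-Key-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x02             # msPKI-Enrollment-Flag: CA manager approval
CT_FLAG_PUBLISH_TO_DS = 0x08                 # msPKI-Enrollment-Flag
CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x40  # msPKI-Enrollment-Flag
KU_DIGITAL_SIGNATURE = 0x80                  # first byte of pKIKeyUsage
KU_KEY_ENCIPHERMENT = 0x20                   # first byte of pKIKeyUsage
TICKS_PER_DAY = 24 * 3600 * 10_000_000       # pKI*Period values count 100 ns ticks

def parse_ldif(text):
    """Return {dn: {attribute (lowercase): [values]}}; '::' values are base64-decoded."""
    entries, cur = {}, {}
    # A newline followed by one space is LDIF line folding; undo it first.
    for line in text.replace("\n ", "").splitlines() + [""]:   # "" flushes the last entry
        if not line.strip():
            if cur:
                entries[cur["dn"][0]] = cur
            cur = {}
            continue
        if "::" in line:
            attr, val = line.split("::", 1)
            val = base64.b64decode(val.strip())
        else:
            attr, val = line.split(":", 1)
            val = val.strip()
        cur.setdefault(attr.strip().lower(), []).append(val)
    return entries

def period_days(raw):
    """pKIExpirationPeriod / pKIOverlapPeriod: little-endian int64, negative tick count."""
    ticks, = struct.unpack("<q", raw)
    return -ticks // TICKS_PER_DAY

def audit_template(entry):
    """Findings where a template object deviates from the documented CONTOSO settings
    or from what CLM needs (an empty Issuance Requirements tab); [] means it matches."""
    get = lambda attr, default=None: entry.get(attr.lower(), [default])[0]
    findings = []
    enroll_flag = int(get("msPKI-Enrollment-Flag", 0))
    key_flag = int(get("msPKI-Private-Key-Flag", 0))
    usage = get("pKIKeyUsage", b"\x00")[0]
    if period_days(get("pKIExpirationPeriod", bytes(8))) != 5 * 365:
        findings.append("validity period is not 5 years")
    if period_days(get("pKIOverlapPeriod", bytes(8))) != 6 * 7:
        findings.append("renewal period is not 6 weeks")
    if int(get("msPKI-Minimal-Key-Size", 0)) < 1024:
        findings.append("minimum key size below 1024")
    if not enroll_flag & CT_FLAG_PUBLISH_TO_DS:
        findings.append("certificate is not published to Active Directory")
    # Issuance Requirements: CA manager approval, authorized signatures and
    # re-enrollment validation must all be off, or CLM issuance fails.
    if enroll_flag & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("CA manager approval is set (breaks CLM issuance)")
    if int(get("msPKI-RA-Signature", 0)) != 0:
        findings.append("authorized signatures are required (breaks CLM issuance)")
    if enroll_flag & CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT:
        findings.append("re-enrollment requires a valid existing certificate")
    if usage & KU_KEY_ENCIPHERMENT and not usage & KU_DIGITAL_SIGNATURE:
        # Encryption template: key archived (for recovery) and exportable, as documented.
        if not key_flag & CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL:
            findings.append("encryption key is not archived")
        if not key_flag & CT_FLAG_EXPORTABLE_KEY:
            findings.append("encryption key is not exportable")
    elif usage & KU_DIGITAL_SIGNATURE:
        # Signing template: an archived or exportable key would undermine non-repudiation.
        if key_flag & (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL | CT_FLAG_EXPORTABLE_KEY):
            findings.append("signing key is archived or exportable")
    return findings

def audit_all(ldif_text):
    """Audit every template in the export, keyed by displayName."""
    return {e["displayname"][0]: audit_template(e) for e in parse_ldif(ldif_text).values()}

def _b64(data): return base64.b64encode(data).decode()
def _period(days): return _b64(struct.pack("<q", -days * TICKS_PER_DAY))

def _entry(name, usage, key_flag, enroll_flag):
    """One constructed template record in ldifde style (real exports carry more attributes)."""
    return (f"dn: CN={name.replace(' ', '')},CN=Certificate Templates,CN=Public Key Services,\n"
            f" CN=Services,CN=Configuration,DC=CONTOSO,DC=com\n"
            f"displayName: {name}\n"
            f"pKIExpirationPeriod:: {_period(5 * 365)}\n"
            f"pKIOverlapPeriod:: {_period(6 * 7)}\n"
            f"pKIKeyUsage:: {_b64(bytes([usage, 0]))}\n"
            f"msPKI-Minimal-Key-Size: 1024\n"
            f"msPKI-Private-Key-Flag: {key_flag}\n"
            f"msPKI-Enrollment-Flag: {enroll_flag}\n"
            f"msPKI-RA-Signature: 0\n")

# Constructed sample: the signing template deliberately has CA manager approval on.
SAMPLE_LDIF = "\n".join([
    _entry("CONTOSO SM Encryption Class 1 V1", KU_KEY_ENCIPHERMENT,
           CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL | CT_FLAG_EXPORTABLE_KEY, CT_FLAG_PUBLISH_TO_DS | 0x01),
    _entry("CONTOSO SM Signing Class II V1", KU_DIGITAL_SIGNATURE, 0,
           CT_FLAG_PUBLISH_TO_DS | CT_FLAG_PEND_ALL_REQUESTS | 0x100),
])
```

Running audit_all(SAMPLE_LDIF) reports the encryption template as matching and flags the signing template's CA manager approval, which is exactly the kind of Issuance Requirements setting the guide says must be cleared.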
2 Pre-CLM Installation
2.1 Hardware and setup
• Install CA and CLM on the same server (it is less complex this way)
• Install SQL 2005 with SP2
• .NET Framework 2.0
• IIS 6.0
• Modify AD Schema
• Windows Server 2003 SP2 Support Tools
2.2 Modify AD Schema
1. Log on to the CA server using an Enterprise Administrator account. Make sure that the Windows Server 2003 Support Tools are installed.
2. Open Clm.ldif, found in the CLM\Schema folder of the installation files, using Notepad and replace (DC=company) with (DC=CONTOSO). Copy the modified Clm.ldif to the root of the C: drive.
3. Run the LDAP Data Interchange Format Data Exchange tool, ldifde.exe, against the modified Clm.ldif. To do this:
a. Go to Start >> All Programs >> Windows Support Tools >> Command Prompt
b. Run this command: ldifde -i -f c:\Clm.ldif
2.3 Enable the default KeyRecoveryAgent certificate template
1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. In Certification Authority, expand the set of folders for the default CA
3. In the console tree, right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.
4. In New Certificate Template to Issue, select Key Recovery Agent, and then click OK.
2.4 Create AD Accounts for CLM
Create the following Accounts in AD:
1. clmAgent
2. clmKRAgent
3. clmAuthAgent
4. clmCAMngr
5. clmWebPool
6. clmEnrollAgent
Password : PASSWORD
3 CLM Installation (Same server as CA)
3.1 Installation Walk Through
1. Run the MSI located at … ILM FP1\CLM\Clm_en-US.msi
2. Choose to install all components:
a. CLM Web files
b. CLM CA files
c. CLM System files
3. On the Virtual Web folder page, leave the default and click Next.
Note: If the installation fails with a message indicating that ASP.NET 2.0 must be installed on the server, open CMD, browse to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 and run aspnet_regiis.exe -i
3.2 Configuring CLM 2007 Using the CLM Configuration Wizard
1. Click Start, point to Programs, point to Microsoft Certificate Lifecycle Manager, and then click
Configuration Wizard.
2. On the CA Configuration page, verify the name of the CA and the Domain Name System (DNS)
name for the CA server, and then click Next
3. On the Set up the SQL database server page, enter the name of the SQL server and an account with permission to create a database.
4. On the Database settings page, use (SQL Mixed mode authentication) and reset the (CLMUSER) password to (PASSWORD).
Note: The CLM Configuration Wizard also creates a user account named CLMExternal, which is used for creating requests with the CLM SQL API.
5. On the Set up Active Directory page, leave the defaults and click Next.
6. On the Agents--Microsoft CLM page, uncheck (Use the CLM default settings) and click (Custom Accounts).
Note: On all user tabs, choose (use existing accounts) and provide the passwords for the accounts that you created earlier.
7. On the (Set up server Certificates) page, leave the defaults and click Next.
8. On the (Set up Email server, Document Printing) page, type the IP of the SMTP virtual server (anonymous access should be allowed on the SMTP virtual server).
3.3 CLM IIS Site needs SSL Certificate
Order a certificate for the CLM IIS site so that the site opens (this is a required step).
4 Post Installation Tasks
4.1 Export the CLM Users certificates
Log on to the CLM server as each of (clmAgent, clmKRAgent, clmEnrollAgent) and export the corresponding certificates from the user store. Make sure to keep those private keys in a safe place for CLM recovery operations.
CLM Agent: 80 2b a7 a4 8c 3e 4f 62 80 e1 ad fc f7 15 f9 ec 94 c3 e5 07
clmenrollagent: c9 1a a4 3c 27 62 91 1d ca 87 f6 10 7d 3d 5d 5a f8 53 48 42
clmkragent: df 05 f0 0a 93 c6 aa fb 62 3b 6c 35 eb 02 4b 0c 04 2c f4 be
4.2 Configuring the Certificate Lifecycle Manager 2007 Service
4.2.1 Create a new domain user account
Create a service account named (ServiceCLM01) in Active Directory.
4.2.2 Grant required user rights to the domain user account
Create a GPO named (CLM) in Active Directory, link it to the OU where the CLM machines are located, and grant the following rights to the (ServiceCLM) user account:
1. Act as part of the operating system
2. Generate security audits
3. Replace a process level token
4.2.3 Add the domain user account to the required groups
Add (ServiceCLM) account to those groups :
1. Local Administrators
2. IIS_WPG
4.2.4 Configure the CLM Service to use the domain user account
Configure the (Certificate Lifecycle Manager Service) to use the new account and make it start
automatically.
4.2.5 Additional Task
You may have to assign the CLM Request Renew extended permission to the (ServiceCLM) user account
if you want to benefit from the automatic renewal option.
The point of all this is that the CLM service can perform advanced tasks (for example, using external APIs). One such task is reminding users who enrolled certificates using OTP about the expiration time of their issued certificates (i.e. sending them a reminder e-mail). For the CLM service to do this, it may be necessary to grant the CLM service account some additional permissions and rights (e.g. CLM Request Renew).
4.3 Configure the CLM policy module
1. Click Start, point to Administrative Tools, and then click Certification Authority
2. In the Certification Authority snap-in, right-click CAName, and then click Properties
3. In CAName Properties, click the Policy Module tab, and then click Select to designate the Active
Policy Module
4. In the Set Active Policy Module dialog box, select CLM Enterprise Policy Module and then click
OK.
5. On the Policy Module tab of the CAName Properties dialog box, click Properties
6. In the Configuration Properties dialog box, on the General tab, select Pass non-CLM requests to
the default policy module for processing
7. In the Configuration Properties dialog box, on the Default Policy Module tab, click Properties
8. In the Default Policy Module dialog box, select Follow the settings in the certificate template, if
applicable. Otherwise, automatically issue the certificate, and then click OK
9. In the Configuration Properties dialog box, click OK.
4.4 Configure the CLM Exit module
1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certification Authority snap-in, right-click CAName, and then click Properties
3. At the CAName Properties dialog box, click the Exit Module tab, and then click Add
4. In the Set Active Exit Module dialog box, select CLM Enterprise Exit Module, and then click OK.
5. In the CAName Properties dialog box, on the Exit Module tab, in Exit Modules, select CLM
Enterprise Exit Module, and then click Properties
6. In the Configuration Properties dialog box, check the connection string for the SQL Server that hosts the CLM database, and then click OK. (If the SQL Server database that you use is not on the same computer as the CLM exit module, make sure that the connection string contains the name of the remote SQL Server.)
Connect Timeout=15;User ID=clmUser;Integrated Security=False;Persist Security Info=True;Password=Recovery9;Initial Catalog=CLM;Data Source=udcdb04in4;
4.5 Configure additional policy modules
4.5.1 Configure the Non-CLM Request Policy Module
1. Log on to the CLM server with a user account assigned the Manage CA permission for the local CA.
2. Click Start, point to Administrative Tools, and then click Certification Authority.
3. In Certification Authority, right-click the certification authority and then click Properties.
4. In CAName Properties, on the Policy Module tab, click Properties to install and configure a custom module.
5. In Configuration Properties, on the Custom Modules tab, click the Add button.
6. In Open, locate the Microsoft.CLM.PolicyModulePlugins.dll file, and then click Open. The default location for the file is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\CA.
7. In Clm Policy Module, select (Support for non-CLM certificate requests).
4.6 Create CLM Users and Groups
(CLM 2007 does not support domain local groups.)
Create the following groups in AD:
• CLM01 Administrators
Members of this group will have the highest level of rights and permissions on the CLM Administrative site.
• CLM01 Subscribers
Contains nested groups named (CLM01 XXX Subscribers).
• CLM01 XXX Subscribers (where XXX is the CONTOSO station code)
Any user who will be enrolled for a certificate and is managed by the XXX station IT team. This group is nested inside the (CLM01 Subscribers) group.
• CLM01 Roles
For example, this can be CLM01 Auditors or CLM Unblock. Members of this group will have one of the CLM Extended permissions.
4.7 CLM Site
When installing CLM, you are prompted to choose a name for the CLM virtual IIS path (the default is https://CLM_Server.domain.com/CLM). Depending on the rights granted to the user, this link can show either the CLM Client site or both the CLM Client site and the CLM Administrative site. These sites are used as follows:
1. CLM Client Site: any user who is enrolled for a certificate from CLM can access this site. It shows the user which certificates he is enrolled for, and details about his smart card(s). Users accessing this site can also do one of the following (depending on the profile template management policy):
a. Request smart cards
b. Enroll for a smart card by providing a One Time Password (OTP)
2. CLM Administrative Site: only users granted one of the CLM Extended permissions can access this site.
Golden rule here: accessing the CLM sites requires Read permission on the CLM SCP.
4.8 Understand CLM Rights and Permissions
4.8.1 CLM Extended Permissions
I will try to explain the CLM permissions in my own way. I classify any user participating in CLM into one of three categories:
1. CLM Subscribers: these are end users receiving certificates/smart cards from CLM. CLM Subscribers can log on to the CLM Client portal and view/execute/request certificates and smart cards.
2. CLM Administrators: these users have full permissions on the CLM service. CLM Administrators can access both CLM sites (Client and Administrative).
3. CLM Managers: these users are granted one of the CLM Extended permissions (described later). Such users can access both CLM sites (Client and Administrative).
CLM permissions are called CLM Extended Permissions. CLM Extended permissions are not assigned to end users, even if they are enrolled for certificates from CLM.
The CLM Extended permissions are:
1. CLM Audit: can view all settings of the CLM Administrative site.
2. CLM Enroll: only assigned on the profile templates. Any user who will be enrolled for a certificate should be assigned this right.
3. CLM Enrollment Agent: enables the user or group to request certificates on behalf of another user.
4. CLM Request Enroll
5. CLM Request Renew
6. CLM Request Recover
7. CLM Request Revoke
8. CLM Request Unblock Smart Card
4.8.2 Extended permissions assignment locations
1. Service connection point: this is (Active Directory Users and Computers >> System container >> Microsoft >> Certificate Lifecycle Manager >> CLM Server Name)
2. Profile template object: this is (Active Directory Sites and Services >> Services >> Public Key Services >> Profile Templates >> Profile Template Name)
3. Users or groups: this is (the DACL of a user or a group)
4. Certificate templates: this is (CA Certificate Templates)
5. Management policy: this is (CLM Administrative Site >> Administration >> Manage Profile Templates)
4.8.3 Assigning CLM Extended permissions
• Profile Templates location:
o Any user participating in CLM should have Read permission on the Profile Templates container.
o If the end user is to be enrolled from a specific profile template, he should be assigned (Read and CLM Enroll) on it.
o To administer a specific profile template, CLM Managers should have (Read and Write).
• Service Connection Point (SCP):
o Any user who should access a CLM site (Client or Administrative) should have Read permission on the SCP. This of course includes CLM Subscribers.
o Other than that, only CLM Managers are assigned permissions here, by giving them CLM Extended permissions on the SCP.
• CLM Management policy:
o Here you configure what CLM Managers can do and where. A new role can be assigned here, namely (Approve Requests).
o To make a user able to (Approve Requests), configure the management policy of a profile template to require the manager's approval, and then add the user to (Approve Requests).
o Another important point here is who can initiate requests. Mainly two kinds of users can do this:
- If you enable (Self Service) on the Enroll policy, the end user can initiate the enroll request without being assigned any extra permission, even if they are not included in (Workflow: Initiate Request) on the Enroll policy.
- A CLM Manager who is assigned the following:
  CLM Request Enroll on the SCP
  CLM Request Enroll on (Users and groups)
  Included in (Workflow: Initiate Request) on the profile template's management policy.
It is important to note that any user participating in CLM should have Read on the Profile Templates container.
• CLM01 Administrators
1. Profile Templates container: Full Control permission on the container and all child objects + (Read, Write and CLM Enroll) on any new Profile Template.
2. Service connection point: Full Permissions
3. CLM01 Subscribers DACL: Full CLM Extended Permissions
• CLM01 Managers
1. Profile Templates container: Full Control permission on the container and all child objects
2. Service connection point: Read permission and one of the CLM Extended permissions
3. CLM01 Subscribers DACL: Read permission and one of the CLM Extended permissions
• CLM01 XXX Subscribers
1. Profile Templates container: Read permission
2. Profile Templates container >> specific Profile Template: Read and CLM Enroll
5 Configuring Profile Templates
Profile templates are configured by logging on to the CLM Administrative site and going to (Administration >> Manage Profile Templates).
5.1 Smart Card Profile Templates
On the Profile Template List, choose (CLM Sample Smart Card Logon Profile Template) and click (Copy a selected profile template). Name it (XXX SC ES AutoEnroll V1), where:
• XXX: CONTOSO station code.
• ES: Encryption/Signing purposes.
• V1: Version one.
• Description: This template is used to enroll XXX smart cards with encryption and signing/authentication certificates. Certificates are enrolled by the IT team on behalf of the user.
5.1.1 Profile Details:
5.1.1.1 General Settings
• Don't choose (Generate encryption keys on server)
• (Maximum number of external certificates): 1000
• Supports smart cards: Yes, if this profile is to enroll smart cards
5.1.1.2 Certificate Templates
Choose the certificate templates that will be enrolled using this profile template:
• CONTOSO SM Signing Class II V1
• CONTOSO SM Encryption Class 1 V1
5.1.1.3 Smart Card Configuration
• Provider Information: Microsoft Smart Card Base CSP.
• Processing: choose:
o Initialize card before use: This will delete any keys on the smart card and any certificate information.
o Reuse retired card. (This option means that if the smart card of User X is retired, a CLM manager can use this smart card to enroll User Y's certificates, so that ownership of the card passes to User Y.) This also applies to the case in which a retired smart card will be used for the same user but to enroll for a different profile template. What is important to know here is that you can see the full usage history of the card: how many times it was retired and what certificates were on the card before each retirement.
o Install certificate authority certificates
o Certificate label text: {Template!cn} - {User}
o Maximum number of certificates: 5 (This is a custom setting that I put here; it limits the total number of certificates that CLM 2007 allows on a smart card.)
• Microsoft Smart Card Base CSP: leave defaults
• Administrative PIN: leave defaults
• User PIN: User Provided. (This means that the person who is enrolling the smart card will be prompted for the user PIN.)
• Printing: keep defaults (Disabled).
5.1.2 Enroll Policy
• Use Self Serve: means that the end user can initiate certificate requests from the CLM Client portal (even if they are not included in Enroll Policy >> Workflow: Initiate Enroll Requests).
• Require enrollment agent: this option is used if the administrator will enroll certificates on behalf of the end user. To enable this option, you should always perform this step.
• Number of Approvals: how many managers should approve the request.
• Number of active or suspended profiles/smart cards allowed = 1
This means that any user can enroll only once for THIS profile template. If the user already has an active smart card enrolled from THIS profile template and then tries to enroll from this profile using another smart card, CLM will not allow it.
There are many scenarios for user enrollment:
1. User X can initiate enrollment requests and enroll smart cards directly by doing the following:
a. Give User X Read permissions on the Profile Templates container.
b. Give User X (Read + CLM Enroll) on the specific Profile Template.
c. Configure the Profile Template Management Policy to enable (Self Service), and set the (Number of approvals) to 0. You don't need to add User X to the (Workflow: Initiate Enroll Requests) users. Uncheck the (Require Enrollment Agent) option.
d. Configure the certificate templates included in that profile template on the CA server so that User X has (Read and Enroll).
e. User X should have the CLM Client installed on his machine and a smart card inserted in his machine's smart card reader; he then opens a browser, types https://CLMServer.contoso.com/CLM and clicks (Request a permanent Smart Card).
2. User X initiates the (Request smart card) request ("User X requests a smart card from the CLM Client interface"). Helpdesk can now approve the request and get an OTP. Helpdesk sends the OTP to User X, who then uses the OTP to enroll for a smart card.
a. Give User X Read permissions on the Profile Templates container.
b. Give User X (Read + CLM Enroll) on the specific Profile Template.
c. Configure the Profile Template Management Policy to enable (Self Service), and set the (Number of approvals) to 1 (any non-zero value works). You don't need to add User X to the (Workflow: Initiate Enroll Requests) users. Now add the Helpdesk group to (Workflow: Approve Enroll Requests). Uncheck the (Require Enrollment Agent) option.
d. Configure the certificate templates included in that profile template on the CA server so that User X has (Read and Enroll).
e. User X should have the CLM Client installed on his machine and a smart card inserted in his machine's smart card reader; he then opens a browser, types https://CLMServer.contoso.com/CLM and clicks (Request a permanent Smart Card). User X will see that his request is in the (Pending) state.
f. For Helpdesk to act as the approving user in the CLM workflow, it should have the following permissions:
i. Read on the Profile Templates container.
ii. Read and CLM Audit on the SCP (this object and all child objects).
g. Helpdesk can now open https://CLMServer.contoso.com/CLM >> Manager Operations >> Requests >> Pending >> Approve.
h. User X now logs on to the CLM Client site again at https://CLMServer.contoso.com/CLM, chooses (Request My Request) >> chooses the request with status (Approved) and clicks [Execute].
Note: If in the Profile Template management policy you configured the (One-Time Password) option to require one or more (Password provider initialization data), then Helpdesk will get an OTP at step (g). Helpdesk then ships the OTP to User X. User X then logs on to the CLM Client site as in step (h) and chooses (Complete a request with one-time password) instead of (Show my Request history).
3. User X initiates a request for a smart card; Helpdesk checks the request, enrolls the smart card from their machines and then ships the smart card / user PIN to User X.
a. Give User X Read permissions on the Profile Templates container.
b. Give User X (Read + CLM Enroll) on the specific Profile Template.
c. Configure the Profile Template Management Policy as follows:
i. Enable (Use Self Service).
ii. Enable (Require Enrollment Agent).
iii. Un-check "allow comments/priority to be collected".
iv. Set the Number of approvals to zero.
v. On (Data Collection), don't require any items to be collected.
vi. On (Workflow: Enroll Agent For Enroll Requests), add the Helpdesk group.
vii. You don't have to add anyone to (Workflow: Initiate Enroll Requests).
Note: Always remember the golden rule: if you enable "Use Self Serve", then the end user can initiate requests even if they are not included in "Workflow: Initiate Enroll Requests".
d. On the CA certificate templates >> Issuance Requirements tab >> require one authorized signature with an application policy of Certificate Request Agent.
e. User X doesn't need to have the CLM Client installed on his machine; he opens his browser, types https://CLMServer.contoso.com/CLM and clicks (Request a permanent Smart Card). User X will see that his request is in the (Pending) state.
f. Helpdesk should have the following permissions:
i. Included in both (Workflow: Initiate Enroll Requests) and (Workflow: Enroll Agent For Enroll Requests).
ii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the SCP.
iii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the Certificate Subscribers group in Active Directory (the users who receive certificates).
iv. (Read and Enroll) on the specific Profile Template (reachable from AD Sites and Services).
g. Helpdesk machines will have the CLM Client installed, with smart cards and smart card readers. Helpdesk logs on to the CLM Administrative site, checks the approved requests and then clicks Execute.
h. Helpdesk then ships the smart card to the end user.
4. Helpdesk enrolls User X for certificates directly, without the user initiating the request.
a. Give User X Read permissions on the Profile Templates container.
b. Give User X (Read + CLM Enroll) on the specific Profile Template.
c. Configure the Profile Template Management Policy as follows:
i. Enable (Require Enrollment Agent).
ii. Un-check "allow comments/priority to be collected".
iii. Set the Number of approvals to zero.
iv. On (Data Collection), don't require any items to be collected.
v. On (Workflow: Enroll Agent For Enroll Requests), add the Helpdesk group.
vi. You don't have to add anyone to (Workflow: Initiate Enroll Requests).
Note: Always remember the golden rule: if you enable "Use Self Serve", then the end user can initiate requests even if they are not included in "Workflow: Initiate Enroll Requests".
d. On the CA certificate templates >> Issuance Requirements tab >> require one authorized signature with an application policy of Certificate Request Agent.
e. Helpdesk should have the following permissions:
i. Included in both (Workflow: Initiate Enroll Requests) and (Workflow: Enroll Agent For Enroll Requests).
ii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the SCP.
iii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the Certificate Subscribers group in Active Directory (the users who receive certificates).
iv. (Read and Enroll) on the specific Profile Template (reachable from AD Sites and Services).
f. Helpdesk machines will have the CLM Client installed, with smart cards and smart card readers. Helpdesk logs on to the CLM Administrative site and clicks (Enroll a user for a new set of certificates or a smart card).
g. Helpdesk then ships the smart card to the end user.
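The permission rules of section 4.8.3 and the four scenarios above can be checked mechanically before anything is changed in AD, which also makes it easy to spot a subscriber who was handed an Extended permission by mistake. The following is an added example, not part of this guide: it models the golden rules and the per-role requirements as plain Python functions that return what a principal still lacks. The principal names, grants and policy values are constructed; the profile-template permission the guide writes as "Read and Enroll" is represented here as "CLM Enroll".

```python
from dataclasses import dataclass, field

# The CLM Extended permissions listed in 4.8.1.
EXTENDED = {"CLM Audit", "CLM Enroll", "CLM Enrollment Agent", "CLM Request Enroll",
            "CLM Request Renew", "CLM Request Recover", "CLM Request Revoke",
            "CLM Request Unblock Smart Card"}

@dataclass
class Grants:
    """Permissions one principal holds at each assignment location of 4.8.2."""
    scp: set = field(default_factory=set)             # service connection point
    container: set = field(default_factory=set)       # Profile Templates container
    template: set = field(default_factory=set)        # the specific profile template
    subscribers: set = field(default_factory=set)     # DACL of the subscribers group
    cert_templates: set = field(default_factory=set)  # CA certificate templates

@dataclass
class Policy:
    """Profile template management policy settings from 5.1.2."""
    self_service: bool = False
    require_enrollment_agent: bool = False
    approvals: int = 0
    initiators: set = field(default_factory=set)      # Workflow: Initiate Enroll Requests
    approvers: set = field(default_factory=set)       # Workflow: Approve Enroll Requests
    enroll_agents: set = field(default_factory=set)   # Workflow: Enroll Agent For Enroll Requests

def sites(g):
    """Golden rule: every site needs Read on the SCP; the Administrative site also
    needs one of the CLM Extended permissions there."""
    if "Read" not in g.scp:
        return set()
    return {"client", "administrative"} if g.scp & EXTENDED else {"client"}

def _missing(required):
    return [label for perm, where, label in required if perm not in where]

def subscriber_gaps(g):
    """What a subscriber still lacks to be enrolled from the specific profile template."""
    return _missing([
        ("Read", g.container, "Read on the Profile Templates container"),
        ("Read", g.template, "Read on the profile template"),
        ("CLM Enroll", g.template, "CLM Enroll on the profile template"),
        ("Read", g.cert_templates, "Read on the CA certificate templates"),
        ("Enroll", g.cert_templates, "Enroll on the CA certificate templates")])

def subscriber_overprivileged(g):
    """Extended permissions are not assigned to end users: CLM Enroll on the
    profile template is the only one a subscriber should hold."""
    return sorted((g.scp | g.container | g.subscribers) & EXTENDED)

def subscriber_can_initiate(policy):
    """With Self Service on, the end user initiates without being in the initiator workflow."""
    return policy.self_service

def manager_initiate_gaps(who, g, policy):
    """A CLM Manager initiating requests needs CLM Request Enroll on the SCP and on
    the subscribers' DACL, and a place in the initiator workflow."""
    gaps = _missing([
        ("CLM Request Enroll", g.scp, "CLM Request Enroll on the SCP"),
        ("CLM Request Enroll", g.subscribers, "CLM Request Enroll on the subscribers DACL")])
    if who not in policy.initiators:
        gaps.append("not in Workflow: Initiate Enroll Requests")
    return gaps

def approver_gaps(who, g, policy):
    """Helpdesk approving pending requests (scenario 2)."""
    gaps = _missing([
        ("Read", g.container, "Read on the Profile Templates container"),
        ("Read", g.scp, "Read on the SCP"),
        ("CLM Audit", g.scp, "CLM Audit on the SCP")])
    if policy.approvals < 1:
        gaps.append("policy requires no approvals")
    if who not in policy.approvers:
        gaps.append("not in Workflow: Approve Enroll Requests")
    return gaps

def agent_gaps(who, g, policy):
    """Helpdesk enrolling on behalf of the user (scenarios 3 and 4)."""
    gaps = _missing([
        ("CLM Request Enroll", g.scp, "CLM Request Enroll on the SCP"),
        ("CLM Enrollment Agent", g.scp, "CLM Enrollment Agent on the SCP"),
        ("CLM Request Enroll", g.subscribers, "CLM Request Enroll on the subscribers DACL"),
        ("CLM Enrollment Agent", g.subscribers, "CLM Enrollment Agent on the subscribers DACL"),
        ("Read", g.template, "Read on the profile template"),
        ("CLM Enroll", g.template, "CLM Enroll on the profile template")])
    if not policy.require_enrollment_agent:
        gaps.append("policy does not require an enrollment agent")
    for name, members in (("Initiate", policy.initiators), ("Enroll Agent For", policy.enroll_agents)):
        if who not in members:
            gaps.append(f"not in Workflow: {name} Enroll Requests")
    return gaps

# Constructed scenario 3: User X requests a card, the helpdesk group enrolls it.
USER_X = Grants(scp={"Read"}, container={"Read"}, template={"Read", "CLM Enroll"},
                cert_templates={"Read", "Enroll"})
HELPDESK = Grants(scp={"Read", "CLM Request Enroll", "CLM Enrollment Agent"}, container={"Read"},
                  template={"Read", "CLM Enroll"},
                  subscribers={"Read", "CLM Request Enroll", "CLM Enrollment Agent"})
SCENARIO_3 = Policy(self_service=True, require_enrollment_agent=True,
                    initiators={"helpdesk"}, enroll_agents={"helpdesk"})
```

With these grants, subscriber_gaps(USER_X) and agent_gaps("helpdesk", HELPDESK, SCENARIO_3) are both empty, while the same helpdesk grants fail approver_gaps because scenario 2 additionally needs CLM Audit on the SCP.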
5.1.3 Online Update.
Online update can be performed using one of the following three usages:
 Certificate Content Change
 Certificate Template Change
 Certificate Expiry.
Two important points here:
 Online updates can be executed from the end user side only
 If you perform online update for the permanent card ,a request to update the Duplicate card is
automatically made.
5.1.3.1 Certificate Content Change
This means you want to enroll for new certificates. So what happen to the existing certificates is:
 If we are talking about signing certificates >> revoke and delete from the certificate
 If we are talking about encryption certificates (archived ones) ,then it depends:
o You can revoke them
o You can keep them active
Example 2: If you have a card with E1 (encryption key 1) and S1 (signing key 1), and you configured the online update to revoke archived certificates, then updating the card with (content change) will:
 Revoke and delete S1
 Issue new S2
 Revoke and keep E1
 Issue E2
Note: If you have a duplicate card, it is automatically set pending for the same online update request, and the duplicate card is always issued a new encryption key (not the same one issued to the permanent card). The following examples clarify this.
Example: If you have card 1 with (E1, S1) and a duplicate card with (E1, S2), and you configured the online update to revoke archived certificates, then updating either card with (content change) automatically puts the other card in pending state for the update, and the following happens:
 On card 1:
o E1 revoked and kept on the card
o S1 revoked and deleted
o New E2 issued
o New S3 issued
 On card 2:
o E1 revoked and kept on the card
o S2 revoked and deleted
o New E3 issued
o New S4 issued
Example: If you have card 1 with (E1, S1) and a duplicate card with (E1, S2), and you configured the online update not to revoke archived certificates, then updating either card with (content change) automatically puts the other card in pending state for the update, and the following happens:
 On card 1:
o E1 active, not revoked (not touched)
o S1 revoked and deleted
o New E2 issued
o New S3 issued
 On card 2:
o E1 active, not revoked (not touched)
o S2 revoked and deleted
o New E3 issued
o New S4 issued
5.1.3.2 Template Change
This is a very interesting feature. Suppose you configured a profile template in CLM with two certificate templates, and you already enrolled a number of users' smart cards using this profile template. Now you decide to add or delete certificate templates in the CLM profile template. To update the already enrolled smart cards with this change, you update them using (Template Change).
 If you add a certificate template to a profile template, the existing certificates on the card are not touched.
 If you delete a certificate template from the profile template, the certificates on the card enrolled from that certificate template are revoked and deleted from the card (even if they are archived certificates).
Example: If card 1 has (E1, S1) and duplicate card 2 has (E1, S2), and you add certificate template “K” to the profile template, then:
 Card 1 will have E1, S1, K1
 Card 2 will have E1, S2, K2
Example: If card 1 has (E1, S1) and duplicate card 2 has (E1, S2), and you delete certificate template “E” from the profile template, then:
 Card 1 will have S1
 Card 2 will have S2
Note: E1 is revoked and deleted from both cards even though it is an archived encryption certificate; after that, its private key exists only in the CA key archive.
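Because the rules in 5.1.3.1 and 5.1.3.2 interact (the duplicate is pended automatically, new encryption keys are never shared, deleted templates purge even archived certificates), it helps to model them before running a real update. The script below is an added example, not part of this guide or of CLM itself: a small simulation of both update types for a permanent card and its duplicate. The template letters E, S and K, the encryption/signing kind table, and the certificate ids (E1, S2, ...) are labels assumed for the model only; they are not CLM identifiers.

```powershell
# Added example, not part of the CLM 2007 guide: a model of the online update rules in
# 5.1.3.1 (content change) and 5.1.3.2 (template change) for a permanent card and its
# duplicate, so the expected card contents can be predicted before a real update.
# Assumptions (not from the guide): template letters E/S/K and the kind table below;
# ids such as E1, S2 are labels only, issued in the order the guide's examples use.
$script:Counter      = @{}
$script:TemplateKind = @{ E = 'Encryption'; S = 'Signing'; K = 'Signing' }   # assumed kinds

function New-CertId([string]$Template) {
    if (-not $script:Counter.ContainsKey($Template)) { $script:Counter[$Template] = 0 }
    $script:Counter[$Template]++
    return "$Template$($script:Counter[$Template])"
}

function Add-Cert($Card, [string]$Template) {
    # Every issuance, on either card, gets a fresh key: the duplicate never shares a new key.
    $Card.Certs += [pscustomobject]@{ Id = (New-CertId $Template); Template = $Template; Status = 'Active' }
}

function Invoke-Enroll([string]$Name, [string[]]$ProfileTemplates) {
    $card = [pscustomobject]@{ Name = $Name; Status = 'Active'; Certs = @() }
    foreach ($t in $ProfileTemplates) { Add-Cert $card $t }
    return $card
}

function Invoke-Duplicate($Perm, [string]$Name) {
    # 6.5.1: the duplicate recovers the same (archived) encryption certificates, including
    # revoked ones kept for recovery, and always gets new signing certificates.
    $dub = [pscustomobject]@{ Name = $Name; Status = 'Active'; Certs = @() }
    foreach ($c in $Perm.Certs) {
        if ($script:TemplateKind[$c.Template] -eq 'Encryption') {
            $dub.Certs += [pscustomobject]@{ Id = $c.Id; Template = $c.Template; Status = $c.Status }
        } else {
            Add-Cert $dub $c.Template
        }
    }
    return $dub
}

function Invoke-ContentChange([object[]]$Cards, [string[]]$Templates, [bool]$RevokeArchived) {
    # 5.1.3.1: updating one card pends the same update for its duplicate, so both are processed.
    # Signing: revoke and delete, then issue. Encryption: revoke-and-keep or leave active
    # depending on the policy, then issue a new one per card.
    foreach ($card in $Cards) {
        foreach ($t in $Templates) {
            $keep = @()
            foreach ($c in $card.Certs) {
                if ($c.Template -ne $t -or $c.Status -ne 'Active') { $keep += $c; continue }
                if ($script:TemplateKind[$t] -eq 'Signing') { continue }      # revoked and deleted
                if ($RevokeArchived) { $c.Status = 'Revoked' }                 # revoked, kept for recovery
                $keep += $c
            }
            $card.Certs = $keep
            Add-Cert $card $t
        }
    }
}

function Invoke-TemplateChange([object[]]$Cards, [string[]]$NewProfileTemplates) {
    # 5.1.3.2: certificates from a removed template are revoked and deleted (archived ones too);
    # an added template leaves existing certificates alone and issues one new certificate per card.
    foreach ($card in $Cards) {
        $card.Certs = @($card.Certs | Where-Object { $NewProfileTemplates -contains $_.Template })
        foreach ($t in $NewProfileTemplates) {
            if (-not ($card.Certs | Where-Object { $_.Template -eq $t })) { Add-Cert $card $t }
        }
    }
}

function Show-Card($Card) {
    $items = foreach ($c in $Card.Certs) { "$($c.Id)($($c.Status))" }
    '{0} [{1}]: {2}' -f $Card.Name, $Card.Status, ($items -join ' ')
}

# The guide's own scenario: PERM (E1,S1) and DUB (E1,S2), policy set to revoke archived
# certificates, then a content change for both templates.
$perm = Invoke-Enroll -Name 'PERM' -ProfileTemplates 'E','S'
$dub  = Invoke-Duplicate -Perm $perm -Name 'DUB'
Invoke-ContentChange -Cards $perm,$dub -Templates 'E','S' -RevokeArchived $true
Show-Card $perm
Show-Card $dub

# Then a template change: add K to the profile template and remove E from it.
Invoke-TemplateChange -Cards $perm,$dub -NewProfileTemplates 'S','K'
Show-Card $perm
Show-Card $dub
```

Walking through the content change by hand gives the same result the guide lists: PERM ends with E1 revoked and kept, E2 and S3 active; DUB ends with E1 revoked and kept, E3 and S4 active. The template change then strips every E certificate, revoked or not, and issues K1 to PERM and K2 to DUB. Change the RevokeArchived switch to $false to see the "not touched" variant from the second example above.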
6 Appendix
6.1 Appendix A : CONTOSO Encryption Class IS V1
1. General Tab
2. Request Handling
3. Subject Name :
4. Extensions A
5. Extension B
6.2 CONTOSO Signing/Authentication Class IIS V1
1. General :
2. Request Handling:
3. Subject Name
4. Extensions -A
5. Extensions –B
6. Issuance Requirements
6.3 CLM System users
 CLM Agent: Conducts operations for CLM 2007 that require specific permissions. CLM 2007
uses this agent to sign data.
 CLMKRAgent : Recovers archived private keys from the CA.
 CLMAuthAgent: Reads security information of user and group entries in Active Directory.
 CLMCAMngr: Performs actions against the certification authority.
 CLMWebPool: Runs CLM 2007 in IIS. If you use Integrated Windows Authentication, it grants the Web Pool Agent permissions to the CLM database and performs all read/write operations that the CLM server would otherwise perform in the SQL Server database.
 CLMEnrollAgent: Requests certificates on behalf of a user account.
6.4 Installing and Configuring Certificate Lifecycle Manager 2007 Client
Microsoft Certificate Lifecycle Manager 2007 Client assists in client-side, smart card
management activities, such as changing the personal identification number (PIN) on a smart
card.
6.4.1 Hardware and software requirements
1. Microsoft Windows XP Service Pack 2 or later
2. Microsoft Base Cryptographic Service Provider (CSP)
3. A smart card reader and one or more smart cards
6.4.2 Installing CLM Client
1. From the CLM 2007 installation CD, run CLMClient.msi (located at [CDDrive]\CLMClient).
2. On the Welcome to the Installation Wizard page, click Next
3. On the Certificate Lifecycle Manager License Agreement page, read the license agreement, select
I accept the terms in the license agreement, and then click Next.
4. On the Setup Type page, under Setup Type, select Complete and click Next
5. On the Ready to Install Certificate Lifecycle Manager Client page, click Install.
6. On the Certificate Lifecycle Manager Client Installation Complete page, click Finish.
7. Add the CLM Web site to Trusted Sites in Internet Explorer.
The default configuration for Trusted Sites prompts the user before loading controls that are not marked safe for scripting. Because the Certificate Lifecycle Manager 2007 Client control is not marked safe for scripting, you must enable Initialize and script ActiveX controls not marked as safe for scripting if you do not want Internet Explorer to prompt users when the control loads. Enable it for the Trusted Sites zone only: the setting applies to every site in that zone, so keep the zone limited to sites you actually trust.
To export comma-delimited report data, you must enable the Automatic prompting for file downloads setting in Internet Explorer. With this setting enabled, Internet Explorer prompts you when you export the report.
To enable comma-delimited report data to be exported:
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. In Internet Options, click the Security tab.
3. Under Security level for this zone, click Custom Level.
4. In Security Settings - Internet Zone, under Downloads, click Enable for Automatic prompting for file downloads.
6.4.3 Registry Modification
1. Enable private key import (needed so that recovered, archived encryption keys can be loaded onto the card, as in the duplicate and replace scenarios below):
 Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider.
 Set AllowPrivateExchangeKeyImport to 1.
 Set AllowPrivateKeySignatureImport to 1.
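The two values above are the switch that lets a private key generated elsewhere be written into the Base Smart Card CSP, which is exactly what CLM needs for archived encryption keys but also weakens the "keys never leave the card" property on that machine, so set them only on clients that perform CLM operations. The script below is an added example, not from this guide or from CLM: it sets both values on the Base Smart Card CSP key and reads them back so a client build script can prove the change took effect. It assumes it is run elevated on the client and that the CSP key exists (it throws otherwise).

```powershell
# Added example, not part of the CLM 2007 guide: apply the two Base Smart Card CSP values
# from 6.4.3 and read them back. Run elevated on each CLM client machine.
# Both values are REG_DWORD under the CSP's provider key.
$cspKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$wanted = @{ AllowPrivateExchangeKeyImport = 1; AllowPrivateKeySignatureImport = 1 }

function Set-SmartCardKeyImport {
    if (-not (Test-Path -Path $cspKey)) {
        throw "CSP key not found: $cspKey (is the Base Smart Card CSP installed on this client?)"
    }
    foreach ($name in $wanted.Keys) {
        # Record the previous value (or its absence) so the change is auditable.
        $before = (Get-ItemProperty -Path $cspKey -Name $name -ErrorAction SilentlyContinue).$name
        Set-ItemProperty -Path $cspKey -Name $name -Value $wanted[$name] -Type DWord
        $after  = (Get-ItemProperty -Path $cspKey -Name $name).$name
        if ($after -ne $wanted[$name]) { throw "Failed to set $name (read back $after)" }
        '{0}: {1} -> {2}' -f $name, ($(if ($null -eq $before) { '<absent>' } else { $before })), $after
    }
}

Set-SmartCardKeyImport
```

Each line of output shows the old value (or <absent> when the value did not exist) and the new value; the function throws rather than silently continuing if the write did not stick, which is the failure mode you get when the script is run without elevation.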
6.5 What will happen if
6.5.1 Duplicate an active smart card
CLM recovers the same encryption certificates (if archived) and always issues new signing certificates.
Figure: PERM card (Active: E1, S1) and DUB card (Active: E1, S2).
6.5.2 Retire a Duplicate smart card
1. All certificates on the duplicate card are revoked. The duplicate card is no longer assigned to the user, and it holds no certificates because they are deleted.
2. The permanent card is disabled (which revokes all certificates on the card). The permanent card is still assigned to the user and still holds its certificates; they are revoked but can still be used to recover encrypted files.
6.5.3 Retire the Permanent smart card that has Duplicate card
1. All certificates on the permanent card are revoked. The permanent card is no longer assigned to the user, and it holds no certificates because they are deleted.
2. The duplicate card is disabled (which revokes all certificates on the card). The duplicate card is still assigned to the user and still holds its certificates; they are revoked but can still be used to recover encrypted files.
Figure: starting state PERM card (Active: E1, S1) and DUB card (Active: E1, S2). After Retire on DUB: DUB card Retired with no certificates, PERM card Disabled with E1, S1 (revoked). After Retire on PERM: PERM card Retired with no certificates, DUB card Disabled with E1, S2 (revoked).
6.5.4 Disable Duplicate Card
This will disable both the Duplicate and the Permanent Cards.
6.5.5 Disable the Permanent smart card that has Duplicate card
This will disable both the Duplicate and the Permanent Cards.
Figure: starting state PERM card (Active: E1, S1) and DUB card (Active: E1, S2). After Disable on DUB: DUB card Disabled (E1, S2) and PERM card Disabled (E1, S1). After Disable on PERM: the same end state, both cards Disabled with their certificates still on them.
6.5.6 Replace Cards
Conditions:
 Workflow: Duplicate Revocation Settings: not configured.
 Workflow: Revocation Settings:
o Set old card or profile status to Disabled.
o Revoke old certificates.
 Workflow: General:
o Re-issue archived certificates.
1. If the user has a permanent card and a duplicate card and you replace the permanent card, the permanent card is set to Disabled and all certificates on it are revoked. The archived encryption certificate on the duplicate card is set to Revoked. The replacement card holds the old (revoked) encryption certificate, a new signing certificate and a new encryption certificate.
2. Replacing the duplicate card works the same way as replacing the permanent card.
Note: If you have smart card 1 and duplicate smart card 2 and you lose smart card 1, replace smart card 1 with smart card 3, then retire smart card 2, and then duplicate smart card 3 onto smart card 2.
Another scenario: you have smart card 1 and duplicate smart card 2, you lose smart card 1, and you can live with one smart card. Then disable smart card 1 and use the online update options.
Figure: starting state PERM card (Active: E1, S1) and DUB card (Active: E1, S2). Replace PERM: PERM card Disabled (E1, S1), DUB card Active (E1 revoked, S2), REP card Active (E1 revoked, E2, S3); the figure then shows REP being duplicated to rebuild the DUB card with E1, E2 and a signing certificate. Replace DUB: DUB card Disabled (E1, S2), PERM card Active (E1 revoked, S1), REP card Active (E1 revoked, E2, S3).
6.5.7 Online Update Case 1 (deletes revoked certificates on content change only)
Assumptions:
User X is enrolled for two smart cards, one of which is a duplicate. The online update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (an encryption certificate template and a signing certificate template).
Action: The administrator performs an online update for the PERM card, chooses (Certificate Content Change) and chooses to update only the signing certificate template.
What will happen:
Online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after the request is approved in the workflow described in the management policy, the user logs on to the CLM client site and checks his requests. He sees two approved online update requests (one per card). The user inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second.
The user ends up with two smart cards with the encryption certificate untouched, but both signing certificates are revoked and deleted, and new ones are issued and written to the cards, as shown in the figure below.
Figure: PERM card (Active: E1, S1) and DUB card (Active: E1, S2); online update, signing certificate only, on the PERM card; result PERM card (Active: E1, S3) and DUB card (Active: E1, S4). S1 and S2 are revoked and deleted from the smart cards.
6.5.8 Online Update Case 2
Assumptions:
User X is enrolled for two smart cards, one of which is a duplicate. The online update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (an encryption certificate template and a signing certificate template).
Action: The administrator performs an online update for the PERM card, chooses (Certificate Content Change) and chooses to update only the encryption certificate template.
What will happen:
Online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after the request is approved in the workflow described in the management policy, the user logs on to the CLM client site and checks his requests. He sees two approved online update requests (one per card). The user inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second.
The user ends up with two smart cards with the signing certificates untouched, but the encryption certificate (E1) is revoked and kept on both cards for recovery. New encryption certificates E2 and E3 are issued and written to the cards, as shown in the figure below.
The user now has two cards with two different active encryption certificates, E2 and E3. To fix this, retire the DUB smart card (which revokes and deletes S2 and its new encryption certificate E3) and then duplicate the PERM card. After that, the DUB card holds S3, E2 and the revoked E1.
Figure: PERM card (Active: E1, S1) and DUB card (Active: E1, S2); online update, encryption certificate only, on the PERM card; result PERM card (Active: E1 revoked, E2, S1) and DUB card (Active: E1 revoked, E3, S2). E1 is revoked; new E2 and E3 are issued. To avoid having E2 and E3 on the two cards, retire DUB now and duplicate PERM.
6.5.9 Online Update Case 3
Assumptions:
User X is enrolled for two smart cards, one of which is a duplicate. The online update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (an encryption certificate template and a signing certificate template).
Action: The administrator deletes the signing certificate template from the profile template and initiates an online update of the smart card (it does not matter whether it is the PERM card or the DUB card).
What will happen:
Online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after the request is approved in the workflow described in the management policy, the user logs on to the CLM client site and checks his requests. He sees two approved online update requests (one per card). The user inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second.
The user ends up with two smart cards with the signing certificates revoked and deleted. The encryption certificate is not touched.
Figure: PERM card (Active: E1, S1) and DUB card (Active: E1, S2); online update after deleting the signing certificate template from the profile template; result PERM card (Active: E1) and DUB card (Active: E1). S1 and S2 are revoked and deleted from the smart cards.
6.5.10 Online Update Case 4
Assumptions:
User X is enrolled for two smart cards, one of which is a duplicate. The online update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (an encryption certificate template and a signing certificate template).
Action: The administrator deletes the encryption certificate template from the profile template and initiates an online update of the smart card (it does not matter whether it is the PERM card or the DUB card).
What will happen:
Online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after the request is approved in the workflow described in the management policy, the user logs on to the CLM client site and checks his requests. He sees two approved online update requests (one per card). The user inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second.
The user ends up with two smart cards with the encryption certificate revoked and deleted, even though it is an archived certificate. The signing certificates are not touched.
Figure: PERM card (Active: E1, S1) and DUB card (Active: E1, S2); online update after deleting the encryption certificate template from the profile template; result PERM card (Active: S1) and DUB card (Active: S2). E1 is revoked and deleted from the smart cards.
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Recently uploaded (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Ammar hasayen microsoft ILM/FIM 2007 guide

  • 1. Microsoft Certificate Life Cycle Manager 2007
    MICROSOFTILM2017
    AMMAR HASAYEN
    AMMARHASAYEN@OUTLOOK.COM | ammarhasayen.com/blog
  • 2. Table of Contents
    1 Certificate Templates (slide 3)
    1.1 CONTOSO SM Encryption Class 1 V1 (slide 3)
    1.2 CONTOSO SM Signing Class II V1 (slide 6)
    2 Pre-CLM Installation (slide 9)
    2.1 Hardware and setup (slide 9)
    2.2 Modify AD Schema (slide 9)
    2.3 Enable the default KeyRecoveryAgent certificate template (slide 9)
    2.4 Create AD Accounts for CLM (slide 10)
    3 CLM Installation (Same server as CA) (slide 10)
    3.1 Installation Walk Through (slide 10)
    3.2 Configuring CLM 2007 Using the CLM Configuration Wizard (slide 12)
    3.3 CLM IIS Site needs SSL Certificate (slide 15)
    4 Post Installation Tasks (slide 16)
    4.1 Export the CLM Users certificates (slide 16)
    4.2 Configuring the Certificate Lifecycle Manager 2007 Service (slide 16)
    4.3 Configure the CLM policy module (slide 17)
    4.4 Configure the CLM Exit module (slide 18)
    4.5 Configure additional policy modules (slide 18)
    4.6 Create CLM Users and Groups (slide 19)
    4.7 CLM Site (slide 19)
    4.8 Understand CLM Rights and Permissions (slide 20)
    5 Configuring Profile Templates (slide 23)
    5.1 Smart Card Profile Templates (slide 23)
    6 Appendix (slide 39)
    6.1 Appendix A: CONTOSO Encryption Class IS V1 (slide 39)
    6.2 CONTOSO Signing/Authentication Class IIS V1 (slide 44)
    6.3 CLM System users (slide 50)
    6.4 Installing and Configuring Certificate Lifecycle Manager 2007 Client (slide 50)
    6.5 What will happen if... (slide 52)
  • 3. 1 Certificate Templates
    1.1 CONTOSO SM Encryption Class 1 V1
    This certificate template is used for the following:
     - Smart Card Enrollment
     - Encryption purposes (mainly Encrypted File System (EFS) and S/MIME)
     - Application Policies:
        o CONTOSO Encryption V1
        o CONTOSO Smart Card V1
        o CONTOSO S/MIME
        o Encrypted File System
        o Secure Email
     - Issuance Policies:
        o CONTOSO Encryption Class I V1
           HTTP://WWW.CONTOSO.COM/CPS/EC1V1.ASPX
           OID: 1.3.6.1.4.1.311.21.8.6743696.8165912.14631066.14816360.14281341.2
        o CONTOSO Smart Cards V1
           HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
           OID: 1.3.6.1.4.1.311.21.8.6743696.8165912.14631066.14816360.14281341.2
    Certificate Template Settings:
    1. General Tab:
       a. Name: CONTOSO Encryption Class IS V1 (Class IS stands for Class one with Smart Card issuing)
       b. Validity Period: 5 years
  • 4. c. Renewal period: 6 weeks
       d. Publish Certificate in Active Directory: Enabled
       e. Do not automatically re-enroll if a duplicate certificate exists in Active Directory: NOT enabled
    2. Request Handling:
       a. Purpose: Encryption
       b. Archive subject's encryption private key: Enabled
       c. Include symmetric algorithms allowed by the subject: Enabled
       d. Minimum key size: 1024
       e. Allow private key to be exported: Enabled
       f. Enroll subject without requiring any user input: Enabled
       g. CSP: Requests can use any CSP available on the subject's computer
    3. Subject Name:
       a. Built from Active Directory
       b. Subject Name Format: Fully distinguished name
       c. Include email name in the subject name: Enabled
       d. User Principal Name (UPN): Enabled
    4. Extensions:
       a. Application Policies:
          i. CONTOSO Encryption V1
          ii. CONTOSO Smart Card V1
          iii. CONTOSO S/MIME
          iv. Encrypted File System
          v. Secure Email
       b. Issuance Policies:
          i. CONTOSO Encryption Class I V1
             1. HTTP://WWW.CONTOSO.COM/CPS/EC1V1.ASPX
  • 5.      2. OID:
          ii. CONTOSO Smart Cards V1
             1. HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
             2. OID:
       c. Key Usage: Allow key exchange only with key encryption
       d. Issuance Requirements: Uncheck (disable) all settings in order for Microsoft CLM to work correctly.
  • 6. 1.2 CONTOSO SM Signing Class II V1
    This certificate template is used for the following:
     - Smart Card Enrollment
     - Authentication/Signing purposes:
        o Email Signing (Non Repudiation)
        o VPN Dial-in Access
        o Wireless Security Access
        o Smart Card Logon
        o Web Authentication/Client Authentication
     - Application Policies:
        o CONTOSO Signing and Non Repudiation V1
        o CONTOSO Client Authentication V1
        o Client Authentication
        o Smart Card Logon
        o Secure Email
     - Issuance Policies:
        o CONTOSO Client Authentication Class II V1
           HTTP://WWW.CONTOSO.COM/CPS/CAC2V1.ASPX
           OID:
        o CONTOSO Signature and Non Repudiation Class II V1
           HTTP://WWW.CONTOSO.COM/CPS/SNRC2V1.ASPX
           OID:
        o CONTOSO Smart Cards V1
           HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
           OID:
  • 7. Certificate Template Settings:
    1. General Tab:
       a. Name: CONTOSO Authentication/Signing Class IIS V1 (Class IIS stands for Class two with Smart Card issuing)
       b. Validity Period: 5 years
       c. Renewal period: 6 weeks
       d. Publish Certificate in Active Directory: Enabled
       e. Do not automatically re-enroll if a duplicate certificate exists in Active Directory: NOT enabled
    2. Request Handling:
       a. Purpose: Signature and smart card logon
       b. Delete revoked or expired certificates (do not archive): Enabled
       c. Minimum key size: 1024
       d. Prompt the user during enrollment: Enabled
       e. CSP: Requests can use any CSP available on the subject's computer
    3. Subject Name:
       a. Built from Active Directory
       b. Subject Name Format: Fully distinguished name
       c. Include email name in the subject name: Enabled
       d. User Principal Name (UPN): Enabled
    4. Extensions:
       a. Application Policies:
          i. CONTOSO Signing and Non Repudiation V1
          ii. CONTOSO Client Authentication V1
          iii. Client Authentication
          iv. Smart Card Logon
          v. Secure Email
  • 8. b. Issuance Policies:
          i. CONTOSO Client Authentication Class II V1
             1. HTTP://WWW.CONTOSO.COM/CPS/CAC2V1.ASPX
             2. OID:
          ii. CONTOSO Signature and Non Repudiation Class II V1
             1. HTTP://WWW.CONTOSO.COM/CPS/SNRC2V1.ASPX
             2. OID:
          iii. CONTOSO Smart Cards V1
             1. HTTP://WWW.CONTOSO.COM/CPS/SCV1.ASPX
             2. OID:
       c. Key Usage: Digital signature
       d. Issuance Requirements: Uncheck (disable) all settings in order for Microsoft CLM to work correctly.
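The template settings in sections 1.1 and 1.2 are configured in the Certificate Templates MMC, but they are stored as attributes on the template objects in Active Directory and can be verified from there after the fact. The following PowerShell is an added example, not code from the guide or from Microsoft: it reads the relevant attributes (pKIExpirationPeriod, pKIOverlapPeriod, msPKI-Enrollment-Flag, msPKI-Private-Key-Flag, msPKI-Minimal-Key-Size, msPKI-RA-Signature, with flag bits as documented in MS-CRTD) and compares them with what the guide prescribes. It assumes the RSAT ActiveDirectory module, and it assumes the template CNs are the display names with spaces removed (CONTOSOEncryptionClassISV1 and CONTOSOAuthenticationSigningClassIISV1), which is the MMC default but should be checked in your forest.

```powershell
# Added example (not from the guide): read a certificate template's settings from AD and
# compare them with the values sections 1.1 and 1.2 prescribe. Flag bit values are from MS-CRTD.
Import-Module ActiveDirectory

$EnrollmentFlag = @{ IncludeSymmetricAlgorithms = 0x1; PendAllRequests = 0x2; PublishToDs = 0x8
                     CheckUserDsCertificate = 0x10; UserInteractionRequired = 0x100 }
$PrivateKeyFlag = @{ RequireArchival = 0x1; ExportableKey = 0x10 }

function ConvertFrom-PkiPeriod([byte[]] $Value) {
    # pKIExpirationPeriod / pKIOverlapPeriod hold a negative 64-bit interval in 100 ns units.
    return [timespan]::FromTicks([math]::Abs([BitConverter]::ToInt64($Value, 0)))
}

function Get-ClmTemplateSettings([string] $Name) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -Identity "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
            -Properties pKIExpirationPeriod, pKIOverlapPeriod, 'msPKI-Enrollment-Flag',
                        'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size', 'msPKI-RA-Signature'
    $ef = [int]$t.'msPKI-Enrollment-Flag'
    $pf = [int]$t.'msPKI-Private-Key-Flag'
    [pscustomobject]@{
        Name                  = $Name
        ValidityDays          = [int](ConvertFrom-PkiPeriod $t.pKIExpirationPeriod).TotalDays
        RenewalDays           = [int](ConvertFrom-PkiPeriod $t.pKIOverlapPeriod).TotalDays
        PublishInAd           = [bool]($ef -band $EnrollmentFlag.PublishToDs)
        NoReenrollIfDuplicate = [bool]($ef -band $EnrollmentFlag.CheckUserDsCertificate)
        IncludeSymmetricAlgs  = [bool]($ef -band $EnrollmentFlag.IncludeSymmetricAlgorithms)
        PromptUser            = [bool]($ef -band $EnrollmentFlag.UserInteractionRequired)
        CaManagerApproval     = [bool]($ef -band $EnrollmentFlag.PendAllRequests)  # Issuance Requirements tab
        AuthorizedSignatures  = [int]$t.'msPKI-RA-Signature'                       # Issuance Requirements tab
        ArchivePrivateKey     = [bool]($pf -band $PrivateKeyFlag.RequireArchival)
        ExportablePrivateKey  = [bool]($pf -band $PrivateKeyFlag.ExportableKey)
        MinimumKeySize        = [int]$t.'msPKI-Minimal-Key-Size'
    }
}

# What the guide prescribes. "Issuance Requirements: uncheck all" means no CA manager approval
# and zero authorized signatures; the template CNs below are assumed (display name minus spaces).
$ClmExpected = @{
    'CONTOSOEncryptionClassISV1' = @{
        ValidityDays = 1826; RenewalDays = 42; PublishInAd = $true; NoReenrollIfDuplicate = $false
        IncludeSymmetricAlgs = $true; PromptUser = $false; CaManagerApproval = $false
        AuthorizedSignatures = 0; ArchivePrivateKey = $true; ExportablePrivateKey = $true; MinimumKeySize = 1024 }
    'CONTOSOAuthenticationSigningClassIISV1' = @{
        ValidityDays = 1826; RenewalDays = 42; PublishInAd = $true; NoReenrollIfDuplicate = $false
        PromptUser = $true; CaManagerApproval = $false; AuthorizedSignatures = 0
        ArchivePrivateKey = $false; MinimumKeySize = 1024 }
}

function Test-ClmCertificateTemplate([string] $Name, [hashtable] $Expected) {
    $actual = Get-ClmTemplateSettings $Name
    foreach ($key in $Expected.Keys) {
        # Day counts are compared with a small tolerance because the MMC stores years as whole days.
        $ok = if ($key -like '*Days') { [math]::Abs($actual.$key - $Expected[$key]) -le 2 }
              else { $actual.$key -eq $Expected[$key] }
        [pscustomobject]@{ Template = $Name; Setting = $key; Expected = $Expected[$key]; Actual = $actual.$key; Ok = $ok }
    }
}

# Usage:
#   $ClmExpected.GetEnumerator() | ForEach-Object { Test-ClmCertificateTemplate $_.Key $_.Value } |
#       Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Any row that comes back with Ok = False is a setting that drifted from the guide, which matters most for the two Issuance Requirements values: if either is non-zero, CLM requests for that template will stall in the CA's pending queue. The MinimumKeySize row checks the guide's value of 1024; that value reflects the 2007-era template and is below current key-length guidance, so treat a larger actual value as acceptable rather than as drift.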
  • 9. 2 Pre-CLM Installation
    2.1 Hardware and setup
     - Install CA and CLM on the same server (it is less complex this way)
     - Install SQL 2005 with SP2
     - .NET Framework 2.0
     - IIS 6.0
     - Modify AD Schema
     - Windows Server 2003 SP2 Support Tools
    2.2 Modify AD Schema
    1. Log on to the CA server using an Enterprise Administrator account. Make sure that the Windows Server 2003 Support Tools are installed.
    2. Open Clm.ldif, found in the CLM\Schema folder of the installation files, using Notepad and replace (DC=company) with (DC=CONTOSO). Copy the modified Clm.ldif to the root of the C drive.
    3. Run the LDAP Data Interchange Format Data Exchange tool, ldifde.exe, against the modified Clm.ldif. To do this:
       a. Go to Start >> All Programs >> Windows Support Tools >> Command Prompt
       b. Run this command: ldifde -i -f c:\Clm.ldif
    2.3 Enable the default KeyRecoveryAgent certificate template
    1. Click Start, point to Administrative Tools, and then click Certification Authority.
  • 10. 2. In Certification Authority, expand the set of folders for the default CA.
    3. In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
    4. In New Certificate Template to Issue, select Key Recovery Agent, and then click OK.
    2.4 Create AD Accounts for CLM
    Create the following accounts in AD:
    1. clmAgent
    2. clmKRAgent
    3. clmAuthAgent
    4. clmCAMngr
    5. clmWebPool
    6. clmEnrollAgent
    Password: PASSWORD
    3 CLM Installation (Same server as CA)
    3.1 Installation Walk Through
    1. Run the MSI located in … ILM FP1\CLM\Clm_en-US.msi
    2. Choose to install all components:
       a. CLM Web files
       b. CLM CA files
       c. CLM System files
  • 11. 3. On the Virtual Web Folder page, leave the default and click Next.
    Note: If the installation fails with a message indicating that ASP.NET 2.0 must be installed on the server, open CMD, browse to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 and type (aspnet_regiis.exe -i).
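The pre-installation steps of sections 2.2 and 2.4 (schema import with ldifde, then the six CLM accounts) as one PowerShell script. This is an added example, not part of the guide or of the CLM product. It assumes the RSAT ActiveDirectory module, that it runs on the CA server as the guide says (schema writes additionally require membership in Schema Admins), that Clm.ldif sits in the CLM\Schema folder of the installation media, and that an OU for the accounts already exists (the OU path is a parameter). It uses the -c switch of ldifde to rewrite DC=company to the forest root DN at import time, so the shipped file is not edited by hand, and it generates a random password per account instead of the shared PASSWORD value the guide uses.

```powershell
# Added example (not from the guide): CLM 2007 pre-installation steps in PowerShell.
# Assumes: RSAT ActiveDirectory module, Schema Admin + Enterprise Admin rights, Clm.ldif on the media.
Import-Module ActiveDirectory

function Import-ClmSchema {
    param(
        [Parameter(Mandatory)] [string] $LdifPath,                 # e.g. 'D:\ILM FP1\CLM\Schema\Clm.ldif'
        [string] $LogDir = (Join-Path $env:TEMP 'clm-schema')
    )
    if (-not (Test-Path $LdifPath)) { throw "LDIF file not found: $LdifPath" }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

    # Section 2.2 replaces DC=company with the real domain DN by hand; ldifde -c performs the
    # same substitution while importing. Schema changes must go to the schema master (-s).
    $rootDn = (Get-ADRootDSE).rootDomainNamingContext             # e.g. DC=contoso,DC=com
    $schemaMaster = (Get-ADForest).SchemaMaster

    # -k continues past "object already exists", which makes a re-run of the import harmless.
    & ldifde.exe -i -f $LdifPath -s $schemaMaster -c 'DC=company' $rootDn -j $LogDir -k
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE; see $LogDir\ldif.log" }
    return $LASTEXITCODE
}

function New-RandomPassword([int] $Length = 24) {
    # CSPRNG-backed password; rejection sampling avoids modulo bias over the alphabet.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)
    $chars = foreach ($i in 1..$Length) {
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $alphabet[$buf[0] % $alphabet.Length]
    }
    return -join $chars
}

function New-ClmServiceAccounts {
    param(
        # Assumed OU; create it beforehand or point this at an existing one.
        [string] $OuPath = "OU=CLM Service Accounts,$((Get-ADDomain).DistinguishedName)"
    )
    if (-not (Test-Path "AD:\$OuPath")) { throw "OU not found: $OuPath" }
    # The six accounts named in section 2.4 of the guide.
    $names = 'clmAgent', 'clmKRAgent', 'clmAuthAgent', 'clmCAMngr', 'clmWebPool', 'clmEnrollAgent'
    foreach ($name in $names) {
        if (Get-ADUser -Filter "sAMAccountName -eq '$name'") {
            Write-Warning "$name already exists, skipping"
            continue
        }
        $password = New-RandomPassword
        New-ADUser -Name $name -SamAccountName $name -Path $OuPath `
            -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
            -Description 'Microsoft CLM 2007 agent/service account'
        # The configuration wizard (section 3.2) asks for each of these passwords.
        [pscustomobject]@{ Name = $name; Password = $password }
    }
}

# Usage (run on the CA server):
#   Import-ClmSchema -LdifPath 'D:\ILM FP1\CLM\Schema\Clm.ldif'
#   New-ClmServiceAccounts | ForEach-Object { <# hand each Name/Password to your secret store #> $_ }
```

The generated passwords are returned once as objects so they can be handed straight to a vault and typed into the wizard's Custom Accounts tabs; nothing in the script writes them to disk.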
  • 12. 3.2 Configuring CLM 2007 Using the CLM Configuration Wizard
    1. Click Start, point to Programs, point to Microsoft Certificate Lifecycle Manager, and then click Configuration Wizard.
    2. On the CA Configuration page, verify the name of the CA and the Domain Name System (DNS) name for the CA server, and then click Next.
    3. On the Set up the SQL database server page, enter the name of the SQL server and an account with permission to create a database.
    4. On the Database settings page, use (SQL Mixed mode authentication) and reset the (CLMUSER) password to (PASSWORD).
    Note: The CLM Configuration Wizard also creates a user account named CLMExternal, which is used for creating requests with the CLM SQL API.
    5. On the Set up Active Directory page, leave the defaults and click Next.
    6. On the Agents--Microsoft CLM page, uncheck (Use the CLM default settings) and click (Custom Accounts).
  • 13. Note: On all user tabs, choose (Use existing accounts) and provide the passwords for the accounts that you created earlier.
    7. On the (Setup server Certificates) page, leave the defaults and click Next.
  • 14. 8. On the (Setup Email server, Document Printing) page, type the IP of the SMTP virtual server (anonymous access should be allowed on the SMTP virtual server).
  • 15. 3.3 CLM IIS Site needs SSL Certificate
    Order a certificate for the CLM IIS site in order for the site to open (this is a required procedure).
  • 16. 4 Post Installation Tasks
    4.1 Export the CLM Users certificates
    Log on to the CLM server as each of (clmAgent, clmKRAgent, clmEnrollAgent) and export the corresponding certificate from the user store. Make sure to keep those private keys in a safe place for CLM recovery operations.
    CLM Agent:       80 2b a7 a4 8c 3e 4f 62 80 e1 ad fc f7 15 f9 ec 94 c3 e5 07
    clmenrollagent:  c9 1a a4 3c 27 62 91 1d ca 87 f6 10 7d 3d 5d 5a f8 53 48 42
    clmkragent:      df 05 f0 0a 93 c6 aa fb 62 3b 6c 35 eb 02 4b 0c 04 2c f4 be
    4.2 Configuring the Certificate Lifecycle Manager 2007 Service
    4.2.1 Create a new domain user account
    Create a service account named (ServiceCLM01) in Active Directory.
    4.2.2 Grant required user rights to the domain user account
    Create a GPO named (CLM) in Active Directory, link it to the OU where the CLM machine is located, and grant the following rights to the (ServiceCLM) user account:
    1. Act as part of the operating system
    2. Generate security audits
    3. Replace a process level token
  • 17. 4.2.3 Add the domain user account to the required groups
    Add the (ServiceCLM) account to these groups:
    1. Local Administrators
    2. IIS_WPG
    4.2.4 Configure the CLM Service to use the domain user account
    Configure the (Certificate Lifecycle Manager Service) to use the new account and make it start automatically.
    4.2.5 Additional Task
    You may have to assign the CLM Request Renew extended permission to the (ServiceCLM) user account if you want to benefit from the automatic renewal option. The point of all this is that the CLM service can perform advanced tasks (i.e. using external APIs). One of those tasks could be the ability of the CLM service to remind users who enrolled certificates using OTP about their issued certificate's expiration time (i.e. send them a reminder email). In order for the CLM service to do this, it may be required to grant the CLM service account some additional permissions and rights (i.e. CLM Request Renew).
    4.3 Configure the CLM policy module
    1. Click Start, point to Administrative Tools, and then click Certification Authority.
    2. In the Certification Authority snap-in, right-click CAName, and then click Properties.
    3. In CAName Properties, click the Policy Module tab, and then click Select to designate the Active Policy Module.
    4. In the Set Active Policy Module dialog box, select CLM Enterprise Policy Module and then click OK.
  • 18. 5. On the Policy Module tab of the CAName Properties dialog box, click Properties.
    6. In the Configuration Properties dialog box, on the General tab, select Pass non-CLM requests to the default policy module for processing.
    7. In the Configuration Properties dialog box, on the Default Policy Module tab, click Properties.
    8. In the Default Policy Module dialog box, select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and then click OK.
    9. In the Configuration Properties dialog box, click OK.
    4.4 Configure the CLM Exit module
    1. Click Start, point to Administrative Tools, and then click Certification Authority.
    2. In the Certification Authority snap-in, right-click CAName, and then click Properties.
    3. In the CAName Properties dialog box, click the Exit Module tab, and then click Add.
    4. In the Set Active Exit Module dialog box, select CLM Enterprise Exit Module, and then click OK.
    5. In the CAName Properties dialog box, on the Exit Module tab, in Exit Modules, select CLM Enterprise Exit Module, and then click Properties.
    6. In the Configuration Properties dialog box, check the connection string for the SQL Server that hosts the CLM database, and then click OK. (If the SQL Server database that you use is not on the same computer as the CLM exit module, make sure that the connection string contains the name of the remote SQL Server.)
    Connect Timeout=15;User ID=clmUser;Integrated Security=False;Persist Security Info=True;Password=Recovery9;Initial Catalog=CLM;Data Source=udcdb04in4;
    4.5 Configure additional policy modules
    4.5.1 Configure the Non-CLM Request Policy Module
    1. Log on to the CLM server with a user account assigned the Manage CA permission for the local CA.
    2. Click Start, point to Administrative Tools, and then click Certification Authority.
  • 19. 3. In Certification Authority, right-click the certification authority and then click Properties.
    4. In CAName Properties, on the Policy Module tab, click Properties to install and configure a custom module.
    5. In Configuration Properties, on the Custom Modules tab, click the Add button.
    6. In Open, locate the Microsoft.CLM.PolicyModulePlugins.dll file, and then click Open. The default location for the file is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\CA.
    7. In Clm Policy Module, select (Support for non-CLM certificate requests).
    4.6 Create CLM Users and Groups
    (CLM 2007 does not support domain local groups)
    Create the following groups in AD:
     - CLM01 Administrators: Members of this group will have the highest level of rights and permissions on the CLM Administrative site.
     - CLM01 Subscribers: Contains nested groups named (CLM01 XXX Subscribers).
     - CLM01 XXX Subscribers (where XXX is the CONTOSO station code): Any user that will be enrolled for a certificate and is managed by the XXX station IT team. This group is nested inside the (CLM01 Subscribers) group.
     - CLM01 Roles: For example, this can be CLM01 Auditors, or CLM Unblock. Members of this group will have one of the CLM Extended permissions.
    4.7 CLM Site
    When installing CLM, you are prompted to choose a name for the CLM virtual IIS path (the default is https://CLM_Server.domain.com/CLM). Depending on the rights granted to the user, this link can contain either the CLM Client site, or both the CLM Client site and the CLM Administrative site. Those sites are used as follows:
    1. CLM Client Site: any user that is enrolled for a certificate from CLM can access this site. This site shows the user what certificates he is enrolled for, and details about his smart card(s). Users accessing this site can also do one of the following (depending on the profile template management policy):
       a. Request smart cards
  • 20. b. Enroll for a smart card by providing One Time Passwords (OTP)
    2. CLM Administrative Site: only users granted one of the CLM Extended permissions can access this site.
    Golden rule here: accessing the CLM sites requires Read permission on the CLM SCP.
    4.8 Understand CLM Rights and Permissions
    4.8.1 CLM Extended Permissions
    I will try to explain the CLM permissions in my way. I will classify any user participating in CLM into three categories:
    1. CLM Subscribers: Those are end users receiving certificates/smart cards from CLM. CLM Subscribers can log on to the CLM Client portal and view/execute/request certificates and smart cards.
    2. CLM Administrators: Those users have full permissions on the CLM service. CLM Administrators can access both CLM sites (Client and Administrative).
    3. CLM Managers: Those users are granted one of the CLM Extended permissions (described later). Such users can access both CLM sites (Client and Administrative).
    CLM permissions are named CLM Extended Permissions. CLM Extended permissions are not assigned to end users even if they are enrolled for certificates from CLM.
    CLM permissions are:
    1. CLM Audit: Can view all settings of the CLM Administrative site.
    2. CLM Enroll: Only assigned on the profile templates. Any user that will be enrolled for a certificate should be assigned this right.
    3. CLM Enrollment Agent: Enables the user or group to request certificates on behalf of another user.
    4. CLM Request Enroll
    5. CLM Request Renew
    6. CLM Request Recover
    7. CLM Request Revoke
    8. CLM Request Unblock Smart Card
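Sections 4.1 and 4.2 above, scripted: the first function finds an agent certificate in the current user's store by the thumbprint the guide lists and exports it, with its private key, as a password-protected PFX; the second reads the effective user-rights assignment with secedit and reports whether the CLM service account holds the three rights the CLM GPO grants, and who else holds them. This is an added example, not code from the guide or from Microsoft. The export must run while logged on as the agent account that owns the certificate (as 4.1 describes); the thumbprints are the ones printed in 4.1; the rights are matched under their internal names (SeTcbPrivilege, SeAuditPrivilege, SeAssignPrimaryTokenPrivilege), which is how secedit lists them; the output folder and the CONTOSO\ServiceCLM01 account name are assumptions.

```powershell
# Added example (not from the guide): export the CLM agent certificates (4.1) and audit
# the user rights granted to the CLM service account (4.2.2).

# Thumbprints exactly as listed in section 4.1 of the guide.
$ClmAgentThumbprints = @{
    clmAgent       = '80 2b a7 a4 8c 3e 4f 62 80 e1 ad fc f7 15 f9 ec 94 c3 e5 07'
    clmEnrollAgent = 'c9 1a a4 3c 27 62 91 1d ca 87 f6 10 7d 3d 5d 5a f8 53 48 42'
    clmKRAgent     = 'df 05 f0 0a 93 c6 aa fb 62 3b 6c 35 eb 02 4b 0c 04 2c f4 be'
}

function ConvertTo-NormalizedThumbprint([string] $Thumbprint) {
    # The certificate store reports thumbprints as 40 upper-case hex characters without spaces.
    $t = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($t.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }
    return $t
}

function Export-ClmAgentCertificate {
    param(
        [Parameter(Mandatory)] [string] $AgentName,                       # key of $ClmAgentThumbprints
        [Parameter(Mandatory)] [System.Security.SecureString] $PfxPassword,
        [string] $OutDir = 'D:\CLM-Recovery'                              # assumed; keep it off the web server
    )
    $thumb = ConvertTo-NormalizedThumbprint $ClmAgentThumbprints[$AgentName]
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "Certificate $thumb is not in this user's store; log on as $AgentName first" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; recovery needs the key" }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $pfxPath = Join-Path $OutDir "$AgentName-$thumb.pfx"
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
    } finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    [System.IO.File]::WriteAllBytes($pfxPath, $bytes)
    return $pfxPath
}

# The three rights from 4.2.2 under the internal names secedit uses.
$ClmServiceRights = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeAuditPrivilege              = 'Generate security audits'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

function Test-ClmServiceAccountRights {
    param([string] $Account = 'CONTOSO\ServiceCLM01')                    # assumed domain\name
    $inf = Join-Path $env:TEMP 'clm-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

    # secedit lists holders as '*SID' or as names; resolve the account to its SID to match either.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $assigned = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
            $assigned[$matches[1]] = $matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    foreach ($right in $ClmServiceRights.Keys) {
        $holders = @($assigned[$right])
        [pscustomobject]@{
            Right        = $ClmServiceRights[$right]
            Granted      = ($holders -contains $sid) -or ($holders -contains $Account)
            # Every other holder of "Act as part of the operating system" deserves a second look.
            OtherHolders = @($holders | Where-Object { $_ -and $_ -ne $sid -and $_ -ne $Account })
        }
    }
}

# Usage:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-ClmAgentCertificate -AgentName clmAgent -PfxPassword $pw           # while logged on as clmAgent
#   Test-ClmServiceAccountRights -Account 'CONTOSO\ServiceCLM01' | Format-Table -AutoSize
```

Run the rights check on the CLM server after the GPO has applied (gpupdate), since secedit reports the merged effective policy, not the GPO itself. The OtherHolders column is the part worth reading: the three rights in 4.2.2 let a process act with full system identity, so the expected answer is the service account and the built-in system accounts only.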
  • 21. 4.8.2 Extended permissions assignment locations
    1. Service connection point: This is (Active Directory Users and Computers >> System Container >> Microsoft >> Certificate Lifecycle Manager >> CLM Server Name).
    2. Profile template object: This is (Active Directory Sites and Services >> Services >> Public Key Services >> Profile Templates >> Profile Template Name).
    3. Users or groups: This is (the DACL of a user or a group).
    4. Certificate templates: This is (CA Certificate Templates).
    5. Management policy: This is (CLM Administrative Site >> Administration >> Manage Profile Templates).
    4.8.3 Assigning CLM Extended permissions
     - (Profile Templates) location:
        o Any user participating in CLM should have Read permission on the Profile Templates container.
        o If the end user is to be enrolled from a specific profile template, he should be assigned (Read and CLM Enroll) on it.
        o To administer a specific profile template, CLM Managers should have (Read and Write).
     - Service Connection Point (SCP):
        o Any user who should access a CLM site (Client or Administrative) should have Read permission on the SCP. This of course includes CLM Subscribers.
        o Other than that, only CLM Managers are assigned permissions here, by giving them CLM Extended permissions on the SCP.
     - CLM Management policy:
        o Here you can configure what CLM Managers can do and where. A new role can be assigned here, and that is (Approve Requests).
  • 22. o To make a user able to (Approve Requests), you should configure the management policy of a profile template to require manager's approval, and then add the user to the (Approve Requests) list.
        o Another important point here is who can initiate requests. Mainly two kinds of users can perform this:
           * If you enable (Self service) on the enroll policy, the end user can initiate the enroll request without being assigned any extra permission, even if they are not included in the (Workflow: Initiate Request) list on the Enroll policy.
           * A CLM Manager who is assigned the following:
              - CLM Request Enroll on the SCP
              - CLM Request on (Users and groups)
              - Included in the (Workflow: Initiate Request) list on the profile template's management policy.
    It is important to note that any user participating in CLM should have Read on the Profile Templates container.
     - CLM01 Administrators
       1. Profile Templates container: Full Control permission on the container and all child objects + (Read and Write and CLM Enroll) on any new profile template.
       2. Service connection point: Full permissions
       3. CLM01 Subscribers DACL: Full CLM Extended Permissions
     - CLM01 Managers
       1. Profile Templates container: Full Control permission on the container and all child objects
       2. Service connection point: Read permission and one of the CLM Extended permissions
       3. CLM01 Subscribers DACL: Read permission and one of the CLM Extended permissions
     - CLM01 XXX Subscribers
       1. Profile Templates container: Read permission
       2. Profile Templates container >> Specific Profile Template: Read and CLM Enroll
  • 23. 5 Configuring Profile Templates
    Profile templates can be configured by logging on to the CLM Administrative site and going to (Administration >> Manage Profile Templates).
    5.1 Smart Card Profile Templates
    On the Profile Template List, choose (CLM Sample Smart Card Logon Profile Template) and click (Copy a selected profile template). Name it (XXX SC ES AutoEnroll V1), where:
     - XXX: CONTOSO station code.
     - ES: Encryption/Signing purposes.
     - V1: Version one.
     - Description: This template is to enroll XXX smart cards with encryption and signing/authentication certificates. Certificates are enrolled by the IT team on behalf of the user.
    5.1.1 Profile Details
    5.1.1.1 General Settings
     - Don't choose (Generate encryption keys on server)
     - (Maximum number of external certificates): 1000
     - Supports smart cards: Yes, if this profile is to enroll smart cards
    5.1.1.2 Certificate Templates
    Choose the certificate templates that will be enrolled using this profile template:
     - CONTOSO SM Signing Class II V1
     - CONTOSO SM Encryption Class 1 V1
  • 24. 5.1.1.3 Smart Card Configuration
     - Provider Information: Microsoft Smart Card Base CSP.
     - Processing, choose:
        o Initialize card before use: This will delete any keys on the smart card and any certificate information.
        o Reuse retired card. (This option means that if the smart card of User X is retired, the CLM manager can use this smart card to enroll User Y's certificates, thus the ownership of the card passes to User Y.) This also applies to the case in which a retired smart card will be used for the same user but to enroll for a different profile template. What is important to know here is that you can see the full history of the usage of the card, how many times it was retired, and what certificates were included on the card before each retirement.
        o Install certificate authority certificates
        o Certificate label text: {Template!cn} - {User}
        o Maximum number of certificates: 5 (This is a custom setting that I put here. It limits the total number of certificates that CLM 2007 allows on a smart card.)
     - Microsoft Smart Card Base CSP: Leave defaults
     - Administrative PIN: Leave defaults
     - User PIN: User Provided. (This means that the person who is enrolling the smart card will be prompted for the user PIN.)
     - Printing: Keep defaults (Disabled).
    5.1.2 Enroll Policy
     - Use Self Serve: Means that the end user can initiate certificate requests from the CLM Client portal (even if they are not included in Enroll Policy >> Workflow: Initiate Enroll Requests).
     - Require enrollment agent: This option is used if the administrator will enroll a certificate on behalf of the end user. To enable this option, you should always perform this step.
     - Number of Approvals: how many managers should approve the request.
     - Number of active or suspended profiles/smart cards allowed = 1. This means that any user can enroll only once for THIS profile template. If the user already has an active smart card that is enrolled from THIS profile template and then tries to enroll from this profile using another smart card, it will not be allowed.
There are many scenarios for user enrollment:

1. User X can initiate enrollment requests and enroll smart cards directly by doing the following:
   a. Give User X Read permissions on the Profile Templates container.
   b. Give User X (Read + CLM Enroll) on the specific profile template.
   c. Configure the Profile Template Management Policy to enable (Self Service), and set the (Number of approval) to 0. You do not need to add User X to the (Workflow: Initiate Enroll Requests) users. Uncheck the (Require Enrollment Agent) option.
   d. Configure the certificate templates included in that profile template on the CA server so that User X has (Read and Enroll).
   e. User X should have the CLM Client installed on his machine and a smart card inserted in his machine's smart card reader; he then opens a browser and types https://CLMServer.contoso.com/CLM and clicks (Request a permanent Smart Card).
2. User X initiates the (Request smart card) request ("User X requests a smart card from the CLM Client interface"). The helpdesk can now approve the request and obtain an OTP. The helpdesk sends the OTP to User X, who then uses the OTP to enroll for a smart card.
   a. Give User X Read permissions on the Profile Templates container.
   b. Give User X (Read + CLM Enroll) on the specific profile template.
   c. Configure the Profile Template Management Policy to enable (Self Service), and set the (Number of approval) to 1 (any non-zero value works). You do not need to add User X to the (Workflow: Initiate Enroll Requests) users. Now add the Helpdesk group to (Workflow: Approve Enroll Requests). Uncheck the (Require Enrollment Agent) option.
   d. Configure the certificate templates included in that profile template on the CA server so that User X has (Read and Enroll).
   e. User X should have the CLM Client installed on his machine and a smart card inserted in his machine's smart card reader; he then opens a browser, types https://CLMServer.contoso.com/CLM and clicks (Request a permanent Smart Card). User X will see that his request is in (Pending) state.
   f. To act as the approval user in the CLM workflow, the helpdesk should have the following permissions:
      i. Read on the Profile Templates container.
      ii. Read and CLM Audit on the SCP (this object and all child objects).
   g. The helpdesk can now open https://CLMServer.contoso.com/CLM >> Manager Operations >> Requests >> Pending >> Approve.
   h. User X now logs on to the CLM Client site again at https://CLMServer.contoso.com/CLM, chooses (Request My Request), selects the request with status (Approved) and clicks [Execute].
Note: If, in the Profile Template Management Policy, you configured the (One-Time Password) option to require one or more (Password provider initialization data), then in step (g) the helpdesk will get an OTP. The helpdesk then ships the OTP to User X. User X then logs on to the CLM Client site as in step (h) and chooses (Complete a request with one-time password) instead of (Show my Request history).

3. User X initiates a request for a smart card; the helpdesk checks the request, enrolls the smart card from their machines, and then ships the smart card and user PIN to User X.
   a. Give User X Read permissions on the Profile Templates container.
   b. Give User X (Read + CLM Enroll) on the specific profile template.
   c. Configure the Profile Template Management Policy as follows:
      i. Enable (Use Self Service).
      ii. Enable (Require Enrollment Agent).
      iii. Uncheck the option to allow comments/priority to be collected.
      iv. Set the Number of approval to zero.
      v. On (Data Collection), do not require any items to be collected.
      vi. On (Workflow: Enroll Agent For Enroll Requests), add the helpdesk group.
      vii. You do not have to add anyone to (Workflow: Initiate Enroll Requests).
      Note: Always remember the golden rule: if you enable "Use Self Serve", the end user can initiate requests even if they are not included in "Workflow: Initiate Enroll Requests".
   d. On the CA certificate templates >> Issuance Requirements tab, require one authorized signature with an application policy of Certificate Request Agent.
   e. User X does not need the CLM Client installed on his machine; he opens his browser, types https://CLMServer.contoso.com/CLM and clicks (Request a permanent Smart Card). User X will see that his request is in (Pending) state.
   f. The helpdesk should have the following permissions:
      i. Included in both (Workflow: Initiate Enroll Requests) and (Workflow: Enroll Agent For Enroll Requests).
      ii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the SCP.
      iii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the Certificate Subscribers group in Active Directory (the users who receive certificates).
      iv. (Read and Enroll) on the specific profile templates (reachable from AD Sites and Services).
   g. Helpdesk machines will have the CLM Client installed, with smart cards and smart card readers. The helpdesk logs on to the CLM administrative site, checks the approved requests, and clicks Execute.
   h. The helpdesk then ships the smart card to the end user.

4. The helpdesk enrolls User X for certificates directly, without the user initiating the request.
   a. Give User X Read permissions on the Profile Templates container.
   b. Give User X (Read + CLM Enroll) on the specific profile template.
   c. Configure the Profile Template Management Policy as follows:
      i. Enable (Require Enrollment Agent).
      ii. Uncheck the option to allow comments/priority to be collected.
      iii. Set the Number of approval to zero.
      iv. On (Data Collection), do not require any items to be collected.
      v. On (Workflow: Enroll Agent For Enroll Requests), add the helpdesk group.
      vi. You do not have to add anyone to (Workflow: Initiate Enroll Requests).
      Note: Always remember the golden rule: if you enable "Use Self Serve", the end user can initiate requests even if they are not included in "Workflow: Initiate Enroll Requests".
   d. On the CA certificate templates >> Issuance Requirements tab, require one authorized signature with an application policy of Certificate Request Agent.
   e. The helpdesk should have the following permissions:
      i. Included in both (Workflow: Initiate Enroll Requests) and (Workflow: Enroll Agent For Enroll Requests).
      ii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the SCP.
      iii. Both (CLM Request Enroll) and (CLM Enrollment Agent) on the Certificate Subscribers group in Active Directory (the users who receive certificates).
      iv. (Read and Enroll) on the specific profile templates (reachable from AD Sites and Services).
   f. Helpdesk machines will have the CLM Client installed, with smart cards and smart card readers. The helpdesk logs on to the CLM administrative site and clicks (Enroll a user for a new set of certificates or a smart card).
   g. The helpdesk then ships the smart card to the end user.

5.1.3 Online Update

An online update can be performed for one of the following three reasons:
- Certificate Content Change
- Certificate Template Change
- Certificate Expiry

Two important points here:
- Online updates can be executed from the end user side only.
- If you perform an online update for the permanent card, a request to update the duplicate card is made automatically.

5.1.3.1 Certificate Content Change

This means you want to enroll for new certificates. What happens to the existing certificates is:
- Signing certificates: revoked and deleted from the card.
- Encryption certificates (archived ones): it depends on the policy:
  - You can revoke them.
  - You can keep them active.

Example: If you have a card with E1 (Encryption Key 1) and S1 (Signing Key 1), and you configured the online update to revoke archived certificates, then updating the card with (content change) will:
- Revoke and delete S1
- Issue new S2
- Revoke and keep E1
- Issue E2

Note: If you have a duplicate card, it will automatically be pending for the same online update request, and the duplicate card is always issued a new encryption key (not the same one issued to the permanent card). The following examples will help clarify this.
Example: If you have card 1 with (E1, S1) and duplicate card 2 with (E1, S2), and you configured the online update to revoke archived certificates, then updating either card with (content change) will automatically put the other card in pending state for the update, and the following will happen:
- On card 1:
  - E1 revoked and kept on the card
  - S1 revoked and deleted
  - Issue new E2
  - Issue new S3
- On card 2:
  - E1 revoked and kept on the card
  - S2 revoked and deleted
  - Issue new E3
  - Issue new S4

Example: If you have card 1 with (E1, S1) and duplicate card 2 with (E1, S2), and you configured the online update not to revoke archived certificates, then updating either card with (content change) will automatically put the other card in pending state for the update, and the following will happen:
- On card 1:
  - E1 active, not revoked (not touched)
  - S1 revoked and deleted
  - Issue new E2
  - Issue new S3
- On card 2:
  - E1 active, not revoked (not touched)
  - S2 revoked and deleted
  - Issue new E3
  - Issue new S4
5.1.3.2 Template Change

This is a very interesting feature. Suppose you have configured a profile template in CLM with two certificate templates on it, and you have already enrolled a number of users' smart cards using this profile template. Now you decide to add or delete certificate templates from the CLM profile template. To update the already enrolled smart cards with this change, you update them using (Template Change).
- If you add a certificate template to a profile template: the certificates already on the card are not touched.
- If you delete a certificate template from the profile template: the certificates on the card enrolled from that certificate template are revoked and deleted from the card (even if they are archived certificates).

Example: if card 1 has (E1, S1) and duplicate card 2 has (E1, S2), and you add a certificate template "K" to the profile template, then:
- Card 1 will have E1, S1, K1
- Card 2 will have E1, S2, K2

Example: if card 1 has (E1, S1) and duplicate card 2 has (E1, S2), and you delete certificate template "E" from the profile template, then:
- Card 1 will have S1
- Card 2 will have S2
Note: E1 is revoked.
6 Appendix

6.1 Appendix A: CONTOSO Encryption Class IS V1

1. General Tab
6.2 CONTOSO Signing/Authentication Class IIS V1

1. General:
6.3 CLM System Users
- CLM Agent: conducts operations for CLM 2007 that require specific permissions. CLM 2007 uses this agent to sign data.
- CLMKRAgent: recovers archived private keys from the CA.
- CLMAuthAgent: reads security information of user and group entries in Active Directory.
- CLMCAMngr: performs actions against the certification authority.
- CLMWebPool: runs CLM 2007 in IIS. If you use Integrated Windows Authentication, it grants the Web Pool Agent permissions to the CLM database and performs all read/write operations that the CLM server would otherwise perform in the SQL Server database.
- CLMEnrollAgent: requests certificates on behalf of a user account.

6.4 Installing and Configuring Certificate Lifecycle Manager 2007 Client

Microsoft Certificate Lifecycle Manager 2007 Client assists in client-side smart card management activities, such as changing the personal identification number (PIN) on a smart card.

6.4.1 Hardware and software requirements
1. Microsoft Windows XP Service Pack 2 or a later OS
2. Microsoft Base Cryptographic Service Provider (CSP)
3. A smart card reader and one or more smart cards

6.4.2 Installing CLM Client
1. From the CLM 2007 installation CD, run CLMClient.msi. (CLMClient.msi is located at [CDDrive]\CLMClient.)
2. On the Welcome to the Installation Wizard page, click Next.
3. On the Certificate Lifecycle Manager License Agreement page, read the license agreement, select I accept the terms in the license agreement, and then click Next.
4. On the Setup Type page, under Setup Type, select Complete and click Next.
5. On the Ready to Install Certificate Lifecycle Manager Client page, click Install.
6. On the Certificate Lifecycle Manager Client Installation Complete page, click Finish.
7. Add the CLM web site to Trusted Sites in Internet Explorer. The default configuration for Trusted Sites prompts the user before loading controls that are not marked safe for scripting. Because Certificate Lifecycle Manager 2007 Client is not marked safe for scripting, you must enable Initialize and script ActiveX controls not marked as safe for scripting if you do not want Internet Explorer to prompt users when the control loads.

To export comma-delimited report data, you must enable the Automatic prompting for file downloads policy setting in Internet Explorer. If you enable this policy setting, Internet Explorer prompts you when you export the report. To enable comma-delimited report data to be exported:
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. In Internet Options, click the Security tab.
3. Under Security level for this zone, click Custom Level.
4. In Security Settings - Internet Zone, under Downloads, click Enable for Automatic prompting for file downloads.

6.4.3 Registry Modification
1. Enable Private Key Import
   - Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider.
   - Set AllowPrivateExchangeKeyImport to a value of 1.
   - Set AllowPrivateKeySignatureImport to a value of 1.
6.5 What will happen if ...

6.5.1 Duplicate an active smart card

CLM will recover the same encryption certificates (if archived) and will always issue new signing certificates.

(Figure: PERM card Active with E1, S1; DUB card Active with E1, S2.)

6.5.2 Retire a duplicate smart card
1. Revoke all certificates on the duplicate card. The duplicate smart card is no longer assigned to the user, and the smart card holds no certificates, as they are deleted.
2. Disable the permanent smart card (which revokes all certificates on the card). The permanent smart card is still assigned to the user and still holds its certificates, which are revoked but can still be used to recover encrypted files.

6.5.3 Retire the permanent smart card that has a duplicate card
1. Revoke all certificates on the permanent card. The permanent card is no longer assigned to the user, and the smart card holds no certificates, as they are deleted.
2. Disable the duplicate smart card (which revokes all certificates on the card). The duplicate smart card is still assigned to the user and still holds its certificates, which are revoked but can still be used to recover encrypted files.
(Figure: retiring one card of a pair. Starting state: PERM card Active with E1, S1; DUB card Active with E1, S2. Retire DUB: PERM card Disabled with E1, S1; DUB card Retired with no certificates. Retire PERM: PERM card Retired with no certificates; DUB card Disabled with E1, S2.)
6.5.4 Disable the duplicate card

This disables both the duplicate and the permanent card.

6.5.5 Disable the permanent smart card that has a duplicate card

This disables both the duplicate and the permanent card.
(Figure: disabling one card of a pair. Starting state: PERM card Active with E1, S1; DUB card Active with E1, S2. Disabling either the DUB card or the PERM card leaves both cards Disabled, each still holding its certificates: E1, S1 on the PERM card and E1, S2 on the DUB card.)
6.5.6 Replace Cards

Conditions:
- Workflow: Duplicate Revocation Settings: not configured.
- Workflow: Revocation Settings:
  - Set old card or profile status to disabled.
  - Revoke old certificates.
- Workflow: General:
  - Re-issue archived certificates.

1. If the user has a permanent card and a duplicate card, and you replace the permanent card, then the permanent card is set to Disabled and all certificates on it are revoked. Any archived encryption certificate on the duplicate card is set to Revoked. The replacement card will hold the old (revoked) encryption certificate, a new signing certificate and a new encryption certificate.
2. Replacing the duplicate card works the same as replacing the permanent card.

Note: If you have smart card 1 and duplicate smart card 2 and you lose smart card 1, what you can do is replace smart card 1 with smart card 3, then retire smart card 2, and then duplicate smart card 3 onto smart card 2. Another scenario: you have smart card 1 and duplicate smart card 2, you lose smart card 1, and you can live with one smart card. Then you have to disable smart card 1 and then work with the online update options.
(Figure: replacing a card. Starting state: PERM card Active with E1, S1; DUB card Active with E1, S2. Replace PERM: PERM card Disabled with E1, S1; DUB card Active with E1, S2; REP card Active with E1, E2, S3. Duplicating REP afterwards: REP card Active with E1, E2, S3 and DUB card Active with E1, E2, S3 as labelled in the figure. Replace DUB: PERM card Active with E1, S1; DUB card Disabled with E1, S2; REP card Active with E1, E2, S3.)
6.5.7 Online Update Case 1 (deletes revoked certificates on content change only)

Assumptions: User X is enrolled for two smart cards, one of which is a duplicate. The Online Update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: The administrator performs an online update for the PERM card, chooses (Certificate Content Change) and chooses to update only the (Signing Certificate Template).

What will happen: An online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in the workflow described in the management policy, the user should log on to the CLM Client site and check his requests. He will see two approved online update requests (one for each card). The user then inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second approved online update. The user ends up with two smart cards on which the encryption certificate is untouched, but both signing certificates are revoked and deleted, and new ones are issued and written to the smart cards, as shown in the figure below.
(Figure: online update of the signing certificate only on the PERM card. Before: PERM card Active with E1, S1; DUB card Active with E1, S2. After: PERM card Active with E1, S3; DUB card Active with E1, S4. S1 and S2 are revoked and deleted from the smart cards.)

6.5.8 Online Update Case 2

Assumptions: User X is enrolled for two smart cards, one of which is a duplicate. The Online Update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).
Action: The administrator performs an online update for the PERM card, chooses (Certificate Content Change) and chooses to update only the (Encryption Certificate Template).

What will happen: An online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in the workflow described in the management policy, the user should log on to the CLM Client site and check his requests. He will see two approved online update requests (one for each card). The user then inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second approved online update. The user ends up with two smart cards on which the signing certificates are untouched, but the encryption certificate (E1) is revoked and kept on the smart cards for recovery. New encryption certificates E2 and E3 are issued and written to the cards, as shown in the figure below.

The user ends up with two cards and two active encryption certificates, E2 and E3. To solve this, you can now retire the DUB smart card (this will revoke and delete S2, E2) and then duplicate the PERM card. After all is done, the DUB card will hold (S3, E2, and the revoked E1).
(Figure: online update of the encryption certificate only on the PERM card. Before: PERM card Active with E1, S1; DUB card Active with E1, S2. After: PERM card Active with E1, E2, S1; DUB card Active with E1, E3, S2. E1 is revoked; new E2 and E3 are issued. To avoid having E2 and E3 on the two cards, retire the DUB card now and duplicate the PERM card.)
6.5.9 Online Update Case 3

Assumptions: User X is enrolled for two smart cards, one of which is a duplicate. The Online Update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: The administrator deletes the signing certificate template from the profile template and initiates an online update of the smart card (it does not matter whether it is the PERM card or the DUB card).

What will happen: An online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in the workflow described in the management policy, the user should log on to the CLM Client site and check his requests. He will see two approved online update requests (one for each card). The user then inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second approved online update. The user ends up with two smart cards on which the signing certificates are revoked and deleted. The encryption certificate is not touched.
(Figure: online update after deleting the signing certificate template from the profile template. Before: PERM card Active with E1, S1; DUB card Active with E1, S2. After: PERM card Active with E1; DUB card Active with E1. S1 and S2 are revoked and deleted from the smart cards.)
6.5.10 Online Update Case 4

Assumptions: User X is enrolled for two smart cards, one of which is a duplicate. The Online Update policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: The administrator deletes the encryption certificate template from the profile template and initiates an online update of the smart card (it does not matter whether it is the PERM card or the DUB card).

What will happen: An online update cannot be completed from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in the workflow described in the management policy, the user should log on to the CLM Client site and check his requests. He will see two approved online update requests (one for each card). The user then inserts his permanent smart card and executes the first approved online update, then inserts the duplicate smart card and executes the second approved online update. The user ends up with two smart cards on which the encryption certificates are revoked and deleted. The signing certificates are not touched.
(Figure: online update after deleting the encryption certificate template from the profile template. Before: PERM card Active with E1, S1; DUB card Active with E1, S2. After: PERM card Active with S1; DUB card Active with S2. E1 is revoked and deleted from the smart cards.)
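The card and certificate rules stated in section 5.1.3 (content change, template change) and section 6.5 (duplicate, retire, disable, replace, and online update cases 1 to 4) can be replayed with the following Python model. This is an added example, not CLM code and not the author's own material: it calls no CLM API and only encodes the behaviour the text above describes, so that the worked examples (E1/S1 on the PERM card, E1/S2 on the DUB card, and what each operation leaves behind) can be checked. Assumptions of the model: certificate labels are numbered globally per kind as in the document's examples; an encryption certificate recovered onto a duplicate is the same certificate object on both cards, so revoking it once revokes it everywhere; a replacement card is left unpaired afterwards. A "!" suffix in a snapshot marks a revoked certificate that is still present on the card.

```python
"""Toy model of CLM 2007 PERM/DUB card semantics (added example, not CLM code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    label: str              # e.g. "E1" or "S3"
    kind: str               # "E" = encryption (archived key), "S" = signing
    revoked: bool = False


@dataclass
class Card:
    name: str
    status: str = "Active"                      # Active / Disabled / Retired
    certs: List[Cert] = field(default_factory=list)
    pair: Optional["Card"] = None               # the other card of a PERM/DUB pair


def snapshot(card: Card):
    """(status, ["E1!", "S3", ...]); "!" marks a revoked certificate kept on the card."""
    return card.status, [c.label + ("!" if c.revoked else "") for c in card.certs]


class CLM:
    def __init__(self):
        self.seq = {}                           # global per-kind issuance counters

    def issue(self, card: Card, kind: str) -> Cert:
        self.seq[kind] = self.seq.get(kind, 0) + 1
        cert = Cert(f"{kind}{self.seq[kind]}", kind)
        card.certs.append(cert)
        return cert

    def enroll(self, name="PERM") -> Card:
        card = Card(name)
        self.issue(card, "E")
        self.issue(card, "S")
        return card

    def duplicate(self, perm: Card, name="DUB") -> Card:
        # 6.5.1: archived encryption certificates are recovered onto the duplicate
        # (same certificate object, an assumption of this model); signing is new.
        dub = Card(name, certs=[c for c in perm.certs if c.kind == "E"])
        self.issue(dub, "S")
        perm.pair, dub.pair = dub, perm
        return dub

    def _both(self, card: Card):
        # an update requested on one card of a pair is pended for the other automatically
        return [c for c in (card, card.pair) if c is not None]

    def content_change(self, card: Card, kinds=("E", "S"), revoke_archived=True):
        # 5.1.3.1: signing certs are revoked and deleted; archived encryption certs
        # are revoked but kept only if the policy says so; one new cert per kind.
        for c in self._both(card):
            for cert in list(c.certs):
                if cert.kind not in kinds:
                    continue
                if cert.kind == "S":
                    cert.revoked = True
                    c.certs.remove(cert)
                elif revoke_archived:
                    cert.revoked = True
            for kind in kinds:
                self.issue(c, kind)

    def template_change(self, card: Card, add=None, remove=None):
        # 5.1.3.2: an added template issues a new cert on every card; a removed
        # template revokes and deletes its certs even when they are archived.
        for c in self._both(card):
            if remove:
                for cert in list(c.certs):
                    if cert.kind == remove:
                        cert.revoked = True
                        c.certs.remove(cert)
            if add:
                self.issue(c, add)

    def disable(self, card: Card):
        # 6.5.4 / 6.5.5: disabling either card disables both; certs revoked but kept.
        for c in self._both(card):
            for cert in c.certs:
                cert.revoked = True
            c.status = "Disabled"

    def retire(self, card: Card):
        # 6.5.2 / 6.5.3: the retired card's certs are revoked and deleted, then the
        # remaining card of the pair is disabled (revoked certs kept for recovery).
        for cert in card.certs:
            cert.revoked = True
        card.certs.clear()
        card.status = "Retired"
        other, card.pair = card.pair, None
        if other:
            other.pair = None
            self.disable(other)

    def replace(self, card: Card, name="REP") -> Card:
        # 6.5.6: old card disabled with all certs revoked, archived E on the pair
        # revoked; the replacement carries the old (revoked) E plus new E and S.
        rep = Card(name, certs=[c for c in card.certs if c.kind == "E"])
        for c in self._both(card):
            for cert in c.certs:
                if c is card or cert.kind == "E":
                    cert.revoked = True
        card.status = "Disabled"
        self.issue(rep, "E")
        self.issue(rep, "S")
        return rep
```

Replaying the second example of 5.1.3.1 is `clm = CLM(); perm = clm.enroll(); dub = clm.duplicate(perm); clm.content_change(perm)`, after which `snapshot(perm)` is `("Active", ["E1!", "E2", "S3"])` and `snapshot(dub)` is `("Active", ["E1!", "E3", "S4"])`; the 6.5.7 to 6.5.10 cases are `content_change(perm, kinds=("S",))`, `content_change(perm, kinds=("E",))`, `template_change(perm, remove="S")` and `template_change(perm, remove="E")` on the same starting pair. The model makes the practical point of 6.5.8 visible: a content change on the encryption template leaves two different active encryption certificates across the pair, which is why the text suggests retiring the duplicate and duplicating the permanent card again.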