Questions on FIM CM
Hi Everyone,

We are investigating the use of FIM CM in our organization and we are trying to find out if the following scenarios are possible.

1. We plan to use the auto enroll feature in Active Directory to provision new user certificates but we would like to use FIM CM to revoke and recover user certificates. The question is, if AD provisions the certificates, will FIM CM then be able to "see" them in order to revoke or recover them?

2. Many of the provision examples with MAs show requests being submitted to FIM CM but then a user has to manually go in and finish the request. We would like to fully automate the process with no end user intervention. Is this possible with FIM CM MAs, the API or some other method?

3. Finally, we would like to use FIM CM to provision certificates for non-AD user objects such as servers, computers and other devices. The FIM CM portal seems to be strictly set up for user objects. Can FIM CM be used to enroll, revoke and recover certificates for servers and computers?

Thanks again!
May 16th, 2011 4:00am

On Mon, 16 May 2011 01:00:51 +0000, FIM_Admin wrote:

> 1. We plan to use the auto enroll feature in Active Directory to provision new user certificates but we would like to use FIM CM to revoke and recover user certificates. The question is, if AD provisions the certificates, will FIM CM then be able to "see" them in order to revoke or recover them?

Yes, but only for software based certificates, not smart card certificates. FIM CM ships with 4 custom policy modules. The one you want to look at here is the Support for non-FIM CM certificate requests.

http://technet.microsoft.com/en-us/library/gg418616(WS.10).aspx

> 2. Many of the provision examples with MAs show requests being submitted to FIM CM but then a user has to manually go in and finish the request. We would like to fully automate the process with no end user intervention. Is this possible with FIM CM MAs, the API or some other method?

The FIM CM MA, as you've discovered, is fairly limited. You can have a look at the Provision API for FIM CM. Also, Craig Martin is doing some really interesting work with FIM, FIM CM, and Powershell but there doesn't appear to be any downloads available as of yet:

http://fimcmextensions.codeplex.com/

> 3. Finally, we would like to use FIM CM to provision certificates for non-AD user objects such as servers, computers and other devices. The FIM CM portal seems to be strictly set up for user objects. Can FIM CM be used to enroll, revoke and recover certificates for servers and computers?

Sort of. The requirement for FIM CM to be able to manage a certificate or smart card is that the request has to be submitted in the security context of an AD user account. So for example SSL certificates can be managed as they are normally submitted by a user, but things like IPSec and domain controller certs cannot be as they are submitted in the security context of a computer account.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Shift to the left! Shift to the right! Pop up, push down, byte, byte, byte!
May 16th, 2011 6:23am

Thanks for the help!
May 25th, 2011 6:58pm

> The requirement for FIM CM to be able to manage a certificate or smart card is that the request has to be submitted in the security context of an AD user account. So for example SSL certificates can be managed as they are normally submitted by a user, but things like IPSec and domain controller certs cannot be as they are submitted in the security context of a computer account.
>
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Shift to the left! Shift to the right! Pop up, push down, byte, byte, byte!

Ok. So the requirement in the quote above is actually more about how the Subject is set rather than in which security context it is requested (since that can change)?

Btw, thank you all for putting up with me and being so quick to answer, I love this forum :-)

Tom Aafloen, IT-security Consultant, Onevinn AB
January 12th, 2012 8:02am

On Thu, 12 Jan 2012 12:56:12 +0000, Tom Aafloen wrote:

> Ok. So the requirement in the quote above is actually more about how the Subject is set rather than in which security context it is requested (since that can change)?

No, that's not the case. For example, a smart card enrollment will pull the SAN value from AD, and any autoenrolled user cert will also pull Subject or SAN values from AD; both of those are managed just fine by FIM CM. Bottom line is that in order for FIM to be able to manage a cert, the cert must have been requested by a user account, not a computer account.

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Manual Writer's Creed: Garbage in, gospel out.
January 12th, 2012 9:58am

> So for example SSL certificates can be managed as they are normally submitted by a user, but things like IPSec and domain controller certs cannot be as they are submitted in the security context of a computer account.
>
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Shift to the left! Shift to the right! Pop up, push down, byte, byte, byte!

A question: SSL certificates are usually submitted by a user, but are then exported to a pfx and then imported into the webserver's computer store. Why can't the same method be used for other "computer certificates", as long as the user gets permission on the template? One issue is that the subject should be the computer name, but that could be specified by the user at the time of request. Am I missing something?

Tom Aafloen, IT-security Consultant, Onevinn AB
January 12th, 2012 1:26pm

You can manage any certificates where the subject is provided in the request, not just SSL certificates. What you cannot manage are computer certificates where the subject is populated by the AD object (workstation authentication, domain controller, etc).

HTH,
Brian
January 12th, 2012 2:13pm

Not even if I would:

* Make a copy of the Domain Controller template
* Change Subject name to Supply in request
* Give a user Enroll rights
* Request a cert from the new template as that user and manually enter the Domain Controller's AD name as subject
* Export it from the user store and import to the DC's computer store?

I have no idea why anyone would do this, just trying to understand the limitations of the templates :-)

Tom Aafloen, IT-security Consultant, Onevinn AB
January 12th, 2012 3:17pm

On Thu, 12 Jan 2012 12:17:11 +0000, Tom Aafloen wrote:

> Not even if I would:
>
> * Make a copy of the Domain Controller template
> * Change Subject name to Supply in request
> * Give a user Enroll rights
> * Request a cert from the new template as that user and manually enter the Domain Controller's AD name as subject
> * Export it from the user store and import to the DC's computer store?
>
> I have no idea why anyone would do this, just trying to understand the limitations of the templates :-)

That's what Brian was saying. In that case FIM CM would be able to manage those certs.

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Computer programmers do it byte by byte.
January 12th, 2012 3:22pm
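The thread's bottom line (Paul's reply above, and Brian's distinction between subjects supplied in the request and subjects populated from the AD computer object) is that FIM CM can only manage certificates whose request was submitted by a user account. The following PowerShell script, added here as an illustration and not code from the thread or from FIM CM itself, inventories the issued certificates on an AD CS CA and splits them by whether the requester was a user or a computer account (AD machine accounts end in "$"), so an administrator can see up front which existing certificates FIM CM could revoke or recover. The CA config string is a placeholder; the certutil column names used are the standard CA database columns.

```powershell
# Added example (not from the thread). Assumes certutil.exe is on the path and the
# caller has read access to the CA database. Disposition 20 = issued certificate.
param(
    [string]$CaConfig = "ca01.contoso.example\Contoso Issuing CA"  # placeholder CA config
)

function Get-FimCmManageableCerts {
    param([string]$Config)

    # Pull issued certs as CSV with only the columns we need.
    $csv = & certutil.exe -config $Config -view -restrict "Disposition=20" `
               -out "RequestID,RequesterName,CertificateTemplate,NotAfter" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against '$Config'" }

    # certutil prints localized display names as the header row; supply our own
    # header and drop the first row, then keep only rows with a numeric RequestID
    # (this also discards any trailing status line certutil may emit).
    $rows = $csv | ConvertFrom-Csv -Header 'RequestID','RequesterName','Template','NotAfter' |
            Select-Object -Skip 1 |
            Where-Object { $_.RequestID -match '^\d+$' }

    foreach ($r in $rows) {
        # A requester like CONTOSO\DC01$ is a computer account: the request was made in a
        # machine security context, so FIM CM cannot manage that certificate.
        $isComputer = $r.RequesterName.Trim() -match '\$$'
        [pscustomobject]@{
            RequestID        = [int]$r.RequestID
            RequesterName    = $r.RequesterName
            Template         = $r.Template
            NotAfter         = $r.NotAfter
            RequesterType    = if ($isComputer) { 'Computer' } else { 'User' }
            FimCmManageable  = -not $isComputer
        }
    }
}

$inventory = Get-FimCmManageableCerts -Config $CaConfig
# Summary first, then the ones FIM CM will NOT be able to revoke or recover.
$inventory | Group-Object RequesterType | Select-Object Name, Count | Format-Table -AutoSize
$inventory | Where-Object { -not $_.FimCmManageable } |
    Sort-Object Template, RequestID | Format-Table -AutoSize
```

Certificates in the "Computer" group are the ones the thread says must be re-issued from a template with the subject supplied in the request, enrolled by a user, if FIM CM is to manage them.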

