Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management


Presentation Transcript


  1. Required Slide
  SESSION CODE: SIA307
  Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management
  Identity and Access Management: Notes from the Field: Microsoft IT's FIM 2010 Certificate Management Deployment
  Craig Carlston, SE System Analyst, Microsoft Corporation
  Brian Komar, President, IdentIT Inc., brian.komar@identit.ca

  2. Agenda
  • The Microsoft PKI Architecture
  • Legacy Smart Card Architecture
  • Legacy Smart Card Management System Details
  • Benefits of Moving to FIM 2010 Certificate Management
  • Migration Plan to FIM CM
  • The Pain Points of the Migration

  3. The Microsoft PKI Architecture

  4. Microsoft PKI
  • Nine production forests
  • Mix of server operating systems
  • Combination of internal and external trust
  • Centralized CA management
  • Multiple certificate types
  • Cross-forest enrollment where supported

  5. Internal Trust Architecture

  6. External Trust Architecture

  7. Legacy Smart Card Architecture

  8. Smart Cards, Readers, and Middleware
  Smart Cards
  • Custom built hybrid cards
    • Photo ID
    • Indala RFID cards for building access
    • Gemalto smart card chip
  • 128K .NET v2 cards (current standard)
  • Legacy cards (all Base CSP cards)
  Middleware
  • Microsoft Base Smart Card Crypto Provider
  • Mini-drivers specific to the actual cards used
  Smart Card Readers
  • Built-in readers in our laptops
  • If no built-in reader:
    • Omnikey
    • Gemalto

  9. Smart Card Architecture
  Smart Card Issuance Tools
  • Lenel
    • Printing
    • RFID management
  • Smart Card Manager v2
    • MS internal solution
    • Smart card management = Smartcard Deployment Application (SDA)
    • PIN management = PIN Tool v2
  • Custom smart card admin PIN diversification solution

  10. Smart Card Architecture
  Support Resources
  • Distributed Issuance Offices (DIOs)
  • Helpdesk
  • Client Certificate Services Team

  11. Legacy Smart Card Management System Details

  12. Smart Card Management Today
  • Approximately 100,000 active cards
  • Average 1,000 new cards a month
  • Average processing time – 10 minutes

  13. Challenges With Original Deployment in 2000
  • Mobile devices, Macintosh, and UNIX platforms not compatible with smart card EAP/TLS authentication
  • Smart card distribution process was resource intensive
  • Managing policy and client groups is complex
  • Client software version control
  • Limited reporting

  14. Lessons Learned
  • Immature smart card administrative tools
  • Secure registration authority for issuance and renewal; if certificates expire, users must visit a DIO
  • Remote client troubleshooting
  • Delegation of administration
  • Distributed functions without distributed trust

  15. Benefits of Moving to FIM 2010 Certificate Management

  16. Benefits of FIM CM
  • Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA)
  • Improved overall process workflow
    • New card enroll
    • Lost card replace
    • Card retire
    • Certificate renewal
  • Detailed auditing and reporting
  • Support for extended self-service scenarios
    • PIN unblocks with user’s credentials
  • Integration with Active Directory and PKI
  • Does not perform an “RFC-based” renewal – allows renewals after certificate expiration

  17. Management Policies
  Diagram (recovered from the slide): the Security Policy, Certificate Policy and Certification Practice Statement feed the Management Policies (Enroll, Unblock), which are expressed as Profile Template Policies.
  • Chance to review/revise corporate policies to profile template policies
  • Management policies must enforce security policies and certificate policies

  18. Migration Plan to FIM CM

  19. Migration Plan to FIM CM
  Goals
  • Minimize user impact
  • Minimize costs
  • Maintain same level of security

  20. Migration Plan to FIM CM
  • A FIM CM instance per forest
  • Custom PIN Tool
    • Required for smart card-only PIN unblock scenario for elevated access accounts
    • Allows offline unblock
    • Used as the sole method for Internet PIN unblock
  • Previously archived S/MIME encryption certificates imported to FIM CM for continued use

  21. FIM CM Architecture at Microsoft

  22. Profile Templates
  • Smart Card Logon and RAS
    • Most email-enabled primary user accounts
  • Smart Card Logon, RAS, and Data Protection
    • Email-enabled primary accounts with S/MIME
  • Smart Card Logon No RAS
    • Alternate accounts for elevated access

  23. Normal User Account Enrollment Workflow (FIM and Manual)
  Flowchart (recovered from the slide):
  • User added to MS-Smartcard-LogonOnly or MS-Smartcard-LogonandEncrypt (FIM 2010 will ensure the user is a member of only one group)
  • User has existing smart card?
    • No: User visits DIO and smart card printed in Lenel
    • Yes: continue
  • User sent email with link to FIM CM portal and instructions on self-service enrollment
  • FIM CM Portal
    • Enrollment process takes place
    • Certificates loaded on smart card
    • PIN is randomized
    • Admin Key is diversified by custom Admin Key Diversifier application
  • User moves to Unblock workflow to use card
  Note: Admin accounts require face-to-face issuance at DIO

  24. Unblock Workflow (FIM and Manual)
  Flowchart (recovered from the slide):
  • Has user been vetted?
    • No: User must meet face-to-face to meet CP-defined assurance level requirements
    • Yes: User added to MS-Smartcard-UnblockEnabled group
  • User opens PIN Tool (custom PIN tool)
  • User initiates:
    • Online Unblock if on corporate network
    • Offline Unblock if network connectivity not possible
  • Admin Key retrieved from FIM CM database and re-set using Admin Key Generator
  • Card ready for use
  Note: Admin accounts require face-to-face issuance at DIO

  25. DEMO: Custom PIN Tool (Craig Carlston, SE Systems Analyst, Microsoft)

  26. Normal User Account Replacement Workflow (FIM and Manual)
  Flowchart (recovered from the slide):
  • User visits DIO and replacement smart card printed in Lenel
  • DIO employee validates picture on smart card with person receiving replacement smart card
  • Card distributed to user
  • User connects to FIM CM portal
  • FIM CM Portal
    • New Smart Card Logon certificate issued
    • Encryption certificates:
      • Previous encryption certificates recovered
      • External certificates re-populated
      • New encryption certificate issued
  • User moves to Unblock workflow to use card
  Note: Admin accounts require face-to-face issuance at DIO

  27. Pain Points of the FIM 2010 CM Migration

  28. 5. FIM 2010 CM Cannot Cross Forest Boundaries
  • FIM 2010 CM is designed for single forest deployments
  • Microsoft has multiple forests
  • If smart cards are deployed in a forest:
    • Required a FIM 2010 CM instance
    • Required a CA be available for certificate issuance in the forest
    • Impacted ability to leverage cross-forest enrollment to reduce CAs

  29. 4. Could Not Protect the clmAgent Certificate with an HSM
  • Security policy requires that the Admin Key diversification process use an HSM
  • HSM needed to protect the clmAgent certificate
  • Found an issue with the HSM vendor that did not allow use of AES encryption with the clmAgent certificate
  • Acceptable solution allowed HSM protection but dropped down to three-key (three distinct keys) 3DES protection

  30. 3. Migrating Encryption Certificates to FIM CM
  • Smart Card Logon, RAS, and Data Protection profile template required migration of previous S/MIME encryption certificates
  • CLMUtil used to import encryption certificates into the FIM CM database and CA database
    • Required a new S/MIME CA to import the certificates to
    • Required a custom tool to automate the import process
  • Previous encryption certificates
    • Were revoked at the CA
    • Imported as External certificates into the FIM CM database
  • Profile template configured to allow a designated number of external certificates
  • Enrollment/Replace process includes recovery of external encryption certificates onto the smart card

  31. 2. Restrictions Cannot be Imposed Across Profile Templates
  • Microsoft wishes to ensure that a user account only has a single smart card logon certificate
    • Easy to do within a single profile template
    • Cannot be done across profile templates
  • Solution is to use FIM provisioning to ensure that a user account can only exist in one of two security groups
    • Each security group is assigned Read and FIM CM Enroll permissions against the designated profile template
  • A user can move from the non-encryption-certificate profile template to the profile template that includes the encryption certificate, not the other way
    • Migration to the encryption certificate requires retiring the previous smart card for redeployment

  32. 1. Configuring Client Settings Across IE Versions
  • Three different versions of Internet Explorer are deployed on MS computers
    • IE 6.0 and IE 8.0 require that the FIM CM portal hostname be in the SiteLock registry key
    • IE 7 requires that the FIM CM portal hostname be in the SiteLock registry key and the URL be included in Trusted Sites
  • FIM CM client software must be automatically deployed to the masses
  • Solution involved a custom script that
    • Detects the IE version and forest
    • Runs the FIM CM Client installer package with options to designate the correct settings required for the IE version and forest
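As an added example (not Microsoft IT's script, which was only shown in the demo), the PowerShell below sketches the detection-and-settings logic the slide describes: it reads the IE version from the registry, picks the SiteLock/Trusted Sites combination listed above, applies the Trusted Sites entry and launches the installer. The portal host-name convention, the SiteLock installer property and the MSI file name are assumptions, not values from the session.

```powershell
# Added example, not the Microsoft IT deployment script. Encodes the per-IE-version
# client settings from the slide and applies them. ASSUMPTIONS: portal naming
# convention, SITELOCKHOST installer property and FIMCMClient.msi are placeholders.

function Get-IEMajorVersion {
    # HKLM\SOFTWARE\Microsoft\Internet Explorer holds "Version" (IE 6-9) and
    # "svcVersion" (IE 10+, where "Version" stays at 9.x), so prefer svcVersion.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $v  = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    [int]($v.Split('.')[0])
}

function Get-RequiredClientSettings {
    # Mapping taken from the slide: IE 6 and 8 need the portal host in SiteLock only;
    # IE 7 needs SiteLock plus a Trusted Sites entry for the portal URL.
    param([Parameter(Mandatory)][int]$IEMajor)
    switch ($IEMajor) {
        6       { @{ SiteLock = $true; TrustedSite = $false } }
        7       { @{ SiteLock = $true; TrustedSite = $true  } }
        8       { @{ SiteLock = $true; TrustedSite = $false } }
        default { throw "IE $IEMajor is not a version this deployment supports" }
    }
}

function Add-TrustedSite {
    # Places https://<host> in the Trusted Sites zone (zone id 2) for the current user
    # via ZoneMap\Domains, e.g. fimcm.contoso.com -> Domains\contoso.com\fimcm, https = 2
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Split('.')
    $domain = $labels[1..($labels.Length - 1)] -join '.'
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$($labels[0])"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

function Get-ForestName {
    # Forest of the machine; the deployment runs one FIM CM instance (and portal) per forest
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
}

# Main flow mirroring the slide: detect IE version and forest, choose settings, apply, install
$forest   = Get-ForestName
$portal   = "fimcm.$forest"                     # placeholder naming convention
$settings = Get-RequiredClientSettings -IEMajor (Get-IEMajorVersion)
if ($settings.TrustedSite) { Add-TrustedSite -HostName $portal }
# The SiteLock host is handed to the client installer; property name is a placeholder
Start-Process -FilePath msiexec.exe -Wait -ArgumentList "/i FIMCMClient.msi /qn SITELOCKHOST=$portal"
```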

  33. DEMO: Deploying the FIM CM Client Software (Craig Carlston, SE Systems Analyst, Microsoft)

  34. Announcing: Deploying FIM 2010 CM with Thales HSMs http://iss.thalesgroup.com/en/l/program/FIM-eBook.aspx

  35. Infrastructure Planning and Design (IPD) Guide: Microsoft Forefront Identity Manager 2010
  What are IPD Guides?
  • Guidance & best practices for infrastructure planning of Microsoft technologies
  Forefront Identity Manager 2010 Guide Benefits
  • Helps the architect to define the project scope by quickly assessing which specific identity management functionality the business needs, and for what resources
  • Based on the scope, identifies the FIM infrastructure components required to achieve the project goals
  • Determines the sizing, placement, and fault tolerance configuration of the FIM services, portals, and databases
  “At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this.” Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services
  It’s a free download!
  • Go to www.microsoft.com/ipd
  • Check out the entire IPD series for streamlined IT infrastructure planning

  36. Conclusions
  • FIM CM will enhance the management of MS IT’s smart card deployment
  • FIM CM gives MS IT a chance to review all smart card and PKI related policies
  • Despite pain points, a customized solution can be developed to work for a large organization such as Microsoft
  • Allows future flexibility as requirements change
    • Adding certificate templates to the deployment is easy
    • Changing workflows is possible if requirements change

  37. Required Slide (Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session.)
  Related Content
  • SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
  • SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
  • SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
  • SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
  • SIA304 | Identity and Access Management: Windows Identity Foundation Overview
  • SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
  • SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
  • SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
  • SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
  • SIA319 | Microsoft Forefront Identity Manager 2010: In Production
  • SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
  • SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
  • SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
  • SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
  • SIA06-INT | Identity and Access Management Solution Demos
  • SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
  • SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
  • Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

  38. Track Resources
  • Learn more about our solutions: http://www.microsoft.com/forefront
  • Try our products: http://www.microsoft.com/forefront/trial

  39. Required Slide
  Resources
  • Learning: Sessions On-Demand & Community – www.microsoft.com/teched
  • Microsoft Certification & Training Resources – www.microsoft.com/learning
  • Resources for IT Professionals – http://microsoft.com/technet
  • Resources for Developers – http://microsoft.com/msdn

  40. Required Slide Complete an evaluation on CommNet and enter to win!

  41. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
  You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

  42. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  43. Required Slide
