Microsoft Press Windows Server 2008 Policies and PKI and Certificate Security, part 7 (doc)

434 Part III: Deploying Application-Specific Solutions

Enabling Kerberos Delegation of the clmWebPool Account

The clmWebPool account is used to impersonate subscribers and managers that connect to the CLM Web portal. The impersonation is enabled by using Kerberos delegation, so the clmWebPool account must be trusted for delegation. To enable Kerberos delegation, use the following procedure:

1. Log on at a domain controller or a computer with domain controller utilities loaded.
2. From the Administrative Tools menu, open Active Directory Users And Computers.
3. In Active Directory Users And Computers, on the View menu, ensure that Advanced Features is enabled.
4. In the console tree, click Users, and then in the details pane, double-click clmWebPool.

Note: If you used a custom clmWebPool account, you may have chosen a different account name and probably a different container or organizational unit.

5. In the clmWebPool Properties dialog box, on the Delegation tab, verify that Trust This User For Delegation To Any Service (Kerberos Only) is selected, and then click OK.
6. Close Active Directory Users And Computers.

Verifying the clmWebPool Service Principal Names

The clmWebPool account must register an SPN that matches the URL that users will use to connect to the CLM Server. For example, if you want users to connect to http://clm.contoso.com/clm rather than http://clmserver.contoso.com/clm, you must register the clm.contoso.com SPN on the clmserver computer account. You can add the name by using the SETSPN utility, as shown in the following procedure:

1. Open a command prompt.
2. At the command prompt, type setspn -a HTTP/clm.contoso.com Contoso\clmWebPool, and then press Enter.
3. At the command prompt, type setspn -l, and then press Enter.
4.
Ensure that the output shows the following names:
❑ HTTP/clm.contoso.com
❑ HTTP/CLMSERVER.contoso.com
❑ HTTP/CLMSERVER

Note: The three names are the custom name you added in step 2, the default DNS name, and the default NetBIOS name of the CLM server.

5. Close the command prompt.

Important: Make sure that the clm.contoso.com DNS resource record is created to allow resolution of the clm.contoso.com Web site.

Chapter 17: Identity Lifecycle Manager 2007 Certificate Management 435

Enabling the Certificate Lifecycle Manager Service

An optional service that is included with CLM is the Certificate Lifecycle Manager service. The service is installed but not enabled during the installation and configuration of CLM.

Certificate Lifecycle Manager Service Functionality

This service runs on the CLM server and provides the following functions:
■ Certificate renewal notification: Allows CLM to automatically issue a renewal request for certificates that are within the certificate template's specified renewal time.
■ Disabling temporary smart cards: CLM permits the issuance of temporary smart cards if a smart card is left at home. The Certificate Lifecycle Manager Service enables automatic disabling of these temporary smart cards or their associated primary cards.
■ External API processing: The CLM External SQL API allows custom applications to submit CLM requests through external processes.
■ Online updates: The Online Updates function is similar to the Certificate Renewal function in that it can be used to update certificates before they expire, if the certificate content changes, if the certificate templates included in a profile change, or if an applet is added to or removed from a profile template.
■ Custom plug-ins: The Certificate Lifecycle Manager Service can also be used to process custom plug-ins developed by customers.
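As an added example (not code from the book or from CLM itself), the following Python checks offline the two things the delegation and SETSPN procedures above leave to visual inspection: whether an account's exported userAccountControl value means delegation to any service (the option selected in step 5) or the narrower constrained form, and whether captured setspn -l output holds the three expected HTTP SPNs with no SPN registered twice. The setspn text, the distinguished name and the userAccountControl value are constructed; the flag constants are the documented Active Directory values.

```python
"""Offline check of the clmWebPool account's delegation setting and HTTP SPNs."""
from __future__ import annotations
import re

# userAccountControl flag values from the Active Directory schema documentation.
TRUSTED_FOR_DELEGATION = 0x80000            # Trust ... For Delegation To Any Service (Kerberos Only)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DONT_EXPIRE_PASSWORD = 0x10000

def delegation_mode(uac: int, allowed_to_delegate_to: list[str] | None = None) -> str:
    """Classify an account's delegation setting from userAccountControl.

    The chapter's procedure yields 'unconstrained' (delegation to any service).
    'constrained' means the account instead lists target SPNs in
    msDS-AllowedToDelegateTo, which limits where a delegated ticket can be used.
    """
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to_delegate_to or uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained"
    return "none"

def parse_setspn_output(text: str) -> dict[str, list[str]]:
    """Parse 'setspn -l' output into {distinguished name: [SPN, ...]}.

    setspn prints 'Registered ServicePrincipalNames for <DN>:' and then one
    indented SPN per line; several accounts can be concatenated in one capture.
    """
    result: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):\s*$", line)
        if m:
            current = m.group(1)
            result[current] = []
        elif line.strip() and current is not None:
            result[current].append(line.strip())
    return result

def missing_http_spns(spns: list[str], portal_host: str, server_dns: str, server_netbios: str) -> list[str]:
    """Return whichever of the three expected HTTP SPNs (step 4) is absent, compared case-insensitively."""
    expected = [f"HTTP/{portal_host}", f"HTTP/{server_dns}", f"HTTP/{server_netbios}"]
    have = {s.lower() for s in spns}
    return sorted(e for e in expected if e.lower() not in have)

def duplicate_spns(accounts: dict[str, list[str]]) -> dict[str, list[str]]:
    """SPNs registered on more than one account; Kerberos cannot choose a key for those."""
    owners: dict[str, set[str]] = {}
    for account, spns in accounts.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

# Constructed sample: what 'setspn -l Contoso\clmWebPool' should show after step 2.
SAMPLE_SETSPN = """\
Registered ServicePrincipalNames for CN=clmWebPool,CN=Users,DC=contoso,DC=com:
    HTTP/clm.contoso.com
    HTTP/CLMSERVER.contoso.com
    HTTP/CLMSERVER
"""
CLMWEBPOOL_DN = "CN=clmWebPool,CN=Users,DC=contoso,DC=com"

if __name__ == "__main__":
    accounts = parse_setspn_output(SAMPLE_SETSPN)
    print("missing:", missing_http_spns(accounts[CLMWEBPOOL_DN], "clm.contoso.com",
                                        "clmserver.contoso.com", "CLMSERVER"))
    print("duplicates:", duplicate_spns(accounts))
    # Constructed userAccountControl value: delegation to any service plus a non-expiring password.
    print("delegation:", delegation_mode(TRUSTED_FOR_DELEGATION | DONT_EXPIRE_PASSWORD))
```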
Certificate Lifecycle Manager Service Configuration

Once you have completed the installation of CLM, you can enable the Certificate Lifecycle Manager service. To configure the Certificate Lifecycle Manager service, you must perform the following tasks:

1. Create a new domain user account with a non-expiring, complex password.
2. Configure the Certificate Lifecycle Manager Service to use this user account for processing.
3. Grant the user account the following user rights:
❑ Act as part of the operating system
❑ Generate security audits
❑ Replace a process level token
4. Add the account to the CLM server's local Administrators and IIS_WPG groups.
5. If using SQL integrated authentication, assign the user account the clmApp role for the CLM database.
6. Configure the Certificate Lifecycle Manager Service to start automatically.
7. If the Certificate Lifecycle Manager Service is running, restart it.
8. Grant the necessary CLM Extended Permissions to the Certificate Lifecycle Manager Service's service account to perform tasks within each required workflow.

Note: For example, to have the Certificate Lifecycle Manager Service initiate a renewal workflow, the associated service account must be assigned the CLM Request Renew and CLM Request Enroll permissions on both the service connection point and the target group containing the subscribers. The service account must also have the Read and CLM Enroll permissions on the profile template and be specified as a Renew Initiator in the actual renew policy of the profile template.

CA Component Installation

Once you have installed and configured the CLM Server, you must install the custom policy and exit modules at each CA computer that will issue certificates managed by CLM.

Note: In our example, only one CA is used: ca1.contoso.com. If there were multiple CAs, the following procedure would have to be executed once per CA.
To install the CLM custom modules, use the following procedure:

1. Extract the contents of the ILM 2007 Feature Pack 1 download to C:\ilm_CD.
2. Open the C:\ilm_CD\CLM folder.
3. Double-click CLM.MSI to begin the installation process.
4. On the Welcome To The Installation Wizard page, click Next.
5. On the Certificate Lifecycle Manager License Agreement page, click I Accept The Terms In The License Agreement, and then click Next.
6. On the Product Key page, type your product key, and then click Next.
7. If you did not provide a license key, in the Certificate Lifecycle Manager Installation Program Information message box, click OK to accept the 180-day evaluation period notice.
8. On the Custom Setup page, click the drop-down arrow next to Web Files, and then click This Feature Will Not Be Available.
9. On the Custom Setup Type page, click Next.
10. On the Ready To Install Certificate Lifecycle Manager page, click Install.
11. When the installation is complete, on the Certificate Lifecycle Manager Installation Complete page, click Finish.

CLM Policy Modules

The installation of the CLM Modules at a CA installs four custom policy modules for use in profile templates. Table 17-6 shows the four custom modules that are installed at the CA and the purpose of each module.

Once the CLM Modules are installed, you must configure the CLM Exit Module to connect to the SQL Server hosting the CLM database. This is accomplished in three separate procedures:
■ Creating a login account for the CA computer account at the SQL Server
■ Verifying the Service Principal Names of the SQL Server Service
■ Defining a connection string at the CA

Creating a SQL Login for the CA Computer Account

1. Ensure that you are logged on at the SQL Server as a member of the local Administrators group.
2. From the Microsoft SQL Server 2005 menu, open SQL Server Management Studio.
3.
In the Connect To Server dialog box, accept the default authentication options, and then click Connect.
4. In the console tree, expand Security, and then click Logins.
5. Right-click Logins, and then click New Login.
6. In the Login – New dialog box, on the General page, provide the following information:
❑ Name: contoso\ca1$
❑ Authentication: Windows Authentication
❑ Default Database: CLM
7. On the User Mapping page, enable the CLM database, and then enable the clmApp and public roles.
8. In the Login – New dialog box, click OK.
9. Close Microsoft SQL Server Management Studio.

Table 17-6 Custom CLM Policy Modules

Module name | Description
Certificate SMimeCapabilities Module 1.0 | Used to limit the available algorithms that can be used with Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates
Certificate Subject Module 1.0 | Used to insert a custom subject into a certificate's Subject field
SubjectAltName Module 1.1 | Used to insert a custom subject alternative name (SAN) into a certificate
Support for non-Clm certificate requests | Used to register certificates issued to users outside of CLM, for example, by autoenrollment or the IIS Certificate Request wizard

Verifying the SQL Service SPN

The authentication between the CA computer account and the SQL Server is a mutual authentication. For SQL Server to authenticate, the service account assigned to the SQL Server Service must have the MSSQLSvc/DNSName:1433 name registered.
■ If the service runs as the Local System account, the name is registered by the computer account of the computer running SQL Server. In our example, you would verify this by running setspn -l Contoso\clmdc at a command prompt and ensuring that the MSSQLSvc/sql.contoso.com:1433 registration exists.
■ If the service runs as a specific user account, the name is registered by the user account designated in the properties of the service.
In our example, you would verify this by running setspn -l Contoso\SqlService (assuming this is the name of the service account) at a command prompt and ensuring that the MSSQLSvc/sql.contoso.com:1433 registration exists.

Defining a Connection String at the CA

Once you have verified that the CA computer account is granted a login at the SQL Server and that the SQL Server has the correct SPN registered, you can define the connection string in the properties of the CLM Exit Module. To modify the connection string, use the following procedure:

1. Ensure that you log on to the CA computer as a member of the local Administrators group.
2. From the Administrative Tools menu, open Certification Authority.
3. In the console tree, right-click Contoso Issuing CA, and then click Properties.
4. In the Contoso Issuing CA Properties dialog box, on the Exit Module tab, select the Certificate Lifecycle Manager Exit Module, and then click Properties.
5. In the Configuration Properties dialog box, in the Specify Certificate Lifecycle Manager Database Connection String text box, type Connect Timeout=15;Persist Security Info=True;Integrated Security=sspi;Initial Catalog=CLM;Data Source=sql.contoso.com; and then click OK.

Note: The connection string assumes that the CLM server uses Windows Authentication to communicate with the computer running SQL Server.

6. In the Microsoft Certificate Lifecycle Manager message box, click OK to acknowledge that Certificate Services must be restarted.
7. In the Contoso Root CA Properties dialog box, click OK.
8. In the Certification Authority console, on the toolbar, click Stop This Service.
9. After Certificate Services has stopped, on the toolbar, click Start This Service.
10. From Administrative Tools, open Event Viewer.
11. In the console tree, select Certificate Lifecycle Manager.
12. Select the most recent event in the details pane.
13.
Ensure that the event states that the Exit Module loaded using settings from SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Contoso Root CA\ExitModules\Clm.Exit.

Warning: One initial warning will exist. When you first install the CLM CA modules, there is no connection string set. If you have an error in your connection string or errors in either the SQL Server or CLMDC SPNs, additional errors will exist.

14. Close all open windows.

At this point, the CLM server is ready to define profile templates and management policies for software certificate issuance.

Note: If you are deploying smart cards with CLM, additional software must be installed at the client computers. The installation procedures are discussed in Chapter 21.

Deploying a Code Signing Certificate

The following example walks you through the configuration of a profile template for software-based Code Signing certificates. The example includes only two of the available management policies: Enroll and Revoke.

Note: Other management policies may be relevant for your organization. Only two are presented here for illustrative purposes.

Defining Certificate Template Permissions

To issue the Code Signing certificates, you must ensure that the Code Signing certificate template is available at the Contoso Issuing CA. Before you publish the certificate template, you must ensure that the target group (contoso\CodeSigners) is assigned the Read and Enroll permissions on the certificate template. This will allow the members of the group to enroll certificates based on the certificate template.

Creating a Profile Template

The first step in creating a profile template is to copy an existing profile template. CLM allows you only to copy an existing profile template to create a new one. To create a profile template named "Code Signing Certificates," use the following procedure:

1. Open Windows Internet Explorer.
2.
In Internet Explorer, open http://clm.contoso.com/clm.
3. Click the Microsoft Certificate Lifecycle Manager graphic.
4. On the Home page, in the Administration section, click Manage Profile Templates.
5. On the Profile Template Management page, in the Profile Template List section, select the check box next to CLM Sample Profile Template, and then click Copy A Selected Profile Template.
6. On the Duplicate Profile page, in the Profile Template Name section, in the New Profile Template Name box, type Code Signing Certificates, and then click OK.
7. Minimize Internet Explorer.

Defining Profile Template Details

Once you create the Code Signing Certificates profile template, you must configure the details of the profile template by using the following procedure:

1. In the left pane, in the Select A View section, ensure that Profile Details is selected.
2. On the Edit Profile Template [Code Signing Certificates] page, in the General Settings section, click Change General Settings.
3. On the Edit Profile Template [Code Signing Certificates] page, in the Name And Description section, in the Description box, type Allows issuance and management of Code Signing certificates.
4. On the Edit Profile Template [Code Signing Certificates] page, leave all other settings at their default values, and then at the bottom of the page, click OK.
5. On the Edit Profile Template [Code Signing Certificates] page, in the Certificate Templates section, click Add New Certificate Template.
6. Make the following changes on the Edit Profile Template [Code Signing Certificates] page:
❑ Certificate Authorities: Enable Contoso Issuing CA
❑ Certificate Template: Enable CodeSigning
7. At the bottom of the Edit Profile Template [Code Signing Certificates] page, click Add.
8. In the Certificate Templates section, select the User check box, and then click Delete Selected Certificate Templates.
9.
In the Microsoft Internet Explorer dialog box, click OK to delete the selected items.

This ensures that the profile template will issue certificates based only on the Code Signing certificate template. The certificates will be issued by the Contoso Issuing CA.

Enrollment

Now that the profile template exists, you can start to define management policies. This example assumes that the manager-initiated workflow shown in Figure 17-5 is used for the Enroll management policy.

[Figure 17-5 Enroll management policy workflow. Manager actions: CertMgrs initiate certificate request; CertMgrs respond to data collection; OTP distributed by e-mail to subscriber. Subscriber actions: subscriber executes request, and certificate is issued.]

In this example, the Code Signing certificate request is initiated by a member of the CertMgrs group. After initiating the action, the CertMgrs must respond to a data collection item. Once the data is collected, a one-time password is distributed to the subscriber. The subscriber inputs the one-time password into the CLM Subscriber portal, and then a certificate is issued to the subscriber.

Assigning Permissions

To enable the enrollment workflow described, we must assign the necessary permissions. Table 17-7 shows the permissions required for the enrollment workflow.

Defining the Management Policy

The last permission assignment requires configuring the Enroll policy for the profile template. Configuration of the Enroll policy starts with the general settings. This includes setting whether self-service is enabled, how many approvals are required, and whether the user is limited to a specific number of active profiles.

1. In the left pane, in the Select A View section, click Enroll Policy.
2. On the Edit Profile Template [Code Signing Certificates] page, in the Workflow: General section, click Change General Settings.
3.
Make the following changes on the Edit Profile Template [Code Signing Certificates] page:
❑ Enable Policy: Enabled
❑ Use Self Serve: Disabled
❑ Require Enrollment Agent: Disabled
❑ Allow Comments To Be Collected: Disabled
❑ Allow Request Priority To Be Collected: Disabled
❑ Default Request Priority: 0
❑ Number Of Approvals: 0
❑ Number Of Active Or Suspended Profiles/Smart Cards Allowed: Set Value: 1
4. At the bottom of the Edit Profile Template [Code Signing Certificates] page, click OK.

Table 17-7 Enroll Policy Permissions

Location | Permission assignment requirements
Service Connection Point | Assign the Contoso\CertMgrs group Read and CLM Request Enroll permissions.
User or Group | Assign the Contoso\CertMgrs group Read and CLM Request Enroll permissions on the Contoso\CodeSigners group.
Profile Template | Assign the Contoso\CertMgrs and Contoso\CodeSigners groups Read permissions and CLM Enroll permissions on the Code Signing Certificates profile template.
Certificate Template | Assign the Contoso\CodeSigners group Read and Enroll permissions on the Code Signing certificate template.

Once you have configured the general settings, you can start configuring the workflow. The first step is to specify who can initiate the enrollment request. As shown previously in Figure 17-5, the enrollment request is initiated by members of the Contoso\CertMgrs group. Use the following procedure:

1. In the Workflow: Initiate Enroll Requests section, click Add New Principal For Enroll Request Initiation.
2. On the Edit Profile Template [Code Signing Certificates] page, in the Permission section, click Lookup.
3. In the Microsoft Certificate Lifecycle Manager 2007 – Webpage Dialog dialog box, in the Name box, type CertMgrs, and then click Search.
4. In the returned listing of groups and users, click CONTOSO\CertMgrs.
5.
In the Permission section, ensure that the Enroll Initiate Permission drop-down list is set to Grant, and then click OK.
6. In the Workflow: Initiate Enroll Requests section, select the check box next to NT AUTHORITY\SYSTEM, and then click Delete Principals For Enroll Request Initiation.

Note: The NT AUTHORITY\SYSTEM account can be deleted with no issues because it is only a placeholder account.

7. In the Microsoft Internet Explorer dialog box, click OK to confirm the deletion.

If the workflow requires data collection, you must now specify the actual data collection items. For each data collection item, you must define what the data collection item is, its data type, who collects the data, and how the data is validated. In our example, we will record the employee's badge number (a numeric value). Use the following procedure:

1. On the Edit Profile Template [Code Signing Certificates] page, in the Data Collection section, select the check box next to Sample Data Item, and then click Delete Data Collection Items.
2. In the Microsoft Internet Explorer dialog box, click OK to confirm the deletion.

Note: Sample Data Item is an example of a data collection item and should always be deleted.

3. In the Data Collection section, click Add New Data Collection Item.
4. In the Data Item Name And Type section, apply the following settings:
❑ Name: Employee Badge Number
❑ Description: Number is located on the back of the employee badge
❑ Type: Numeric
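The connection string typed in step 5 of "Defining a Connection String at the CA" and the MSSQLSvc SPN requirement from "Verifying the SQL Service SPN" can be checked together before Certificate Services is restarted; the Python below is an added example, not the book's or CLM's code. It parses the string, derives the SPN that the SQL Server service account must hold (Data Source host plus port, 1433 by default), and reports anything that would turn the intended Kerberos mutual authentication into something weaker; the SPN list stands in for setspn -l output on the SQL service account and is constructed.

```python
"""Validate the CLM Exit Module connection string and derive the SQL SPN it relies on."""
from __future__ import annotations

# The chapter's example connection string, embedded so the check runs offline.
CHAPTER_CONNECTION_STRING = ("Connect Timeout=15;Persist Security Info=True;Integrated Security=sspi;"
                             "Initial Catalog=CLM;Data Source=sql.contoso.com;")
# Constructed: SPNs as 'setspn -l' would list them for the SQL Server service account.
SAMPLE_SQL_SPNS = ["MSSQLSvc/sql.contoso.com:1433", "MSSQLSvc/sql.contoso.com"]

def parse_connection_string(raw: str) -> dict[str, str]:
    """Split 'Key=Value;...' into a dict keyed by lower-cased, whitespace-trimmed names."""
    parsed: dict[str, str] = {}
    for segment in raw.split(";"):
        if not segment.strip():          # tolerate the trailing ';' the chapter uses
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parsed[key.strip().lower()] = value.strip()
    return parsed

def expected_sql_spn(parsed: dict[str, str]) -> str:
    """MSSQLSvc/<DNSName>:<port> for the Data Source, given as 'host' or 'host,port'."""
    source = parsed.get("data source") or parsed.get("server", "")
    host, _, port = source.partition(",")
    return f"MSSQLSvc/{host.strip()}:{port.strip() or '1433'}"

def check_connection_string(raw: str, registered_spns: list[str]) -> list[str]:
    """Return findings; an empty list means the string matches the chapter's intended setup."""
    parsed = parse_connection_string(raw)
    findings: list[str] = []
    if parsed.get("integrated security", "false").lower() not in ("sspi", "true", "yes"):
        findings.append("Integrated Security is off: the CA would use a SQL login instead of its "
                        "computer account, so the SPN-based mutual authentication does not apply")
    if "password" in parsed or "pwd" in parsed:
        findings.append("connection string carries a password; the chapter expects Windows Authentication")
        if parsed.get("persist security info", "false").lower() == "true":
            findings.append("Persist Security Info=True keeps that password readable from the "
                            "open connection's ConnectionString")
    if parsed.get("initial catalog", "").lower() != "clm":
        findings.append("Initial Catalog should be CLM, the CLM database")
    spn = expected_sql_spn(parsed)
    if spn.lower() not in {s.lower() for s in registered_spns}:
        findings.append(f"{spn} is not registered on the SQL Server service account; "
                        "expect the 'additional errors' warning in the CLM event log")
    return findings

if __name__ == "__main__":
    for finding in check_connection_string(CHAPTER_CONNECTION_STRING, SAMPLE_SQL_SPNS) or ["ok"]:
        print(finding)
```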

Posted on: 09/08/2014, 09:21