Installing MIM CM 2016 for Multiple Forests–Part 1


Howdy Folks. MIM 2016 went GA some time ago, and one of the new features of the Certificate Management component is support for cross-forest issuance of certificates\smart cards. Though most enterprises consist of a single forest, after mergers and acquisitions many enterprises end up with multiple forests, either in an account\resource forest configuration with a trust or simply as several forests within the enterprise.

Today I will walk you through the requirements and additional configuration needed to enable cross-forest issuance of certificates\smart cards between two forests in a lab environment. This blog assumes that an environment consisting of two forests with a two-way trust is already set up. The resource forest has a certificate authority, a SQL server and a MIM CM server.

Servers: certificate authority, SQL server and MIM CM server, all in the resource forest.

Step 1 – Schema extension in both forests.

Execute the file below on the schema master of the resource forest.

C:\MIM\Certificate Management\x64\Schema\resourceForestModifySchema.vbs

Execute the file below on the schema master of the account forest.

C:\MIM\Certificate Management\x64\Schema\userForestModifySchema.vbs

A schema change is typically a one-way operation and requires a forest recovery to roll back, so make sure you have the necessary backups before running either script.

Step 2 – Prepare the certificate templates.

Prepare three certificate templates for the MIM CM agent accounts as per the guidelines in the article below.

Prepare the MIM CM Agent Certificate Templates.

Step 3 – Install MIM CM on the Certificate Authority.

Browse to \MIM\Certificate Management\x64\ and execute setup.exe. Make sure the MIM CM CA Files option is enabled while running the wizard on the certificate authority, as shown in the image below.

image

Step 4 – Install IIS on the MIM CM Portal server.

Install the Web Server (IIS) role from Server Manager.

In the Role Services section of the wizard, select the options below in addition to the options that are enabled by default when installing IIS.

a. Common HTTP Features – HTTP Redirection

b. Health and Diagnostics – Request Monitor

c. Performance – Dynamic Content Compression

d. Security – Basic Authentication, Windows Authentication

e. Application Development – .NET Extensibility 4.5, ASP, ASP.NET 4.5, ISAPI Extensions.

f. Management Tools – IIS Management Console, IIS 6 Management Compatibility (All)

Step 5 – Install CM component on the MIM CM server.

Browse to \MIM\Certificate Management\x64\ and execute setup.exe. Make sure the MIM CM Portal option is enabled while running the wizard on the server, as shown in the image below.

image

Below is the virtual folder for your MIM CM portal. You can use a custom name if you’d like; make sure you use the same name on every server if installing multiple MIM CM portal servers.

image

Step 6 – Configure MIM CM.

Click Start and you will see the Certificate Management configuration wizard under newly installed applications. Run it as an administrator, using an account that has permission to write to the configuration and domain partitions of the resource forest. An enterprise admin is recommended.

image

MIM CM can issue certificates from multiple CAs. Select the CA that will be the first CA; you can add the rest later.

image

Enter the name of the SQL server and credentials that have rights to create the database.

image

Select the database name. You can use the default name or a friendly name. Again, make sure you use the same database name if installing multiple MIM CM servers.

image

Since we have a two-way trust, the trusted forest is listed. Once we select the checkbox next to the forest name, it shows green as shown below. The check fails if there are issues with the trust or DNS, or if the schema has not been extended. If you have two servers, you can also change the Service Connection Point name to reflect the common name by clicking Change and entering the common name.

image

Select Windows Integrated Authentication.

image

Select the agent accounts to be used. You can create custom accounts and add them here by unchecking ‘Use the FIM CM default settings’ and clicking on custom accounts, or you can let the MIM CM configuration wizard create the accounts automatically. If creating multiple MIM CM servers, we recommend creating the accounts beforehand.

image

Select the corresponding templates created in step 2.

image

Specify the name of the SMTP server you want to use for email registration.

image

Click the configure button to start the configuration.

image

A popup will remind you to require SSL on the portal. This can be done later by binding a certificate to IIS.

image
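As an added example (not part of the original post), the deferred SSL step done from PowerShell on the portal server: bind a server certificate to the site and require SSL on the MIM CM virtual directory, so that credentials presented through Windows Integrated Authentication never travel over plain HTTP. Assumptions: the site is "Default Web Site", the virtual directory kept the default name "CertificateManagement" (replace it with the name you chose in Step 5), and a certificate with a private key for the portal's FQDN (placeholder cm.resource.example) is already in the machine store.

```powershell
# Added example: bind a certificate to IIS and require SSL on the MIM CM virtual directory.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$vdirName   = 'CertificateManagement'   # assumption: the default virtual folder name
$portalFqdn = 'cm.resource.example'     # placeholder: the name users browse to

# Pick the newest machine certificate (with private key) issued for the portal name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$portalFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $portalFqdn" }

# Add an HTTPS binding to the site if there is none, then attach the certificate to it.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $sslPath)) {
    New-Item $sslPath -Value $cert | Out-Null
}

# Require SSL with 128-bit encryption on the MIM CM virtual directory only.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$vdirName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,Ssl128'

# Verification: read back the effective setting for the virtual directory.
$access = Get-WebConfiguration -PSPath 'IIS:\' -Location "$siteName/$vdirName" `
    -Filter 'system.webServer/security/access'
Write-Host "sslFlags on $siteName/$vdirName = $($access.sslFlags)"
```

Run the same script with the same site and virtual directory names on every portal server so the binding and the Require SSL setting match across the farm.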

Click on the finish button to complete the configuration.

image

Once the above steps are complete, we need to perform the post-installation tasks, as was done for FIM CM. Refer to the article below to complete the post-installation tasks for MIM CM.

Post-installation tasks

Your MIM CM server is now configured for cross-forest enrollment, but we still have some more configuration to do on the certificate authority and in Active Directory before we can issue certificates\smart cards across the forest. That will be part 2 of this blog.

Lishweth KM


Comments (2)

  1. Sunv says:

    Hi,

    Thank you for this very good post, the first and only one on MIM CM 2016 on the entire web!!

    Did you have any chance to work with the remoting API on this version and Windows Server 2012? We have developed an application which was working just fine with CLM 2007, then with FIM CM 2010, but now we are getting some error when trying to run the app on the same IIS, same application pool (so In-Process calls):

    - With UseRemoting = true, we get the famous "System.ArgumentNullException: Value cannot be null. Parameter name: channelProperties"
    - When setting UseRemoting = true, we get the "System.InvalidOperationException: Application attempted to use .config file settings, but it hasn't been parsed yet."

    Any idea?

    Thanks

  2. Lishweth says:

    Hey Sunv,

    Sorry, I have not had a chance to work on the remoting API yet.
