Howdy Folks. MIM 2016 went GA some time ago and one of the new features of MIM for the Certificate Management component was the support for cross forest issuance of certificates\smart cards. Though most enterprises comprise of a single forest, in the time of mergers and acquisitions many enterprises would consist of multiple forests in an account\resource forest configuration with a trust or even multiple forests in an enterprise.
Today I will walk you through the requirements and additional configurations to enable cross forest issuance of certificates\smart cards between two forests in the lab environment. This blog assumes that an environment consisting of two forests with a two-way trust is already setup. The resource forest has a certificate authority, SQL server and MIM CM server.
Servers : Certificate authority, SQL and MIM CM server in the resource forest.
Step 1 – Schema extension in both forests.
Execute below file on the schema master of the resource forest .
Execute below file on the schema master of the account forest.
Schema change is typically a one way operation and requires a forest recovery to roll back so make sure you have necessary backups.
Step 2 – Prepare the certificate templates.
Prepare three certificate templates for the MIM CM agent accounts as per the guidelines in below article.
Step 3 – Install MIM CM on the Certificate Authority.
Browse to \MIM\Certificate Management\x64\ and execute setup.exe. Make sure MIM CM CA Files option is enabled while running the wizard on the Certificate authority as shown in the image below.
Step 4 – Install IIS on the MIM CM Portal server.
Install Web server(IIS) role from server manager.
Select below options along with the options that are by default enabled when installing IIS in the role services section of the wizard.
a. Common HTTP Features – HTTP Redirection
b. Health and Diagnostics – Request Monitor
c. Performance – Dynamic Content Compression
d. Security – Basic Authentication, Windows Authentication
e. Application Development – .NET Extensibility 4.5, ASP, ASP.NET 4.5, ISAPI Extensions.
f. Management Tools – IIS Management Console, IIS 6 Management Compatibility (All)
Step 5 – Install CM component on the MIM CM server.
Browse to \MIM\Certificate Management\x64\ and execute setup.exe. Make sure MIM CM Portal option is enabled while running the wizard on the server as shown in the image below.
Below is the virtual folder for your MIM CM portal. You can add a custom name if you’d like. Make sure you have the same name if installing multiple MIM CM portal servers.
Step 6 – Configure MIM CM.
Click Start and you will see the Certificate Management configuration wizard under newly installed applications. Execute it as an administrator. When running the configuration wizard, make sure you are running it as an account that has permissions to write to configuration and domain partition of resource forest. An enterprise admin is recommended.
You can use multiple CAs to issue certificates using MIM CM. Select one CA which will be the first CA and you can add the rest later.
Enter the name of the SQL server and the credentials which has rights to create the database.
Select the database name. You can use the default name or a friendly name. Again, make sure you are using the same name for the database if installing multiple MIM CM servers.
Since we have a two-way trust, we will see the trusted forest. Once we click on the checkbox next to the forest name it shows green as shown below. It will fail if there are issues with the trust, DNS or if the schema is not extended. Also you can change the Service Connection Point name to reflect the common name if you have two servers by clicking on change and setting the common name.
Select Windows Integrated Authentication.
Select the agent accounts to be used. You can create custom accounts and add them here by unchecking ‘Use the FIM CM default settings’ and clicking on custom accounts or you can let the MIM CM configuration wizard create the accounts automatically. If creating multiple MIM CM servers, we would recommend to create the accounts before hand.
Select the corresponding templates created in step 2.
Specify the name of SMTP server you want to use for email registration.
Click the configure button to start the configuration.
It will give a popup to require SSL. This can be done later by binding a certificate to IIS.
Click on the finish button to complete the configuration.
Once above steps are complete, we need to perform post-install tasks as was done for FIM CM. Refer to below article to complete the post-installation tasks for MIM CM.
Your MIM CM server is configured for cross forest enrollment but we still have some more configuration to do on the Certificate Authority and Active Directory before we can issue the certificates\smart cards across the forest. That will be part 2 of this blog.