FIM CM - Deployment
Single forest, two sites connected via a poor link. Rolling out smart cards across the estate, with local smart card management at each site. Is it advisable to install FIM CM, issuing CA and OCSP infrastructure at each site?
Cheers,
MMS_guru
Identity & Metadirectory, Hewlett-Packard UK
February 28th, 2011 5:03pm

On Mon, 28 Feb 2011 15:44:31 +0000, MMS_guru wrote:
> Single forest, two sites connected via poor link. Rolling out smart cards across the estate, with local smart card management at each site. Is it advisable to install FIM CM, issuing CA and OCSP infrastructure at each site?

That would make sense, yes.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
If God had intended Man to program, we would be born with serial I/O ports.
February 28th, 2011 5:06pm

The answer is "it depends".
1) You could set up separate profile templates, one for each site, with the servers issuing local certificates.
2) I would consider using DNS name(s) that would point to the locally located server for OCSP and HTTP CRL/AIA download.
3) You could do something like this with LBS (should be site aware to point to the local server).
4) For getting the certificate, I would not really care which CA issued the cert (small amount of traffic).
5) The important traffic is the validation traffic. If the clients are WinVista or higher, then OCSP is going to really help for traffic (less to download). As I stated earlier, you could use LBS to redirect to the closer server (based on sites).
HTH,
Brian
March 15th, 2011 8:36pm
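Brian's point (5) is that the traffic to worry about is validation, which follows the OCSP and CRL URLs baked into the issued certificate, not the enrollment request. The script below is an added example (not from this thread or from the FIM CM product): run on a client workstation, it takes each smart card logon certificate that has been propagated into the user's personal store, shows the issuing CA (which, as the later reply notes, is the CA the FIM CM profile template will renew against) and every URL in the AIA and CDP extensions, resolves each host, and checks TCP reachability. Comparing the resolved addresses with the site's local OCSP/CRL servers shows whether the site-aware DNS names from point (2) are actually in effect. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection; the EKU and extension OIDs are the standard ones.

```powershell
# Added example, not part of the original thread. Lists the issuer and the
# OCSP/CRL URLs of each smart card logon certificate in Cert:\CurrentUser\My,
# then resolves and probes each HTTP(S) host to show where validation traffic goes.
# Assumes Windows 8 / Server 2012+ (Resolve-DnsName, Test-NetConnection) and that the
# smart card certificate has been propagated into the user's personal store.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$AiaOid            = '1.3.6.1.5.5.7.1.1'        # Authority Information Access (OCSP, caIssuers)
$CdpOid            = '2.5.29.31'                # CRL Distribution Points

function Get-ExtensionUrls {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text ("URL=http://..."); pull the URLs out.
    [regex]::Matches($ext.Format($true), '(?i)\b(https?|ldap)://[^\s\]\)]+') | ForEach-Object { $_.Value }
}

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku
}
if (-not $certs) {
    Write-Warning 'No smart card logon certificates found in Cert:\CurrentUser\My'
    return
}

foreach ($cert in $certs) {
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)   (the CA the FIM CM profile template will renew against)"
    Write-Host "Expires : $($cert.NotAfter)"

    $urls = @(Get-ExtensionUrls -Cert $cert -Oid $AiaOid) + @(Get-ExtensionUrls -Cert $cert -Oid $CdpOid)
    foreach ($url in ($urls | Select-Object -Unique)) {
        $uri = [uri]$url
        if ($uri.Scheme -eq 'ldap') {
            # ldap:/// CDP/AIA entries are served by the DC the client is already bound to, so they stay site-local.
            Write-Host "  $url  (LDAP, served by the client's own DC)"
            continue
        }
        $addrs = (Resolve-DnsName -Name $uri.Host -Type A -ErrorAction SilentlyContinue |
                  Where-Object IPAddress | Select-Object -ExpandProperty IPAddress) -join ', '
        # Uri.Port returns the scheme default (80/443) when the URL does not specify one.
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                        -WarningAction SilentlyContinue -InformationLevel Quiet
        Write-Host ("  {0}`n    resolves to : {1}`n    TCP {2} open : {3}" -f $url, $addrs, $uri.Port, $reachable)
    }
    Write-Host ''
}
```

Run it once from a workstation in each site (and again after a user has travelled): if the OCSP and HTTP CDP names resolve to the remote site's server, the site-aware DNS or load-balancer configuration is not doing what Brian describes and every logon will pull revocation data across the poor link.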

In this scenario, would two CLM profile templates be required, each with a cert template pointing to its local issuing CA? Smart card logon certs issued by a local CA, with an AIA extension pointing to a local Online Responder: what happens if users travel between the two sites, or relocate from one site to another?
Identity & Metadirectory, Hewlett-Packard UK
March 15th, 2011 11:07pm

Brian, great response, thanks very much. On point (4), is there a certificate renewal consideration? If CA1 in Site 1 issued a logon cert to User 1, and User 1 permanently relocates to Site 2, will the renewal process attempt to renew the cert on CA1, i.e. over the wire?
Cheers
Identity & Metadirectory, Hewlett-Packard UK
March 16th, 2011 7:19pm

Since we are talking about FIM CM, the renewal will take place at the designated CA in the profile template (for each certificate template included in the profile template). FIM CM hard codes which CA the request is sent to, rather than how autoenrollment will get a certificate from the first CA that responds to a request (RPC response).
Brian
March 16th, 2011 10:17pm
