Forefront Identity Management – Certificate Management (FIM CM 2010) – Part 3

FIM CM Agents

The power of FIM CM, its ability to proxy requests to the CA and to proxy identities, comes from the concept of FIM CM agents. The agents are user accounts in your directory that FIM CM uses to perform its tasks. Some of them carry certificates, and you associate those agent accounts with their certificates in the FIM CM web.config file.

Note: the FIM CM Initial Configuration Wizard can create and configure these accounts for you automatically. It is nevertheless highly recommended that you create them manually, and even enroll them for their certificates manually. This matters later for manageability, especially when the agent certificates approach expiry and have to be renewed and re-bound in web.config. The accounts must exist in Active Directory before installation.


FIM Agent

The first agent account used by FIM CM is called simply the FIM Agent, and it is a very important account. Configuring it correctly the first time will ensure a smooth deployment of FIM CM in your organization.

The FIM Agent is enrolled for a signing and encryption certificate, usually from the (User) certificate template. I chose to duplicate the (User) template and configure the private key as exportable, so that the certificate can be moved to the FIM CM server as a PFX file; protect that file and delete it once it has been imported.

Once you have the signing and encryption certificate, log on to the FIM CM server as the FIM Agent account and import the certificate, together with its private key, into that user's Personal certificate store.

The FIM Agent account is used for the following tasks:

  • Protect communication between the FIM CM server and the CA.
  • Revoke Certificates.
  • Encrypt Smart Card Admin Keys in the FIM CM database.
  • Encrypt (Data Collection) that is requested by the FIM CM portal, in the FIM CM database.


You need to make sure that the thumbprint of the FIM Agent certificate is placed in the following three settings in the FIM CM web.config file (the value attribute holds the thumbprint as a 40-character hex string, without spaces):

  1. <add key="Clm.SigningCertificate.Hash" value="<thumbprint of the FIM Agent certificate>" />
  2. <add key="Clm.Encryption.Certificate.Hash" value="<thumbprint of the FIM Agent certificate>" />
  3. <add key="Clm.SmartCard.ExchangeCertificate.Hash" value="<thumbprint of the FIM Agent certificate>" />


FIM KRA Agent

The second agent account is the FIM KRA account, used to recover archived private keys from the CA database. Enroll this account for a certificate from the Key Recovery Agent template and configure the CA to use that certificate for key recovery (the KRA certificate is added on the CA's Recovery Agents tab, and key archival must be enabled on the templates whose keys should be recoverable). This account should be a member of the local Administrators group on the FIM CM server.


FIM Enroll Agent

This is the account that performs the actual enrollment of certificates. Enroll it for a certificate from the (Enrollment Agent) certificate template; placing that certificate's private key in an HSM gives it stronger protection, which is worth doing because whoever holds an Enrollment Agent key can request certificates on behalf of other users. This account is what makes it possible to proxy identities when enrolling through the FIM CM portal: the FIM CM admins are not enrolled for Enrollment Agent certificates themselves; instead they are assigned a management role in the FIM CM profile template, while the FIM CM Enroll Agent is the account that actually submits the enrollment.

The FIM Enroll Agent should have the (Read) and (Request Certificates) permissions on the CA server.

The thumbprint of the FIM Enroll Agent certificate (not the KRA certificate) should be inserted in the following setting of the FIM CM web.config file:

<add key="Clm.EnrollAgent.Certificate.Hash" value="<thumbprint of the FIM Enroll Agent certificate>" />
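The following PowerShell script is an added example, not code from the original post or from Microsoft. It binds the FIM Agent thumbprint to the three Clm.SigningCertificate.Hash, Clm.Encryption.Certificate.Hash and Clm.SmartCard.ExchangeCertificate.Hash settings and the FIM Enroll Agent thumbprint to Clm.EnrollAgent.Certificate.Hash, and checks each certificate for a private key and an approaching expiry, which is the renewal problem the note at the top of this post warns about. The install path, the placeholder thumbprints and the assumption that the keys live under <appSettings> are mine; replace them with your own values. Run it elevated on the FIM CM server.

```powershell
# Added example (not from the original post). Binds FIM CM agent certificate
# thumbprints to their web.config keys and sanity-checks each certificate.
# Assumptions: default install path below; keys live under <appSettings>;
# thumbprints are replaced with the real ones before running.

$WebConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config'  # assumed default path

# Thumbprints as copied from the certificate MMC (spaces are tolerated).
$AgentHashes = @{
    'Clm.SigningCertificate.Hash'            = '<FIM Agent thumbprint>'
    'Clm.Encryption.Certificate.Hash'        = '<FIM Agent thumbprint>'
    'Clm.SmartCard.ExchangeCertificate.Hash' = '<FIM Agent thumbprint>'
    'Clm.EnrollAgent.Certificate.Hash'       = '<FIM Enroll Agent thumbprint>'
}

function ConvertTo-NormalizedThumbprint {
    param([string]$Thumbprint)
    # Copying from the certificate dialog often brings along spaces and an
    # invisible left-to-right mark (U+200E) at the start; both break the lookup.
    $clean = ($Thumbprint -replace '[\s\u200E\u200F]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "'$Thumbprint' is not a SHA-1 thumbprint (40 hex characters)."
    }
    return $clean
}

function Test-AgentCertificate {
    param([string]$Thumbprint, [int]$WarnDays = 60)
    # The agent certificates live in the Personal store of the agent account,
    # which only that account can read: run this logged on as the agent, or
    # look in LocalMachine\My if you placed a copy there.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My."
        return
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$Thumbprint ($($cert.Subject)) has no private key; FIM CM cannot sign or decrypt with it."
    }
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "$Thumbprint ($($cert.Subject)) expires in $daysLeft days ($($cert.NotAfter)); plan the renewal and the web.config update."
    }
}

# Validate every thumbprint first so a typo never leaves a half-updated file.
$normalized = @{}
foreach ($key in $AgentHashes.Keys) {
    $normalized[$key] = ConvertTo-NormalizedThumbprint $AgentHashes[$key]
}

[xml]$config = Get-Content -Path $WebConfigPath -Raw
$backup = "$WebConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $WebConfigPath -Destination $backup

foreach ($key in $normalized.Keys) {
    $node = $config.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    if (-not $node) { throw "Key '$key' not found under <appSettings> in $WebConfigPath; is this the FIM CM web.config?" }
    $node.SetAttribute('value', $normalized[$key])
    Test-AgentCertificate -Thumbprint $normalized[$key]
}
$config.Save($WebConfigPath)
Write-Host "Updated $WebConfigPath (backup: $backup). Recycle the FIM CM application pool afterwards."
```

The script refuses to write until every placeholder has been replaced with a real 40-hex-character thumbprint, and it takes a timestamped backup of web.config before touching it. The expiry warning is the check worth scheduling: once an agent certificate expires, signing, decryption of the stored smart card admin keys, or proxied enrollment stops working until the certificate is renewed and the new thumbprint is written back here.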


FIM Authorization Agent

This agent (the Auth Agent) does not need a certificate to function. Its main purpose is to provide a security context in which the FIM CM services read configuration data from Active Directory.

The account should be granted the following permissions and rights:

  • The "Generate security audits" user right (SeAuditPrivilege) on the FIM CM server.
  • Membership of the (Pre-Windows 2000 Compatible Access) group in AD.
  • "Read" permission on the certificate templates in Active Directory.
  • "Read" and "Write" on the FIM CM profile templates.
  • "Create Child Objects" on the Profile Template container.

Note: If you don’t want some of the legacy profile templates to appear on your FIM CM admin portal, just remove the “Read” permission of the FIM Auth Agent from those profile templates.


FIM CA Manager

This agent is used by FIM CM to perform CA management tasks like issuing CRLs or delta CRLs when a smart card or certificate is retired or disabled for example.

This account should have the "Read" and "Manage CA" permissions on the CA.


FIM Web Pool Agent

This is one of the most important agents in a FIM CM deployment: it is the identity of the IIS application pool that runs the FIM CM portal, and it is also the account used to access the FIM CM database.

This account should have the following rights and permissions:

  • The "Generate security audits" user right (SeAuditPrivilege) on the FIM CM server.
  • Membership of the local Administrators group on the FIM CM server.
  • Membership of the local IIS_IUSRS group on the FIM CM server.
  • The "Act as part of the operating system" user right (SeTcbPrivilege) on the FIM CM server.
  • The "Replace a process level token" user right (SeAssignPrimaryTokenPrivilege) on the FIM CM server.
  • "Read" on the FIM CM registry keys.
  • Trusted for delegation to the CA server. Prefer constrained delegation to the CA server's services over "trust this user for delegation to any service": an account with SeTcbPrivilege and unconstrained delegation can impersonate users to every service in the forest.
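The following PowerShell script is an added example, not code from the original post, that audits whether the Web Pool agent actually holds the rights listed above: the three user rights via a secedit export, the two local group memberships, and the delegation setting in AD. The domain name CORP, the account name FIMCMWebPool and the CA name ca01.corp.example are assumptions; Get-LocalGroupMember needs PowerShell 5.1 on Windows Server 2016 or later, and the delegation check needs the ActiveDirectory module from RSAT. Pointed at the Authorization Agent with the group list emptied, the same script verifies that account's "Generate security audits" right.

```powershell
# Added example (not from the original post). Audits the user rights, local
# group membership and delegation configuration of the FIM CM Web Pool agent.
# Assumed names: domain CORP, account FIMCMWebPool, CA server ca01.corp.example.
# Run elevated on the FIM CM server.

$Domain   = 'CORP'                 # assumed NetBIOS domain name
$Account  = 'FIMCMWebPool'         # assumed agent sAMAccountName
$CaServer = 'ca01.corp.example'    # assumed CA server FQDN

$RequiredRights = @{
    SeAuditPrivilege              = 'Generate security audits'
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
$RequiredGroups = 'Administrators', 'IIS_IUSRS'

# secedit lists principals by SID (prefixed with '*'), so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount("$Domain\$Account")).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the local user-rights assignment and parse the [Privilege Rights] lines.
$inf = Join-Path $env:TEMP 'fimcm-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = ($Matches[2] -split ',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item -Path $inf -Force

$findings = @()
foreach ($priv in $RequiredRights.Keys) {
    $holders = @($rights[$priv])
    $ok = ($holders -contains "*$sid") -or ($holders -contains "$Domain\$Account")
    $findings += [pscustomobject]@{ Check = $RequiredRights[$priv]; Ok = $ok }
}

foreach ($group in $RequiredGroups) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    $ok = [bool]($members | Where-Object { $_.SID.Value -eq $sid })
    $findings += [pscustomobject]@{ Check = "Member of local $group"; Ok = $ok }
}

# Delegation: constrained delegation to the CA server is the safer configuration;
# unconstrained delegation lets this account impersonate users to any service.
Import-Module ActiveDirectory
$ad = Get-ADUser -Identity $Account -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$constrained = [bool](@($ad.'msDS-AllowedToDelegateTo') -match [regex]::Escape($CaServer))
$findings += [pscustomobject]@{
    Check = "Trusted for delegation to $CaServer"
    Ok    = ($constrained -or [bool]$ad.TrustedForDelegation)
}
if ($ad.TrustedForDelegation -and -not $constrained) {
    Write-Warning "$Account is trusted for delegation to ANY service; consider constraining it to $CaServer."
}

$findings | Format-Table -AutoSize
```

Any row with Ok = False is a right or membership that the portal will be missing at runtime, typically surfacing as a failure when the portal proxies a request to the CA. The warning at the end is the one to act on before go-live: unconstrained delegation combined with the local Administrators and SeTcbPrivilege grants the page calls for makes the Web Pool account one of the highest-value accounts in the deployment.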


FIM Agents all together

Summarizing the agent accounts described above, with the certificate each one carries and where that certificate is bound:

  • FIM Agent: signing and encryption certificate (duplicated User template); web.config keys Clm.SigningCertificate.Hash, Clm.Encryption.Certificate.Hash and Clm.SmartCard.ExchangeCertificate.Hash.
  • FIM KRA Agent: Key Recovery Agent certificate, registered on the CA for key recovery; local Administrators on the FIM CM server.
  • FIM Enroll Agent: Enrollment Agent certificate (private key ideally in an HSM); web.config key Clm.EnrollAgent.Certificate.Hash; Read and Request Certificates on the CA.
  • FIM Auth Agent: no certificate; reads the certificate templates and reads and writes the profile templates in AD.
  • FIM CA Manager: no certificate; Read and Manage CA on the CA.
  • FIM Web Pool Agent: no certificate; IIS application pool identity, FIM CM database access, trusted for delegation to the CA server.

