File and Installation Information
Components for both Windows Active Directory and Forefront Identity Manager must be installed to enable this new functionality.
Installation Instructions
Domain Controller Overview
Requirements
- You must have a Windows Server 2008 R2-based or Windows Server 2008-based Domain Controller.
- You must own the PDC Emulator role in the domain.
- FIM accesses the PDC emulator for all password reset operations.
- Each domain hosting users who will reset their passwords through FIM must have the DC with the PDC Emulator role updated with this hotfix build.
- Lightweight Directory Access Protocol (LDAP) over SSL communication must be configured between the FIM Synchronization Service and the domain controller.
- For LDAP over SSL to work correctly, the DC must have a server certificate (Domain Controller certificate template).
- The basics of the certificate requirements are documented in the following KB article: 321051 How to enable LDAP over SSL with a third-party certification authority.
- Instructions for configuring Active Directory Certificate Services are in Appendix 1 of this document.
Installing the hotfix update for Windows
Use the Run as Administrator option when you run the appropriate executable documented in the following table on the domain controller.
Filename | Platform
Windows6.1-KB2386717-ia64.msu | ia64
Windows6.1-KB2386717-x64.msu | x64
Windows6.1-KB2386717-x86.msu | x86
Windows6.0-KB2386717-x64.msu | x64
Windows6.0-KB2386717-x86.msu | x86
To make sure that the hotfix is installed as expected, LDP.exe can be used to check for the new LDAP control that is installed with the hotfix. LDAP control information is returned in the “supportedControl” attribute in the RootDSE.
New Control OID: "1.2.840.113556.1.4.2066"
Please see Appendix 4 for more information about using Ldp.exe to check the RootDSE for this new control.
FIM 2010 Server Components
Download and then install the following FIM 2010 server components:
- FIM Synchronization Service
- FIM Service
- FIM Portal
Configuration Steps
LDAP over SSL Connections
The basic requirements for establishing an LDAP connection over SSL to a domain controller:
- The domain controller must have a certificate issued to it based on the Domain Controller certificate template.
Note Appendix 1 has information on how to perform this in a simple scenario.
- The FIM Service server must trust the CA that issued the certificate to the Domain Controller.
Note Information on how to perform this is in Appendix 1 of this document.
Enabling Password Policy Enforcement in FIM 2010
Enabling password history enforcement in FIM 2010 is done by making a registry setting. This must be configured for each Active Directory management agent on which you want to enable password policy enforcement.
Important By default, this setting is disabled for all Active Directory management agents.
Note In the following Registry Key example, <ma name> should be replaced with the name of the Active Directory MA to be configured.
Registry Key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>
Registry Value: Set ADMAEnforcePasswordPolicy = 1 to enforce password history. All other values are interpreted as turning off the new functionality.
Testing and Troubleshooting
The appendixes at the end of this document provide additional information that may be helpful when you configure a simple test environment. There are also links for troubleshooting LDAP over SSL connections.
Appendix 1: Set Up A Simple Test Configuration
Note The steps in this appendix are not meant to be used in a Production environment. The planning and deployment of certificates in the production environment should be carefully considered for the whole security infrastructure of the network.
Enable LDAP SSL in a Test Environment that uses Active Directory Certificate Services to issue the server cert to the domain controller.
Install Active Directory Certificate Services
- Open Server Manager.
- Select Roles, and then click Add Roles in the center pane.
- In the Select Server Roles window, select Active Directory Certificate Services, and then click Next.
- Select Certification Authority and Certification Authority Web Enrollment in the role services list, and then click Next.
- In the Specify Setup Type window, select the Enterprise option, and then click Next.
- In the Specify CA Type window, select the Root CA option and then click Next.
Configuring the Domain Controller Certificate Template to enable Enrollment
- Check the Domain Controller certificate template Security properties to make sure Domain Controllers have the Enroll permission.
  - In the Server Manager, expand the Active Directory Certificate Services role.
  - Click to select Certificate Templates.
  - In the list of certificate templates, click to view the properties of the Domain Controller certificate template.
  - Click the Security tab.
  - Click the Domain Controllers security identity.
  - Confirm the Enroll permission is granted.
- Make sure that the Domain Controller certificate template is published in the Certification Authority.
  - In the Active Directory Certificate Services tree, expand the Certification Authority tree that has the same name as given to the Certification Authority on setup.
  - Under the Certification Authority tree, click the Certificate Templates container.
  - Check the right side pane to make sure that the Domain Controller certificate template is listed.
- If the Domain Controller certificate template is not listed, follow these steps:
  - Right-click the Certificate Templates folder again.
  - Rest your mouse on New.
  - Click to select Certificate Template to Issue.
  - In the Enable Certificate Templates dialog box, click to select the Domain Controller certificate template.
  - Click OK to save the changes.
You are now ready to request a new certificate for your domain controller based on the Domain Controller certificate template.
Requesting a Certificate for the Domain Controller
On the Domain Controller
- Run the mmc.exe utility.
- In the File menu, select Add/Remove snap-in.
- Select Certificates.
- When you are prompted, select Computer Account and then click Next.
- Select the local computer account and then finish adding the snap-in.
- In the Certificates (local computer) snap-in, expand the tree.
- Click to select the Personal folder.
- From the Action menu, select All Tasks / Request New Certificate.
- On the screen that asks you to select the Certificate Enrollment Policy, accept the default and then click Next.
- Click the check-box next to Domain Controller and then click Enroll.
Trusting the Root CA on the FIM Sync computer
On the Certification Authority computer
- Run the mmc.exe utility.
- In the File menu, select Add/Remove snap-in.
- Select Certificates.
- When you are prompted, select Computer Account and then click Next.
- Select the local computer account and then finish adding the snap-in.
- In the Certificates (local computer) snap-in, expand the tree.
- Click to select the Personal folder.
- Click the Certificates folder under the Personal folder.
- Locate the root CA certificate, that is, the certificate whose Issued To and Issued By fields both show the CA name.
- Right-click the certificate and select All Tasks / Export.
- Accept the default settings until you are prompted for a file name.
- Provide a path and file name for saving the certificate.
- Complete the export process.
- Copy the resulting certificate file to the server that hosts the FIM Synchronization Service.
On the FIM Synchronization Service computer
- Run the mmc.exe utility.
- In the File menu, select Add/Remove snap-in.
- Select Certificates.
- When you are prompted, select Computer Account and then click Next.
- Select the local computer account and then finish adding the snap-in.
- In the Certificates (local computer) snap-in, expand the tree.
- Click to select the Trusted Root Certification Authorities folder.
- Right-click and on the shortcut menu select All Tasks / Import.
- Locate the root CA certificate file that you saved in the previous steps.
- Complete the import process.
You are now ready to test the LDAP over SSL connection between the FIM Synchronization Service server and the PDC Emulator domain controller.
Checking the LDAP over SSL connection to the PDC
Install the Remote Domain Admin Tools
- Open a cmd.exe prompt by using the Run as administrator option.
- Type the following command, and then press ENTER:
  ServerManagerCmd -install rsat-adds
Note A restart may be required.
Ldp.exe is now available.
Using Ldp.exe to test the LDAP over SSL connection
- Start Ldp.exe.
- On the File menu, click Connect.
- Type the dnsHostName (FQDN) of the domain controller that owns the PDC Emulator role.
- Change the Port number to 636.
- Click to enable SSL.
- Click OK.
On a successful connection, the right side pane of Ldp.exe shows the rootDSE information.
If the connection fails, use the following KB article to troubleshoot:
938703 How to troubleshoot LDAP over SSL connection problems
Test the LDAP SSL Connection by using Ldp.exe
[Screen shot: resulting text in the LDP results window]
Notice how the server name in the ldap_sslinit() method matches the dnsHostName that is returned in the rootDSE information. The following certificate screen shot shows that the name the certificate is issued to matches this name as well. It is very important for all of these to match. Otherwise the LDAP connection fails and “schannel” logs an error in the event log.
[Screen shot: output from the right side pane of LDP.exe after you make the connection]
[Screen shot: DC certificate for comparison]
Notice that the server certificate is also issued to the same dnsHostName. Having all of these match is very important to make an LDAP SSL connection.
Appendix 2: Frequently Asked Questions
Question Will this work if I install a Windows Server 2008 R2 domain controller as the PDC Emulator in a Windows Server 2003 or Windows Server 2008 domain?
Answer Yes. This functionality is enabled by an LDAP control that is hosted on the PDC emulator. As long as that control is found on the PDC emulator, this will work as expected.
Question If I install this update on an existing FIM deployment, will it break the current Self-Service Password Reset configuration?
Answer No. By default, this new functionality is disabled in the Active Directory management agent. The following registry information is used to enable the new functionality.
Registry Key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>
Registry Value Name | Values | Class | Created by | Explain
ADMAEnforcePasswordPolicy | dword | HKLM | Admin | 1 - true, everything else is false
Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.
Note This setting is only supported on FIM build version 4.0.3561.2 and later versions.
Note This is only supported where the domain controller is one of the following:
- Windows Server 2008 R2 with KB2386717
- Windows Server 2008 R2 SP1
- Windows Server 2008 with KB2386717
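The registry setting described in the Enabling Password Policy Enforcement section and again in this FAQ answer is per management agent, so it is easy to enable it on one AD MA and forget another. The following PowerShell is an added example (not part of the original article) that reports the ADMAEnforcePasswordPolicy value for every MA under PerMAInstance and can set it to 1 as a REG_DWORD for a named MA; the function and parameter names are this example's own, and it assumes it runs on the FIM Synchronization Service server with administrative rights.

```powershell
# Added example, not from the original KB article. Audits and enables the
# ADMAEnforcePasswordPolicy value that turns on password history enforcement
# for an Active Directory management agent. Function names are this example's own.
$PerMAInstancePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance'

function Get-AdmaPasswordPolicyEnforcement {
    # One row per MA subkey: the raw value and whether it actually enforces.
    param([string]$Path = $PerMAInstancePath)
    Get-ChildItem -Path $Path | ForEach-Object {
        $value = (Get-ItemProperty -Path $_.PSPath -Name ADMAEnforcePasswordPolicy -ErrorAction SilentlyContinue).ADMAEnforcePasswordPolicy
        [pscustomobject]@{
            MaName   = $_.PSChildName
            Value    = $value
            # Per the article, only an exact 1 enforces; a missing value or any other value does not.
            Enforced = ($null -ne $value -and [int]$value -eq 1)
        }
    }
}

function Enable-AdmaPasswordPolicyEnforcement {
    # Sets ADMAEnforcePasswordPolicy = 1 (dword) for the named MA and returns its new row.
    param([Parameter(Mandatory)][string]$MaName, [string]$Path = $PerMAInstancePath)
    $key = Join-Path -Path $Path -ChildPath $MaName
    if (-not (Test-Path -Path $key)) {
        # The subkey name must match the AD MA's name exactly; refuse rather than create a misnamed key.
        throw "No PerMAInstance subkey named '$MaName' under $Path"
    }
    # -PropertyType DWord matches the dword type given in the article's table; -Force overwrites any other value.
    New-ItemProperty -Path $key -Name ADMAEnforcePasswordPolicy -Value 1 -PropertyType DWord -Force | Out-Null
    Get-AdmaPasswordPolicyEnforcement -Path $Path | Where-Object { $_.MaName -eq $MaName }
}

# Report the current state of every MA; call Enable-AdmaPasswordPolicyEnforcement -MaName '<ma name>' to turn it on.
Get-AdmaPasswordPolicyEnforcement | Format-Table -AutoSize
```

The FIM Synchronization Service reads this key for its AD MA, so restart the service after changing the value if the new behaviour does not take effect.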
Question What is the change to the WMI MIIS_CSObject.SetPassword method to enable this functionality?
Answer
string SetPassword(
    [in] string NewPassword,
    [in] bool ForceChangeAtLogon,
    [in] bool UnlockAccount,
    [in] bool ValidatePasswordPolicy
);
Parameters
Appendix 3: Additional Resources
Current documentation for LDAP over SSL configuration & Troubleshooting
For more information about how to enable LDAP over SSL with a third-party certification authority, click the following article number to view the article in the Microsoft Knowledge Base:
321051 How to enable LDAP over SSL with a third-party certification authority
For more information about how to troubleshoot LDAP over SSL connection problems, click the following article number to view the article in the Microsoft Knowledge Base:
938703 How to troubleshoot LDAP over SSL connection problems
For more information about Windows LDAP over SSL Requirements, visit the following Microsoft website:
Appendix 4: Using LDP.exe to check for the new LDAP Control
- Start Ldp.exe.
- On the File menu, click Connect.
- Type the dnsHostName (FQDN) of the domain controller that owns the PDC Emulator role.
- Click OK.
- Check the right side pane for the “supportedControl” attribute of the rootDSE, which Ldp.exe displays after a successful connection.
- Check the values of supportedControl for the object identifier "1.2.840.113556.1.4.2066". If it is not listed, the hotfix is not installed on that domain controller.
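The two manual Ldp.exe checks in this document, the LDAP over SSL connection test in Appendix 1 and the supportedControl check in this appendix, can be scripted. The following PowerShell is an added example (not part of the original article) that binds to the PDC emulator over port 636 with SSL, reads the RootDSE and reports whether the connect name matches dnsHostName and whether the hotfix control OID is present; the function and parameter names are this example's own. Run it on the FIM Synchronization Service server so the certificate trust being tested is the one FIM will use.

```powershell
# Added example, not from the original KB article. Checks the PDC emulator for
# LDAPS readiness and for the KB2386717 LDAP control via the RootDSE.
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-FimPdcLdaps {
    param(
        # Default: the DC that currently owns the PDC Emulator role in this domain.
        [string]$Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name,
        [string]$ControlOid = '1.2.840.113556.1.4.2066'
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # No VerifyServerCertificate callback is set, so default Schannel validation applies:
    # an untrusted issuing CA or a name mismatch fails the bind here, as it would for FIM.
    try { $conn.Bind() }
    catch {
        return [pscustomobject]@{ Server = $Server; LdapsBind = $false; Error = $_.Exception.Message
                                  DnsHostName = $null; NameMatches = $null; ControlPresent = $null }
    }
    # A base-scope search on the empty DN returns the RootDSE.
    $attrs = [string[]]@('dnsHostName', 'supportedControl')
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, $attrs)
    $entry = $conn.SendRequest($req).Entries[0]
    $dnsHostName = $entry.Attributes['dnsHostName'].GetValues([string])[0]
    $controls    = $entry.Attributes['supportedControl'].GetValues([string])
    [pscustomobject]@{
        Server         = $Server
        LdapsBind      = $true
        Error          = $null
        DnsHostName    = $dnsHostName
        NameMatches    = ($dnsHostName -ieq $Server)        # the article requires these to match
        ControlPresent = ($controls -contains $ControlOid)  # $false means the hotfix is not on this DC
    }
}

Test-FimPdcLdaps | Format-List
```

A failed bind with a certificate-related error message points at the trust steps in Appendix 1; a successful bind with ControlPresent false points at the hotfix installation on the PDC emulator.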