Installing and Configuring CLM 2007 on a Server

Microsoft® Identity Lifecycle Manager "2" Certificate Management Service (ILM CMS) is an identity-assurance management system that maximizes the trust and flexibility associated with digital certificates and smart cards. A server that runs this software is known as a CLM server.

The following topics describe how to install and configure ILM CMS on a server:

  • Requirements for Installing CLM 2007

  • Before You Install CLM 2007

  • Installing SQL Server 2005

  • Installing CLM 2007 on a Server

  • Configuring CLM 2007 Using the CLM Configuration Wizard

  • Configuring the CA for CLM 2007

  • Configuring Active Directory Users and Groups

  • Configuring CLM 2007 Access Control

Requirements for Installing CLM 2007

To install ILM CMS, you must meet specific hardware and software requirements. Table 1 shows the hardware requirements for a CLM server.

Table 1   Hardware requirements for a CLM server

Hardware      Requirement

Processor     A 1.8 GHz Intel Pentium 4 processor.
              We recommend that you use an Intel Pentium 4 or AMD Opteron processor.

RAM           1,024 megabytes (MB) of RAM.
              We recommend that you install 2 gigabytes (GB) or more of RAM.

Hard disk     A 40 GB or larger hard disk.
              Disk space requirements vary based on use and log file management.

DVD drive     A DVD drive is required to install Microsoft SQL Server™ database software from a DVD-ROM.

Display       A Super VGA (SVGA) display with a resolution of 800 x 600 or higher and 256 colors.

Mouse         A mouse or other input device.

Network       A LAN connection with at least a 56K modem. A network connection is required for distributed management.

Table 2 shows the software requirements for ILM CMS.

Table 2   Software requirements for CLM 2007

Software                                      Description

Active Directory® directory service           An Active Directory infrastructure with a domain controller running on Microsoft Windows® 2000 or Windows Server® 2003.

Certification authority (CA)                  At least one Microsoft® Windows Server® 2003, Enterprise Edition CA.

Microsoft Certificate Lifecycle Manager 2007  At least one instance of the software installed on a server that is running Microsoft® Windows Server® 2003, Enterprise Edition or Microsoft® Windows Server® 2003, Datacenter Edition.

Microsoft SQL Server                          ILM CMS supports Microsoft SQL Server 2005, Standard Edition, Service Pack 1 and Microsoft SQL Server 2005, Enterprise Edition, Service Pack 1. ILM CMS also supports Microsoft SQL Server 2000 Service Pack 4.

Internet Information Services (IIS) 6.x       ILM CMS uses IIS as its Web server to run the CLM Web site.

The Microsoft .NET Framework 2.0              ILM CMS is a Microsoft .NET-connected application. You must install the Microsoft .NET Framework 2.0 on the server.

Microsoft Internet Explorer® 6.x              Because ILM CMS requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Internet Explorer 6.x is required. In addition, ILM CMS has advanced scripting features that are optimized for Internet Explorer.

Note

You can use one CLM server to manage multiple CAs, or multiple CLM servers to manage one CA.

The CLM server acts as administrative proxy to the CAs and provides a Web-based user interface (CLM Web site) for ILM CMS.

ILM CMS is integrated with Active Directory and Active Directory Certificate Services. ILM CMS stores profile template configuration information in Active Directory.

ILM CMS stores workflow and audit information in a SQL Server database accessed by the CLM server and the CA modules in ILM CMS. This database is known as the CLM database.

Important

To deploy smart cards or enable online certificate updates, ILM CMS requires the Microsoft Certificate Lifecycle Manager 2007 Client software, which it accesses through Internet Explorer. However, ILM CMS does not require client-side software for you to manage software-based certificates.

Before You Install CLM 2007

Before you install ILM CMS, you must complete the following prerequisite tasks:

  1. Step 1: Modify the Active Directory schema

  2. Step 2: Enable the default KeyRecoveryAgent certificate template

  3. Step 3: Enable the default EnrollmentAgent certificate template

Step 1: Modify the Active Directory schema

To modify the Active Directory schema, you must be a member of the Schema Admins group for the Active Directory forest.

Before you install ILM CMS, you must apply the schema modifications that are defined in Clm.ldif, which is a Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file. You can use either of the following methods to apply the modifications:

  • Run the LDAP Data Interchange Format Data Exchange tool, ldifde.exe.

    ldifde.exe is part of Windows Support Tools, which assist support personnel and network administrators in managing their networks and troubleshooting problems. They are not installed with the Windows operating system; you must install them separately from the Windows XP or Windows Server 2003 installation CD. To install the tools, you run Suptools.msi, which you can find on the Windows installation CD at the following location: Support\Tools.

  • Run the ModifySchema.vbs sample script.

    ModifySchema.vbs modifies the schema on the default forest using the current credentials for the user. If your settings differ from the default settings, you must edit the script before you run it.

Clm.ldif and ModifySchema.vbs are on the ILM CMS installation CD at the following location: CLM\Schema.
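The following PowerShell script is an added example and is not part of the ILM CMS documentation or the product's own scripts. It applies Clm.ldif with ldifde.exe against the schema master, triggers a schema cache refresh, and then verifies that every object named in the LDIF file exists. It assumes the installation CD is mounted as D:, that the LDIF file uses the "DC=X" placeholder for the forest root distinguished name (check the file; this placeholder is an assumption, not something the page states), and that the caller is a member of Schema Admins.

```powershell
# Added example (not from the ILM CMS documentation): import the Clm.ldif schema
# extensions, refresh the schema cache, and verify that the import took effect.
# Assumptions: CD mounted as D:, "DC=X" placeholder in the LDIF (assumed), caller
# is a Schema Admin, and dsacls/ldifde from Windows Support Tools are on the path.

$ldifPath    = 'D:\CLM\Schema\Clm.ldif'
$logDir      = 'C:\Temp\ClmSchema'
$placeholder = 'DC=X'

# RootDSE gives the forest root DN and the schema naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$forestDn = [string]$rootDse.rootDomainNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext

# Schema writes are only accepted by the schema master; find it via fSMORoleOwner,
# which points at the NTDS Settings object whose parent is the server object.
$ntdsSettings = [ADSI]('LDAP://' + [string]([ADSI]"LDAP://$schemaDn").fSMORoleOwner)
$schemaMaster = [string]$ntdsSettings.Parent.dNSHostName

# Refuse to continue unless the current token actually carries Schema Admins,
# so a failed import is caught before ldifde produces a half-applied schema.
if (-not (whoami /groups | Select-String -SimpleMatch 'Schema Admins')) {
    throw 'Current user is not a member of Schema Admins; the import would fail.'
}

New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# -i import, -f file, -s target server, -c replace the placeholder DN with the real
# one, -j directory for ldif.log/ldif.err, -v verbose. -k (ignore "object already
# exists" errors) is deliberately omitted so a partial import is not reported as success.
& ldifde.exe -i -f $ldifPath -s $schemaMaster -c $placeholder $forestDn -j $logDir -v
if ($LASTEXITCODE -ne 0) {
    throw "ldifde.exe returned $LASTEXITCODE; see the log files in $logDir"
}

# Ask the schema master to reload its schema cache so the new classes are usable now.
$masterRootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$masterRootDse.Put('schemaUpdateNow', 1)
$masterRootDse.SetInfo()

# Verify: every non-empty "dn:" entry in the LDIF file must now resolve on the master.
# Base64 DNs ("dn::") and the empty DN used for schemaUpdateNow entries are skipped.
$expected = @()
$missing  = @()
Get-Content $ldifPath | ForEach-Object {
    if ($_ -match '^dn:(?!:)\s*(.+)$') {
        $dn = $matches[1].Trim().Replace($placeholder, $forestDn)
        $expected += $dn
        if (-not [ADSI]::Exists("LDAP://$schemaMaster/$dn")) { $missing += $dn }
    }
}
if ($missing.Count -gt 0) {
    Write-Warning ("Schema objects not found after import:`n" + ($missing -join "`n"))
} else {
    Write-Host "All $($expected.Count) schema entries from Clm.ldif are present on $schemaMaster."
}
```

Run this once, from a domain-joined machine, as a Schema Admin. Schema extensions are forest-wide and cannot be rolled back, so keep the ldif.log and ldif.err files from $logDir as the change record, and note that the replication of the new objects to other domain controllers takes some time after the script reports success.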

Step 2: Enable the default KeyRecoveryAgent certificate template

A key recovery agent is a role performed by an information technology (IT) administrator who can decrypt archived private keys for users. KeyRecoveryAgent is the default certificate template for the key recovery agent in ILM CMS. The certificate template is only available if it is enabled on an active enterprise CA in the CA hierarchy.

Note

A user who is assigned the Manage CA permission to the enterprise CA must perform the following procedure.

To enable the default KeyRecoveryAgent certificate template

  1. Click Start, point to Administrative Tools, and then click Certification Authority.

  2. In Certification Authority, expand the set of folders for the default CA.

  3. In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

  4. In New Certificate Template to Issue, select Key Recovery Agent, and then click OK.

Step 3: Enable the default EnrollmentAgent certificate template

An enrollment agent is an IT administrator who requests certificates on behalf of a user. EnrollmentAgent is the default certificate template for the enrollment agent in ILM CMS. The certificate template is only available if you enable it on an active enterprise CA in the CA hierarchy.

Note

A user who is assigned the Manage CA permission to the enterprise CA must perform the following procedure.

To enable the default EnrollmentAgent certificate template

  1. Click Start, point to Administrative Tools, and then click Certification Authority.

  2. In Certification Authority, expand the set of folders for the default CA.

  3. In the console tree, click Certificate Templates.

  4. Right-click Certificate Templates, and then click New Certificate Template to Issue.

  5. In New Certificate Template to Issue, click Enrollment Agent, and then click OK.
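As an added example (not part of the documentation), the same change that the two console procedures for Step 2 and Step 3 make can be scripted with certutil.exe, which is easier to repeat on several CAs and to audit. The script assumes the caller holds the Manage CA permission and addresses the CA by a constructed placeholder configuration string, "ca01.contoso.com\Contoso Issuing CA"; the line format it parses from certutil -CATemplates is assumed from the tool's usual output.

```powershell
# Added example (not from the ILM CMS documentation): enable the KeyRecoveryAgent and
# EnrollmentAgent templates on an enterprise CA with certutil.exe and confirm it.
# Assumptions: caller has Manage CA; $caConfig is a constructed placeholder.

$caConfig  = 'ca01.contoso.com\Contoso Issuing CA'
# Template names are the templates' cn values, not the display names in the console.
$templates = 'KeyRecoveryAgent', 'EnrollmentAgent'

function Get-IssuedTemplates {
    # certutil -CATemplates prints one issued template per line, beginning with
    # "<TemplateName>: <Display Name>" (format assumed from typical certutil output).
    $out = & certutil.exe -config $caConfig -CATemplates
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed ($LASTEXITCODE)" }
    $out | ForEach-Object { if ($_ -match '^(\S+):') { $matches[1] } }
}

$issued = @(Get-IssuedTemplates)
$toAdd  = @($templates | Where-Object { $issued -notcontains $_ })

if ($toAdd.Count -eq 0) {
    Write-Host 'KeyRecoveryAgent and EnrollmentAgent are already issued by this CA.'
} else {
    # A leading "+" adds the listed templates to the CA's issue list instead of
    # replacing it, so templates other teams enabled are left untouched.
    $arg = '+' + ($toAdd -join ',')
    & certutil.exe -config $caConfig -SetCATemplates $arg
    if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates $arg failed ($LASTEXITCODE)" }
}

# Re-read the list and report the state of the two templates this deployment needs.
$issued = @(Get-IssuedTemplates)
foreach ($t in $templates) {
    if ($issued -contains $t) { Write-Host "$t is enabled on $caConfig" }
    else { Write-Warning "$t is still not enabled on $caConfig" }
}
```

Both templates grant agent roles (key recovery and enrollment on behalf of others), so after enabling them review the template ACLs: only the CLM agent accounts and the administrators who hold those roles should have Enroll permission.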

Installing SQL Server 2005

To get help, you can click Help on many pages of the SQL Server Installation Wizard.

To install SQL Server 2005

  1. Insert the SQL Server 2005 DVD into your DVD drive, and then click Run the SQL Server Installation Wizard.

  2. If the installation process does not start automatically, run Splash.hta from the root directory of the DVD. To install SQL Server 2005 from a network location, run Splash.hta from that location.

  3. On the End User License Agreement page, read the license terms, select I accept the terms in the license agreement, and then click Next. To stop the installation, click Cancel.

  4. On the SQL Server Component Update page, click Install, and then click Finish.

  5. On the Welcome page, click Next to scan the installation computer for conditions that could block installation.

  6. On the System Configuration Check page, perform any of the following actions, and then click Continue:

    • To interrupt the scan, click Stop.

    • To view scan results by category, click Filter, and then select an option from the Filter list.

    • To view scan results for system configuration, click Report, and then select an option from the Report list.

      You can view the report, save it to a file, copy it to the Clipboard, or attach it to an e-mail message.

  7. On the Registration Information page, in Name and Company, type your name and company respectively, and then click Next.

  8. On the Components to Install page, select the component groups that you want to install.

    When you select a component group, you see a description for it in Components to be Installed. You can select any combination of check boxes. When you select SQL Server or Analysis Services, if Setup detects that you are installing to a virtual server, it enables the Install as a Virtual Server check box. You must select this option to install a failover cluster.

    Note

    For information about installing a failover cluster, see How to: Create a New SQL Server 2005 Failover Cluster (Setup) (https://go.microsoft.com/fwlink/?LinkId=76490).

  9. To install individual components, click Advanced to open the Feature Selection page, or click Next.

  10. If you opened the Feature Selection page, select the components that you want to install, and then click Next.

    To install components to a custom directory, you can select the component, and then click Browse to locate a directory.

  11. On the Instance Name page, select a default or named instance for your installation. You have the following options:

    • To use an existing default or named SQL installation instance, select it.

      SQL Server 2005 Setup upgrades the instance, and then offers to install additional components. You cannot have an existing default instance if you want to install a new default instance.

    • To install a new named instance, click Named Instance, and then type a unique instance name.

    • To install a new named instance side-by-side with an existing instance, click Named Instance, and then type a unique instance name.

      For more information about instance naming rules, click Help.

  12. On the Service Account page, specify the user name, password, and domain name for the SQL Server service accounts.

    You can use one account for all the services or you can perform one of the following actions to specify an individual account for each service:

    • To specify an individual account, click Customize for each service account, select a service name, provide logon credentials for the service, and then click Next.

    • To use one account for all services, provide logon credentials for the service, and then click Next.

    Note

    The domain name cannot be a full Domain Name System (DNS) name. For example, if your DNS name is contoso.com, use contoso in the Domain field. SQL Server does not accept contoso.com in the Domain field.

  13. On the Authentication Mode page, select one of the following authentication modes to use for your SQL Server installation:

    • Windows Authentication

      This mode creates a system administrator account, which is disabled by default. Whenever possible, use Windows Authentication and a strong password. Do not use a blank password. For information about strong passwords, see Authentication Mode (https://go.microsoft.com/fwlink/?LinkId=80692).

    • Mixed Mode Authentication

      This mode creates a system administrator account. For information about using mixed-mode authentication and enabling the system administrator account after SQL Server 2005 Setup completes, see How to: Change Server Authentication Mode (https://go.microsoft.com/fwlink/?LinkId=83784).

  14. If you selected mixed-mode authentication, type and confirm the system administrator (sa) logon information, and then click Next.

    Note

    For SQL Server 2005, the installation may not enforce the strong password requirement on some default configurations of Windows Server 2003 where the computer is not a member of a domain.

  15. To specify the collation for your SQL Server installation, on the Collation Settings page, enter your collation settings, and then click Next.

  16. If you chose to install Reporting Services, on the Report Server Installation Options page, accept the default selections to configure the report server. If the requirements for installing Reporting Services in the default configuration are not satisfied, you must select the Install but do not configure the server option. To view installation details for this page, click Details, and then click Next.

  17. On the Error and Usage Report Settings page, select whether to automatically send error reports for SQL Server 2005 and whether to automatically send feature usage data for SQL Server 2005 to Microsoft, and then click Next.

  18. On the Ready to Install page, review the summary of components for your SQL Server installation, and then click Install.

  19. To monitor installation, on the Setup Progress page, view the installation information, or click the component or status name to view the installation log.

  20. To view the summary log, on the Completing the Microsoft SQL Server Installation Wizard page, click the link provided.

  21. To exit Microsoft SQL Server 2005 Setup, click Finish.

  22. If you are instructed to restart the computer, do so now.

    Failure to restart the computer may cause failures when you run Setup in the future. For more information, read the installation message.

  23. Download and install any SQL Server 2005 or SQL Server 2000 service packs that are available.

Installing CLM 2007 on a Server

You can install ILM CMS and the CA on the same server or on separate servers.

Install CLM 2007 and the CA on the same server

Before you install ILM CMS and the CA on the same server, evaluate the hardware specifications for the server to ensure that it has a capable CPU and enough available hard drive space to accommodate both ILM CMS and the CA. We recommend that you evaluate this deployment scenario on a test server before you implement it on your network.

To install CLM 2007 and the CA on the same server

  1. From the ILM CMS installation CD, run CLM.msi.

    CLM.msi is located at Drive\CLM\. Drive is the name of your CD or DVD drive.

  2. On the Welcome to the Installation Wizard page, click Next.

  3. On the Certificate Lifecycle Manager License Agreement page, read the license terms, select I accept the terms in the license agreement, and then click Next.

  4. On the Custom Setup page, verify that all of the available components are selected.

  5. To change where you install the files, click Change, choose a different location, and then click OK.

    The default location is %ProgramFiles%\Microsoft Certificate Lifecycle Manager.

  6. On the Custom Setup page, click Next.

  7. On the Virtual Web Folder page, specify a name for a virtual Web folder.

    This folder will be the address for the CLM Web site. The default virtual Web folder name is Clm.

  8. On the Ready to Install Certificate Lifecycle Manager page, click Install.

  9. On the Certificate Lifecycle Manager Installation Complete page, clear the Launch the CLM Configuration Wizard check box, and then click Finish.

Install the CLM 2007 Web site on a server separate from the CA

You can install the ILM CMS Web site on a different server from the one where the CA is installed. You might do this to physically separate the ILM CMS and CA roles.

By default, the CLM Installation Wizard installs the server component, the Web site, and the CA policy and exit modules on the same server. To install the CLM Web site on a server separate from the CA, you must choose a custom setup in the CLM Installation Wizard to install the policy and exit modules on the CA server with the CLM server component.

To install the CA policy and exit modules on the server where you installed the CA

  1. Log on to the computer where you want to install the CLM server components and the policy and exit modules.

  2. From the ILM CMS installation CD, run CLM.msi.

    CLM.msi is located at Drive\CLM\. Drive is the name of your CD or DVD drive.

  3. On the Welcome to the Installation Wizard page, click Next.

  4. On the Certificate Lifecycle Manager License Agreement page, read the license terms, select I accept the terms in the license agreement, and then click Next.

  5. On the Product Key page, type a valid product key, and then click Next.

    If you do not enter a valid product key, the installation software installs ILM CMS as an evaluation copy, which you can use for 180 days.

  6. On the Custom Setup page, select CLM CA Files and CLM System Files.

  7. To change where you install the files, click Change, choose a different location, and then click OK.

    The default installation path is %ProgramFiles%\Microsoft Certificate Lifecycle Manager.

  8. On the Custom Setup page, in the list next to Web Files, select This feature will not be available to prevent Web Files from installing.

  9. On the Custom Setup page, click Next.

  10. On the Ready to Install Certificate Lifecycle Manager page, click Install.

  11. On the Certificate Lifecycle Manager Installation Complete page, click Finish.

Note

For information about configuring the CLM exit module and CLM policy module for the CA, see Configuring the CA for CLM 2007.

Important

Before you start the next procedure, be sure that you have installed the CA modules and that you have a SQL Server database available.

To install the Web site on the CLM 2007 computer

  1. From the ILM CMS installation CD, run CLM.msi.

    CLM.msi is located at CDDrive\CLM\. CDDrive is the name of your CD drive.

  2. On the Welcome to the Installation Wizard page, click Next.

  3. On the Certificate Lifecycle Manager License Agreement page, read the license terms, select I accept the terms in the license agreement, and then click Next.

  4. On the Product Key page, type a valid product key, and then click Next.

    If you do not enter a valid product key, the installation software installs ILM CMS as an evaluation copy, which you can use for 180 days.

  5. On the Custom Setup page, in the list next to CLM CA Files, select This feature will not be available to prevent CLM CA Files from installing.

  6. On the Custom Setup page, select Web Files and CLM System Files.

  7. To change where you install the files, click Change, choose a different location, and then click OK.

    The default installation path is %ProgramFiles%\Microsoft Certificate Lifecycle Manager.

  8. On the Virtual Web Folder page, specify a name for a virtual Web folder.

    This folder will be the address for the CLM Web site. The default virtual Web folder name is Clm.

  9. On the Ready to Install the Certificate Lifecycle Manager page, click Install to begin installation.

  10. On the Certificate Lifecycle Manager Installation Complete page, click Finish.

Configuring CLM 2007 Using the CLM Configuration Wizard

To configure the ILM CMS on the CLM server, you run the CLM Configuration Wizard. However, if you plan to run the CLM Configuration Wizard from a user account that is a child domain administrator, you must first assign specific user rights and permissions to the Domain Admins group.

Perform prerequisite configuration tasks

If you do not want to run the CLM Configuration Wizard as a member of the Enterprise Admins group, you must complete prerequisite configuration tasks.

Note

We recommend that you run CLM Configuration Wizard from a user account that is a member of the Enterprise Admins group. That group has the necessary permissions for the relevant profile templates and certificate templates. For information about configuring ILM CMS as a member of the Enterprise Admins group, see Run the CLM Configuration Wizard.

If you want to configure the CLM server as a child domain administrator, you must perform the following procedure to grant the necessary permissions to the Domain Admins group for the Certificate Templates container and the Profile Templates container.

To perform prerequisite tasks to configure the CLM server as a child domain administrator

  1. Use the Certification Authority snap-in to grant the following permissions on the Certificate Templates container to the Domain Admins group of the child domain:

    • List Contents

    • Read All Properties

    • Write All Properties

    • Read Permissions

    • Modify Permissions

    • Modify Owner

    • All Validated Writes

  2. Use the Certificate Templates snap-in to grant Read and Write permissions on the User, KeyRecoveryAgent, and EnrollmentAgent certificate templates to the Domain Admins group of the child domain.

  3. Use the Active Directory Sites and Services snap-in to create a container for profile templates: in Configuration, under Public Key Services, create a container named Profile Templates, and then ensure that it is of the Container class.

  4. In Active Directory Sites and Services, grant the following permissions on the Profile Templates container to the Domain Admins group of the child domain:

    • List Contents

    • Read All Properties

    • Write All Properties

    • Read Permissions

    • Modify Permissions

    • Modify Owner

    • All Validated Writes

    • Create All Child Objects

  5. Grant the Restore files and directories user right to the Domain Admins group of the child domain on the root domain controller.

  6. Optionally, create the CLM agent accounts, and then grant them Read and Enroll permissions to the User, KeyRecoveryAgent, and EnrollmentAgent certificate templates.

    Note

    Active Directory might require additional permissions based on the service connection point location. If the CLM server and the server on which you installed the CA are in different domains, the domain administrator running the CLM Configuration Wizard might require additional access to modify the CA settings.
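The script below is an added example, not part of the ILM CMS documentation, showing how steps 1 through 4 of the procedure above can be applied with dsacls.exe and ADSI instead of the snap-ins, so that the grant is repeatable and the resulting ACEs can be reviewed. It assumes a constructed child domain with the NetBIOS name CHILD, runs from a machine that can reach the forest configuration partition, and requires dsacls.exe (part of Windows Support Tools on Windows Server 2003). Step 5, the Restore files and directories user right, is a local security policy setting on the root domain controller and is not covered by the script.

```powershell
# Added example (not from the ILM CMS documentation): grant a child domain's
# Domain Admins group the container and template permissions from steps 1-4.
# Assumptions: child domain NetBIOS name CHILD (placeholder); dsacls.exe available;
# caller can write ACLs on the Public Key Services containers (Enterprise Admin).

$childGroup = 'CHILD\Domain Admins'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configDn = [string]$rootDse.configurationNamingContext
$pksDn    = "CN=Public Key Services,CN=Services,$configDn"
$certTemplatesDn    = "CN=Certificate Templates,$pksDn"
$profileTemplatesDn = "CN=Profile Templates,$pksDn"

# dsacls permission codes: LC list contents, RP read all properties,
# WP write all properties, RC read permissions, WD modify permissions,
# WO modify owner, WS all validated writes, CC create all child objects.
$containerRights = 'LCRPWPRCWDWOWS'
$profileRights   = $containerRights + 'CC'

function Grant-Rights([string]$dn, [string]$trustee, [string]$rights) {
    # /G grants an allow ACE; "trustee:rights" is passed as a single argument.
    & dsacls.exe $dn /G "${trustee}:${rights}"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $dn (exit code $LASTEXITCODE)" }
}

# Step 1: the Certificate Templates container itself.
Grant-Rights $certTemplatesDn $childGroup $containerRights

# Step 2: Read and Write (GR, GW) on the three templates the CLM agents use.
foreach ($tpl in 'User', 'KeyRecoveryAgent', 'EnrollmentAgent') {
    Grant-Rights "CN=$tpl,$certTemplatesDn" $childGroup 'GRGW'
}

# Step 3: create CN=Profile Templates with the container class if it is missing.
if (-not [ADSI]::Exists("LDAP://$profileTemplatesDn")) {
    $pks = [ADSI]"LDAP://$pksDn"
    $newContainer = $pks.Create('container', 'CN=Profile Templates')
    $newContainer.SetInfo()
}

# Step 4: same rights as step 1 plus Create All Child Objects.
Grant-Rights $profileTemplatesDn $childGroup $profileRights

# Show the resulting ACEs for the group so the grant can be reviewed before the
# Configuration Wizard is run (and compared against the list in the procedure).
foreach ($dn in $certTemplatesDn, $profileTemplatesDn) {
    Write-Host "--- $dn"
    & dsacls.exe $dn | Select-String -SimpleMatch $childGroup
}
```

These rights let the child domain's Domain Admins rewrite every certificate and profile template in the forest, which is forest-wide trust handed to a domain-scoped group; if that is not acceptable, run the Configuration Wizard as an Enterprise Admin instead, as the note above recommends, and leave the containers' default ACLs in place.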

Run the CLM Configuration Wizard

To correctly configure ILM CMS, you must run the CLM Configuration Wizard. The CLM Configuration Wizard guides you through the necessary configuration tasks and creates the CLM database. It can also create the required user accounts automatically.

Note

You can perform the following procedure without completing the prerequisite configuration tasks described in Perform prerequisite configuration tasks only if you perform it with a user account that is a member of the Enterprise Admins group.

To configure CLM 2007

  1. Click Start, point to Programs, point to Microsoft Certificate Lifecycle Manager, and then click Configuration Wizard.

  2. On the Welcome to the Configuration Wizard page, click Next.

  3. On the CA Configuration page, verify the name of the CA and the Domain Name System (DNS) name for the CA server, and then click Next.

  4. If you want to specify a remote CA, do the following steps:

    1. Click Browse, and then select any enterprise CA in the forest shown in the Select Certification Authority dialog box.

    2. Verify the CA and DNS names, and then click OK.

  5. On the Set up the SQL Server Database page, configure SQL Server for use with ILM CMS. In Name of SQL Server, type the IP address of the SQL Server database. If the SQL Server database is on the same computer, use the default value, which is (local).

  6. On the Set up the SQL Server Database page, configure the SQL Server service account.

  7. On the Set up the SQL Server Database page, configure the password for the SQL Server administrative account. To use the credentials for the current user, or to specify a user account and password to use to connect to the SQL Server database, perform one of the following actions:

    • To use the account information for the current user, select the Use my credentials to create the database check box.

    • To specify a different user account, clear the Use my credentials to create the database check box, and then type the user account and password used for connections to the SQL Server database.

  8. If you installed the SQL Server database on a different server, or if you want to use the credentials for a different user, provide the user account information and password.

  9. On the Set up the SQL Server Database page, click Next.

  10. On the Database Settings page, under Database name, specify the name for the CLM database.

  11. Under Specify a location for the database file, you can enter a location or use the null value. If you use the null value, ILM CMS uses the default location for the SQL Server database file.

    Note

    We recommend that you browse for a database directory only if you installed SQL Server on the same computer as you installed ILM CMS.

  12. Under Specify the database user account that Certificate Lifecycle Manager uses to connect to the database, choose one of the following authentication methods:

    • SQL integrated authentication is selected by default, which specifies that you want to use Windows Integrated Authentication for SQL Server. This authentication mechanism gives the Web Pool Agent account the necessary permissions to the CLM database.

    • Click SQL mixed mode authentication if you want to provide a different user account and password for ILM CMS to connect to the SQL Server database. You can use the default name for the user account, which is CLMUser, or you can specify a name for a custom user account. If you use the SQL mixed mode authentication setting, the CLM Configuration Wizard also creates a user account named CLMExternal, which is used for creating requests with the CLM SQL API.

  13. On the Database Settings page, click Next.

  14. On the Set up Active Directory page, type the name of the directory entry that Active Directory uses to store ILM CMS configuration information.

    Use the default values on the Directory Settings page, and then click Next.

  15. On the Agents - Microsoft CLM page, perform one of the following actions:

    • To use the default user accounts, leave the check boxes unchanged.

      Table 3 shows the required ILM CMS agent user accounts and their default user names.

    • To create a custom user account, clear the Use the CLM default settings check box, and then click Custom Accounts.

  16. On the Agents - Microsoft CLM page, click Next.

  17. On the Set up server certificates page, perform one of the following actions:

    • To use the default certificate templates for the key recovery agent, the CLM agent, and the enrollment agent, leave the check boxes unchanged.

      Table 4 shows these certificate templates.

    • To manually create and configure the certificate templates, select the Create and configure certificates manually check box.

  18. On the Set up server certificates page, click Next.

  19. On the Set up E-mail Server, Document Printing page, type the IP address or DNS name of the Simple Mail Transfer Protocol (SMTP) host that ILM CMS uses to send e-mail notifications.

    The default SMTP IP address is 127.0.0.1, which indicates that ILM CMS uses the local SMTP service.

    Note

    To distribute one-time passwords, ILM CMS requires anonymous SMTP relaying. If you configure SMTP relaying on an SMTP server, you can lock SMTP relaying to a specific IP address. You can also configure SMTP relaying to perform authenticated relaying to an SMTP server where SMTP relaying can resolve a mail exchanger (MX) record. For more information about enabling local SMTP relaying, see Configuring SMTP Virtual Server Relay Restrictions (IIS 6.0) (https://go.microsoft.com/fwlink/?LinkId=81978).

  20. Type the name of the folder where ILM CMS stores files to send to a printer.

    The default folder for these files, Print Documents, is at the following location: %ProgramFiles%\Microsoft Certificate Lifecycle Manager\Print Documents.

  21. On the Set up E-mail Server, Document Printing page, click Next.

  22. On the Ready to Configure page, verify the selected settings, and then click Configure.

    This might take a few minutes.

  23. When the configuration completes, click Finish to exit the CLM Configuration Wizard.

  24. To open the CLM Web site, in Internet Explorer, go to https://DNSName/CLM.

    DNSName is the DNS name assigned to the server that hosts ILM CMS.

    Note

    On each computer that you use to access the CLM Web site, you must add the CLM Web site to the Trusted Sites Web content security zone in Internet Explorer. Because the CLM Web site enforces the use of trusted sites, it does not function correctly unless you add it to Trusted Sites.

By default, Active Directory stores the CLM agent user accounts in the CN=Users,DomainName container. DomainName is the Lightweight Directory Access Protocol (LDAP) distinguished name of the default domain. Table 3 shows the required CLM agent user accounts and their default user names. The previous procedure describes how to create these accounts using the CLM Configuration Wizard. ILM CMS uses these agent user accounts to perform administrative operations.

Table 3   Required CLM agent user accounts

CLM agent user account   Description

CLM Agent                Conducts operations for ILM CMS that require specific permissions. ILM CMS uses this agent to sign data. The default account name for this agent is CLMAgent.

Key Recovery Agent       Recovers archived private keys from the CA. The default account name for this agent is CLMKRAgent.

Authorization Agent      Reads security information of user and group entries in Active Directory. The default account name for this agent is CLMAuthAgent.

CA Manager Agent         Performs actions against the certification authority. The default account name for this agent is CLMCAMngr.

Web Pool Agent           Runs ILM CMS in IIS. The default account name for this agent is CLMWebPool. If you use Integrated Windows Authentication, ILM CMS grants this account permissions to the CLM database, and the account performs all read/write operations in the SQL Server database on behalf of the CLM server.

Enrollment Agent         Requests certificates on behalf of a user account. The default account name for this agent is CLMEnrollAgent.
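The following script is an added post-configuration check, not part of the ILM CMS documentation. It verifies that the six default agent accounts from Table 3 exist in CN=Users of the current domain and are enabled, and it registers the CLM Web site in the Trusted Sites zone for the current user, which the note in the procedure above requires on every computer used to reach the site. The CLM server name clm01.contoso.com is a constructed placeholder; the registry layout used for zone assignment is Internet Explorer's ZoneMap, where the value 2 denotes the Trusted Sites zone.

```powershell
# Added example (not from the ILM CMS documentation): verify the default CLM agent
# accounts and add the CLM Web site to the Trusted Sites zone for the current user.
# Assumptions: CLM server clm01.contoso.com (placeholder); the computer running this
# is joined to the domain in which the Configuration Wizard created the accounts.

$clmHost = 'clm01.contoso.com'
$agents  = 'CLMAgent', 'CLMKRAgent', 'CLMAuthAgent', 'CLMCAMngr', 'CLMWebPool', 'CLMEnrollAgent'

$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Users,$domainDn"
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))

function Test-ClmAgents {
    # Returns a list of problems; an empty list means all six accounts are usable.
    $problems = @()
    foreach ($name in $agents) {
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$name))"
        $hit = $searcher.FindOne()
        if ($hit -eq $null) { $problems += "$name is missing from CN=Users"; continue }
        # Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
        $uac = [int]$hit.Properties['useraccountcontrol'][0]
        if ($uac -band 0x2) { $problems += "$name exists but is disabled" }
    }
    return $problems
}

function Add-TrustedSite([string]$fqdn) {
    # Zone assignments live under ZoneMap\Domains\<domain>\<host>; a DWORD named
    # after the scheme holds the zone number (2 = Trusted Sites). Only https is
    # registered, because the CLM Web site is used over SSL/TLS.
    $labels = $fqdn.Split('.')
    if ($labels.Length -lt 2) { throw "Expected a fully qualified name, got '$fqdn'" }
    $domain = ($labels[-2..-1]) -join '.'
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($labels.Length -gt 2) {
        $hostLabel = ($labels[0..($labels.Length - 3)]) -join '.'
        $key = "$key\$hostLabel"
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
    return $key
}

$issues = Test-ClmAgents
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'All six default CLM agent accounts are present and enabled.'
}
Write-Host ("Trusted Sites entry written at " + (Add-TrustedSite $clmHost))
```

The Trusted Sites entry written here is per user. For more than a handful of workstations, set it centrally with the Internet Explorer "Site to Zone Assignment List" Group Policy setting instead, which also stops users from adding arbitrary sites to the zone.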

Table 4 shows the required certificates and certificate templates for the Key Recovery Agent, the CLM Agent, and the CLM Enrollment Agent.

Table 4   CLM agent user account certificates

Certificate            Certificate template

Key Recovery Agent     Requests the key recovery agent certificate that is used by the CLMKRAgent user account. By default, ILM CMS uses the KeyRecoveryAgent certificate template.

CLM Agent signing      Signs certificate requests. By default, ILM CMS uses the User certificate template.

Enrollment agent       Signs certificate requests by the CLMEnrollAgent user account. By default, ILM CMS uses the EnrollmentAgent certificate template.

Configuring the CA for CLM 2007

For ILM CMS to work correctly, you must configure the CLM exit module and CLM policy module.

Configure the CLM exit module

To configure the CLM exit module, you must have the Manage CA permission for the local CA.

To configure the CLM exit module

  1. Click Start, point to Administrative Tools, and then click Certification Authority.

  2. In the Certification Authority snap-in, right-click CAName, and then click Properties.

    CAName is the name of the CA.

  3. At the CAName Properties dialog box, click the Exit Module tab, and then click Add.

  4. In the Set Active Exit Module dialog box, select CLM Enterprise Exit Module, and then click OK.

  5. In the CAName Properties dialog box, on the Exit Module tab, in Exit Modules, select CLM Enterprise Exit Module, and then click Properties.

  6. In the Configuration Properties dialog box, type the connection string for the SQL Server that hosts the CLM database, and then click OK.

    If the SQL Server database that you use is not on the same computer as the CLM exit module, enter the name of the remote SQL Server. If you use SQL Integrated Authentication and ILM CMS is not installed on the same server as the CA, you must also grant the CA account permissions for the CLM database on the server running SQL Server. To do so, perform the following actions:

    1. Log on to the SQL Server Management console as a database administrator.

    2. In the console tree, expand the CLM database, and then click Logins.

    3. On the Action menu, click New Login.

    4. On the General tab, click the ellipsis button (...) to find the name of the server where you installed the CA.

    5. Select the name of the server where you installed the CA, and then click OK.

      The selection dialog box closes, and ILM CMS applies the domain name for the server where you installed the CA as the default domain name. Verify that Authentication is set to Windows Authentication and that Security access is set to Grant access; these are the default settings.

    6. Select the Database Access tab, and then click Permit for the CLM database.

    7. In Database roles for CLM, select Permit for public and clmApp.

      This setting ensures that the CLM exit module has the appropriate permission to write to the CLM database.

  7. In the Configuration Properties dialog box, click OK.

  8. In the CAName Properties dialog box, click OK.

Note

For configuration changes to take effect, you might have to restart Certificate Services.

Configure the CLM policy module

To configure the CLM policy module, you must have the Manage CA permission for the local CA.

To configure the CLM policy module

  1. Click Start, point to Administrative Tools, and then click Certification Authority.

  2. In the Certification Authority snap-in, right-click CAName, and then click Properties.

    CAName is the name of the CA.

  3. In CAName Properties, click the Policy Module tab, and then click Select to designate the Active Policy Module.

  4. In the Set Active Policy Module dialog box, select CLM Enterprise Policy Module and then click OK.

  5. On the Policy Module tab of the CAName Properties dialog box, click Properties.

  6. In the Configuration Properties dialog box, on the General tab, select Pass non-CLM requests to the default policy module for processing.

  7. In the Configuration Properties dialog box, on the Default Policy Module tab, click Properties.

  8. In the Default Policy Module dialog box, select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and then click OK.

  9. In the Configuration Properties dialog box, click OK.

Important

The following procedure is optional and will configure the CLM policy module to only accept signed requests from defined certificates.

To configure the CLM policy module to only accept signed requests from defined certificates

  1. Open Registry Editor.

    To do this click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSrv\clm.policy.

  3. Right-click clm.policy, point to New, and then click Multi-String Value.

  4. Name the new value CERTVALIDHASHES.

  5. Right-click CERTVALIDHASHES, and then click Modify.

  6. In Edit Multi-String, type the certificate hashes (without spaces) that are trusted by the CA policy module. (Separate certificate hashes with a semicolon.)

    Note

    ILM CMS uses the CLM Agent account to sign all CA request data.

  7. Right-click clm.policy, point to New, and then click DWORD Value.

  8. Name the new DWORD value CERTVALIDATIONFLAGS.

  9. Right-click CERTVALIDATIONFLAGS, and then click Modify.

  10. In Edit DWORD Value, under Value data, type a flag value.

    Table 5 shows the possible values.

Note

By default, ILM CMS signs and verifies all requests to the CA policy module.

Table 5   Possible values for the CERTVALIDATIONFLAGS value

Value Setting

CAPICOM_CHECK_NONE

0

CAPICOM_CHECK_TRUSTED_ROOT

1

CAPICOM_CHECK_TIME_VALIDITY

2

CAPICOM_CHECK_SIGNATURE_VALIDITY

4

CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

8

CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS

16

CAPICOM_CHECK_COMPLETE_CHAIN

32

CAPICOM_CHECK_NAME_CONSTRAINTS

64

CAPICOM_CHECK_BASIC_CONSTRAINTS

128

CAPICOM_CHECK_NESTED_VALIDITY_PERIOD

256

CAPICOM_CHECK_ONLINE_ALL

495

CAPICOM_CHECK_OFFLINE_ALL

503
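The two registry values work together: CERTVALIDHASHES names the signing certificates the policy module will trust, and CERTVALIDATIONFLAGS is a bitmask, so the Table 5 values can be added together (CAPICOM_CHECK_ONLINE_ALL, 495, is every single check except offline revocation, and CAPICOM_CHECK_OFFLINE_ALL, 503, is every single check except online revocation). The Python helpers below are an added example, not ILM CMS or Microsoft code: they build the hash list in the required form and compose or decode the flag value. They assume the hashes are SHA-1 thumbprints as shown in the Windows certificate viewer, which is an assumption, not something the procedure states.

```python
"""Build and interpret the clm.policy registry values described in the procedure above.

Added example, not part of ILM CMS. It only produces and decodes the values; writing
them to the registry is done with Registry Editor as the procedure describes.
"""
from __future__ import annotations

# Flag names and values exactly as listed in Table 5.
CERTVALIDATIONFLAGS = {
    "CAPICOM_CHECK_NONE": 0,
    "CAPICOM_CHECK_TRUSTED_ROOT": 1,
    "CAPICOM_CHECK_TIME_VALIDITY": 2,
    "CAPICOM_CHECK_SIGNATURE_VALIDITY": 4,
    "CAPICOM_CHECK_ONLINE_REVOCATION_STATUS": 8,
    "CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS": 16,
    "CAPICOM_CHECK_COMPLETE_CHAIN": 32,
    "CAPICOM_CHECK_NAME_CONSTRAINTS": 64,
    "CAPICOM_CHECK_BASIC_CONSTRAINTS": 128,
    "CAPICOM_CHECK_NESTED_VALIDITY_PERIOD": 256,
    "CAPICOM_CHECK_ONLINE_ALL": 495,
    "CAPICOM_CHECK_OFFLINE_ALL": 503,
}

# The individual checks are the entries with exactly one bit set; the two *_ALL
# entries are pre-combined sums of those bits.
_SINGLE_BITS = {n: v for n, v in CERTVALIDATIONFLAGS.items() if v and (v & (v - 1)) == 0}


def compose_flags(*names: str) -> int:
    """OR the named checks together into the DWORD to type under Value data."""
    value = 0
    for name in names:
        value |= CERTVALIDATIONFLAGS[name]
    return value


def decompose_flags(value: int) -> list[str]:
    """List the individual checks a DWORD value enables, lowest bit first."""
    if value < 0 or value > 0x1FF:
        raise ValueError(f"{value} is outside the range Table 5 defines")
    ordered = sorted(_SINGLE_BITS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if value & bit]


def build_certvalidhashes(thumbprints: list[str]) -> str:
    """Return the CERTVALIDHASHES text: hashes without spaces, separated by semicolons.

    Assumption: each hash is a SHA-1 certificate thumbprint (40 hex digits). The
    certificate viewer shows thumbprints with spaces between byte pairs; those are
    removed, and a value that is not 40 hex digits is rejected so a mistyped hash
    cannot silently fail to match the CLM Agent's signing certificate.
    """
    cleaned = []
    for tp in thumbprints:
        h = tp.replace(" ", "").lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-1 thumbprint: {tp!r}")
        cleaned.append(h)
    return ";".join(cleaned)


if __name__ == "__main__":
    # Constructed sample thumbprint, as it would be copied from the certificate viewer.
    sample = "00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33"
    print("CERTVALIDHASHES =", build_certvalidhashes([sample]))
    print("CAPICOM_CHECK_OFFLINE_ALL enables:", decompose_flags(503))
```

If you leave CERTVALIDATIONFLAGS at 0 the policy module only checks that the request was signed by one of the listed certificates; adding the chain and revocation bits makes it also reject a signing certificate that has been revoked or is no longer within its validity period.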

Configure additional policy modules

You may want to configure additional policy modules for ILM CMS to control certificate subjects and to support certificate requests that are generated outside of ILM CMS.

To configure additional policy modules

  1. Log on to the CLM server with a user account assigned the Manage CA permission for the local CA.

  2. Click Start, point to Administrative Tools, and then click Certification Authority.

  3. In Certification Authority, right-click the certification authority and then click Properties.

  4. In CAName Properties, on the Policy Module tab, click Properties to install and configure a custom module.

  5. In Configuration Properties, on the Custom Modules tab, click the Add button.

  6. In Open, locate the Microsoft.CLM.PolicyModulePlugins.dll file, and then click Open.

    The default location for the file is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\CA.

  7. In Clm Policy Module, select a policy module. Table 6 shows the available policy modules.

  8. In Custom Module Name, provide a unique name for the policy module, and then click OK.

  9. To modify the policy module's properties, in Configuration Properties, select the policy module and click Properties.

Table 6   CLM policy modules

Policy module Description

Certificate SMimeCapabilities Module 1.0

Limits the available encryption algorithms that you can use when you use a certificate for Secure/Multipurpose Internet Mail Extensions (S/MIME). This module is also called the S/MIME Capabilities policy module.

Certificate Subject Module 1.0

Inserts a custom subject into a certificate. This module is also called the Subject policy module.

SubjectAltName Module 1.1

Inserts a custom field into a certificate's SubjectAltName value. This module is also called the Subject Alternative Name policy module.

Support for non-CLM certificate requests

Registers ILM CMS certificates that are issued outside of ILM CMS. Examples include auto-enrollment and Microsoft Management Console (MMC). This module is also called the Non-CLM Request policy module.

Configure the S/MIME Capabilities policy module

You can use the S/MIME Capabilities policy module to limit the available encryption algorithms that you can use when you use a certificate for S/MIME. Your organization can exclude available algorithms that you might consider weak or unsuitable for use.

To configure the S/MIME Capabilities policy module

  1. In the Custom Module Properties dialog box, in Filter, select the certificate template that you want to use for S/MIME.

  2. In Provider, click Configure.

  3. In the S/MIME Capabilities dialog box, provide the object identifiers (also known as OIDs) of the algorithms to list in the SMIMECapabilities extension, that is, the algorithms that the S/MIME user supports.

Each algorithm is uniquely identified by its object identifier, a dot-delimited sequence of numbers. Table 7 shows the algorithms and their corresponding object identifiers.

Table 7   CLM 2007 algorithms and object identifiers

Algorithm Object identifier

RC2-CBC

1.2.840.113549.3.2

RC4

1.2.840.113549.3.4

DES-CBC

1.3.14.3.2.7

DES-EDE3-CBC

1.2.840.113549.3.7

Some algorithms accept parameters, which can be any ASN.1 object. For example, RC2 can have the key length passed to it.

Table 8 shows example settings.

Table 8   Sample CLM 2007 algorithm settings

Algorithm Setting Description

3DES

1.2.840.113549.3.7[]

Specifies 3DES in the SMimeCapabilities extension. The object identifier is for 3DES. The empty square brackets indicate that no parameters are included.

RC2 with a key length of 128

1.2.840.113549.3.2[0x02020080]

Specifies RC2 with a key length of 128. The object identifier is for RC2. The parameter is a sequence of bytes in hexadecimal, where:

  • "0x" is the prefix for any hexadecimal number.

  • "0202" is the ASN.1 DER header: tag 02 (INTEGER) followed by the length 02 (2 bytes).

  • "0080" is the actual parameter that is 2 bytes long. "0080" in hexadecimal is 128 in decimal.

Multiple algorithms

1.2.840.113549.3.2[0x02020080];

1.2.840.113549.3.4[0x02020080];

1.3.14.3.2.7[];

1.2.840.113549.3.7[]

Use semicolons to separate multiple algorithms.

  • This setting specifies the RC2, RC4, DES, and 3DES algorithms respectively.

  • The parameters are, respectively: 128, 128, none, none.

  • The order that the algorithms are listed is their order in the certificate's SMimeCapabilities extension.
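The setting strings in Table 8 follow one syntax: an entry per algorithm, the OID followed by square brackets holding the DER-encoded parameter as 0x-prefixed hex, and entries separated by semicolons. The Python below is an added example, not ILM CMS code. It encodes an RC2 key-length parameter the way the table shows (the leading 00 in 02020080 is what keeps the INTEGER positive, because 0x80 on its own has the sign bit set), builds a complete setting string, parses one back, and flags RC2, RC4 and single DES as legacy ciphers an organization may want to exclude, as the section above suggests. Algorithm names and OIDs are taken from Table 7; the legacy classification is added here and is not from the page.

```python
"""Encode and parse the S/MIME Capabilities policy module setting string.

Added example, not ILM CMS code. Setting syntax as shown in Table 8:
    OID[0xHEX];OID[];...
where the bracketed hex is the DER encoding of the algorithm parameter.
"""
from __future__ import annotations

# Table 7 algorithms and object identifiers.
ALGORITHMS = {
    "1.2.840.113549.3.2": "RC2-CBC",
    "1.2.840.113549.3.4": "RC4",
    "1.3.14.3.2.7": "DES-CBC",
    "1.2.840.113549.3.7": "DES-EDE3-CBC",
}
# Classification added here (not from the page): ciphers a reviewer would normally exclude.
LEGACY = {"RC2-CBC", "RC4", "DES-CBC"}


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER: tag 0x02, length, two's-complement content.

    128 -> 02 02 00 80. The extra 00 byte is required because 0x80 alone has its
    high bit set and would decode as -128.
    """
    if value < 0:
        raise ValueError("key lengths are non-negative")
    # One byte more than the magnitude needs whenever the top bit would be set.
    body = value.to_bytes((value.bit_length() // 8) + 1, "big")
    return b"\x02" + bytes([len(body)]) + body


def capability(oid: str, parameter: bytes | None = None) -> str:
    """Render one 'OID[...]' entry; empty brackets mean no parameter."""
    if parameter is None:
        return f"{oid}[]"
    return f"{oid}[0x{parameter.hex()}]"


def build_setting(entries: list[tuple[str, int | None]]) -> str:
    """entries: (oid, key length in bits or None), in the order they should appear."""
    return ";".join(
        capability(oid, None if bits is None else der_integer(bits)) for oid, bits in entries
    )


def parse_setting(setting: str) -> list[dict]:
    """Split a setting string into OID, parameter bytes, algorithm name and a legacy flag."""
    out = []
    for item in setting.replace("\n", "").split(";"):
        item = item.strip()
        if not item:
            continue
        if "[" not in item or not item.endswith("]"):
            raise ValueError(f"malformed entry: {item!r}")
        oid, raw = item[:-1].split("[", 1)
        if not all(part.isdigit() for part in oid.split(".")):
            raise ValueError(f"bad OID: {oid!r}")
        if raw == "":
            param = b""
        elif raw.startswith("0x"):
            param = bytes.fromhex(raw[2:])
        else:
            raise ValueError(f"parameter must be empty or 0x-prefixed hex: {raw!r}")
        name = ALGORITHMS.get(oid, "unknown")
        out.append({"oid": oid, "name": name, "parameter": param, "legacy": name in LEGACY})
    return out


def decode_key_length(parameter: bytes) -> int | None:
    """Recover the key length from a DER INTEGER parameter; None when there is none."""
    if not parameter:
        return None
    if len(parameter) < 2 or parameter[0] != 0x02 or parameter[1] != len(parameter) - 2:
        raise ValueError("parameter is not a single DER INTEGER")
    return int.from_bytes(parameter[2:], "big", signed=True)


if __name__ == "__main__":
    # The "Multiple algorithms" row of Table 8, rebuilt from its components.
    setting = build_setting([
        ("1.2.840.113549.3.2", 128),
        ("1.2.840.113549.3.4", 128),
        ("1.3.14.3.2.7", None),
        ("1.2.840.113549.3.7", None),
    ])
    print(setting)
    for entry in parse_setting(setting):
        print(entry["name"], decode_key_length(entry["parameter"]), "legacy" if entry["legacy"] else "")
```

Running the parser over an existing setting before you save it is a cheap way to catch a mistyped OID or a parameter that is not minimal DER; the dialog box itself does not validate the string.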

Configure the Subject policy module

You can use the Subject policy module to insert a custom subject into a certificate.

To configure the Subject policy module

  1. In the Custom Module Properties dialog box, in Filter, select the certificate template to configure.

  2. In Provider, click Configure.

  3. In the Certificate Subject Name dialog box, type the information that you want to include in the certificate subject, for example, cn={User!givenName} {User!surName}, cn={CLM!UserID}, ou=People, c=CA.

You must use specific tags to dynamically build a certificate subject from the Active Directory user attributes and from the ILM CMS registration data. Table 9 shows these tags.

Table 9   Subject policy module certificate subject tags

Tag Description

{User!ActiveDirectoryAttribute}

Inserts the value of an Active Directory attribute of the user, such as givenName.

{CLM!ItemName}

Inserts the value of an ILM CMS data collection item.

Configure the Subject Alternative Name policy module

You can use the Subject Alternative Name policy module to populate custom subject alternative names for certificates.

To configure the Subject Alternative Name policy module

  1. In the Custom Module Properties dialog box, in Provider, click Configure.

  2. In the Certificate SubjectAltName Configuration dialog box, click Add.

  3. In the SubjectAltName Add Entry dialog box, in Type, select a type.

    Table 10 shows the types that you can choose.

  4. In Value, select a format, type information in the Value Template box, and then click OK.

    Table 11 shows the value template formats.

  5. In the Certificate SubjectAltName Configuration dialog box, click OK.

  6. In the Custom Module Properties dialog box, in Filter, select a certificate template to apply the policy module to, and then click OK.

Note

The SubjectAltName Add Entry dialog box has two sections. One section specifies the type of subject alternative name, and the other section identifies the value that appears in the certificate.

Table 10 shows the formats for the subject alternative name that ILM CMS supports.

Table 10   Possible SubjectAltName types

SubjectAltName types Description

RFC822Mailbox

Formats the value as an e-mail address.

DNSName

Formats the value as a DNS name.

OtherName

Enables you to specify the subject alternative name by an object identifier (also known as OID).

Important

   You must provide the object identifier because it must be included in the certificate.

You must specify a value for each SubjectAltName type. Table 11 shows the value formats.

Table 11   SubjectAltName type value formats

Format Description

UTF8String

Typically, this format stores any data that contains Unicode characters, for example, an e-mail address or a URL.

IA5String

Typically, this format is any alphanumeric string. This includes any ASCII characters.

You must enter information in the Value Template box to associate the data to the value of SubjectAltName in the certificate for the user. You can obtain these values from Active Directory or from the CLM database.

Use the following format for the information in the Value Template box: {User!ActiveDirectoryAttribute}. ActiveDirectoryAttribute is the attribute value in Active Directory. Table 12 shows sample values.

Table 12   Sample Active Directory values

Sample Active Directory value Description

{User!email}

Returns the value for the mail attribute of the user for whom the certificate is being issued.

{CLM!ItemName}

Returns the data collection item in the ILM CMS data.

{CLM!dataItem1}

Adds a data item to the subject alternative name if the enrollment policy included a data collection item, such as an employee number, that was the first collection item.
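The same tag syntax drives both the Subject policy module (Table 9) and the Subject Alternative Name value template (Table 12). The Python below is an added example, not ILM CMS code: it expands {User!attribute} and {CLM!item} tags over constructed sample data, applies the Table 10 type and Table 11 format rules to a subject alternative name entry, and refuses an IA5String value that contains non-ASCII characters, which is the case where UTF8String is needed. The sample attribute names and data items are constructed; the user's mail attribute is addressed by its LDAP name, {User!mail}, rather than the {User!email} spelling in Table 12.

```python
"""Expand the {User!attr} and {CLM!item} tags of the Subject and Subject Alternative
Name policy modules over constructed sample data.

Added example: not ILM CMS code, only a model of the tag syntax the documentation
describes.
"""
from __future__ import annotations

import re

TAG = re.compile(r"\{(User|CLM)!([A-Za-z0-9]+)\}")

# Constructed sample input: what the policy module would read from Active Directory
# and from the CLM database for one enrollment request.
SAMPLE_USER = {"givenName": "Ana", "surName": "Lövgren", "mail": "ana.lovgren@example.com"}
SAMPLE_CLM = {"UserID": "alovgren", "dataItem1": "E-48213"}

SAN_TYPES = {"RFC822Mailbox", "DNSName", "OtherName"}   # Table 10
SAN_FORMATS = {"UTF8String", "IA5String"}               # Table 11


def render(template: str, user: dict, clm: dict) -> str:
    """Replace every tag with its value. An unknown tag raises instead of leaving a
    literal '{User!x}' in a certificate subject."""
    def substitute(match: re.Match) -> str:
        source, key = match.group(1), match.group(2)
        table = user if source == "User" else clm
        if key not in table:
            raise KeyError(f"{{{source}!{key}}} has no value for this request")
        return table[key]
    return TAG.sub(substitute, template)


def render_san(kind: str, fmt: str, template: str, user: dict, clm: dict) -> tuple[str, str, str]:
    """Model one SubjectAltName Add Entry: type (Table 10), value format (Table 11) and
    value template (Table 12). IA5String holds only ASCII, so a Unicode value must use
    UTF8String; an RFC822Mailbox value must look like an e-mail address."""
    if kind not in SAN_TYPES:
        raise ValueError(f"unsupported SubjectAltName type: {kind}")
    if fmt not in SAN_FORMATS:
        raise ValueError(f"unsupported value format: {fmt}")
    value = render(template, user, clm)
    if fmt == "IA5String" and not value.isascii():
        raise ValueError(f"{value!r} contains non-ASCII characters; use UTF8String")
    if kind == "RFC822Mailbox" and value.count("@") != 1:
        raise ValueError(f"{value!r} is not an e-mail address")
    return kind, fmt, value


if __name__ == "__main__":
    subject = "cn={User!givenName} {User!surName}, cn={CLM!UserID}, ou=People, c=CA"
    print(render(subject, SAMPLE_USER, SAMPLE_CLM))
    print(render_san("RFC822Mailbox", "IA5String", "{User!mail}", SAMPLE_USER, SAMPLE_CLM))
    print(render_san("OtherName", "UTF8String", "{CLM!dataItem1}", SAMPLE_USER, SAMPLE_CLM))
```

The subject template is the one used as the example in the Subject policy module procedure; with the sample data it expands to cn=Ana Lövgren, cn=alovgren, ou=People, c=CA.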

Configure the Non-CLM Request Policy Module

You can use the CLM Web site to manage certificates when you use ILM CMS to register certificates that are issued outside of ILM CMS.

To configure the non-CLM Request policy module

  1. In the Custom Module Properties dialog box, in Provider, click Configure.

  2. In the AutoEnroll Plugin Configuration dialog box, in Database Information, type the connection string for the CLM database.

  3. In Profile Template, select the profile template to be assigned to non-CLM requests from the list.

  4. In Active Certificates, specify the maximum number of certificates, and then click OK.

  5. In the Custom Module Properties dialog box, in Filter, select a certificate template to apply the policy module to, and then click OK.

Deploy multiple CAs for CLM 2007

The CLM Configuration Wizard performs the following primary configuration tasks on CAs automatically:

  • Grants the required user rights to the CLM Agent, CA Manager, and Enrollment Agent user accounts.

  • Enables key archival for the default Key Recovery Agent certificate.

You can use the CLM Configuration Wizard for the CA that you deploy first. However, when you deploy other CAs, you must manually grant permissions to the CLM Agent, CLM CA Manager, and the CLM Enrollment Agent user accounts.

Note

You may rename the default ILM CMS user accounts.

You must grant each CLM agent user account the required permissions to ensure that the user account is correctly configured for ILM CMS. Table 13 shows the CLM agent user accounts and corresponding required permissions.

Table 13   CLM agent user accounts and required CA permissions

CLM agent user account Permission

clmAgent (CLM Agent)

Issue and Manage Certificates

clmCAMngr (CLM CA Manager)

Manage CA

clmEnrollAgent (CLM Enrollment Agent)

Read

Request Certificates

Important

You must assign the required permissions on every CA in your organization, including the new CA.

To assign CA permissions to a CLM agent user account

  1. Log on to the CA as a domain administrator.

  2. Click Start, point to Administrative Tools, and then click Certification Authority.

  3. In the console tree, right-click CAName, and then click Properties.

  4. In CAName Properties, click the Security tab.

  5. In Group or user names, select the CLM agent user account that you want to adjust permissions for, and then, in Permissions for UserName, select the permission.

    Table 13 shows the permissions that you must configure for the CLM agent user accounts.

  6. Click OK when you are finished.

To deploy subsequent CAs for CLM 2007

  1. Log on to the new CA as an administrator assigned the Manage CA permission.

  2. Click Start, point to Administrative Tools, and then click Certification Authority.

  3. Right-click the CA, and then click Properties.

  4. On the Key Recovery Agent tab, select Archive the key, click Add, and then select the key recovery agent certificate issued to the clmkragent user account.

    Note

    This certificate should exist in the personal store of the clmkragent on the CLM Web server.

  5. Restart the CA.

Configuring Active Directory Users and Groups

For information about how to perform basic user and group tasks, see the following articles:

By default, ILM CMS uses the Active Directory infrastructure and supports three user roles. Table 14 shows these roles.

Table 14    User roles in CLM 2007

User role Description

user

Any authenticated user in ILM CMS.

certificate manager

A user who is granted at least one ILM CMS management extended permission.

administrator

A certificate manager who is granted permission to edit profile templates.

You should add users and certificate managers to groups to reflect their respective roles. You can create multiple groups for each role, and you can create new application roles by selectively granting ILM CMS management extended permissions. Immediately after you add a certificate managers group to the Security tab for a users group, you must grant the certificate managers group ILM CMS management extended permissions for that users group.

Create a users group for CLM 2007

We recommend that you use a users group to configure ILM CMS permissions and roles. Using a users group ensures that you set permissions globally for your users and makes it easier to manage user permissions in Active Directory.

To create a users group for CLM 2007

  1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.

  2. In the console tree, click the Users container or the organizational unit (OU) where you want to create the new group.

  3. Right-click the Users container or OU, point to New, and then click New Group.

  4. In New Group, provide a relevant, unique name for the group.

  5. Under Group Scope, select either Global or Universal.

  6. Under Group Type, select Security.

Note

You must use security groups to configure extended permissions.

Important

ILM CMS does not support domain local groups.

You can now grant the group permissions and extended permissions. To complete enrollment, the certificate subscribers group requires the Read permission and the ILM CMS Request Enroll extended permission on a certificate template.

Create a certificate managers group

To create a certificate managers group, you create a new group in Active Directory, and then assign this group all or a subset of the available ILM CMS management extended permissions.

To create a certificate managers group

  1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.

  2. In the console tree, click the Users container or the OU where you want to create the new group.

  3. Right-click the Users container or OU, point to New, and then click New Group.

  4. On the New Group dialog box, type a relevant, unique name for the group.

  5. Under Group Scope, select either Global or Universal.

  6. Under Group Type, select Security.

Note

You must use security groups to configure extended permissions.

Important

ILM CMS does not support domain local groups.

You can now grant ILM CMS extended permissions to the new group. For information about how to do this, see Configure permissions for the certificate managers group. To grant a certificate managers group the ability to manage ILM CMS functionality for a users group, you must first create a users group.

If your Active Directory deployment contains multiple domains, you can use a combination of universal and global groups. You can do this by granting extended permissions and user rights to the single universal group, and then adding each domain’s global group to the membership of the universal group.

Configuring CLM 2007 Access Control

You must carefully adjust access control in ILM CMS to ensure that the proper users and groups can complete their tasks. You can use the topics in this section to assist you with defining your ILM CMS access control requirements.

  • CLM extended permissions

  • Configuring access control for users and groups

  • Required access control settings for specific users

CLM extended permissions

To enable detailed control of ILM CMS management delegation, ILM CMS uses a set of extended permissions that are added to Active Directory through schema extension. Table 15 shows these extended permissions.

Table 15   CLM 2007 extended permissions added through schema extension

Extended permission Description

CLM Audit

Enables generating and displaying CLM policy templates, defining management policies within a profile template, and generating ILM CMS reports.

CLM Enroll

Enables the user to specify the workflow and the data to be collected while issuing certificates using the template.

Note

This extended permission only applies to profile templates.

CLM Enrollment Agent

Enables the user or group to request certificates on behalf of another user. The issued certificate’s subject contains the target user’s name, not the requestor’s name.

The user or group assigned the CLM Enrollment Agent permission does not perform the enrollment. The enrollment is performed by the Enrollment Agent account on behalf of the user requesting the operation.

Note

Although the Active Directory extended permission is not implemented in ILM CMS, the enrollment agent role in the CLM Web site is functional.

CLM Request Enroll

Enables the initiation, execution, or completion of an enrollment request.

CLM Request Recover

Enables the initiation of encryption key recovery from the CA.

The user or group who is assigned the CLM Request Recover permission does not perform the actual recovery. The recovery is performed by the Key Recovery Agent account on behalf of the user requesting the operation.

CLM Request Renew

Enables the initiation, execution, or completion of a renew request. The renewal request replaces a user’s certificate that is near its expiration date with a new certificate with a new validity period.

CLM Request Revoke

Enables the revocation of a certificate before the expiration of the certificate’s validity period. For example, this can be necessary if a user’s computer or smart card is compromised (stolen).

CLM Request Unblock Smart Card

Enables a smart card’s user PIN to be reset. This enables key material on a smart card to be reestablished.

Extended permissions assignment locations

When you assign permissions in an ILM CMS environment, there are five permission assignment locations that determine a requesting user's authorization level. When you define a management policy workflow, you must determine whether permissions are necessary at each of these locations.

Important

Omitting a required permission assignment at any of these locations can result in a workflow failure within a management policy.

Table 16 shows locations where you can assign extended permissions.

Table 16   Where you can assign extended permissions

Permissions assignment location Description

Service connection point

Determines whether a user is assigned a management role within the ILM CMS deployment. For example, if a user must initiate requests for other users, the user is assigned the CLM Request Enroll permission at the service connection point.

Profile template object

Determines whether a user is a certificate subscriber or a certificate manager and whether the user can enroll certificates based on the profile template. If a user is required to enroll certificates based on the profile template, the user must be assigned the CLM Enroll permission on the profile template.

Users or groups

Determines a user's user role. A user or group who is assigned a management role within the ILM CMS environment must have permissions assigned on the users and groups that they will manage in the environment. For example, if you want to enable a manager to recover certificates issued to members of the EFS Users group, you must assign either the manager or a group that contains that manager the CLM Request Recover permission on the EFS Users group.

Note

EFS is Encrypting File System.

Certificate templates

Determines which users or groups can successfully submit enrollment and renewal requests to the CA. These users must be assigned the Read permission and the CLM Request Enroll permission on all certificate templates in a profile template.

Management policy

Determines a user's management role in ILM CMS. The user or group must be assigned the applicable management role in the management policy. For example, if you want the user to approve enrollment requests, you must assign the user the ability to approve enroll requests in the enroll management policy.

Note

All users who participate in the ILM CMS workflow require Read permission on the service connection point to enable them to read the permission assignments. If a user does not have Read permission, that user cannot access the CLM Web site.

Important

To enable the user to recover encryption certificates, you must assign the CLM Request Recover permission on the service connection point and to the EFS Users group. If you assign the CLM Request Recover permission only to the EFS User group and not on the service connection point, certificate managers cannot recover encryption certificates.
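To make the rule in the Important note concrete, the following Python models a permission checklist over the Table 16 locations. It is an added example, not ILM CMS code, and checks only what the text above states explicitly: Read on the service connection point for everyone who takes part in the workflow, CLM Request Recover on both the service connection point and the target users group for key recovery, and Read plus CLM Request Enroll on the profile template and on each certificate template for enrollment. The management policy role assignment is not modeled. The ACL entries, group memberships, principals and object names are constructed sample data; in the sample the certificate managers group deliberately lacks CLM Request Recover on the service connection point, reproducing the failure the note describes.

```python
"""Checklist for the extended-permission assignment locations of Table 16.

Added example, not ILM CMS code. It models the rule that a missing assignment at any
required location breaks the workflow, over constructed ACL data instead of reading
Active Directory.
"""
from __future__ import annotations

SCP = "CLM service connection point"

# Constructed sample: (location, object) -> principal -> permissions held there.
ACLS: dict[tuple[str, str], dict[str, set[str]]] = {
    ("service connection point", SCP): {
        "Authenticated Users": {"Read"},
        "Cert Managers": {"CLM Request Enroll"},   # CLM Request Recover deliberately absent
    },
    ("profile template", "EFS Profile"): {
        "EFS Users": {"Read", "CLM Request Enroll"},
        "Cert Managers": {"Read", "Write"},
    },
    ("users or groups", "EFS Users"): {
        "Cert Managers": {"CLM Request Recover"},
    },
    ("certificate templates", "User"): {
        "EFS Users": {"Read", "CLM Request Enroll"},
    },
}

# Constructed group memberships; a permission granted to a group counts for its members.
GROUPS: dict[str, set[str]] = {
    "alice": {"Cert Managers", "Authenticated Users"},
    "bob": {"EFS Users", "Authenticated Users"},
}


def holds(location: str, obj: str, principal: str, permission: str) -> bool:
    """True if the principal, or a group containing it, holds the permission there."""
    entries = ACLS.get((location, obj), {})
    for who in {principal} | GROUPS.get(principal, set()):
        if permission in entries.get(who, set()):
            return True
    return False


def recover_requirements(target_group: str) -> list[tuple[str, str, str]]:
    """Key recovery for members of target_group: Read on the SCP (Note above), plus
    CLM Request Recover on the SCP and on the target group (Important above)."""
    return [
        ("service connection point", SCP, "Read"),
        ("service connection point", SCP, "CLM Request Recover"),
        ("users or groups", target_group, "CLM Request Recover"),
    ]


def enroll_requirements(profile: str, cert_templates: list[str]) -> list[tuple[str, str, str]]:
    """Enrollment from a profile template: Read on the SCP, then Read and CLM Request
    Enroll on the profile template (Table 17) and on every certificate template in it."""
    reqs = [("service connection point", SCP, "Read")]
    for perm in ("Read", "CLM Request Enroll"):
        reqs.append(("profile template", profile, perm))
        reqs.extend(("certificate templates", t, perm) for t in cert_templates)
    return reqs


def missing(requirements: list[tuple[str, str, str]], principal: str) -> list[str]:
    """Every required assignment the principal does not hold, as readable findings."""
    return [
        f"{perm} on {location} '{obj}'"
        for location, obj, perm in requirements
        if not holds(location, obj, principal, perm)
    ]


def grant(location: str, obj: str, principal: str, permission: str) -> None:
    """Add an assignment to the sample data (what the Security tab does in the UI)."""
    ACLS.setdefault((location, obj), {}).setdefault(principal, set()).add(permission)


if __name__ == "__main__":
    print("alice recovering for EFS Users, missing:", missing(recover_requirements("EFS Users"), "alice"))
    grant("service connection point", SCP, "Cert Managers", "CLM Request Recover")
    print("after the SCP grant, missing:", missing(recover_requirements("EFS Users"), "alice"))
    print("bob enrolling EFS Profile, missing:", missing(enroll_requirements("EFS Profile", ["User"]), "bob"))
```

Run against a real deployment the same checklist would be fed from the Security tabs of the service connection point, the profile template objects under Public Key Services, the users groups and the certificate templates; the point is that each location is checked separately, because the product does not report which one was skipped.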

Configuring access control for users and groups

To configure access control for ILM CMS, you must perform one of the following tasks:

  • Configure permissions for the CLM 2007 users group

  • Configure permissions for the certificate managers group

  • Configure permissions on a new profile template object

  • Configure sharing permissions on a profile template object

Configure permissions for the CLM 2007 users group

The ILM CMS users group requires Read permissions on the profile template.

To set permissions for the CLM 2007 users group

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, locate the OU or container that contains the ILM CMS users group.

  3. Right-click the ILM CMS users group, and then click Properties.

  4. On the Security tab, click Add, and then add the ILM CMS users group.

  5. Set the required permissions for the appropriate ILM CMS transactions, and then click OK.

To view any CLM profile templates, the certificate subscribers group needs Read permissions for ILM CMS enroll transactions on all existing profile template objects in Active Directory.

To grant the CLM 2007 users group Read permission on the profile template objects

  1. Click Start, point to Administrative Tools, and then double-click Active Directory Sites and Services.

  2. In Active Directory Sites and Services, click View, and then click Show Services Node.

    This option remains enabled after you close the console.

  3. In the console tree, expand Services, expand Public Key Services, and then click Profile Templates.

  4. Right-click Profile Templates, and then click Properties.

  5. On the Security tab, click Add.

  6. In Select Users and Groups, add the certificate subscribers group, and then click OK.

  7. On the Security tab, verify that the certificate managers group has Read permissions assigned, and then click OK.

Configure permissions for the certificate managers group

The first three steps of the following procedure depend on where you created the directory entry that Active Directory uses to store ILM CMS configuration information. The following procedure assumes that you used the default directory entry settings.

To grant permissions to a certificate managers group

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, click Advanced Features.

  3. Verify that the check box next to Advanced Features is selected.

    This check mark indicates that the advanced features are enabled in MMC.

  4. In the console tree, expand DomainName, and then click the System container.

    DomainName is the name of the domain.

  5. Expand System, expand Microsoft, expand Certificate Lifecycle Manager, and then click CLMServer.

    CLMServer is the NetBIOS name of the server hosting ILM CMS.

  6. Right-click CLMServer, and then click Properties.

  7. On the Security tab, add ManagersGroup, and then grant the group CLM extended permissions.

    ManagersGroup is the name of the certificate managers group.

ILM CMS uses software-based certificates and hardware-based certificates. For hardware-based certificates that reside on a smart card, you must set suitable permissions (Allow/Deny) for ILM CMS to function correctly.

For more information about CLM extended permissions, see CLM extended permissions.

To view CLM profile templates, the certificate managers group must have Read permissions on profile template objects in Active Directory.

To assign Read permissions on profile template objects for the certificate managers group

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. On the View menu, verify that Show Services Node is selected.

  3. In the console tree, expand Services, and then expand Public Key Services.

  4. Right-click Profile Templates, and then click Properties.

  5. On the Security tab, click Add.

  6. In Select Users and Groups, add the certificate managers group, and then click OK.

  7. On the Security tab, verify that the certificate managers group has Read permissions assigned, and then click OK.

Configure permissions on a new profile template object

To set permissions on a new CLM profile template, you must be a member of the Enterprise Admins group or a member of the root domain's Domain Admins group in Active Directory.

Note

You can create a new profile template by copying an existing template that is close to the configuration of the new template that you want, and then configuring the new template's properties.

To configure permissions on a new profile template

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. On the View menu, verify that Show Services Node is selected.

  3. In the console tree, expand Services, expand Public Key Services, and then click Profile Templates.

  4. In the details pane, right-click a profile template, and then click Properties.

  5. On the Security tab, make any necessary permission changes, and then click OK.

Even though profile templates might contain Version 2 certificate templates that can be created and duplicated in Microsoft® Windows Server® 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Microsoft® Windows Server® 2003, Enterprise Edition or Microsoft® Windows Server® 2003, Datacenter Edition.

To use Active Directory Sites and Services on a computer that is not a domain controller, you install Windows Administration Tools (Adminpak.msi). (An example of a computer that is not a domain controller is one running on Windows 2000 Professional.) Computers running on Windows 2000 can install Adminpak.msi from the Windows 2000 installation CD. Computers running on Windows XP and Windows Server 2003 must install Adminpak.msi from a Windows Server 2003 installation CD or by downloading Adminpak.msi from the Microsoft Web site.

After you duplicate a profile template object, you must add your user or group and verify that the permissions are modified.

Configure sharing permissions on a profile template object

By default, ILM CMS assigns Read permissions to any new groups that you add to the Security tab of a CLM profile template. It is up to you to adjust a security group's permissions based on its relevant roles.

Table 17   Profile template object sharing permissions for CLM 2007 groups

Group Permission

users group

You must assign the Read permission and the CLM Request Enroll permission to the users group. Subscribers use the permissions to read the properties and settings of the template, and to enroll any certificate templates included in the profile template.

certificate managers group

You must assign the Read permission and the Write permission to the certificate managers group.
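The steps above and Table 17 describe setting these permissions by hand on the Security tab in Active Directory Sites and Services. The following script is an added example, not part of the original documentation, that grants the same permissions on a profile template object through ADSI from PowerShell, which is useful when you must configure many templates consistently. The profile template name and the two group names are assumptions; replace them with your own. The script also assumes that the CLM Request Enroll permission is registered as a control access right whose display name is "CLM Request Enroll", and it resolves that right's GUID from the Extended-Rights container rather than hard-coding it.

```powershell
# Added example (not from the original documentation): grant the Table 17
# permissions on one CLM profile template object via ADSI.
# Assumptions: the template, group and extended-right names below.
param(
    [string]$ProfileTemplate = "Contoso Smart Card Logon",          # assumed name
    [string]$UsersGroup      = "CONTOSO\CLM Subscribers",           # assumed group
    [string]$ManagersGroup   = "CONTOSO\CLM Certificate Managers",  # assumed group
    [string]$EnrollRightName = "CLM Request Enroll"                 # assumed displayName
)

# Profile templates live under Public Key Services in the Configuration partition.
$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$dn  = "CN=$ProfileTemplate,CN=Profile Templates,CN=Public Key Services,CN=Services,$configNc"
$obj = [ADSI]"LDAP://$dn"

# Resolve the CLM Request Enroll control access right to its rightsGuid.
$search = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Extended-Rights,$configNc",
    "(&(objectClass=controlAccessRight)(displayName=$EnrollRightName))")
$hit = $search.FindOne()
if (-not $hit) { throw "Extended right '$EnrollRightName' not found in $configNc" }
$enrollGuid = [Guid]$hit.Properties["rightsguid"][0]

function Add-Ace([string]$Trustee, [string]$Rights, [Guid]$ObjectType) {
    $id    = New-Object System.Security.Principal.NTAccount($Trustee)
    $adr   = [System.DirectoryServices.ActiveDirectoryRights]$Rights
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($ObjectType -eq [Guid]::Empty) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id, $adr, $allow)
    } else {
        # Object-specific ACE: the right applies only to the named extended right.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id, $adr, $allow, $ObjectType)
    }
    $obj.psbase.ObjectSecurity.AddAccessRule($ace)
}

# Table 17: subscribers get Read + CLM Request Enroll; managers get Read + Write.
Add-Ace $UsersGroup    'GenericRead'   ([Guid]::Empty)
Add-Ace $UsersGroup    'ExtendedRight' $enrollGuid
Add-Ace $ManagersGroup 'GenericRead'   ([Guid]::Empty)
Add-Ace $ManagersGroup 'GenericWrite'  ([Guid]::Empty)
$obj.psbase.CommitChanges()

# Verify: re-read the object and list the ACEs now held by the two groups.
$obj.psbase.RefreshCache()
$obj.psbase.ObjectSecurity.Access |
    Where-Object { @($UsersGroup, $ManagersGroup) -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```

Run the script with an account that has Write DACL (or Full Control) on the profile template object; the final table should show GenericRead and an ExtendedRight entry whose ObjectType is the resolved GUID for the users group, and GenericRead plus GenericWrite for the certificate managers group. If the Extended-Rights lookup fails, the CLM schema extension that registers the right has not been applied to the forest.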

Required access control settings for specific users

For ILM CMS to function correctly, you must configure six agent user accounts. The CLM Configuration Wizard can configure these accounts fully or partially. If you choose to configure the accounts manually, or you want to know exactly which access control settings the wizard changes, use the required settings in Table 18 for each CLM agent user account.

Note

The CLM Configuration Wizard automatically creates these agent user accounts and their passwords, but you can use custom user names and passwords.

Table 18   Required access control settings for CLM agent user accounts

CLM agent user account Description

CLM Agent

Provides the following services:

  • Retrieves encrypted private keys from the CA.

  • Protects smart card PIN information in the CLM database.

  • Protects communication between ILM CMS and the CA.

This user has the following access control settings:

  • Granted the Allow logon locally user right.

  • Granted the Issue and Manage Certificates permission on the CA.

  • Granted Read permission and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.

  • A digital signature and encryption certificate issued and installed in the user store.

Key Recovery Agent

Recovers archived private keys from the CA.

This user has the following access control settings:

  • Granted the Allow logon locally user right.

  • Added as a member of the local Administrators group.

  • Granted Enroll permission on the KeyRecoveryAgent certificate template.

  • The Key Recovery Agent certificate is issued and installed in the user store. The certificate must also be added to the list of key recovery agents on the CA.

  • Granted Read permission and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.

Authorization Agent

Determines user rights and permissions for users and groups.

This user has the following access control settings:

  • Added to the Pre-Windows 2000 Compatible Access domain group.

  • Granted the Generate security audits user right.

CA Manager Agent

Performs CA management activities.

This user must be assigned the Manage CA permission.

Web Pool Agent

Provides the identity for the IIS application pool. ILM CMS runs as a Win32 process under this user's credentials.

This user has the following access control settings:

  • Added to the local IIS_WPG group.

  • Added to the local Administrators group.

  • Granted the Generate security audits user right.

  • Granted the Act as part of the operating system user right.

  • Granted the Replace process level token user right.

  • Assigned as the identity of the IIS application pool, CLMAppPool.

  • Granted Read permission on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\CertSvc\Enterprise\Config registry key.

This account must also be trusted for delegation. Because it combines local Administrators membership, the Act as part of the operating system right, and delegation, it is the most privileged of the six agent accounts; protect its password accordingly and do not reuse it for any other purpose.

Enrollment Agent

Performs enrollment on behalf of a user. This user has the following access control settings:

  • An Enrollment Agent certificate that is issued and installed in the user store.

  • Granted the Allow logon locally user right.

  • Granted the Enroll permission on the Enrollment Agent certificate template (or the custom template, if one is used).
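Table 18 is a checklist, and after the CLM Configuration Wizard has run (or after a manual setup) it is worth confirming that every setting is actually in place. The following audit script is an added example, not part of the original documentation. It runs in PowerShell on the CLM server as a local administrator and reports OK or MISSING for each user right, group membership, ACL, application pool identity and delegation flag that the table lists. The six account names are assumptions; substitute the names you chose in the wizard. Permissions on the CA itself, Enroll permissions on certificate templates and the certificates installed in each user store are not checked here.

```powershell
# Added audit script for the Table 18 settings; not part of the original
# documentation. Account names below are assumptions.
$Dom = $env:USERDOMAIN
$CLMAgent    = "$Dom\clmAgent";      $KRAgent = "$Dom\clmKRAgent"
$AuthAgent   = "$Dom\clmAuthAgent";  $WebPool = "$Dom\clmWebPool"
$EnrollAgent = "$Dom\clmEnrollAgent"
$TempDir = Join-Path $env:WINDIR "Temp"
$RegKey  = "HKLM:\SOFTWARE\Microsoft\CLM\CertSvc\Enterprise\Config"

# Export the local security policy once; each user right is a line "SeXxx = *SID,*SID".
$inf = Join-Path $env:TEMP "clm-secpol.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$Rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $Rights[$matches[1]] = $matches[2].Split(',') }
}
Remove-Item $inf

function Get-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
function Test-UserRight([string]$Account, [string]$Privilege) {
    $sid = Get-Sid $Account
    return [bool]($Rights[$Privilege] | Where-Object { $_.Trim() -eq "*$sid" -or $_.Trim() -eq $Account })
}
function Test-LocalGroupMember([string]$Account, [string]$Group) {
    $members = ([ADSI]"WinNT://./$Group,group").psbase.Invoke("Members") |
        ForEach-Object { $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) }
    return [bool]($members -contains ("WinNT://" + $Account.Replace('\', '/')))
}
function Get-DomainUser([string]$Account) {
    $sam = $Account.Split('\')[1]
    (New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$sam)")).FindOne()
}
function Test-DomainGroupMember([string]$Account, [string]$GroupCn) {
    $u = Get-DomainUser $Account
    return [bool]($u.Properties["memberof"] | Where-Object { $_ -like "CN=$GroupCn,*" })
}
function Test-TrustedForDelegation([string]$Account) {
    $uac = [int](Get-DomainUser $Account).Properties["useraccountcontrol"][0]
    return [bool]($uac -band 0x80000)   # ADS_UF_TRUSTED_FOR_DELEGATION
}
# Explicit Allow ACE for the account carrying all of the required bits.
function Test-FsRights([string]$Account, [string]$Path,
                       [System.Security.AccessControl.FileSystemRights]$Need) {
    return [bool]((Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Need) -eq $Need) })
}
function Test-RegRead([string]$Account, [string]$Path) {
    $need = [System.Security.AccessControl.RegistryRights]::ReadKey
    return [bool]((Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $need) -eq $need) })
}
function Get-AppPoolIdentity([string]$Pool) {
    [string]([ADSI]"IIS://localhost/W3SVC/AppPools/$Pool").WAMUserName
}

$Checks = @(
  @{ N = "CLM Agent: Allow logon locally";                 P = (Test-UserRight $CLMAgent 'SeInteractiveLogonRight') },
  @{ N = "CLM Agent: Read/Write on $TempDir";              P = (Test-FsRights $CLMAgent $TempDir "Read, Write") },
  @{ N = "Key Recovery Agent: Allow logon locally";        P = (Test-UserRight $KRAgent 'SeInteractiveLogonRight') },
  @{ N = "Key Recovery Agent: local Administrators";       P = (Test-LocalGroupMember $KRAgent 'Administrators') },
  @{ N = "Key Recovery Agent: Read/Write on $TempDir";     P = (Test-FsRights $KRAgent $TempDir "Read, Write") },
  @{ N = "Authorization Agent: Pre-Windows 2000 Compatible Access";
     P = (Test-DomainGroupMember $AuthAgent 'Pre-Windows 2000 Compatible Access') },
  @{ N = "Authorization Agent: Generate security audits";  P = (Test-UserRight $AuthAgent 'SeAuditPrivilege') },
  @{ N = "Web Pool Agent: local IIS_WPG";                  P = (Test-LocalGroupMember $WebPool 'IIS_WPG') },
  @{ N = "Web Pool Agent: local Administrators";           P = (Test-LocalGroupMember $WebPool 'Administrators') },
  @{ N = "Web Pool Agent: Generate security audits";       P = (Test-UserRight $WebPool 'SeAuditPrivilege') },
  @{ N = "Web Pool Agent: Act as part of the OS";          P = (Test-UserRight $WebPool 'SeTcbPrivilege') },
  @{ N = "Web Pool Agent: Replace process level token";    P = (Test-UserRight $WebPool 'SeAssignPrimaryTokenPrivilege') },
  @{ N = "Web Pool Agent: identity of CLMAppPool";         P = ((Get-AppPoolIdentity 'CLMAppPool') -eq $WebPool) },
  @{ N = "Web Pool Agent: Read on $RegKey";                P = (Test-RegRead $WebPool $RegKey) },
  @{ N = "Web Pool Agent: trusted for delegation";         P = (Test-TrustedForDelegation $WebPool) },
  @{ N = "Enrollment Agent: Allow logon locally";          P = (Test-UserRight $EnrollAgent 'SeInteractiveLogonRight') }
)
foreach ($c in $Checks) {
    if ($c.P) { Write-Host "OK       $($c.N)" } else { Write-Host "MISSING  $($c.N)" }
}
```

The user-right checks compare the account's SID against the exported policy, so they only see rights granted directly to the account or to a well-known name that secedit writes out by name; a right inherited through group membership is reported as MISSING, which matches the table's expectation that each agent is granted the right explicitly. The IIS check reads the IIS 6 metabase property WAMUserName for CLMAppPool, so it applies to the Windows Server 2003 IIS that CLM 2007 runs on.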