Strong user authentication is one of the most fundamental identity management services: It's a key building block for securing access to resources and for the safe exchange of identity data between organizations.
User authentication solutions that bundle multiple authentication factors (e.g., knowledge of a PIN or password, biometric data such as a fingerprint, possession of some device) make up the bulk of today's strong authentication market offerings. Popular examples of strong authentication solutions are smart cards and USB tokens.
If you've tried to deploy smart cards or USB tokens in a Microsoft public key infrastructure (PKI) environment, you know that Windows lacks advanced smart card and USB token deployment, management, and maintenance features. Now Microsoft is tackling this space with Certificate Lifecycle Manager (CLM), which can also add value for certificate management in Windows PKI deployments that don't use smart cards or USB tokens.
CLM's most important characteristics are its ability to ease the deployment
and administration of certificates, smart cards, and USB tokens, and its flexibility.
Let's look first at how CLM eases administration and what makes it such an adaptable
tool. Then I'll explain the CLM components and architecture.
Origin and Competition
CLM is Microsoft's rebranded and revamped version of idNexus, a product the
company obtained through the acquisition of Alacris in 2005. At the time of
writing, CLM Beta 1 was available for download and Microsoft was considering
making CLM available as a Microsoft System Center software offering—Microsoft
wasn't intending to include the CLM code in Windows Server distributions (unlike
the Windows PKI services) or to bundle it with the company's main identity management
solution, Microsoft Identity Integration Server (MIIS).
Deploying CLM is relatively straightforward: The CLM installation program comes with a wizard that automatically configures the main CLM components.
Examples of competing products that offer similar functionality are Intercede's
MyID Corporate (http://www.intercede.co.uk),
Athena Smartcard Solutions' AthenaCard Management System (CMS— http://www.athena-scs.com),
the Aladdin Token Management System (TMS—http://www.aladdin.com),
and the SafeNet Card Management System (CMS— http://www.safenet-inc.com).
Easy Administration
CLM offers a single point of administration for certificate, smart card, and
USB token management. From the CLM Web-based management interface (shown in
Figure 1), you can manage the lifecycle of
the certificates and smart cards of users defined in your Active Directory (AD).
In Windows PKI environments that don't have CLM deployed, you must use multiple Microsoft Management Console (MMC) snap-ins and command-line tools to get the same administrative jobs done. For example, without CLM, to define certificate properties, you must use the MMC Certificate Templates snap-in, but to approve or deny user certificate requests, you would use the MMC Certification Authority snap-in or the certutil.exe command-line tool.
With CLM, you can enroll users for certificates or a smart card, approve or
deny certificate requests, revoke certificates, unblock smart cards, define
certificate properties, and generate reports related to the use of certificates
and smart cards—all from a single interface.