~ Milan Milosavljevic | Microsoft Senior Escalation Engineer
UPDATED 7/14/2016: A newer version of this article is available here: https://blogs.msdn.microsoft.com/ms-identity-support/2016/07/14/faq-for-fim-2010-to-support-sha2-kspcng-and-v3-certificate-templates-for-issuing-user-and-agent-certificates-and-mim-2016-upgrade/
Hi everyone, Milan Milosavljevic here from the Microsoft Platform AD Identity support team. I’d like to take a minute to clarify a couple of common questions we get regarding upgrade support for Microsoft Identity Manager 2016 (MIM 2016). This includes how to handle the deprecation of the Forefront Identity Manager 2010 Certificate Management (FIM CM) management agents as well as SHA2 support.
Q1: Is an in place upgrade from FIM CM 2010 R2 Service Pack 1 to MIM CM 2016 possible?
Answer: Yes, assuming you’re on the latest build of FIM CM 2010 R2 SP1. You only need to run the CM installation and make sure to check the migration checkbox in the setup wizard, and FIM CM 2010 will be migrated to MIM CM 2016. Prior to performing the upgrade, please make sure that your FIM CM backup is current and complete, including the FIM CM database, agent accounts and certificates/keys, as well as the FIM CM configuration files.
Q2: What is the official recommendation for replacement of FIM CM management agents?
Answer: FIM CM management agents (MAs) have been deprecated in MIM 2016. As an alternative, you can create similar functionality using the FIM CM Provision API (https://msdn.microsoft.com/en-us/library/windows/desktop/bb468091(v=vs.100).aspx) or the FIM CM SQL API (https://msdn.microsoft.com/en-us/library/windows/desktop/bb468093(v=vs.100).aspx).
Q3: Does FIM CM 2010 R2 SP1 support user certificates signed using SHA2?
Answer: Yes. SHA2 support is provided by configuring the issuing CA to issue SHA2 certificates – no additional action is required on FIM CM 2010 or MIM 2016.
Q4: Does FIM CM support FIM CM agent certificates (fimcmagent, fimcmenrollmentagent and fimcmrecoveryagent) signed using SHA2?
Answer: Yes. Please note however that if you want to change hash algorithms for the agents after the upgrade, you will need to replace or renew the certificates. For more information see https://technet.microsoft.com/en-us/library/hh149034(v=ws.10).aspx.
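To check what Q3 and Q4 describe on an existing deployment (which hash algorithm the issuing CA is configured to sign with, and which hash the agent certificates currently carry), the following PowerShell check is an added example and not part of the original post. It assumes a placeholder CA config string and that the agent certificates can be matched by subject-name fragments; adjust both for your environment.

```powershell
# Added example (not from the original post). Reports the hash algorithm the
# issuing CA is configured to sign with and the signature algorithm of each
# FIM CM agent certificate found in the local stores, flagging SHA-1 ones.
# Assumptions: the CA config string below is a placeholder, and the agent
# certificates are identifiable by the subject-name fragments listed.

$caConfig   = 'CA-SERVER\Issuing-CA'   # placeholder: <host>\<CA common name>
$agentNames = 'fimcmagent', 'fimcmenrollmentagent', 'fimcmrecoveryagent'

# 1. CA side: CNGHashAlgorithm is the hash a CNG/KSP-based CA uses when signing.
Write-Host "Issuing CA hash algorithm ($caConfig):"
certutil -config $caConfig -getreg ca\csp\CNGHashAlgorithm 2>&1 |
    Where-Object { $_ -match 'CNGHashAlgorithm' }

# 2. Agent side: inspect the signature algorithm of each agent certificate.
$stores   = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert  = $_
        $match = $agentNames | Where-Object { $cert.Subject -match $_ }
        if ($match) {
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            [pscustomobject]@{
                Store      = $store
                Agent      = ($match -join ',')
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                SigAlg     = $sigAlg
                NotAfter   = $cert.NotAfter
                # Per Q4, a certificate still signed with SHA-1 must be renewed
                # or replaced after the upgrade to move the agent to SHA-2.
                NeedsRenew = ($sigAlg -match '^sha1')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Warning 'No certificates matched the agent name filter; adjust $agentNames.' }
```

Run it on the FIM CM server with an account that can read the machine store; a `NeedsRenew` of `True` identifies agent certificates that still carry a SHA-1 signature.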
Q5: Does MIM CM support user certificates signed using SHA2?
Answer: Yes, the same way as in FIM CM 2010 R2 SP1.
Q6: Does MIM CM support FIM CM agent certificates (fimcmagent, fimcmenrollmentagent and fimcmrecoveryagent) signed using SHA2?
Answer: Yes, in the same way as FIM CM 2010 R2 SP1.
Milan Milosavljevic | Senior Escalation Engineer | Microsoft