FIM CM Bulk Smart Card Issuance Client and Printing Smart Cards

  • Question

  • Hi,

    From what we are reading, the Bulk Smart Card Issuance Client can be used to Issue and Print Smart Cards - what does MS mean by 'print smart cards'?

    Do they mean 'print on smart cards', like for instance users' photos?

    Or would we still need to utilize something like ID Works Software?

    Thanks

    Monday, April 25, 2011 7:10 AM

Answers

  • On Mon, 25 Apr 2011 07:10:16 +0000, S.Kwan wrote:

    > From what we are reading, the Bulk Smart Card Issuance Client can be used to Issue and Print Smart Cards - what does MS mean by 'print smart cards'?
    >
    > Do they mean 'print on smart cards', like for instance users' photos?
    >
    > Or would we still need to utilize something like ID Works Software?

    Printing a smart card means the combination of printing something on the
    surface of a card, like a photo, or a logo, or something like that and
    writing one or more certificates on the card, so yes, you'd need something
    like ID Works, or the Gemalto solution (whose name currently escapes me).


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    It is now pitch dark.  If you proceed, you will likely fall into a pit.

    • Marked as answer by D Wind Tuesday, April 26, 2011 5:47 AM
    Monday, April 25, 2011 10:46 AM

All replies

  • Thank you Paul
    Tuesday, April 26, 2011 5:48 AM
  • We recently got it working.

    You need specific printers, and specific middleware.

    And there was a missing configuration step in the documentation that has since been addressed.

    See:

    http://social.technet.microsoft.com/wiki/contents/articles/how-to-print-a-smart-card-using-fim-certificate-management-and-id-works-software-v6-5-or-v5-1.aspx?Sort=MostUseful&PageIndex=1

    But

    One of the things to look out for is that you’re going to have trouble getting support.  I personally love FIM-CM.  We have had to do a lot of customizations, but FIM-CM lets you do it (love notifications).  But in the area of printing, it takes a printer to test printing.  And these things (the higher capacity ones) come in around 10k each.  So a lot of places don't have them.

    If you can let the support people reach in, it’s not a problem.  But if you’re like us here at (CENSORED), we aren’t allowed to do that. 


    Wednesday, April 27, 2011 1:12 AM
  • With FIM-CM you are limited in which middleware software and printers you can use (at least in the version I am running, FIM 2010).

    We are running ID Works Enterprise Edition 5.1 on a Windows 7 x32 workstation.

    CM now supports ID Works Enterprise Edition 6.51, which supposedly can work on an x64 system, but we haven’t tried it.

    One thing to note is the CM software patch.  The CM Update allows the bulk client to be installed on Windows 7.  But you can't install the client on Windows 7 to apply the patch that lets it run on 7.  The workaround is that Microsoft released a copy of the bulk client with the patch already applied.  This worked fine for the install.  But we got errors when we tried to connect to the CM Servers.  It couldn't find the templates.  Turns out the DLLs in the patched bulk client were newer than the DLLs on the CM server, and this was breaking the notification.  We patched the CM server, and everything was good.

    For printers we got 2 SP75 Plus Datacard printers.  We wanted the higher capacity, and the ability to laminate both sides of the card.  We got two for coverage so we will have one when we have to send one in for repair.  (Not saying that the printers are “bad”, but they take a lot of abuse printing, and need a lot of care.)

    Although the Plus printers aren’t listed in the supported printers, we got confirmation from MS that the Plus worked (they replaced the older ones), but that the newer 95's probably wouldn't.  (I think they are a different kind of printer).

    One more data point to add.  Work out your PIN policy before you buy your cards.

    We got our cards first, and then figured out our PIN policy.  If we knew our PIN policy at purchase time, the manufacturer (Gemalto) could have set it.  We have been working on ways to set it using CM, but have finally given up.  We figured out how to set the PIN policy using APDU commands, and CM can do application management via APDU commands.  But it looks like it can only do that for Java Cards, and not the .NET cards (yet, we keep hoping).  So we are going to set the PIN policy before we bulk print.  And when we order our next set of cards, we will order them with the PIN policy set.

    Overall I am very happy with CM, and there is a lot more information on setting it up now than there was two years ago (thanks a lot to Paul Adare and Brian Komar, who I am beginning to think are the same person.  Has anyone actually seen both of them at the same time?)

    Wednesday, April 27, 2011 5:58 PM
  • I can confirm that we are two separate people <G>

    Brian

    Thursday, June 23, 2011 4:46 PM
  • Look into using the FIM External SQL API for scripting bulk submission of the enrollment requests.

    Brian

    Thursday, June 23, 2011 4:47 PM
  • Where does this middleware come from? Is it simply the smart card coupler drivers? Can anybody point me in the right direction for the middleware? Thanks very much.
    Monday, July 16, 2012 5:51 PM
  • You need to look at the vendor for the smart card.

    If it is a Java-based card/PKCS#11 card, you must **Buy** the middleware required for the card. This includes the CSPs and the PKCS#11 libraries used to manage the smart card.

    If it is a Microsoft Base CSP smart card, then you must download the Mini-driver for the card from Windows Catalog.

    Brian

    Monday, July 16, 2012 10:18 PM
  • Thanks Brian,

    I have a full understanding of DataCard Printers, Couplers and ID Works. It's the smart card, middleware and FIM I'm weak on. I believe you opened the door for me. Thanks again.

    Jeff

    Tuesday, July 17, 2012 2:24 PM
  • Brian,

    We have HID Crescendo C700 series smart cards and C700 middleware. Have there been any updates to what middleware is supported by FIM CM 2010? Thanks

    Jeff

    Tuesday, July 17, 2012 7:53 PM
  • Brian or Anyone,

    We have successfully encoded the smartcard and can print data from FIM CM. If we add the photo to the ID Works card template, it errors out and will not print. Take the photo off and data such as name, title, dept will print. Any ideas or help?

    Thanks

    Jeff

    Tuesday, November 13, 2012 10:02 PM
  • Jeff,

    AET SafeSign middleware will support the HID Crescendo C700 series.

    Regards

    Ganeshkumar

    Wednesday, May 22, 2013 6:39 AM
  • Hey Script Kitty, sorry for hijacking this thread, but I have a question about another thread you participated in and I can't reply to that thread. The thread in question is http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/b3e57622-64a6-402f-ae25-20dfaf0c6374 and my question to you is did you ever get a fix for the problem with PINs being returned as all "1's"? A hotfix maybe? I realize it is now 2 1/2 years later, but we're hitting exactly the same problem with FIM 2010 R2 SP1.

    Hopefully you're getting alerts to this thread. :-)

    • Proposed as answer by Script Kitty Wednesday, September 18, 2013 11:59 PM
    • Unproposed as answer by Script Kitty Thursday, September 19, 2013 12:00 AM
    Wednesday, June 5, 2013 2:06 PM
  • Hi Paul (I still think you and Brian are the same guy by the way).

    Just now saw this posting.  (I don't get out much).

    No, the getuserpin is still busted. Every time I talk to the CM guys I beat them up about this.

    We did figure out a workaround that works pretty well for us though.  We use the document print function, and print out a file on the server with the user name and user PIN (that works).  We then have a notification tied to the Print function that wakes up and looks for documents in that folder. If it finds them, it lifts the PINs out, encrypts them and sticks them in a database.  We then have a web page out there that the users log into and can retrieve the PINs.

    It's not as good as having GetuserPin working, but it works.  Looks like there are a lot of "fixes" needed if you try and run smartcard required like we did.

    On a side note, I ended up doing the Smart Card renews using a terminal server solution, and I think it worked really well.  Put the client on one server, and replaced the shell with a modified browser session.  Then just had the people remote in with their smartcards. Made it a lot easier, and the users said it was really easy.


    Meow

    Thursday, September 19, 2013 12:05 AM
  • I hope AET SafeSign middleware will support this.

    Ganesh

    Wednesday, February 4, 2015 9:40 AM