Synchronize GAL with Published Certificate

Question

  • Hello there,

    I have 2 Exchange organizations running Exch 2007 and Exch 2010 in separate AD. Both GALs contain published certificates for the purpose of sending secured email within their own system.

    Now the 2 organizations are merged. I need to synchronize the GAL between the 2 systems. I plan to deploy FIM 2010. Another requirement is to allow users to exchange secured email between the organizations. Questions:

    1. Is FIM able to synchronize the published certificate? 

    2. If the answer is no, is there any other solution to achieve that?

    Thanks in advance. 

    Friday, July 15, 2011 8:48 AM

Answers

  • I understand that sometimes the certificate is published to the userSMIMECertificate attribute. Can it be synchronized?

    The userCertificate & userSMIMECertificate attributes may be used to store the digital certificate,
    although there are design considerations to be made here, details on TechNet here.

    From a FIM perspective, they are just attributes & can be synchronised as per any other attribute.

    Cheers
    Tom Houston, HP Enterprise Services - UK Identity Management Practice
    Monday, July 18, 2011 8:43 AM
  • I would recommend moving away from UserSmimeCertificate, as it is an ancient attribute that was used to identify whether the user had an X.509v3 certificate (issued by a CA) or an X.509v1 certificate (issued by Exchange 5.0 KMS). The certificate in the UserSMIMECertificate attribute is wrapped in a PKCS7 envelope, which is only possible with a v3 certificate.

    It is preferred to only populate the userCertificate attribute (block the Publish to GAL button to accomplish this).

    Brian

    Tuesday, July 19, 2011 8:48 PM
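Brian's point is that the two attributes carry different encodings: userCertificate holds a bare DER X.509 certificate, while userSMIMECertificate holds the certificate inside a PKCS7 envelope. That difference can be checked before a sync rule flows a value into the target GAL. The following Python is an added example, not code from this thread or from FIM: it parses only the outer DER tag/length layer of an attribute value (assumed to be the raw bytes read from userCertificate or userSMIMECertificate) to tell a bare X.509 Certificate from a PKCS#7 ContentInfo, and keeps only the bare certificates. The sample values are constructed, structurally valid DER placeholders rather than real certificates, and nothing here verifies a signature.

```python
# Added example (not from the thread): classify the raw bytes found in an AD
# user's userCertificate / userSMIMECertificate attribute before letting a
# directory-sync rule flow them into the target GAL.
#
# A bare DER X.509 Certificate starts:
#   SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }
# A PKCS#7 ContentInfo (what the SMIME attribute carries) starts:
#   SEQUENCE { contentType OBJECT IDENTIFIER, [0] EXPLICIT content }
# So the tag of the first child of the outer SEQUENCE distinguishes them.

PKCS7_SIGNED_DATA_OID = "1.2.840.113549.1.7.2"  # id-signedData


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, start, end


def _decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def classify_cert_attribute(value: bytes) -> str:
    """Return 'x509', 'pkcs7:<contentType OID>' or 'unknown' for one value."""
    try:
        tag, start, end = _read_tlv(value, 0)
        if tag != 0x30 or end != len(value):   # must be exactly one SEQUENCE
            return "unknown"
        inner_tag, s, e = _read_tlv(value, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:                      # first child SEQUENCE: tbsCertificate
        return "x509"
    if inner_tag == 0x06:                      # first child OID: PKCS#7 ContentInfo
        return "pkcs7:" + _decode_oid(value[s:e])
    return "unknown"


def values_to_flow(values):
    """Keep only bare X.509 values, i.e. what belongs in userCertificate."""
    return [v for v in values if classify_cert_attribute(v) == "x509"]


# Constructed sample values: structurally valid DER, not real certificates.
SAMPLE_X509 = bytes.fromhex(
    "300a"            # Certificate SEQUENCE, 10 bytes of content
    "3003020101"      # tbsCertificate placeholder: SEQUENCE { INTEGER 1 }
    "3000"            # signatureAlgorithm placeholder: empty SEQUENCE
    "030100"          # signatureValue placeholder: BIT STRING, 0 unused bits
)
SAMPLE_PKCS7 = bytes.fromhex(
    "3010"                    # ContentInfo SEQUENCE, 16 bytes of content
    "06092a864886f70d010702"  # contentType = id-signedData
    "a003"                    # [0] EXPLICIT content
    "3001ff"                  # SignedData placeholder
)

if __name__ == "__main__":
    for name, v in (("userCertificate", SAMPLE_X509),
                    ("userSMIMECertificate", SAMPLE_PKCS7),
                    ("garbage", b"\xff\xd8\xff")):
        print(f"{name}: {classify_cert_attribute(v)}")
    print("values to flow:", len(values_to_flow([SAMPLE_X509, SAMPLE_PKCS7])))
```

In a sync deployment a check like this belongs in a pre-migration report or a rules extension: values that come back as pkcs7 or unknown are the ones to review before they are written to the target forest, which is the same outcome Brian's advice of populating only userCertificate is aiming for.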

All replies


  • Hi Ligion,
    1. Is FIM able to synchronize the published certificate?
    FIM can be configured to synchronise the userCertificate attribute between two AD forests.

    Cheers
    Tom Houston, HP Enterprise Services - UK Identity Management Practice
    Friday, July 15, 2011 9:17 AM

  • Hi Ligion,
    1. Is FIM able to synchronize the published certificate?
    FIM can be configured to synchronise the userCertificate attribute between two AD forests.

    Cheers
    Tom Houston, HP Enterprise Services - UK Identity Management Practice


    Hi, Thomas,

    Thanks for reply.

    I understand that sometimes the certificate is published to the userSMIMECertificate attribute. Can it be synchronized?

    Best Regards

    Monday, July 18, 2011 6:09 AM
  • Many thanks, Thomas.
    Tuesday, July 19, 2011 5:56 AM
  • As Brian states, & assuming that you are using Outlook as your e-mail client,
    further info regarding disabling the "Publish to GAL" button on TechNet here...

    Cheers
    Tom Houston
    Wednesday, July 20, 2011 7:59 AM