The Forefront Identity Manager Certificate Management (FIM CM) Provision API has several methods that give the caller access to sensitive data. These methods are collectively referred to as the Sensitive API group.

The topics in this section discuss the security configuration for the methods in the Sensitive API group.

Sensitive API Group

The Sensitive API group includes the methods of the Microsoft.Clm.Provision.ExecuteOperations class. These methods have access to the administrator personal identification number (PIN), the user PIN, the administrator authentication key for the Microsoft® Smart Card Base Cryptographic Service Provider (Base CSP), or the Base CSP challenge response information. The following methods are included in this group:

  • ConfirmActiveAdminPin

  • GetActiveAdminPin

  • GetAdminKey

  • GetBaseCspResponse

  • GetProposedAdminPin

  • GetUserPin

  • SetProposedAdminPin

For a call to a method in this group to succeed, the caller of the method must be authorized to call the methods in the Sensitive API group.

User Authorization

To authorize a user or group of users to call the methods in the Sensitive API group, you must follow these steps to configure FIM CM:

  1. Open the Web.config file that is associated with the CLM 2007 virtual Web folder.

    The default location for this file is %Programfiles%\Microsoft Certificate Lifecycle Manager\Web\Web.config.

  2. Locate the configuration section for the Sensitive API group, which resembles the following:

    <add key="Clm.ProvisionApi.SensitiveApiGroup" value="" />
    
    By default, FIM CM does not authorize users to call the methods in the Sensitive API group.

  3. Set the value to the name of a security group that contains the users who are to be authorized to call the methods in the Sensitive API group.

    You must specify the security group in the domainname\groupname format, as shown in the following example:

    <add key="Clm.ProvisionApi.SensitiveApiGroup" value="Contoso\SensitiveApiUserGroup" />
    
  4. Save the Web.config file.
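The following audit script is an added example, not Microsoft's code and not part of the original page: it reads the Clm.ProvisionApi.SensitiveApiGroup appSettings key from a Web.config and reports whether the Sensitive API group is disabled (empty value, the default), configured with a domainname\groupname value, set to a value that is not in that format, or missing altogether. The Web.config fragments below are constructed for the example.

```python
"""Audit the FIM CM Sensitive API group authorization in Web.config.

Added example (not Microsoft's code). Classifies the documented key:
  'disabled'   - empty value: nobody may call the Sensitive API group
  'configured' - a domainname\\groupname value, returned as (domain, group)
  'invalid'    - a non-empty value not in domainname\\groupname form
  'missing'    - the key is absent from <appSettings>
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

KEY = "Clm.ProvisionApi.SensitiveApiGroup"
# domainname\groupname: a domain with no whitespace or backslash, exactly
# one backslash, then a non-empty group name (group names may contain spaces).
GROUP_RE = re.compile(r"^[^\\\s]+\\[^\\]+$")


def read_sensitive_api_group(web_config_xml: str) -> Optional[str]:
    """Return the key's value from <appSettings>, or None if it is absent."""
    root = ET.fromstring(web_config_xml)
    for app_settings in root.iter("appSettings"):
        for add in app_settings.iter("add"):
            if add.get("key") == KEY:
                return add.get("value", "")
    return None


def classify_sensitive_api_group(web_config_xml: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify the setting as described in the module docstring."""
    value = read_sensitive_api_group(web_config_xml)
    if value is None:
        return ("missing", None, None)
    value = value.strip()
    if value == "":
        return ("disabled", None, None)
    if not GROUP_RE.match(value):
        return ("invalid", None, None)
    domain, group = value.split("\\", 1)
    return ("configured", domain, group)


# Constructed Web.config fragments: the shipped default, the documented
# example value, and a bare group name with no domain prefix.
SAMPLE_DEFAULT = '<configuration><appSettings>' \
    '<add key="Clm.ProvisionApi.SensitiveApiGroup" value="" />' \
    '</appSettings></configuration>'
SAMPLE_CONFIGURED = r'<configuration><appSettings>' \
    r'<add key="Clm.ProvisionApi.SensitiveApiGroup" value="Contoso\SensitiveApiUserGroup" />' \
    r'</appSettings></configuration>'
SAMPLE_BARE_GROUP = '<configuration><appSettings>' \
    '<add key="Clm.ProvisionApi.SensitiveApiGroup" value="SensitiveApiUserGroup" />' \
    '</appSettings></configuration>'

if __name__ == "__main__":
    for name, xml in (("default", SAMPLE_DEFAULT), ("configured", SAMPLE_CONFIGURED),
                      ("bare group", SAMPLE_BARE_GROUP)):
        print(name, "->", classify_sensitive_api_group(xml))
```

Point the script at the deployed Web.config (default location given in step 1) to confirm that only the intended domainname\groupname value authorizes callers of the Sensitive API group.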

See Also

Reference

ConfirmActiveAdminPin
GetActiveAdminPin
GetAdminKey
GetBaseCspResponse
GetProposedAdminPin
GetUserPin
SetProposedAdminPin

Concepts

Programming with the FIM CM Provision API

Other Resources

Microsoft.Clm.Provision.ExecuteOperations