This topic explains the Forefront Identity Manager Certificate Management (FIM CM) ICardInitialization Customization Interface, including usage scenarios and guidance on where to find sample code and documentation on related technologies.

Issuing New Smart Cards

When first purchased, smart cards arrive in a default state. In this state, such critical parameters as the card's identification code and master administrative key are normally set to a vendor-specified default value. Obviously, cards in such a state cannot be relied upon to serve as secure identifiers.

As part of being issued to users, new smart cards must go through a process of initialization.

Cards can also be re-initialized when they are "retired," or reset to this default state to prepare them to be reissued.

For smart cards managed by the Microsoft Base Cryptographic Service Provider (Base CSP), this process involves:

  1. The creation and assignment of unique identifiers, or CardIDs, for each card. This CardID is then stored in a file on the smart card.

    Some smart cards are assigned a unique serial number by the vendor. This serial number is distinct from the CardID. Additionally, the vendor may have already assigned a CardID file to the card. In this case, FIM CM will not replace the CardID that already exists.
  2. The creation of a number of files and directories on the smart card

  3. The generation of unique administrative authentication key for each smart card. This process, called key diversification, involves deriving an individual administrative key for each smart card from a shared master administrative key located on the FIM CM server, and then storing that key on the smart card.

Example scenarios for Extending Smart Card Initalization

FIM CM has built-in functionality to initialize Base CSP smart cards. However, there are scenarios when developers must extend or override this default processing, and the ICardInitialization Customization Interface provides for scenarios such as (but not limited to) the following:

Custom CardID Generation

Tailspin Toys uses unique employee IDs from their legacy human resources management system, and they wish to explicitly base their smart cards' unique identifiers on these employee IDs. Tailspin can build an assembly that overrides GenerateCardId, implement their custom technique for generating identifiers, and return custom CardIDs to FIM CM.

Custom Administrative Key Diversification

Contoso Pharmaceuticals is implementing FIM CM but has deployed Base CSP smart cards that rely on a proprietary method of diversifying their administrative keys. Contoso can support these cards with an assembly that overrides GetDiversifiedAdminKey and returns the custom keys that FIM CM will, in turn, write and use to authenticate to the smart cards.

Linking Initialization to Other Procedures

City Power & Light has an extensive set of physical access protocols linked to employee smart cards. Employees use their cards for building access, authentication to workstations, configuration of power generating equipment, and even tracking of HR information and pay balances at the cafeteria. City Power & Light can use an assembly that overrides GenerateCardId to complete each of those procedures during the card initialization process.

Implementing ICardInitialization Classes

In order to extend the built-in functionality of the FIM CM's card initialization process, developers should create a .NET assembly DLL that implements the ICardInitialization interface.

Creating Extension Assemblies

  1. First, you must include a reference to the assembly that contains the ICardInitialization interface. In Visual Studio.NET, create a new .NET DLL project. In the Solution Explorer, right-click References and select Add Reference…. Navigate to the location of the Microsoft.Clm.Common.dll assembly included with FIM CM, and click OK.

  2. Next, write and compile your assembly, using the information in this documentation. Test the assembly thoroughly.

  3. Once you have a working assembly, deploy it to the FIM CM server's c:\program files\microsoft forefront identity manager\certificate management\bin and c:\program files\microsoft forefront identity manager\certificate management\web\bin directories.

  4. Configure FIM CM to begin calling into your assembly. For ICardInitialization extensions, this is done via the FIM CM administrative interface, on the Profile Details Page, under Smart Card Configuration. Navigate to Microsoft Smart Card Base CSP, and to Smart Card Initialization Provider. For more information on configuring these items, see FIM Certificate Manager Technical Library.

More information on developing an extension assembly is available in Developing with the ICardInitialization Interface.

Assemblies written to interoperate with FIM CM must be developed using Microsoft .NET Framework 3.5 or higher. The version of this product released with ILM 2007 required .Net Framework 2.0 or higher.

ICardInitialization Classes at a Glance

Microsoft.Clm Namespace

Technology Area Class/Interface/Property

Smart card initialization



Administrative Keys

Key Diversification

Challenge-response calculation

ICardInitialization, ICardContext, SymmetricKey

See Also