
Network World

Tyson Kopczynski

Introducing Certificate Lifecycle Manager (CLM) 2007 Part Three…

By tyson.kopczynski on Thu, 08/02/07 - 1:33am.

To follow up my previous post, where I show nothing but love to CLM, I’m now going to declare my biggest pet peeves with the product.

The Bad:

  1. Licensing! CLM falls under the same license model as ILM, which makes sense considering the goal of ILM V2 is to make ILM and CLM the same product (ok, too many three-letter abbreviations). In short, this means that to run CLM you need to purchase an ILM server license plus CLM user CALs if you are planning on having CLM manage user certificates. To make matters worse, you also need a Windows Server 2003 Enterprise and a SQL Server 2005 (Standard or Enterprise) license (granted, you might already have those). Ouch! For more details see: Link
  2. The CLM Bulk Issuance Client only supports Datacard smart card printers and their ID Works 5.1 Enterprise Identification Software. You would think that with all of their focus on getting smart card vendors to support their Smart Card Base CSP, Microsoft would have also taken the time to standardize support for other smart card printers, or at least to support Datacard’s latest version of ID Works. Hopefully the product team will have some development cycles to address this.
  3. CLM doesn’t work on Vista because it doesn’t support CertEnroll. Not a biggie for clients that don’t have large deployments of Vista. And, there are rumors that Vista support will come with the CLM feature pack. But, there is nothing more frustrating than rolling out Vista only to find that nothing really supports it (***grumbles*** about his TV tuner card that still refuses to run on 64-bit Vista).
  4. Permissions in CLM are a pain to manage and troubleshoot. Call this a love/hate relationship. I love it that the product group had the guts, for the most part, to stick with an Active Directory-based permissions model. What I don’t like is that there are 5 different locations where CLM permissions need to be set (Service Connection Point, Profile Template Object, Users/Groups, Certificate Templates, CLM Management Policies). While I have no problem whipping the rights into shape, most IT Pros will have some problems with managing the permissions. Let’s put some kind of front-end on the permission model, please! BTW - Thanks for the better error messages.
  5. Only a single CA can issue a specific certificate template within a profile template. The reasoning being, if you didn’t keep this one-to-one mapping, then key recovery would fail because CLM doesn’t “really” keep track of which CA contains the archived keys. This also means that you can never change the CA in a profile template that includes encryption certificates. Err… why? Dear product group, please correct this interesting behavior by just keeping track of the CA that is used. Yes, I realize we will need to recover the original CA if it is lost. But, for the love of god, at least allow me to have one or more issuing CAs.

Well, that about wraps up this blog posting. While I could go on for a bit more, it may be best to stop now…

For all of today's Microsoft news, visit the Microsoft Subnet.

About Hidden Microsoft

With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson has worked with and provided feedback on next-generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).


Certifications:

  • Certified Information Systems Security Professional (CISSP)
  • SANS Security Essentials Certification (GSEC)
  • SANS Certified Incident Handler (GCIH)
  • MCTS (Application Platform, Active Directory, and Network Infrastructure)
  • Microsoft Certified Systems Engineer (MCSE) Security
  • CompTIA Security+

Other Stuff:

  • Blogger NetworkWorld.com from June 2007
  • GIAC Advisory Board from 2009
  • SANS GSEC Local Mentor (a long time ago)
  • CompTIA Security+ SME (a long time ago)
  • Judge, Imagine Cup 2005 Int'l IT Competition
  • Judge, Imagine Cup 2007 Int'l IT Competition