Re: ADFS Not Compatible with FIPS?
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 11 Sep 2006 12:24:19 -0500
Do you still have Schannel event logging enabled in debug mode? Do you get
any interesting errors on the machine that is establishing the connection?
This might be something that can be configured around, especially if it is
the SSL part of ADFS and not the token signing part. I've never dealt with
this problem though, so I really don't know. This might be worth opening an
official support inquiry with MS to ensure that it gets taken care of.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Susieber" <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6CE110B6-34AC-4AB4-964F-36D1CE9E3EDC@xxxxxxxxxxxxxxxx
Has anyone out there tried enabling FIPS-compliant algorithms on Windows
Server in an ADFS environment?
We just discovered that this setting is the cause of many of our past ADFS
configuration failures. When we enable _cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing_ in the domain security
policy, the ADFS trust breaks.
The ADFS client can access the Web server with the TLS 1.0 setting enabled
in IE. But the federation servers stop talking to each other, and the client
gets the discoverclientrealm page but eventually just gives up after that
with a page not displayable type error.
According to the MSKB, this FIPS setting affects Terminal Services and EFS,
so it doesn't surprise me that it affects ADFS.
Anyone else been able to track down a fix (other than disabling FIPS)?
TIA,
Susie
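The two checks Joe asks for (is the FIPS policy actually in force on this box, and is Schannel logging turned up far enough to show why the connection is failing) can be scripted. The following is an added example written for this page; it is not code from either poster or from ADFS. The registry locations are the documented Windows ones: the FIPS policy lives under Lsa\FipsAlgorithmPolicy (a DWORD value named FipsAlgorithmPolicy directly under Lsa on Windows 2003, the release this thread is about; a subkey with an Enabled value on later releases), and Schannel's verbosity is the EventLogging DWORD under SecurityProviders\SCHANNEL, where 7 logs errors, warnings and informational events. The function and parameter names are assumptions of this example. Run it elevated on the federation server or client that fails, reproduce the failure, and read the Schannel events it lists; it gathers evidence and does not itself prove which part of ADFS the policy breaks.

```powershell
# Added troubleshooting script for this thread (not from the posters or ADFS).
# Assumptions: function names below are this example's own; registry paths are
# the documented Windows locations for the FIPS policy and Schannel logging.

function Get-FipsPolicyState {
    # Windows Vista / Server 2008 and later: Lsa\FipsAlgorithmPolicy\Enabled (DWORD)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -ne $v) { return [bool]$v }
    }
    # Windows XP / Server 2003: a DWORD value named FipsAlgorithmPolicy under Lsa
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue).FipsAlgorithmPolicy
    return [bool]$v
}

function Get-SchannelLoggingLevel {
    # EventLogging bitmask: 1 errors, 2 warnings, 4 informational; 7 = everything
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $v = (Get-ItemProperty -Path $key -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $v) { return 1 }   # value absent: Windows logs errors only
    return [int]$v
}

function Enable-SchannelDebugLogging {
    # Sets the "debug" level Joe refers to. Schannel reads the value when the
    # hosting process starts, so restart the affected service (IIS for the
    # federation server) or reboot before the extra events appear.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    Set-ItemProperty -Path $key -Name EventLogging -Value 7 -Type DWord
}

function Get-RecentSchannelEvents {
    param([int]$Max = 50)
    # Schannel writes to the System log under the provider name "Schannel".
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } `
        -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# --- usage -------------------------------------------------------------------
$fips  = Get-FipsPolicyState
$level = Get-SchannelLoggingLevel
"FIPS algorithm policy enforced : $fips"
"Schannel EventLogging level    : $level (7 = errors, warnings and informational)"
if ($level -lt 7) {
    "Schannel logging is below 7. Run Enable-SchannelDebugLogging, restart IIS or reboot,"
    "reproduce the federation failure, then run this script again."
}
Get-RecentSchannelEvents | Format-Table -AutoSize -Wrap
```

Run the script on both the account-partner and resource-partner federation servers, since the post says it is the server-to-server leg that stops working while the browser-to-web-server leg still succeeds; comparing the Schannel errors on the side that initiates the connection with those on the side that receives it is what tells you whether the policy is breaking the SSL handshake or something later, which is the distinction Joe's reply hinges on.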