Re: ADFS Not Compatible with FIPS?



This could be. I'm not really sure. There are basically two parts to ADFS
crypto. There is the SSL stuff that is used for the client to talk to the
web applications (app, resource federation server/proxy and account
federation server/proxy) and there is the token signing and verification
stuff.

The SSL stuff is all implemented at the Windows level by IIS and happens
below the ASP.NET level completely. That is all managed by Schannel and
should show up that way.

The token signing and verification stuff is all done in .NET code by the
ADFS implementation. That may be where things are breaking. Once again, if
this was brought to MS support, they might be able to create a fix to work
around the issue (assuming that machine key thing doesn't do; I'd be
surprised if it does though...).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Susieber" <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9EEF070B-6B09-476D-A01D-3B35A36F101B@xxxxxxxxxxxxxxxx
Thanks, Joe. I re-enabled SChannel, but got no events. Then the client
generated a different error (none of this seems to be consistently
reproducible) - and the error was FIPS-specific:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Some research led me to find out that it's looking like ASP .NET 2.0 uses
the AES algorithm, but it is not a FIPS-compliant algorithm. See
http://support.microsoft.com/kb/911722/en-us?spid=8940&sid=291.

We are going to try a workaround mentioned in that article - it's a
<machineKey> entry to add to the claimapp's web.config file.

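Added example, not code from the thread or from ADFS/ASP.NET itself: a small C# probe that reproduces the check behind the error Susieber quotes. Run on each federation server or web-agent host, it tells you whether that host's FIPS policy blocks .NET's managed AES (RijndaelManaged, which ASP.NET 2.0 uses for view state), which explains why the error only shows up on some machines, and it falls back to the CAPI-backed 3DES provider, the same algorithm the KB 911722 machineKey workaround switches to. Class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Under the Windows FIPS policy, .NET refuses to instantiate algorithms that are
// not FIPS-validated (the managed RijndaelManaged among them) and throws
// InvalidOperationException with the message quoted in the thread. CAPI-backed
// providers such as TripleDESCryptoServiceProvider are validated and keep working.
static class FipsProbe
{
    // True when this host's FIPS policy blocks the managed AES implementation.
    public static bool ManagedAesBlocked()
    {
        try
        {
            using (SymmetricAlgorithm aes = new RijndaelManaged()) { return false; }
        }
        catch (InvalidOperationException)
        {
            // "This implementation is not part of the Windows Platform FIPS
            // validated cryptographic algorithms."
            return true;
        }
    }

    // Mirrors the KB 911722 machineKey workaround (validation/decryption = 3DES):
    // keep AES where it is allowed, use CAPI 3DES where the policy blocks managed AES.
    public static SymmetricAlgorithm CreateCipher()
    {
        if (ManagedAesBlocked())
            return new TripleDESCryptoServiceProvider();
        return new RijndaelManaged();
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy blocks managed AES: " + ManagedAesBlocked());
        using (SymmetricAlgorithm cipher = CreateCipher())
        {
            cipher.GenerateKey();
            cipher.GenerateIV();
            // Constructed sample payload standing in for a view state / token blob.
            byte[] plain = Encoding.UTF8.GetBytes("constructed sample token");
            byte[] enc = cipher.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
            byte[] dec = cipher.CreateDecryptor().TransformFinalBlock(enc, 0, enc.Length);
            Console.WriteLine(cipher.GetType().Name + " round trip ok: "
                + (Encoding.UTF8.GetString(dec) == "constructed sample token"));
        }
    }
}
```

If the probe reports that managed AES is blocked on only some of the hosts, that matches the inconsistent reproduction described above; the machineKey entry then has to be identical on every server that handles the same application.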


