Re: ADFS Not Compatible with FIPS?
- From: Susieber <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 12 Sep 2006 08:01:03 -0700
Well, the <machineKey> setting didn't work. We even applied it to the Fed
Servers' web.configs. Apparently what we've learned here is that ADFS is not
a FIPS-compliant application. Once FIPS is enabled, I cannot access the
Federation Server Service URLs from the federation servers themselves.
In fact, according to KB 911722, ASP.NET 2.0 uses the AES algorithm when it
processes view state data. The AES algorithm is not currently a Federal
Information Processing Standard (FIPS)-compliant algorithm.
So we plan to talk to Microsoft about this tomorrow. The blog link you sent
explains why FIPS is a requirement for this particular evaluation we're doing.
I'll let you know what we ultimately find out from MSFT on this. No doubt
it's fixed in Vista. We'll see.
"Joe Kaplan" wrote:
Here's a blog post I found by .NET security luminary Shawn Farkas that sheds
a little more light on this:
http://blogs.msdn.com/shawnfa/archive/2005/05/16/417975.aspx
It doesn't really suggest whether there is a practical solution to this
particular problem though.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Susieber" <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9EEF070B-6B09-476D-A01D-3B35A36F101B@xxxxxxxxxxxxxxxx
Thanks, Joe. I re-enabled SChannel, but got no events. Then the client
generated a different error (none of this seems to be consistently
reproducible) - and the error was FIPS-specific:
This implementation is not part of the Windows Platform FIPS validated
cryptographic algorithms.
Some research led me to find out that it's looking like ASP .NET 2.0 uses
the AES algorithm, but it is not a FIPS-compliant algorithm. See
http://support.microsoft.com/kb/911722/en-us?spid=8940&sid=291.
We are going to try a workaround mentioned in that article - it's a
<machineKey> entry to add to the claimapp's web.config file.
"Joe Kaplan" wrote:
Do you still have Schannel event logging enabled in debug mode? Do you get
any interesting errors on the machine that is establishing the connection?
This might be something that can be configured around, especially if it is
the SSL part of ADFS and not the token signing part. I've never dealt with
this problem though, so I really don't know. This might be worth opening an
official support inquiry with MS to ensure that it gets taken care of.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Susieber" <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6CE110B6-34AC-4AB4-964F-36D1CE9E3EDC@xxxxxxxxxxxxxxxx
Has anyone out there tried enabling FIPS-compliant algorithms on Windows
Server in an ADFS environment?
We just discovered that this setting is the cause of many of our past ADFS
configuration failures. When we enable _cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing_ in the domain security
policy, the ADFS trust breaks.
The ADFS client can access the Web server with the TLS 1.0 setting enabled
in IE. But the federation servers stop talking to each other, and the client
gets the discoverclientrealm page but eventually just gives up after that
with a page not displayable type error.
According to the MSKB, this FIPS setting affects Terminal Services and EFS,
so it doesn't surprise me that it affects ADFS.
Anyone else been able to track down a fix (other than disabling FIPS)?
TIA,
Susie
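The thread turns on two settings: the domain "Use FIPS compliant algorithms" policy, and the ASP.NET 2.0 <machineKey> algorithms that KB 911722 says default to AES. The script below is an added example (not code from the thread, from Microsoft, or from the KB) for auditing one host for both. It reads the documented FIPS policy switch (a FIPSAlgorithmPolicy value under Lsa on Windows Server 2003, the Enabled value under the FipsAlgorithmPolicy subkey on Vista/2008 and later), parses a web.config, and flags a <machineKey> that still selects AES or MD5. The web.config path is a placeholder; the suggested replacement element is the KB 911722 workaround the thread refers to, and as the top post notes, whether that workaround is enough for ADFS was still open. Requires PowerShell 3 or later.

```powershell
# Added example: audit FIPS policy state and the ASP.NET <machineKey> algorithms
# discussed in the thread above. Not part of the original posts.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\claimapp\web.config'   # placeholder path, adjust
)

function Get-FipsPolicyEnabled {
    # Windows Server 2003 / XP: the switch is a REG_DWORD named FIPSAlgorithmPolicy directly under Lsa
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.PSObject.Properties['FIPSAlgorithmPolicy']) {
        return [bool]$lsa.FIPSAlgorithmPolicy
    }
    # Vista / Server 2008 and later: Enabled value under the FipsAlgorithmPolicy subkey
    $sub = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
    if ($sub -and $sub.PSObject.Properties['Enabled']) {
        return [bool]$sub.Enabled
    }
    return $false
}

function Test-MachineKeyFipsSafe {
    param([Parameter(Mandatory = $true)][string]$Path)

    [xml]$cfg = Get-Content -Path $Path -ErrorAction Stop
    $mk = $cfg.configuration.'system.web'.machineKey
    $findings = @()

    if (-not $mk) {
        # No explicit element: ASP.NET 2.0 defaults apply, and per the thread (citing
        # KB 911722) that means AES for view state, which the FIPS policy rejects.
        $findings += 'no <machineKey> element: ASP.NET 2.0 default (AES) is used for view state'
        $validation = '(default)'
        $decryption = '(default)'
    } else {
        $validation = if ($mk.validation) { $mk.validation } else { '(default)' }
        $decryption = if ($mk.decryption) { $mk.decryption } else { '(default)' }
        # decryption="Auto" (and the unset default) resolve to AES on ASP.NET 2.0
        if (@('AES', 'Auto', '(default)') -contains $decryption) {
            $findings += "decryption=$decryption selects AES"
        }
        # validation="AES" and "MD5" are not FIPS-validated; SHA1 and 3DES are the accepted choices here
        if (@('AES', 'MD5') -contains $validation) {
            $findings += "validation=$validation is not a FIPS-validated algorithm"
        }
    }

    [pscustomobject]@{
        WebConfig  = $Path
        Validation = $validation
        Decryption = $decryption
        FipsSafe   = ($findings.Count -eq 0)
        Findings   = $findings
        # KB 911722 workaround referenced in the thread: pin both algorithms to 3DES.
        Suggested  = '<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>'
    }
}

$report = Test-MachineKeyFipsSafe -Path $WebConfigPath
[pscustomobject]@{
    FipsPolicyEnabled  = (Get-FipsPolicyEnabled)
    MachineKeyFipsSafe = $report.FipsSafe
} | Format-List
$report | Format-List
```

Run it on each federation server and on the claim app host; the thread's symptom (servers stop talking to each other once the policy is on) matches FipsPolicyEnabled being true while MachineKeyFipsSafe is false. One caveat on the suggested element: AutoGenerate produces a different key on every machine, so if the claim app is served by more than one node, replace it with explicit, identical validationKey and decryptionKey values on each node, or view state signed on one server will fail validation on the next.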