fips.mode.enable

This configuration parameter indicates whether FIPS 140-2 compliant algorithms are used in the authentication protocols. FIPS 140-2 compliance is available for authentication using Kerberos and NTLM with the following caveats and requirements:

  • FIPS mode is available on Delinea Agents version 5.0.2 or later but only on specific UNIX platforms. See the NIST validation entry for the Delinea FIPS mode for the current list of supported platforms.

  • Domain controllers must be at Windows 2008 domain functional level or greater. If the domain controller domain functional level does not meet the required level, adclient does not start and returns an error message.

  • FIPS 140-2 compliance uses only the following algorithms: AES128-CTS or AES256-CTS encryption types, RSA for public key generation, DSA for digital signature generation and SHA1, SHA256, SHA384 or SHA512 for hashing.

  • Inter-realm keys for the AES128-CTS or AES256-CTS encryption types must be established between any trusted domains to enable Active Directory users to log on to a joined computer (see the ksetup utility to set up inter-realm keys).

  • FIPS mode only allows NTLM pass-through authentication over SChannel; FIPS mode is not available for NTLM authentication over SMB or SMB2.

In most cases, you set this configuration parameter using group policy. As long as the UNIX computer is running a supported platform, this policy sets the fips.mode.enable configuration parameter to true and restarts adclient.

The administrator must explicitly add the centrifydc_fips.xml or centrifydc_fips.adm group policy template on the domain controller to set fips.mode.enable. The template needs to be imported to just one domain controller in a forest.

If you are manually setting this parameter, the parameter value must be true or false. For example, to enable FIPS 140-2 compliant algorithms, set the following:

fips.mode.enable: true

The default is false.

After manually setting this parameter, you must restart adclient to enable FIPS mode.

There are several restrictions and rules governing the use of FIPS mode. For example:

  • Prevalidated groups and users that use FIPS mode to log in when disconnected must have their Active Directory msDS-SupportedEncryptionTypes attribute set to at least 0x18 (prevalidated login for users in FIPS mode requires Kerberos AES 128- or 256-bit encryption). See adclient.prevalidate.allow.groups and adclient.prevalidate.allow.users for the full explanation of the Active Directory msDS-SupportedEncryptionTypes options.

  • The value of the corresponding Windows policy (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Option > System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing) has no effect on the Windows, Linux, UNIX, or Mac OS X computers managed through the Delinea Agent. You must use the configuration parameter or the Delinea policy to enable FIPS mode.

The following configuration parameters affect adclient operation when FIPS mode is enabled:

  • adclient.krb5.keytab.clean.nonfips.enctypes: Set this configuration parameter to true to have adclient scan the computer’s keytab file and remove all non-AES encryption keys for service principal names (SPNs) during startup. (The default is false.)

  • adclient.krb5.permitted.encryption.types: If you include the arcfour-hmac-md5 encryption type in this configuration parameter AND adclient.krb5.extra_addresses is true, adclient generates the MD4 hash for the computer password and saves it in the keytab file.
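As an added example (not Delinea's code), the following Python audit applies the rules above to a constructed centrifydc.conf fragment and an msDS-SupportedEncryptionTypes value: it flags non-FIPS enctypes, the MD4 keytab case, an uncleaned keytab, and an attribute lacking the AES bits. The parameter names are those on this page; the sample values are constructed, and the AES bit positions (AES128 = 0x08, AES256 = 0x10) are the MS-KILE definitions of the attribute.

```python
import re

# Bits of the AD msDS-SupportedEncryptionTypes bitmask (MS-KILE): AES128 = 0x08, AES256 = 0x10.
AES128_CTS, AES256_CTS = 0x08, 0x10
FIPS_MIN_ENCTYPES = AES128_CTS | AES256_CTS   # 0x18, the minimum this page requires

# The only Kerberos enctypes FIPS mode uses, per this page.
FIPS_ENCTYPES = {"aes128-cts", "aes256-cts"}

# Constructed sample fragment in the "key: value" style of centrifydc.conf (not a real host's file).
SAMPLE_CONF = """
fips.mode.enable: true
adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5
adclient.krb5.extra_addresses: true
adclient.krb5.keytab.clean.nonfips.enctypes: false
"""

def parse_conf(text):
    """Parse 'key: value' lines into a dict, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([\w.]+)\s*:\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def is_true(conf, key, default="false"):
    return conf.get(key, default).strip().lower() == "true"

def audit_fips(conf, supported_enctypes):
    """Return findings for a parsed config and an account's msDS-SupportedEncryptionTypes (int)."""
    if not is_true(conf, "fips.mode.enable"):
        return ["fips.mode.enable is not true; FIPS mode is off"]
    findings = []
    permitted = set(conf.get("adclient.krb5.permitted.encryption.types", "").split())
    non_fips = permitted - FIPS_ENCTYPES
    if non_fips:
        findings.append("non-FIPS enctypes permitted: " + ", ".join(sorted(non_fips)))
    # Page rule: arcfour-hmac-md5 permitted AND extra_addresses true -> MD4 hash lands in the keytab.
    if "arcfour-hmac-md5" in permitted and is_true(conf, "adclient.krb5.extra_addresses"):
        findings.append("MD4 hash of the computer password will be stored in the keytab")
    if not is_true(conf, "adclient.krb5.keytab.clean.nonfips.enctypes"):
        findings.append("keytab may retain non-AES SPN keys (keytab.clean.nonfips.enctypes is false)")
    if (supported_enctypes & FIPS_MIN_ENCTYPES) != FIPS_MIN_ENCTYPES:
        findings.append("msDS-SupportedEncryptionTypes 0x%x lacks AES bits 0x18" % supported_enctypes)
    return findings
```

Running audit_fips(parse_conf(SAMPLE_CONF), 0x1C) yields three findings (arcfour permitted, MD4 hash in keytab, keytab not cleaned) and none for the attribute, since 0x1C includes both AES bits.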

For more information about using FIPS encryption, see the Administrator’s Guide for Linux and UNIX.