Use FIPS 140-2 compliance algorithms

Use the "Use FIPS compliant algorithms for encryption, hashing, and signing" group policy to require FIPS 140-2-compliant cryptographic algorithms for the authentication protocols used by the agent.

Basic requirements

Delinea supports FIPS 140-2 compliance for authentication using Kerberos and NTLM with the following requirements and caveats:

  • FIPS mode is available on agent version 5.0.2 or later, but only on supported operating systems. See the NIST validation entry for the Centrify FIPS mode for the current list of supported platforms.

  • Domain controllers must be at Windows Server 2008 domain functional level, or later.

  • The administrator must explicitly add the centrifydc_fips.xml template, or directly edit the administrative template, to enable this policy.

    Delinea recommends that you use the centrifydc_fips.xml template. When you do, the agent performs several checks before implementing the policy to confirm that your domain controller and joined computers meet the requirements.

  • If multiple encryption types are specified, only the AES128-CTS and AES256-CTS encryption type keys (with RSA for public key generation, DSA for digital signature generation, and SHA1, SHA256, SHA384 or SHA512 for hashing) are generated and saved to the keytab file. However, if the arcfour-hmac-md5 encryption type is specified, the MD4 hash of the machine password is also generated and saved to the keytab file.

    Which encryption types are used on each joined computer is controlled by a parameter in each Linux, UNIX, or Mac OS X computer’s configuration file. See the adclient.krb5.permitted.encryption.types description under Related configuration parameters for an explanation.

  • Inter-realm keys for the AES128-CTS or AES256-CTS encryption types must be established between any trusted domains to enable Active Directory users to log on to a joined computer (see the ksetup utility to set up inter-realm keys).

  • FIPS mode only allows NTLM pass-through authentication over SChannel. FIPS mode is not available for NTLM authentication over SMB or SMB2.

  • In some environments, offline multi-factor authentication is not compatible with FIPS mode. See the Multi-factor Authentication Quick Start Guide for details about this restriction.

Enabling the Policy

To enforce FIPS 140-2 compliance, select the Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Use FIPS compliant algorithms for encryption, hashing, and signing policy, open its properties, and select Enabled.

The policy takes effect after the next group policy update.

When you use the XML group policy template, the agent performs the following validation checks:

  • It verifies that each joined computer is running a supported operating system.

  • It verifies that each machine is joined to a domain at domain functional level 2008 or above. If the domain does not meet the domain functional level requirements, the agent issues the following warning:

    FIPS mode is supported only on domain with 2008 domain functional level or up.

    Enabling this policy with lower domain functional level may prevent adclient from working properly. Are you sure you want to enable this policy?

    Respond Yes to enable the policy regardless, or No to abort. However, if the current domain functional level is inadequate or FIPS mode is not supported on the host platform, the agent does not restart when the policy is applied.

For all joined computers that pass, the agent is automatically stopped and restarted. After a successful restart, the adjoin, adleave, and adinfo commands run in FIPS mode immediately. If a joined computer is running an unsupported platform, the computer’s configuration file is not updated and the agent is not restarted.

There are several restrictions and rules governing the use of FIPS mode. The following bullets summarize the policy:

  • Pre-validated groups and users that use FIPS mode to log on when disconnected must have each user’s Active Directory msDS-SupportedEncryptionTypes attribute set to use Kerberos AES 128- or 256-bit encryption. You can set this attribute on the users’ accounts using Active Directory Users and Computers or ADSI Edit.

  • The value of the corresponding Windows policy to use FIPS compliant algorithms has no effect on the Windows, Linux, UNIX, or Mac OS X computers managed through the Centrify Agent. You must use the Centrify policy to enable FIPS mode. The Centrify policy is only available when you add the centrifydc_fips.xml or centrifydc_fips.admx template (see Adding Centrify policies from XML files).

Related configuration parameters

The following centrifydc.conf configuration parameters affect FIPS operation. See the Configuration and Tuning Reference Guide for details about these parameters.

  • fips.mode.enable: Enable FIPS mode on a per-computer basis. This group policy modifies the fips.mode.enable parameter in centrifydc.conf.

  • adclient.krb5.clean.nonfips.enctypes: If FIPS mode is enabled and this configuration parameter is set to true, adclient scans the computer’s keytab file and removes all non-AES encryption keys for service principal names (SPNs) during startup. The default is false.

  • adclient.krb5.permitted.encryption.types: If FIPS mode is enabled, and if you include the arcfour-hmac-md5 encryption type in this configuration parameter, and if adclient.krb5.clean.nonfips.enctypes is true, adclient generates the MD4 hash for the computer password and saves it in the keytab file.
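The following checker applies the three parameter rules above to a centrifydc.conf and reports anything that would leave non-FIPS material in the keytab. It is an added example, not Delinea or Centrify code; it assumes the file uses "key: value" lines with "#" comments and space-separated encryption type lists, and the sample file is constructed.

```python
from typing import Dict, List

# Constructed centrifydc.conf fragment (not copied from a real host); only the
# three parameters this page describes are needed for the audit.
SAMPLE_CONF = """
# centrifydc.conf (constructed sample)
fips.mode.enable: true
adclient.krb5.clean.nonfips.enctypes: false
adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5
"""

# The only encryption types whose keys are written to the keytab in FIPS mode.
FIPS_ENCTYPES = {"aes128-cts", "aes256-cts"}

def parse_conf(text: str) -> Dict[str, str]:
    """Return key -> value for every non-comment 'key: value' line (format assumed)."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        params[key.strip()] = value.strip()
    return params

def is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")

def audit_fips(params: Dict[str, str]) -> List[str]:
    """Evaluate the page's rules; an empty list means the keytab stays AES-only."""
    findings: List[str] = []
    if not is_true(params.get("fips.mode.enable", "false")):
        return ["fips.mode.enable is not true: FIPS mode is off on this computer"]
    enctypes = params.get("adclient.krb5.permitted.encryption.types", "").lower().split()
    if not any(e in FIPS_ENCTYPES for e in enctypes):
        findings.append("no AES128-CTS/AES256-CTS enctype permitted: no FIPS keys are written to the keytab")
    for e in enctypes:
        if e == "arcfour-hmac-md5":
            findings.append("arcfour-hmac-md5 permitted: an MD4 hash of the machine password is saved in the keytab")
        elif e not in FIPS_ENCTYPES:
            findings.append(f"non-FIPS enctype permitted: {e}")
    if not is_true(params.get("adclient.krb5.clean.nonfips.enctypes", "false")):
        findings.append("adclient.krb5.clean.nonfips.enctypes is false (default): existing non-AES SPN keys are kept at startup")
    return findings

if __name__ == "__main__":
    for finding in audit_fips(parse_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```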