ADFS and ADFS proxy supported on FIPS enabled server?

  • Question

  • Hello All,

    Has anyone tried installing ADFS and ADFS proxy on a FIPS-enabled server? I am about to start the testing, but before that I just wanted to see if anyone has faced any issues with it.

    Regards,

    Rahul

    Tuesday, August 16, 2016 4:40 PM

Answers

  • There are no known issues regarding FIPS and ADFS on Windows Server 2012 R2.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, August 23, 2016 6:21 PM

All replies

  • There is now:

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          1/4/2018 9:29:04 AM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          DOMAIN\adfsserv
    Computer:      SERVER.DOMAIN.COM
    Description:
    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    Saml 

    Relying Party: 
    RELYINGPARTY.com 

    Exception details: 
    System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
       at System.Security.Cryptography.RijndaelManaged..ctor()
       at System.IdentityModel.CryptoHelper.GetSymmetricAlgorithm(Byte[] key, String algorithm)
       at Microsoft.IdentityServer.Cryptography.CryptoUtil.Algorithms.NewAes256Encryption()
       at Microsoft.IdentityServer.Service.Cryptography.MSISRsaEncryptionManager.Encrypt(Byte[] value)
       at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
       at Microsoft.IdentityServer.Web.Protocols.SSOManager.SaveSingleSignOnCookie(Byte[] token, Nullable`1 expiryTime, WrappedHttpListenerContext httpListenerContext, NamedByteCookieManager cookieManager)
       at Microsoft.IdentityServer.Web.SessionTokenManager.SingleSignOnTokenHelper.SaveSingleSignOnCookie(WrappedHttpListenerContext httpListenerContext, Boolean deleteTemporarySsoCookie)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2018-01-04T14:29:04.645055300Z" />
        <EventRecordID>337</EventRecordID>
        <Correlation ActivityID="{00000000-0000-0000-2102-0080010000C4}" />
        <Execution ProcessID="2952" ThreadID="6236" />
        <Channel>AD FS/Admin</Channel>
        <Computer>SERVER.DOMAIN.COM</Computer>
        <Security UserID="S-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Saml</Data>
            <Data>RELYINGPARTY.com</Data>
            <Data>System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
       at System.Security.Cryptography.RijndaelManaged..ctor()
       at System.IdentityModel.CryptoHelper.GetSymmetricAlgorithm(Byte[] key, String algorithm)
       at Microsoft.IdentityServer.Cryptography.CryptoUtil.Algorithms.NewAes256Encryption()
       at Microsoft.IdentityServer.Service.Cryptography.MSISRsaEncryptionManager.Encrypt(Byte[] value)
       at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
       at Microsoft.IdentityServer.Web.Protocols.SSOManager.SaveSingleSignOnCookie(Byte[] token, Nullable`1 expiryTime, WrappedHttpListenerContext httpListenerContext, NamedByteCookieManager cookieManager)
       at Microsoft.IdentityServer.Web.SessionTokenManager.SingleSignOnTokenHelper.SaveSingleSignOnCookie(WrappedHttpListenerContext httpListenerContext, Boolean deleteTemporarySsoCookie)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>


    Charles Herrington

    Thursday, January 4, 2018 3:26 PM
  • What crypto is involved in this transaction? If it is not FIPS compliant, then the message is just legit. And it's not an issue of ADFS not working with FIPS being enabled, it's an issue of the crypto not being FIPS compliant.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, January 5, 2018 2:23 AM
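An added example (not code from the thread or from Microsoft) that turns the event above and the diagnosis in the last reply into a triage check: it parses an AD FS/Admin event 364, flags it only when the exception text names the FIPS policy, and reports the refused .NET type. The sample event is constructed from the thread's log with its placeholder names; the commented live-server lines use Get-WinEvent and the FipsAlgorithmPolicy registry value.

```powershell
# Constructed sample, trimmed from the thread's event 364 (placeholder computer and relying party).
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>364</EventID>
    <Channel>AD FS/Admin</Channel>
    <Computer>SERVER.DOMAIN.COM</Computer>
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Saml</Data>
        <Data>RELYINGPARTY.com</Data>
        <Data>System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.RijndaelManaged..ctor()</Data>
      </EventData>
    </Event>
  </UserData>
</Event>
'@

function Test-AdfsFipsFailure {
    # Returns a summary object when a 364 event failed because of FIPS policy, else $null.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    if ([int]$doc.Event.System.EventID -ne 364) { return $null }
    # AD FS puts protocol, relying party and exception text into the three Data elements.
    $data = @($doc.Event.UserData.Event.EventData.Data)
    $exception = $data[-1]
    if ($exception -notmatch 'FIPS validated cryptographic algorithms') { return $null }
    # The first stack frame names the managed (non-validated) implementation that was refused.
    $frame = ($exception -split "`n" | Where-Object { $_ -match '^\s*at ' } |
              Select-Object -First 1).Trim()
    [pscustomobject]@{
        Computer     = $doc.Event.System.Computer
        Protocol     = $data[0]
        RelyingParty = $data[1]
        RefusedType  = ($frame -replace '^at\s+', '') -replace '\.\.ctor\(\)$', ''
    }
}

# Offline run against the constructed sample.
Test-AdfsFipsFailure -EventXml $SampleEventXml | Format-List

# On a live AD FS server: recent 364 events, and the policy flag the exception depends on.
# Get-WinEvent -FilterHashtable @{LogName='AD FS/Admin'; Id=364} -MaxEvents 50 |
#     ForEach-Object { Test-AdfsFipsFailure -EventXml $_.ToXml() }
# (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy').Enabled
```

A non-null result with RefusedType System.Security.Cryptography.RijndaelManaged matches the thread's case: the server's FIPS policy is rejecting a managed algorithm implementation, not AD FS itself.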