Basic requirements

Centrify supports FIPS 140-2 compliance for authentication using Kerberos and NTLM with the following requirements and caveats:

  • FIPS mode is available on agent version 5.0.2 or later but only on supported operating systems. See the NIST validation entry for the Centrify FIPS mode for the current list of supported platforms.
  • Domain controllers must be at Windows Server 2008 domain functional level, or later.
  • The administrator must explicitly add the centrifydc_fips.xml template, or directly edit the administrative template, to enable this policy.

    Note:   Centrify recommends that you use the centrifydc_fips.xml template. When you do, the agent performs several checks before implementing the policy to confirm that your domain controller and joined computers meet the requirements.

  • If multiple encryption types are specified, only the AES128-CTS and AES256-CTS encryption type keys (with RSA for public key generation, DSA for digital signature generation, and SHA1, SHA256, SHA384 or SHA512 for hashing) are generated and saved to the keytab file. However, if arcfour-hmac-md5 encryption is specified, the MD4 hash of the machine password will be generated and saved to the keytab file.

    Note:   Which encryption types are used in each joined computer is controlled by a parameter set in each Linux, UNIX, or Mac OS X computer’s configuration file. See the adclient.krb5.permitted.encryption.types description in the Notes section on Related configuration parameters for an explanation.

  • Inter-realm keys for the AES128-CTS or AES256-CTS encryption types must be established between any trusted domains to enable Active Directory users to log on to a joined computer (see the ksetup utility to set up inter-realm keys).

  • FIPS mode only allows NTLM pass-through authentication over SChannel. FIPS mode is not available for NTLM authentication over SMB or SMB2.

  • In some environments, offline multi-factor authentication is not compatible with FIPS mode. See the Multi-factor Authentication Quick Start Guide for details about this restriction.
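An added audit script (not Centrify's code) that checks a joined Linux/UNIX host against the keytab and encryption-type requirements listed above: only AES128-CTS/AES256-CTS keys in the keytab, and arcfour-hmac-md5 absent from adclient.krb5.permitted.encryption.types. It assumes MIT `klist -kte` output format and the `key: value` layout of centrifydc.conf; both sample texts are constructed.

```python
"""Audit a Centrify-joined host's Kerberos key material for FIPS-mode compliance.
Added example with constructed sample data; not Centrify's own tooling."""
import re

# Constructed sample of MIT `klist -kte /etc/krb5.keytab` output (assumed format).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:00:00 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/02/2024 10:00:00 host/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 01/02/2024 10:00:00 host/web01.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# Constructed sample of the relevant centrifydc.conf line (assumed `key: value` layout).
SAMPLE_CONF = """\
# permitted Kerberos encryption types for this computer
adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5
"""

FIPS_ENCTYPE_PREFIXES = ("aes128-cts", "aes256-cts")
ENCTYPE_RE = re.compile(r"\((?P<enctype>[^()]+)\)\s*$")  # trailing "(enctype)" per entry


def keytab_enctypes(klist_output):
    """Return the enctype of every key entry in the listing, in order."""
    return [m.group("enctype").strip()
            for m in map(ENCTYPE_RE.search, klist_output.splitlines()) if m]


def non_fips_keytab_enctypes(klist_output):
    """Keytab enctypes that FIPS mode would not have generated (anything not AES-CTS)."""
    return [e for e in keytab_enctypes(klist_output)
            if not e.startswith(FIPS_ENCTYPE_PREFIXES)]


def permitted_enctypes(conf_text):
    """Parse adclient.krb5.permitted.encryption.types; empty list if unset."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "adclient.krb5.permitted.encryption.types":
            return value.split()
    return []


def fips_findings(klist_output, conf_text):
    """Human-readable findings; an empty list means both checks pass."""
    findings = ["keytab contains non-AES key: " + e
                for e in non_fips_keytab_enctypes(klist_output)]
    if "arcfour-hmac-md5" in permitted_enctypes(conf_text):
        findings.append("arcfour-hmac-md5 permitted: MD4 hash of machine password is stored")
    return findings


if __name__ == "__main__":
    print("\n".join(fips_findings(SAMPLE_KLIST, SAMPLE_CONF) or ["OK"]))
```

On a real host, feed the script the output of `klist -kte /etc/krb5.keytab` and the contents of /etc/centrifydc/centrifydc.conf in place of the samples.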