Centrify supports FIPS 140-2 compliance for authentication using Kerberos and NTLM with the following requirements and caveats:
- FIPS mode is available on agent version 5.0.2 or later but only on supported operating systems. See the NIST validation entry for the Centrify FIPS mode for the current list of supported platforms.
- Domain controllers must be at Windows Server 2008 domain functional level, or later.
- The administrator must explicitly add the centrifydc_fips.xml template or directly edit the administrative template to enable this policy.
Note: Centrify recommends that you use the centrifydc_fips.xml template. When you do, the agent performs several checks before implementing the policy to confirm that your domain controller and joined computers meet the requirements.
If multiple encryption types are specified, only the AES128-CTS and AES256-CTS encryption type keys (with RSA for public key generation, DSA for digital signature generation, and SHA1, SHA256, SHA384 or SHA512 for hashing) are generated and saved to the keytab file. However, if arcfour-hmac-md5 encryption is specified, the MD4 hash of the machine password is generated and saved to the keytab file.
Note: Which encryption types are used on each joined computer is controlled by a parameter set in each Linux, UNIX, or Mac OS X computer’s configuration file. See the adclient.krb5.permitted.encryption.types description in the Notes section on Related configuration parameters for an explanation.
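As an added example (not Centrify's own code), the following helper audits a joined computer for the two points above: it flags keytab entries whose encryption type is not one FIPS mode generates keys for (such as arcfour-hmac-md5), and lists any permitted encryption types in the configuration file that FIPS mode will not key. It assumes the `klist -kte` listing layout and a centrifydc.conf "name: value" line with a space-separated value; the sample inputs are constructed.

```python
# Added audit helper (not Centrify's own code). Assumes a `klist -kte` layout
# ("KVNO Timestamp Principal (enctype)") and a centrifydc.conf "name: value"
# line with a space-separated value; both are assumptions, and both sample
# inputs below are constructed rather than captured from a real system.
import re

# Encryption types the page says FIPS mode generates keytab keys for
# (short names and the full Kerberos enctype names).
FIPS_ENCTYPES = {"aes128-cts", "aes256-cts",
                 "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
# One key entry: kvno, date, time, principal, "(enctype)".
_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def audit_keytab_listing(listing):
    """Return (principal, enctype, fips_ok) for each key entry in a klist -kte dump."""
    results = []
    for line in listing.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:  # skips 'Keytab name:', the header and the separator line
            _kvno, principal, enctype = m.groups()
            results.append((principal, enctype, enctype.lower() in FIPS_ENCTYPES))
    return results

def permitted_enctypes(conf_text):
    """Values of adclient.krb5.permitted.encryption.types from centrifydc.conf text."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("adclient.krb5.permitted.encryption.types"):
            return line.partition(":")[2].split()
    return []

def non_fips_enctypes(conf_text):
    """Permitted enctypes that FIPS mode will not generate keys for."""
    return [e for e in permitted_enctypes(conf_text) if e.lower() not in FIPS_ENCTYPES]

# Constructed sample inputs, labelled as such.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 01/02/2024 10:00:00 host/lnx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 01/02/2024 10:00:00 host/lnx01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 01/02/2024 10:00:00 host/lnx01.example.com@EXAMPLE.COM (arcfour-hmac-md5)
"""
SAMPLE_CONF = "adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5\n"

if __name__ == "__main__":
    for principal, enctype, ok in audit_keytab_listing(SAMPLE_KLIST):
        print("OK      " if ok else "NON-FIPS", principal, enctype)
    print("permitted but not keyed in FIPS mode:", non_fips_enctypes(SAMPLE_CONF))
```

Any NON-FIPS entry in the keytab, or a non-empty list from the configuration check, means the computer is not running with only the encryption types FIPS mode supports and should be reviewed before the policy is enabled.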
Inter-realm keys for the AES128-CTS or AES256-CTS encryption types must be established between any trusted domains to enable Active Directory users to log on to a joined computer (see the ksetup utility to set up inter-realm keys).
In some environments, offline multi-factor authentication is not compatible with FIPS mode. See the Multi-factor Authentication Quick Start Guide for details about this restriction.