Enabling the policy

To enforce FIPS 140-2 compliance, select the Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Use FIPS compliant algorithms for encryption, hashing, and signing policy, open the properties, and select Enabled.

The policy takes effect after the next group policy update.

When you use the XML group policy template, the agent performs the following validation checks:

  • It verifies that each joined computer is running a supported operating system.
  • It verifies that each machine is joined to a domain at domain functional level 2008 or above. If the domain does not meet the domain functional level requirements, the agent issues the following warning:

    FIPS mode is supported only on domain with 2008 domain functional level or up.

    Enabling this policy with lower domain functional level may prevent adclient from working properly. Are you sure you want to enable this policy?

    Respond Yes to enable the policy anyway, or No to abort. Note, however, that if the current domain functional level is inadequate or FIPS mode is not supported on the host platform, the agent does not restart when the policy is applied, even if you respond Yes.

For all joined computers that pass, the agent is automatically stopped and restarted. After a successful restart, the adjoin, adleave, and adinfo commands run in FIPS mode immediately. If a joined computer is running an unsupported platform, the computer’s configuration file is not updated and the agent is not restarted.

There are several restrictions and rules governing the use of FIPS mode. The following bullets summarize the policy:

  • Pre-validated groups and users that use FIPS mode to log on while disconnected must have each user's Active Directory msDS-SupportedEncryptionTypes attribute set to allow Kerberos AES 128- or 256-bit encryption. You can set this attribute on the user accounts with Active Directory Users and Computers or ADSI Edit.
  • The value of the corresponding Windows policy to use FIPS compliant algorithms has no effect on the Windows, Linux, UNIX, or Mac OS X computers managed through the Centrify Agent. You must use the Centrify policy to enable FIPS mode. The Centrify policy is only available when you add the centrifydc_fips.xml or centrifydc_fips.admx template (see Adding Centrify policies from XML files).
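The first rule above is easy to miss for a group of pre-validated users, so here is an added audit script (not part of the Centrify documentation or product) that checks each member of an AD group for the Kerberos AES bits in msDS-SupportedEncryptionTypes. It assumes the RSAT ActiveDirectory PowerShell module is available and uses a hypothetical group name; the -SetAes switch is optional and only adds the two AES bits while preserving any bits already set.

```powershell
# Added example, not from the Centrify documentation. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes for the two Kerberos AES types the rule above requires.
$AES128  = 0x08   # AES128-CTS-HMAC-SHA1-96
$AES256  = 0x10   # AES256-CTS-HMAC-SHA1-96
$AesMask = $AES128 -bor $AES256

function Test-AesEnabled {
    param([Nullable[int]]$EncTypes)
    # An unset attribute leaves the choice to the DC; the rule above wants it set explicitly.
    if ($null -eq $EncTypes) { return $false }
    return ($EncTypes -band $AesMask) -ne 0
}

function Get-FipsLogonReadiness {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$SetAes   # when present, add both AES bits to users that lack them
    )
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties 'msDS-SupportedEncryptionTypes'
            $current = $u.'msDS-SupportedEncryptionTypes'
            $ok = Test-AesEnabled -EncTypes $current
            if (-not $ok -and $SetAes) {
                # OR the AES bits into the existing value so other enabled types are kept.
                $base = if ($null -eq $current) { 0 } else { [int]$current }
                $new  = $base -bor $AesMask
                Set-ADUser -Identity $u -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
                $ok = $true
            }
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                EncryptionTypes = $current
                AesEnabled      = $ok
            }
        }
}

# Usage (hypothetical group name): list users who would fail disconnected logon in FIPS mode.
Get-FipsLogonReadiness -GroupName 'FIPS-Offline-Users' | Where-Object { -not $_.AesEnabled }
```

Run the report first without -SetAes; a user whose Kerberos keys were issued before the change still needs a password change or ticket renewal before AES keys exist for the account.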