While working on the ADFS solution described in my previous post, today we came across an interesting situation. Our servers require the security policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". With that policy enabled, .NET refuses to instantiate any cryptographic class that is not FIPS validated (the purely managed implementations such as RijndaelManaged), so only the validated Windows CSP implementations such as SHA1CryptoServiceProvider and TripleDESCryptoServiceProvider remain usable.
Once you have configured your server with this setting you will find that the ADFS SingleSignOn.dll will choke. This behavior is documented in Microsoft's TechNet article 935449. Basically, the problem is that the original ADFS DLL does not support 3DES, the FIPS-validated cipher, and instead relies on an encryption implementation that the policy blocks. The issue manifests as the wonderful error message:
    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
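To see exactly which .NET cryptographic classes the policy blocks on a given server before ADFS does, the following PowerShell script (an added example, not part of the original post or of Microsoft's hotfix) reads the policy flag from the registry and then tries to instantiate a managed and a CSP-backed implementation of each of the two algorithm families involved. The registry locations are the standard ones (a DWORD named Enabled under the FipsAlgorithmPolicy key on Windows Vista/2008 and later, or a FipsAlgorithmPolicy DWORD directly under Lsa on XP/2003); the list of classes probed is my choice for illustration.

```powershell
# Added example: report the FIPS policy state and probe which .NET crypto
# implementations it allows. Not code from the original post or from ADFS.

# Vista/2008 and later: HKLM\...\Lsa\FipsAlgorithmPolicy\Enabled (DWORD).
# XP/2003: HKLM\...\Lsa\FipsAlgorithmPolicy (DWORD directly under Lsa).
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$fipsKey = Join-Path $lsaKey 'FipsAlgorithmPolicy'

$fipsEnabled = $false
if (Test-Path $fipsKey) {
    $val = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($val -eq 1) { $fipsEnabled = $true }
} else {
    $val = (Get-ItemProperty -Path $lsaKey -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue).FipsAlgorithmPolicy
    if ($val -eq 1) { $fipsEnabled = $true }
}
Write-Host ("FIPS policy enabled: {0}" -f $fipsEnabled)

# Managed implementations are not FIPS validated; the *CryptoServiceProvider
# classes wrap the validated Windows CSPs. Chosen for illustration.
$candidates = @(
    'System.Security.Cryptography.RijndaelManaged',               # AES, managed
    'System.Security.Cryptography.TripleDESCryptoServiceProvider', # 3DES, CSP
    'System.Security.Cryptography.SHA256Managed',                  # SHA-256, managed
    'System.Security.Cryptography.SHA1CryptoServiceProvider'       # SHA-1, CSP
)

foreach ($typeName in $candidates) {
    try {
        $obj = New-Object $typeName
        Write-Host ("{0,-60} OK" -f $typeName)
        # Clear() is public on both SymmetricAlgorithm and HashAlgorithm in .NET 2.0.
        $obj.Clear()
    } catch {
        # With the policy on, the managed classes throw InvalidOperationException:
        # "This implementation is not part of the Windows Platform FIPS validated
        # cryptographic algorithms." The same check fires inside any DLL that
        # instantiates such a class, which is what the ADFS error above reflects.
        $msg = $_.Exception.GetBaseException().Message
        Write-Host ("{0,-60} BLOCKED: {1}" -f $typeName, $msg)
    }
}
```

With the policy off all four lines print OK; with it on, the two managed classes report BLOCKED with the same message the ADFS DLL surfaces, while the CSP-backed 3DES and SHA-1 classes still load, which is why a DLL that only uses those continues to work under FIPS.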
I guess Microsoft doesn't believe this issue will affect many users, as you are required to open a support case in order to request the updated DLL files that support 3DES. Fortunately I was able to request the hotfix for my customer and we were able to quickly move past this problem.
In any case, if you are in an environment that requires FIPS security and you want to configure ADFS then hopefully this article will help your troubleshooting efforts.
Mon, Jun 8, 2009
Technology