Microsoft
MicrosoftLatest FIPS 140-2 Level 3 and FIPS 140-3 have limited HASH algorithm to SHA256/384/512 and SHA-1 can not be used for security reasons. If I use a FIPS certified smart card to do certificate based smart card logon to Windows 10 and Windows 11 (Windows 10/11 has been on-prem Domain joined and has smart card logon certificate provisioned), the logon process will fail because the kerberos/PKINIT always uses SHA-1, even though I changed CSP/Minidriver to report only SHA256/384/512 algorithm support list to Windows, and I changed according to https://www.anoopcnair.com/configure-hash-algorithms-for-certificate-logon/ to disable SHA-1. I logged the process of lsass.exe calling CSP/Minidriver, it will create SHA-1 hash and then sign the SHA-1 digest later.
So how to use FIPS certified smart card (without SHA-1) to logon to windows 10/11?
As by the following this is only supported if all KDCs are on Windows Server 2025:
The policy Configure hash algorithms for certificate logon has been added for smart card crypto agility, located at System\KDC and System\Kerberos. This setting lets users configure the hash algorithm to be used in certificate-based smart card (PKINIT) authentication of Kerberos. With this configuration, customers have the option to prevent SHA-1 from being used. It’s important to note these settings are useful only if both the client and KDC (Windows Server 2025) are configured this way in the environment.
Disabling SHA-1 for PKINIT is more secure for your environment. However, the authentication might fail if your domain controller does not support PKINIT SHA-2. For that reason, we leave the SHA-1 option as default in the baseline and suggest you test your own environment before making a decision.
Source: Windows Server 2025, security baseline | Microsoft Community Hub
