First published on CloudBlogs on Jun 28, 2014
Howdy folks,
A couple weeks back, Taylor Higley asked a question on Twitter about Azure AD Password Sync, MD5 and FIPS compliance:
Once the Password Sync agent has the encrypted password hash, it uses MD5CryptoServiceProvider to generate a hash key that is used for decrypting the envelope containing the password hash. At no point in time does the Password Sync agent have access to the clear text password. The Password Sync agent then secures the password hash by re-hashing it using a stronger SHA256 hash per RFC 2898 before uploading it to the cloud.
So when MD5CryptoServiceProvider is used in a FIPS compliant environment, it throws a System.InvalidOperation exception. This is because the MD5 hash is considered a weak hash and is not recommended for use in a FIPS environment. However, since it is not being used to do encryption, we believe this is a non-issue.
Password Sync can be enabled on a FIPS compliant system by locally disabling FIPS for the Directory Sync process. This can be done by adding <enforceFIPSPolicy enabled="false" /> to the miiserver.exe.config file, which can be found at %ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin\miiserver.exe.config.
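As an added example (not from the original post or the DirSync product), a PowerShell check for the workaround above: it reads the Windows FIPS policy registry value, inspects miiserver.exe.config for the enforceFIPSPolicy element under the .NET <runtime> section, and only writes the element when run with -Apply. The default config path is the DirSync install location given above and is assumed for the parameter default.

```powershell
# Audit (and optionally apply) the enforceFIPSPolicy workaround on a DirSync server.
# Added example, not part of the original post. ConfigPath default is assumed.
param(
    [string]$ConfigPath = (Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin\miiserver.exe.config'),
    [switch]$Apply   # report only unless explicitly asked to write the element
)

# 1. Is the machine-wide FIPS policy enforced? (Lsa\FipsAlgorithmPolicy\Enabled = 1)
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
Write-Host "System FIPS policy enforced: $fipsEnabled"

if (-not (Test-Path -Path $ConfigPath)) { throw "Config file not found: $ConfigPath" }
[xml]$config = Get-Content -Path $ConfigPath -Raw

# 2. Look for <configuration><runtime><enforceFIPSPolicy enabled="false" /></runtime></configuration>
$runtime = $config.SelectSingleNode('/configuration/runtime')
$element = $config.SelectSingleNode('/configuration/runtime/enforceFIPSPolicy')
$alreadyDisabled = ($null -ne $element) -and ($element.GetAttribute('enabled') -eq 'false')
Write-Host "enforceFIPSPolicy enabled=`"false`" present: $alreadyDisabled"

# 3. Only the combination 'policy enforced' + 'element missing' breaks Password Sync
if ($fipsEnabled -and -not $alreadyDisabled) {
    Write-Warning 'MD5CryptoServiceProvider will throw under this policy; Password Sync will fail.'
    if ($Apply) {
        Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a backup first
        if ($null -eq $runtime) {
            $runtime = $config.DocumentElement.AppendChild($config.CreateElement('runtime'))
        }
        $new = $config.CreateElement('enforceFIPSPolicy')
        $new.SetAttribute('enabled', 'false')
        [void]$runtime.AppendChild($new)
        $config.Save($ConfigPath)
        Write-Host 'Added <enforceFIPSPolicy enabled="false" /> under <runtime>; restart the Synchronization Service.'
    }
}
```

Run it from an elevated prompt on the DirSync server; without -Apply it changes nothing and only reports the two conditions.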
For more information, refer to http://social.technet.microsoft.com/wiki/contents/articles/24961.password-sync-failing-in-fips-compliant-systems.aspx
I hope this is helpful and provides clarity for everyone interested in this issue.
As always, would love to get any feedback or suggestions you have!
Best Regards,
Alex Simons (twitter: Alex_A_Simons)
Director of PM
Active Directory Team
(updated 7/3/2014 to fix a few typos and grammar issues)
```csharp
using System;
using System.Security.Cryptography;

static class PasswordSyncKey
{
    // Derives the key used to decrypt the envelope carrying the password hash:
    // MD5 over the session key concatenated with the salt. When the Windows
    // FIPS policy is enforced, constructing MD5CryptoServiceProvider throws.
    static byte[] ComputeMd5(byte[] sessionKey, byte[] salt)
    {
        byte[] data = new byte[sessionKey.Length + salt.Length];
        Buffer.BlockCopy(sessionKey, 0, data, 0, sessionKey.Length);
        Buffer.BlockCopy(salt, 0, data, sessionKey.Length, salt.Length);
        using (MD5 md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(data);
        }
    }
}
```
Updated Jul 28, 2020, Version 2.0, Alex Simons (AZURE)