AD domain users unable to log in to a FIPS-compliant environment
Environment
- Red Hat Enterprise Linux 9
- FIPS mode enabled
- SSSD Direct Integration
Issue
- Domain users cannot log in because their Kerberos authentication uses encryption types that the default FIPS policy does not permit.
Resolution
To work around the problem, enable the AES HMAC-SHA1 encryption types on RHEL 9 by switching to the FIPS:AD-SUPPORT cryptographic sub-policy:
# update-crypto-policies --set FIPS:AD-SUPPORT
By setting the cryptographic policy to FIPS:AD-SUPPORT, you add the following encryption types to the list of encryption types that are already allowed because they comply with FIPS 140-3:
- aes256-cts:normal
- aes256-cts:special
- aes128-cts:normal
- aes128-cts:special
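The following script is an added verification helper, not part of the Red Hat solution. It checks the three things the workaround depends on: that the kernel is in FIPS mode, that the active policy string contains the AD-SUPPORT sub-policy, and that the krb5 back-end file generated by crypto-policies lists the AES HMAC-SHA1 enctypes (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, the krb5 names for the aes256-cts and aes128-cts types listed above). The file paths are the crypto-policies defaults on RHEL 8/9 and are assumptions here; every check takes its path as an argument so it can also be run against copied files.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: verify that a RHEL 9 host in
# FIPS mode actually has the AD-SUPPORT sub-policy active and that the resulting
# krb5 back-end permits the AES HMAC-SHA1 enctypes that Active Directory issues.
# The three paths below are the crypto-policies defaults on RHEL 8/9 (assumed);
# every check takes its path as an argument so it can run against copies.

FIPS_FLAG=/proc/sys/crypto/fips_enabled
POLICY_STATE=/etc/crypto-policies/state/current
KRB5_BACKEND=/etc/crypto-policies/back-ends/krb5.config

# fips_enabled FILE: succeeds when the kernel FIPS flag file contains "1".
fips_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# active_policy FILE: prints the policy string, e.g. "FIPS:AD-SUPPORT".
active_policy() {
    [ -r "$1" ] || return 1
    tr -d '[:space:]' < "$1"
}

# policy_has_subpolicy FILE NAME: succeeds when NAME is one of the
# colon-separated sub-policies in the active policy string.
policy_has_subpolicy() {
    case ":$(active_policy "$1"):" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# krb5_permits_enctype FILE ENCTYPE: succeeds when ENCTYPE appears on the
# permitted_enctypes line of the crypto-policies krb5 back-end file.
krb5_permits_enctype() {
    [ -r "$1" ] || return 1
    perm=$(sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' "$1")
    for e in $perm; do
        [ "$e" = "$2" ] && return 0
    done
    return 1
}

# check_status FIPS_FILE POLICY_FILE KRB5_FILE: prints one word describing the
# host: not-fips, missing-ad-support, backend-missing-sha1-aes, or ok.
check_status() {
    if ! fips_enabled "$1"; then
        echo not-fips
    elif ! policy_has_subpolicy "$2" AD-SUPPORT; then
        echo missing-ad-support
    elif ! krb5_permits_enctype "$3" aes256-cts-hmac-sha1-96 ||
         ! krb5_permits_enctype "$3" aes128-cts-hmac-sha1-96; then
        echo backend-missing-sha1-aes
    else
        echo ok
    fi
}

# When run directly on a host, report the live status; skipped silently where
# the crypto-policies files do not exist (for example, on a non-RHEL system).
if [ -r "$POLICY_STATE" ] && [ -r "$KRB5_BACKEND" ]; then
    echo "crypto-policy status: $(check_status "$FIPS_FLAG" "$POLICY_STATE" "$KRB5_BACKEND")"
fi
```

Run it after `update-crypto-policies --set FIPS:AD-SUPPORT`; the tool itself prints a note that policies are applied on application start-up and recommends a restart, so a status of `missing-ad-support` or `backend-missing-sha1-aes` on a host you just switched usually means the back-end files have not been regenerated yet. `update-crypto-policies --show` prints the same policy string the script reads from the state file.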
Root Cause
- The default RHEL 9 FIPS cryptographic policy, which aims to comply with FIPS 140-3, does not allow the key derivation function of the AES HMAC-SHA1 encryption types as defined by RFC 3961.
- Microsoft's Active Directory implementation does not yet support any of the RFC 8009 Kerberos encryption types that use SHA-2 HMAC (see the Red Hat documentation "Considerations in adopting RHEL 9 - Known issues").
- The AD-SUPPORT cryptographic sub-policy is only available on RHEL 8.3 and newer (see the Red Hat documentation "Enable RC4 support in RHEL").
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.