External to Directory Sync Pro for Active Directory, the following server configurations are necessary to set up the environment for FIPS Mode.
- Windows Server 2016 or later must be installed and up to date.
- The following group policies must be enabled:
  - System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
    - Ensure this policy is enabled.
  - Network Security: Configure encryption types allowed for Kerberos.
    - Ensure the “AES128_HMAC_SHA1” and “AES256_HMAC_SHA1” values are selected.
    - NOTE: Authentication of target accounts with synchronized passwords requires Kerberos encryption type “RC4_HMAC_MD5” to be allowed for participating devices.
- Insecure SCHANNEL Server protocols must be disabled.
  - SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
- SSL certificate for Web Hosting issued by a trusted certificate authority.
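
The prerequisites above can be checked on a server with a read-only audit such as the following. This is an added example, not part of the product documentation; it assumes the standard Windows registry locations that back these policies, and the helper names `Get-RegValue` and `New-Result` are hypothetical. It does not check patch level or the web hosting certificate.

```powershell
# Added example: read-only audit of the FIPS Mode prerequisites listed above.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Result {
    param([string]$Check, $Value, [string]$Status)
    [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status }
}

$results = @()

# Windows Server 2016 corresponds to build 14393; patch level is not checked here.
$build = [Environment]::OSVersion.Version.Build
$results += New-Result 'OS build >= 14393' $build $(if ($build -ge 14393) { 'OK' } else { 'FAIL' })

# System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
$fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
$results += New-Result 'FIPS algorithm policy' $fips $(if ($fips -eq 1) { 'OK' } else { 'FAIL' })

# Network Security: Configure encryption types allowed for Kerberos (stored as a bit mask).
# An absent value means the policy is not configured, which is reported as FAIL.
$kerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$enc = Get-RegValue $kerbKey 'SupportedEncryptionTypes'
$required = [ordered]@{ AES128_HMAC_SHA1 = 0x8; AES256_HMAC_SHA1 = 0x10 }
foreach ($name in $required.Keys) {
    $set = ($null -ne $enc) -and (($enc -band $required[$name]) -ne 0)
    $results += New-Result "Kerberos $name" $set $(if ($set) { 'OK' } else { 'FAIL' })
}
# RC4_HMAC_MD5 (0x4) is reported only: the NOTE above ties it to synchronized-password logons.
$rc4 = ($null -ne $enc) -and (($enc -band 0x4) -ne 0)
$results += New-Result 'Kerberos RC4_HMAC_MD5' $rc4 'INFO'

# SCHANNEL server-side protocols: Enabled = 0 means explicitly disabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $enabled = Get-RegValue "$base\$proto\Server" 'Enabled'
    $status = if ($null -eq $enabled) { 'NOT SET' } elseif ($enabled -eq 0) { 'OK' } else { 'FAIL' }
    $results += New-Result "SCHANNEL $proto Server" $enabled $status
}

$results | Format-Table -AutoSize
```

A `NOT SET` status means the protocol key is absent and the operating system default applies, so the protocol has not been explicitly disabled on that server.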