Chat now with support
Chat with Support

Directory Sync Pro for Active Directory 20.11 - Requirements and Installation Guide

Section 1. Introduction Section 2. Directory Sync Pro Prerequisites Section 3. Directory Sync Pro for Active Directory Advanced Network Requirements Section 4. Migrator Pro for Active Directory Prerequisites Section 5. Requirements for Both Directory Sync Pro for Active Directory and Migrator Pro for Active Directory Section 6. Installing Directory Sync Pro for Active Directory and Migrator Pro for Active Directory Section 7. Upgrading Directory Sync Pro for Active Directory and Migrator Pro for Active Directory Section 8. Modifying, Repairing and Uninstalling Directory Sync Pro for Active Directory and Migrator Pro for Active Directory Section 9. Migrator Pro for Active Directory Agent Installation Section 10. Troubleshooting Appendix A: Configuring Directory Sync Pro for Active Directory in a Non-English Active Directory Environment Appendix B. Installing and Configuring SQL Server Reporting Services Appendix C. STIG Environments Appendix D. Deployment in FIPS Environment

Additional Information

Microsoft SQL Server 2012 Database Security Technical Implementation Guide (stigviewer.com)

Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (stigviewer.com)

MS SQL Server 2016 Instance Security Technical Implementation Guide (stigviewer.com)

MS SQL Server 2016 Database Security Technical Implementation Guide (stigviewer.com)

 

Binary Tree Directory Sync Pro for Active Directory 20.11.0 can be successfully deployed in a FIPS environment by following the procedure described in this document.

The audience for this section is technical implementation consultants deploying Directory Sync Pro for Active Directory.

Appendix D. Deployment in FIPS Environment

Additional Information

Microsoft SQL Server 2012 Database Security Technical Implementation Guide (stigviewer.com)

Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (stigviewer.com)

MS SQL Server 2016 Instance Security Technical Implementation Guide (stigviewer.com)

MS SQL Server 2016 Database Security Technical Implementation Guide (stigviewer.com)

 

Binary Tree Directory Sync Pro for Active Directory 20.11.0 can be successfully deployed in a FIPS environment by following the procedure described in this document.

The audience for this section is technical implementation consultants deploying Directory Sync Pro for Active Directory.

Cryptographic usage

Directory Sync Pro for Active Directory relies on the following Third-Party cryptographic libraries for its cryptographic needs.

Cryptographic usage

Cryptographic algorithm

Cryptographic parameters

Communication – Website User Interface

SSL TLS 1.2

 

Communication – (SMB 3.x)

AES-128-CMAC, AES-128-GCM

 

Communication – (SMB 2.1)

HMAC-SHA256

 

Communication – (LDAP/Kerberos)

AES128_HMAC_SHA1, AES256_HMAC_SHA1

SESSION: Signing & Sealing

Communication – (Kerberos NTLM Authentication)

RC4_HMAC_MD5

 

Symmetric encryption of bulk data

AES256 CBC Mode

KEY: 256-bit PBKDF2 (Constant)

IV: 128-bit PBKDF2 (Constant)

Symmetric encryption of bulk data – Additional Entropy

RNG

64-bits (Random per encrypted value)

Symmetric encryption of secrets – (DPAPI) Configuration Parameters

AES256 CBC Mode

SCOPE: LocalMachine

Symmetric encryption of secrets – Additional Entropy

RNG

256-bits (Constant per node)

Hashing – (PBKDF2) Generation of encryption KEY/IV

HMACSHA1

HASH SIZE: 160-bit

Hashing – (DPAPI)

SHA512

HASH SIZE: 523-bit

Hashing – Attribute Change Detection

SHA256

HASH SIZE: 256-bit

Hashing – Legacy Attribute Change Detection

MD5

HASH SIZE: 128-bit

Background

To execute in a FIPS compliant mode, a Windows environment requires the Microsoft Policy System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting enabled.

Microsoft states that This policy is only advisory to applications. Therefore, if you enable the policy, it does not make sure that all applications will comply”.

Directory Sync Pro for Active Directory leverages Microsoft’s CryptoAPI (CAPI) and CryptoAPI Next Generation (CNG) for its cryptographic needs.

Microsoft Product Relationship with CNG and CAPI libraries is documented here: https://technet.microsoft.com/en-us/library/cc750357.aspx

“Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating