Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE:

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE:

Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE:
  • Date: Fri, 8 Mar 2013 19:10:43 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

When I read the Microsoft FIPS Evaluation, I did not see anything obvious that would lend itself to password encryption by the operating system or Active Directory.  Anyone else?

FIPS 140 Evaluation

Updated : February 10, 2012

The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic libraries:

·         Schannel Security Package

·         Remote Desktop Protocol (RDP) Client

·         Encrypting File System (EFS)

·         Microsoft .NET Framework Applications

·         BitLocker® Drive Full-volume Encryption (Windows Vista, Windows Server 2008, or later)

·         IPsec Settings of Windows Firewall (Windows Vista SP1, Windows Server 2008, or later)

Note: Microsoft Product Relationship with CAPI/CNG libraries

Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic components. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API (CAPI) and Cryptographic API: Next Generation (CNG) FIPS 140 validated cryptographic libraries. Windows components and Microsoft products use the documented application programming interfaces (API) for each of the libraries to access various cryptographic services.


Jeff C.


From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, March 08, 2013 2:03 PM
Subject: [AD-Assurance] FW:


I sent the following question off to the DS MVPs and AD product team representatives. I've gotten a response back that there is a special FIPS mailing list within Microsoft where my question has been sent along to. I'll let folks know if/when I get something back on this.


From: Brian Arkills
Sent: Friday, March 08, 2013 9:34 AM


Does anyone know whether this FIPS setting also affects the encryption used by Active Directory for password encryption (and for the PEK encryption)?


I suspect it doesn't, but I'd be really happy to learn that it does. :)


If it doesn't, I think the KB should be modified to note that it doesn't affect all encryption processes that Windows uses so it isn't misleading.



Archive powered by MHonArc 2.6.16.

Top of Page