In addition to FIPS mode, AX-3.8 also introduces support for Kerberos authentication when the station uses an LDAP (or Active Directory) user service. For complete details, refer to the NiagaraAX LDAP/Active Directory Configuration Guide.
If a need for both Kerberos and FIPS with NiagaraAX arises, keep the following in mind:
At the time of writing, the combination of LDAP with Kerberos together with FIPS mode is untested.
Because a FIPS mode station can only use FIPS-compliant algorithms, the LDAP and Kerberos servers must also support FIPS algorithms. This is a known problem with Windows Active Directory: older domains support only DES and RC4 for Kerberos, and neither is a FIPS-compliant algorithm. AES encryption types are available on Windows Server 2008 and later, but they are not necessarily enabled for the accounts involved.
Therefore, Kerberos together with FIPS is not possible without meeting these requirements:
The LDAP and Kerberos servers must support either 3DES or AES. If the system includes Hotspot QNX-based JACE platforms (JACE-3/6/7 series), only 3DES can be used. Note that a Windows Active Directory KDC does not offer a 3DES encryption type at all, so those platforms cannot use Kerberos with FIPS against Active Directory.
NiagaraAX hosts must support Kerberos (AX-3.8 "Hotspot JVM" platforms only; "J9 JVM" platforms, i.e. the JACE-2/4/5 series, do not support Kerberos authentication).
In order to use Kerberos and FIPS, it may be necessary to enable the use of stronger encryption (AES or 3DES) on the Kerberos server, for example by enabling AES for the relevant accounts in Active Directory. This is typically something the Kerberos administrator at the installation site must do.
In order to ensure that only FIPS algorithms are used when doing Kerberos authentication, Workbench can be set up to request only certain specific FIPS encryption types. You do this by editing the krb5.conf file, described in the NiagaraAX LDAP/Active Directory Configuration Guide.
Add the following lines to the [libdefaults] section of this file, to restrict which encryption types the client will request (default_tkt_enctypes and default_tgs_enctypes) and accept (permitted_enctypes):
[libdefaults]
default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1
default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1
permitted_enctypes = aes256-cts aes128-cts des3-cbc-sha1
These entries restrict the ciphers used to AES-256, AES-128, or 3DES (des3-cbc-sha1). Note that AES-128 and AES-256 are not supported on a QNX-based JACE platform, which must use only the last entry, the 3DES cipher; on such a platform, remove the two AES entries so that the client cannot negotiate them. If these keys are left unset, the Kerberos library's built-in defaults apply, and those may include RC4 or DES.
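Before enabling FIPS mode it is worth checking a station's krb5.conf mechanically rather than by eye, since a single stray rc4-hmac or an allow_weak_crypto setting silently defeats the restriction above. The following Python script is an added example, not Tridium code: it parses the [libdefaults] section of a krb5.conf in the MIT/Java syntax the guide uses and reports every enctype that is not AES-128, AES-256 or 3DES, or, for a QNX-based JACE, anything other than 3DES. The alias table, the two sample configuration files and the platform flag are this example's own assumptions; the sample files are constructed for illustration.

```python
"""Check a krb5.conf [libdefaults] section for FIPS-only Kerberos enctypes.

Added example, not Tridium code. Assumptions: krb5.conf uses the MIT/Java
syntax shown in the guide; the FIPS-acceptable set is AES-128, AES-256 and
3DES, and QNX-based JACE platforms accept only 3DES, as the guide states.
"""
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Canonical names for the enctype spellings MIT krb5 and the Java Kerberos
# provider accept in krb5.conf (assumed table; unknown names are reported).
ENCTYPE_ALIASES = {
    "aes256-cts-hmac-sha1-96": "aes256-cts", "aes256-cts": "aes256-cts", "aes256-sha1": "aes256-cts",
    "aes128-cts-hmac-sha1-96": "aes128-cts", "aes128-cts": "aes128-cts", "aes128-sha1": "aes128-cts",
    "des3-cbc-sha1": "des3-cbc-sha1", "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "arcfour-hmac": "rc4-hmac", "rc4-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac",
    "arcfour-hmac-exp": "rc4-hmac-exp", "rc4-hmac-exp": "rc4-hmac-exp",
    "des-cbc-crc": "des-cbc-crc", "des-cbc-md5": "des-cbc-md5", "des-cbc-md4": "des-cbc-md4",
}
FIPS_OK = {"aes256-cts", "aes128-cts", "des3-cbc-sha1"}
QNX_JACE_OK = {"des3-cbc-sha1"}


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the top-level keys of each section.

    Nested '{ ... }' blocks (per-realm settings) are skipped, comments start
    with '#' or ';', and duplicate keys keep the first value, as MIT krb5 does.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header and depth == 0:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        opens, closes = line.count("{"), line.count("}")
        if depth == 0 and current is not None and not opens and not closes and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip().lower(), value.strip())
        depth += opens - closes
    return sections


def check_fips_enctypes(conf_text, qnx_jace=False):
    """Return a list of findings; an empty list means every enctype key is set
    and lists only enctypes usable in FIPS mode on the given platform."""
    allowed = QNX_JACE_OK if qnx_jace else FIPS_OK
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    findings = []
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is enabled; it re-admits DES and other weak enctypes")
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            findings.append("%s not set; library defaults apply and may include RC4 or DES" % key)
            continue
        names = libdefaults[key].replace(",", " ").split()
        if not names:
            findings.append("%s is empty" % key)
        for name in names:
            canon = ENCTYPE_ALIASES.get(name.lower())
            if canon is None:
                findings.append("%s: unrecognised enctype %r" % (key, name))
            elif canon not in allowed:
                why = "not usable on a QNX-based JACE" if canon in FIPS_OK else "not FIPS-approved"
                findings.append("%s: %s is %s" % (key, name, why))
    return findings


# Constructed sample files (not from any real installation).
WEAK_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts rc4-hmac des-cbc-md5
    default_tgs_enctypes = aes256-cts rc4-hmac des-cbc-md5
    # permitted_enctypes deliberately absent
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com   ; nested block, must be skipped
    }
"""
GOOD_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1
    default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1
    permitted_enctypes = aes256-cts aes128-cts des3-cbc-sha1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("guide", GOOD_CONF)):
        for platform, flag in (("Hotspot PC", False), ("QNX JACE", True)):
            print("%s / %s:" % (label, platform))
            for finding in check_fips_enctypes(conf, qnx_jace=flag) or ["OK"]:
                print("  " + finding)
```

Run it against the station's own krb5.conf (read the file into the string passed to check_fips_enctypes) on each host type that will authenticate; the guide's three lines pass on a Hotspot PC platform, while the same lines on a QNX-based JACE are reported because the two AES entries cannot be honoured there.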
Copyright © 2000-2014 Tridium Inc. All rights reserved.