Earlier this week, Microsoft released a new version of Azure AD Connect, the tool for synchronizing your on-premises Active Directory Domain Services and LDAP v3 directories to Azure Active Directory, and thus to Office 365.
Version 18.104.22.168 of Azure AD Connect, dated June 3, 2016, introduces two fixes:
Password Sync can now be used on FIPS-compliant servers
In previous versions of Azure AD Connect, Password Sync failed to run on Federal Information Processing Standard (FIPS) compliant Windows Servers. This is because FIPS compliant systems bar the use of MD5 hash algorithms, so they block Password Sync when the tool tries to access MD5 functions.
User passwords are stored as a non-reversible hash in Windows Server Active Directory Domain Controllers (DCs). When the Password Sync agent attempts to synchronize the password hash from a DC over a secure RPC interface, the DC encrypts that password hash using an MD5 key. The MD5 key that the DC uses is derived from the RPC session key and a salt. Once this happens, the password hash is now wrapped in an MD5 encryption envelope. The Password Sync agent gets this encrypted password hash from the Domain Controller (DC) over the secure RPC interface.
Once the Password Sync agent has the encrypted password hash, it uses MD5CryptoServiceProvider to generate a hash key used for decrypting the envelope containing the password hash.
At no point in time does Azure AD Connect’s Password Sync agent have access to the clear text password.
When MD5CryptoServiceProvider is used in a FIPS compliant environment, it throws a System.InvalidOperation exception. This is because the MD5 hash is considered a weak hash and not recommended for use in a FIPS compliant environment.
To get Password Sync running on FIPS-compliant systems, add enforceFIPSPolicy in the miiserver.exe.config file for your Azure AD Connect implementation:
- Go to %programfiles%\Azure AD Sync\Bin.
- Open miiserver.exe.config.
- Go to the configuration/runtime node (at the end of the file).
- Add the node <enforceFIPSPolicy enabled="false"/> so that the section reads:
  <configuration>
    <runtime>
      <enforceFIPSPolicy enabled="false"/>
    </runtime>
  </configuration>
- Save your changes.
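The same change, scripted so it can be applied consistently across servers. This is an added example, not code from the original post or from Microsoft; it assumes the default install path %programfiles%\Azure AD Sync\Bin, an elevated PowerShell session, and the standard FipsAlgorithmPolicy registry value for reporting whether the OS actually enforces FIPS mode.

```powershell
# Added example: idempotently set <enforceFIPSPolicy enabled="false"/> under
# configuration/runtime in miiserver.exe.config, keeping a backup of the original.
# Assumes the default Azure AD Connect install path and an elevated session.
$binDir = Join-Path $env:ProgramFiles 'Azure AD Sync\Bin'
$config = Join-Path $binDir 'miiserver.exe.config'

# Report whether the OS enforces FIPS mode (Enabled = 1 under this key).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsOn  = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
Write-Host ("OS FIPS policy enforced: {0}" -f $fipsOn)

if (-not (Test-Path $config)) { throw "Config not found: $config" }

# Timestamped backup so the edit can be reverted.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $config -Destination "$config.$stamp.bak"

[xml]$xml = Get-Content -Path $config -Raw

# Locate or create the configuration/runtime node.
$runtime = $xml.configuration.SelectSingleNode('runtime')
if (-not $runtime) {
    $runtime = $xml.CreateElement('runtime')
    [void]$xml.configuration.AppendChild($runtime)
}

# Add the element only if it is missing; otherwise just (re)set the attribute,
# so running the script twice does not produce duplicate nodes.
$node = $runtime.SelectSingleNode('enforceFIPSPolicy')
if (-not $node) {
    $node = $xml.CreateElement('enforceFIPSPolicy')
    [void]$runtime.AppendChild($node)
}
$node.SetAttribute('enabled', 'false')

$xml.Save($config)
Write-Host "Updated $config. Restart the ADSync service (Microsoft Azure AD Sync) to apply."
```

The setting only exempts the sync engine process from the .NET FIPS check; the OS-level FIPS policy itself is left untouched.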
NetBIOS name to FQDN resolution
The team also fixed an issue where a NetBIOS name could not be resolved to the Fully Qualified Domain Name (FQDN) in the Active Directory Connector, hindering communications between Azure AD Connect and your Active Directory Domain Services (AD DS) environment.
This is version 22.214.171.124 of Azure AD Connect.
You can download Azure AD Connect here.
The download weighs 74.5 MB.
If the Automatic Updating functionality hasn’t already upgraded your Azure AD Connect installation to version 126.96.36.199, you can download and install this version of Azure AD Connect above.
AAD Password Sync, Encryption and FIPS compliance
DirSync: Password Sync failing in FIPS-compliant systems
Microsoft Identity Software: Public Release Build Versions