ADAL fails when FIPS is required

Question

Our team is seeing an issue using ADAL 2.12 in our servers which have FIPS enabled\\required. Here is the exception thrown:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.SHA256Managed..ctor() --- End of inner exception stack trace --- at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireToken(String resource, ClientCredential clientCredential)

I also captured the original exception in a debugger and found this more detailed stack trace:

mscorlib.dll!System.Security.Cryptography.SHA256Managed.SHA256Managed() + 0xcf bytes
[Native to Managed Transition]
mscorlib.dll!System.Security.Cryptography.CryptoConfig.CreateFromName(string name, object[] args) + 0x46b bytes mscorlib.dll!System.Security.Cryptography.SHA256.Create(string hashName) + 0xb bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformSpecificHelper.CreateSha256Hash(string input) + 0x41 bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.LogReturnedToken(Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationResult result) + 0x91 bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.PostRunAsync(Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationResult result) + 0x32 bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.RunAsync.MoveNext() + 0xdf6 bytes
mscorlib.dll!System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start(ref Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.RunAsync stateMachine) + 0x161 bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.RunAsync() + 0x13a bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync.MoveNext() + 0x130 bytes mscorlib.dll!System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start(ref Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync stateMachine) + 0x171 bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync(string resource, Microsoft.IdentityModel.Clients.ActiveDirectory.ClientKey clientKey, bool callSync) + 0x17e bytes
Microsoft.IdentityModel.Clients.ActiveDirectory.dll!Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireToken(string resource, Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential clientCredential) + 0x7d bytes

Is there any way to get around this? From looking at code through a reflector, it seems the ADAL library itself needs to be updated to fix this.

Answer 1

Thanks for reporting this. We opened a bug for it and will address it in our next servicing release which would be out in a few days. This is the bug on GitHub:

https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/132