
FIPS Error

Created by: Michael Olig

The error comes from the .NET AesManaged class (visible in the stack trace below), an AES implementation that is not part of the Windows Platform FIPS validated cryptographic algorithms. Microsoft removed the FIPS mode setting from its security baseline settings in 2014, due in part to its impact on software that uses the .NET Framework. You can read more about their reasoning here:

http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

Servers that are set to enforce the FIPS algorithm policy can prevent services from starting and cause communication to fail, with this error being reported:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

at System.Security.Cryptography.AesManaged..ctor()
at ADG.Database.DAL.DALConnection.Decrypt(String __Data)
at ADG.Database.DAL.DALCommand.ExecuteNonQueryWithDecrypt(String format, String encrypted)
at ADG.Database.Definition.UDBInstallUninstall.PrepareDatabase(IDALConnection conn, UDBParams udbParams, Boolean reinstallADMSSQL, CaseDBRecoveryMode recoveryMode)
at ADG.Database.Definition.UDBInstallUninstall.CreateDatabase(UDBParams udbParams, String adminUser, String adminPassword, Boolean reinstallADMSSQL, CaseDBRecoveryMode recoveryMode, Boolean fixSequences)
at ADG.Database.Definition.UDBInstallUninstall.InstallUnifiedDB(UDBParams udbParams, CredentialContext context, IProgress`1 progress, Boolean createAlias)
at DatabaseConfigurationTool.CreateDatabase.CreateDatabaseSteps()
at DatabaseConfigurationTool.DatabaseForm.CreateDatabaseThread(Object o)

The issue can be resolved with the following steps:

  1. On each server in the environment, open the Registry Editor (regedit.exe).
  2. Navigate to this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy\Enabled.
  3. Change the value of the key from 1 to 0.
  4. Reboot the server.

NOTE: Please be aware that Group Policy can re-enable this registry value. The responsible Group Policy setting is called "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" and can be found by expanding the Group Policy console tree to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\.
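
To confirm the value on every server, and to catch Group Policy turning it back on, a read-only check like the following can be run before and after the change. This PowerShell is an added example, not part of the original article; the server names are placeholders, and remote hosts are assumed to have PowerShell remoting (WinRM) enabled.

```powershell
# Added example: read-only audit of the FIPS policy value described above.
# Server names are placeholders (assumption); remote hosts need PowerShell remoting.
$Servers = @('SERVER01', 'SERVER02')

$check = {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy'
    $prop = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        # 1 = FIPS enforcement on, 0 = off, empty = value not present
        RegistryEnabled = if ($prop) { $prop.Enabled } else { $null }
        # What the .NET runtime inside this PowerShell process reports
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        # Lets you confirm the server was rebooted after the change
        LastBoot        = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    }
}

$results = foreach ($server in $Servers) {
    try {
        if ($server -eq $env:COMPUTERNAME) {
            & $check    # local machine: no remoting needed
        } else {
            Invoke-Command -ComputerName $server -ScriptBlock $check -ErrorAction Stop |
                Select-Object Server, RegistryEnabled, DotNetFipsOnly, LastBoot
        }
    } catch {
        # Keep unreachable hosts in the report instead of silently skipping them
        [pscustomobject]@{
            Server = $server; RegistryEnabled = 'unreachable'
            DotNetFipsOnly = $null; LastBoot = $null
        }
    }
}

$results | Format-Table -AutoSize

# Flag servers where the value is still 1, or is 1 again after a policy refresh
$results | Where-Object { $_.RegistryEnabled -eq 1 } | ForEach-Object {
    Write-Warning "$($_.Server): FIPS policy is enabled (check the Group Policy setting named above)."
}
```

Running it again after the next Group Policy refresh shows whether the policy has set the value back to 1.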
