Disabling the FIPS Algorithm Check

    Question

  • When I configured SharePoint it did not work initially. While troubleshooting I discovered that the issue is with FIPS. After following instructions in the following KB http://support.microsoft.com/kb/911722 SharePoint started working.

    But now when I am trying to invoke any OOB workflows it still comes up with the following error

    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
    at Microsoft.Office.InfoPath.Server.Util.UrlManager.<>c__DisplayClass4.<GetFileHash>b__3()
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
    at Microsoft.Office.InfoPath.Server.Util.UrlManager.GetFileHash(String physicalFilePath)
    at Microsoft.Office.InfoPath.Server.Util.UrlManager.ConstructServerFilePaths(XmlDocument fileNameMap)
    at Microsoft.Office.InfoPath.Server.Util.UrlManager..cctor()

    After further reading I tried to disable the FIPS algorithm check with <enforceFIPSPolicy enabled="false"/> within the <runtime> section of my portal web application's web.config. I got this from the following blog post: http://blogs.msdn.com/shawnfa/archive/2008/03/14/disabling-the-fips-algorithm-check.aspx

    Even this did not work; I tried to change the value to “0” per some other blog post. I also tried to put this in machine.config and web.config in the layouts folder under 12 hive.

    FIPS policy is enforced in domain using the GPO and the registry tweak is only a temporary solution until a GPO refresh which sets the registry back to enforce FIPS.

    Is there any other way I can disable the algorithm check within the .NET Framework configuration?

     


    Sameer Dhoot
    My Blog : http://sharemypoint.in/
    Saturday, January 16, 2010 5:35 AM

All replies

  • I don't think this has anything to do with InfoPath Forms Services.
    Try posting this elsewhere and you might get an answer.
    Hazem Elshabini OMS (Online Modern Solutions) Software Developer http://infopointblog.com
    Sunday, January 17, 2010 6:31 PM
  • Hi Sameer,

    I reviewed some internal cases; this may also be due to debugging being enabled in an ASP.NET 2.0 application (SharePoint is built on ASP.NET 2.0).

    Please try to modify the web.config and set debug="false".

    If this is not helpful for your issue, I suggest you try the ASP.NET forums here: http://forums.asp.net/

    Hope the information can be helpful and thanks for your understanding.

    Lambert Qin

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact mtngfb@microsoft.com

    Sincerely,
    Lambert Qin
    Posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, January 18, 2010 8:08 AM
  • > I don't think this has anything to do with InfoPath Forms Services.
    > Try posting this elsewhere and you might get an answer.
    > Hazem Elshabini OMS (Online Modern Solutions) Software Developer http://infopointblog.com

    It is very much an IFS issue; if you look at the call stack, IFS is calling "MD5CryptoServiceProvider".

    In spite of explicitly using the user-defined encryption/decryption algorithm "3DES" in web.config, IFS still uses "MD5CryptoServiceProvider", which is not a FIPS validated algorithm.

    So I am looking for some way to instruct InfoPath Form Services (IFS) not to use this "MD5CryptoServiceProvider" class, and instead use any other class which uses the FIPS approved encryption/decryption algorithms.


    Sameer Dhoot
    My Blog : http://sharemypoint.in/
    Monday, January 18, 2010 6:45 PM

  • I have not changed it, and it is currently set as debug="false"

    I have also cross-posted this on ASP.NET Security forum here

    http://forums.asp.net/p/1514870/3620918.aspx#3620918

    > Hi Sameer,
    >
    > I reviewed some internal cases; this may also be due to debugging being enabled in an ASP.NET 2.0 application (SharePoint is built on ASP.NET 2.0).
    >
    > Please try to modify the web.config and set debug="false".
    >
    > If this is not helpful for your issue, I suggest you try the ASP.NET forums here: http://forums.asp.net/
    >
    > Hope the information can be helpful and thanks for your understanding.
    >
    > Lambert Qin
    >
    > TechNet Subscriber Support in forum
    >
    > If you have any feedback on our support, please contact mtngfb@microsoft.com
    >
    > Sincerely,
    > Lambert Qin
    > Posting is provided "AS IS" with no warranties, and confers no rights.


    Sameer Dhoot
    My Blog : http://sharemypoint.in/
    Monday, January 18, 2010 6:46 PM
  • Sameer,

    I'm experiencing the same issues with the FIPS policy enabled. I can edit the web.config for each application to force the web page to use 3DES, but document workflow is still throwing up the FIPS related error when the FIPS Algorithm key is set to 1.

    I set it to zero, and everything works fine until the GPO is refreshed...  then the error returns.

    Any luck in forcing InfoPath Form Services to use FIPS compliant algorithms?
    Tuesday, February 16, 2010 9:55 PM
  • > Sameer,
    >
    > I'm experiencing the same issues with the FIPS policy enabled. I can edit the web.config for each application to force the web page to use 3DES, but document workflow is still throwing up the FIPS related error when the FIPS Algorithm key is set to 1.
    >
    > I set it to zero, and everything works fine until the GPO is refreshed...  then the error returns.
    >
    > Any luck in forcing InfoPath Form Services to use FIPS compliant algorithms?

    Nope... it's bad code in InfoPath, so even with luck I could not have run it...

    We had a support case opened with MS Pro Support and this is their exact quote: "I would like to inform you that Microsoft is aware of the issue mentioned in this email. Currently we do not have any hot fix or service pack which fixes this problem. We do not have any ETA for the resolution of this issue."

    So if you are counting on it, do not plan an implementation. The only option you have is to disable the FIPS check. And if you know how Active Directory and GPO work, then it's possible to disable this policy only for servers where SharePoint is running, which can still give you a case to fight with your security team.

    Best of luck!!


    Sameer Dhoot
    My Blog : http://sharemypoint.in/
    Tuesday, February 16, 2010 10:44 PM
  • Sameer,

    Thanks for the detailed info. I'll bookmark this thread, so if you hear anything back from MS about a fix, please post it here.

    Thanks again.

    Bobby

    Wednesday, February 17, 2010 6:00 PM
  • Has anyone heard anything new on this? I have this same issue and I cannot resolve it. Any help would be appreciated.
    Friday, May 20, 2011 8:44 PM
  • Have you tried setting the FIPS settings at the machine.config level?

    That will tell .NET to ignore the FIPS policy for the entire machine.

    <configuration>
        <runtime>
            <enforceFIPSPolicy enabled="false"/>
        </runtime>
    </configuration>

    The machine.config for .NET 2.0 is found here:

    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG

    • Proposed as answer by Sven W Tuesday, September 27, 2011 7:04 PM
    Monday, July 11, 2011 6:42 AM
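
One way to verify the machine.config suggestion above, as an added example that is not code from the thread: it reports the `enforceFIPSPolicy` value found in each config file and whether the current process can construct `MD5CryptoServiceProvider`, the class that throws in the question's stack trace. The function names are hypothetical, and the `Framework64` path is an assumption of this example for 64-bit servers; the thread lists only the `Framework` path.

```powershell
# Added example; the function names are hypothetical, not from the thread.
function Get-EnforceFipsPolicy {
    param([Parameter(Mandatory = $true)][string[]]$ConfigPath)
    # local-name() keeps the query working when <configuration> carries an xmlns.
    $xpath = "/*[local-name()='configuration']/*[local-name()='runtime']" +
             "/*[local-name()='enforceFIPSPolicy']"
    foreach ($path in $ConfigPath) {
        $state = 'file not found'
        if (Test-Path -LiteralPath $path) {
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load((Resolve-Path -LiteralPath $path).ProviderPath)
            $node = $xml.SelectSingleNode($xpath)
            # No element means the default applies: the OS FIPS policy is honoured.
            $state = if ($null -ne $node) { $node.GetAttribute('enabled') }
                     else { 'not set (OS policy applies)' }
        }
        New-Object PSObject -Property @{ Path = $path; EnforceFIPSPolicy = $state }
    }
}

function Test-Md5Provider {
    # Probes THIS PowerShell process only; the IIS worker process may load a
    # different runtime version or bitness, and so a different machine.config.
    $result = @{
        AllowOnlyFipsAlgorithms = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        Md5Constructed          = $false
        Error                   = $null
    }
    try {
        $md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
        $md5.Clear()
        $result.Md5Constructed = $true
    } catch {
        # New-Object wraps the constructor's exception; unwrap to the root cause.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        $result.Error = $e.Message
    }
    New-Object PSObject -Property $result
}

# The first directory is the one given in the thread; Framework64 is an added assumption.
$dirs = 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG',
        'C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\CONFIG'
Get-EnforceFipsPolicy -ConfigPath ($dirs | ForEach-Object { Join-Path $_ 'machine.config' }) | Format-List
Test-Md5Provider | Format-List
```

Running it before and after a GPO refresh shows whether the config-file setting, unlike the registry change described earlier in the thread, is still in place.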