FIPS validated cryptographic algorithms

  • Question

  • I have enabled the FIPS algorithm policy on our Windows Server 2008 machine. Now, any page that has a ViewState is abending with the following error: 

    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.



    This is used in a web farm, so we have a machine key defined in our machine.config. If I add decryption="3DES" to the end of that key, everything works again. My guess is that the default is AES, which isn't FIPS compliant. I also noticed this is not an issue on my IIS 6.0 servers running Server 2003. Very similar setup.

    Is there a better way to handle this situation? I read some articles about doing something similar in the app's web.config. The web.config worked fine. However, the machine.config change seems better because I won't have to change every application.

     

    Monday, January 18, 2010 9:58 PM

Answers

  • Hi,

    Actually, this issue is not caused by IIS; the problem occurs when the following conditions are true:

    1. The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy registry subkey is set to 1.

    2. ASP.NET 2.0 uses the RijndaelManaged implementation of the AES algorithm when it processes view state data. The RijndaelManaged implementation has not been certified by the National Institute of Standards and Technology (NIST) as compliant with the Federal Information Processing Standard (FIPS). Therefore, the AES algorithm is not part of the Windows Platform FIPS validated cryptographic algorithms.

     

    This KB provides a detailed description of the workaround for this issue; according to the KB, we may need to modify web.config manually:

    1. In a text editor such as Notepad, open the application-level Web.config file.

    2. In the Web.config file, locate the <system.web> section.

    3. Add the following <machineKey> element to the <system.web> section:

    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

    4. Save the Web.config file.

    5. Restart the Microsoft Internet Information Services (IIS) service. To do this, run the following command at a command prompt: iisreset

     

    And, as you saw in your tests, changing machine.config seems better if we want to apply the same setting to many web.config files. Settings in machine.config affect all applications on the machine, but a web.config can override the machine.config settings for an individual application.

    As far as I know, we may need to modify either web.config or machine.config to get rid of this issue.


    Sincerely,
    Eric

    Please remember to mark helpful replies as answers.
    • Marked as answer by eryang Monday, January 25, 2010 2:48 AM
    Tuesday, January 19, 2010 6:52 AM
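    A read-only audit of the two conditions listed in the answer, as an added PowerShell example that is not part of the original thread or of the KB it cites. It checks the FIPS flag in the registry (Windows Server 2008 and later store it as the DWORD Enabled under the FipsAlgorithmPolicy subkey; Server 2003 stored a DWORD named FipsAlgorithmPolicy directly under Lsa), reads the <machineKey> decryption and validation attributes from each configuration file you pass it, and reports which files will hit the error when FIPS is on and decryption is AES or Auto. It also prints a farm-safe variant of the answer's <machineKey>: the KB snippet uses AutoGenerate keys, which differ per machine, so on the web farm the original poster describes every node needs identical explicit keys or ViewState produced on one node fails validation on another. The machine.config glob, the site path, the -WebFarm switch and PowerShell 3 or later are assumptions for illustration.

```powershell
# Added example, not code from the original thread or the KB it cites.
# Audits a web server for the combination the accepted answer describes: FIPS policy on in the
# registry plus a <machineKey> whose decryption algorithm is AES (or Auto, which the thread treats
# as AES), and emits a farm-safe <machineKey> with explicit keys. Run from an elevated prompt.
# Assumptions: PowerShell 3+, and the machine.config glob and site path below are placeholders.

function Test-FipsPolicyEnabled {
    # Windows Server 2008 and later: DWORD 'Enabled' under the FipsAlgorithmPolicy subkey.
    # Windows Server 2003: DWORD named FipsAlgorithmPolicy directly under Lsa. Check both.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $new = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $new -and $new.Enabled -eq 1) { return $true }
    $old = Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    return [bool]($null -ne $old -and $old.FipsAlgorithmPolicy -eq 1)
}

function Get-MachineKeySetting {
    param([Parameter(Mandatory = $true)][string]$ConfigPath)
    # Reads <configuration><system.web><machineKey> from one config file.
    # Absent attributes come back as '' and are treated as framework defaults by the caller.
    $xml  = [xml](Get-Content -Path $ConfigPath -Raw)
    $node = $xml.SelectSingleNode('/configuration/system.web/machineKey')
    $attr = @{}
    foreach ($name in 'validation', 'decryption', 'validationKey', 'decryptionKey') {
        $attr[$name] = if ($node) { $node.GetAttribute($name) } else { '' }
    }
    [pscustomobject]@{
        File          = $ConfigPath
        Present       = [bool]$node
        Validation    = $attr['validation']
        Decryption    = $attr['decryption']
        ValidationKey = $attr['validationKey']
        DecryptionKey = $attr['decryptionKey']
    }
}

function Get-FipsViewStateFinding {
    param([Parameter(Mandatory = $true)][string[]]$ConfigPath, [switch]$WebFarm)
    $fips = Test-FipsPolicyEnabled
    foreach ($path in $ConfigPath) {
        if (-not (Test-Path -Path $path)) { continue }
        $mk  = Get-MachineKeySetting -ConfigPath $path
        $dec = if ($mk.Decryption) { $mk.Decryption } else { 'Auto' }   # omitted attribute = Auto
        $aes = @('Auto', 'AES') -contains $dec
        if ($fips -and $aes) { $verdict = "FAIL: FIPS on and decryption=$dec (RijndaelManaged path)" }
        elseif ($fips)       { $verdict = "OK: FIPS on, decryption=$dec" }
        else                 { $verdict = "OK: FIPS off, decryption=$dec" }
        $note = ''
        # AutoGenerate (as in the KB snippet) gives each machine its own keys, so in a farm
        # ViewState produced on one node fails validation on another: keys must be explicit and identical.
        if ($WebFarm -and (-not $mk.Present -or $mk.ValidationKey -like 'AutoGenerate*' -or $mk.DecryptionKey -like 'AutoGenerate*')) {
            $note = 'web farm with auto-generated keys: set identical explicit keys on every node'
        }
        [pscustomobject]@{ File = $path; FipsEnabled = $fips; Decryption = $dec; Validation = $mk.Validation; Verdict = $verdict; Note = $note }
    }
}

function New-HexKey {
    param([int]$Bytes)
    # RNGCryptoServiceProvider wraps the CAPI RNG and works with FIPS mode on, unlike RijndaelManaged.
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

function New-FarmMachineKeyElement {
    # Farm-safe variant of the answer's <machineKey>: random explicit keys instead of AutoGenerate.
    # 3DES takes a 24-byte key (48 hex chars); the validationKey here is 64 bytes (128 hex chars).
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="3DES" decryption="3DES" />' -f (New-HexKey 64), (New-HexKey 24)
}

# Usage (paths are placeholders): every installed machine.config plus one site's web.config.
$configs = @(Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework*\v*\CONFIG\machine.config" -ErrorAction SilentlyContinue |
             ForEach-Object { $_.FullName })
$configs += 'C:\inetpub\wwwroot\MyApp\web.config'   # assumed site root
Get-FipsViewStateFinding -ConfigPath $configs -WebFarm | Format-Table -AutoSize
New-FarmMachineKeyElement
```

    The audit only reads; nothing changes until you paste the generated element into machine.config or an application's web.config yourself and run iisreset. Pass every file in the configuration chain (machine.config, the root web.config, the site and application web.config files), since a lower file can override the machineKey set higher up, and run the same element on every node of the farm.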

All replies

  • Hi,
    Is the above suggestion working on your side? Please feel free to let us know if you have any other concerns.
    Sincerely,
    Eric

    Please remember to mark helpful replies as answers.
    Friday, January 22, 2010 1:27 AM
  • Thanks, that worked for me :)
    Friday, May 20, 2011 3:12 PM
  • Fantastic - this also worked for us!!
    Wednesday, June 8, 2011 12:21 PM
  • Worked for us! Thanks!

    Our existing .Net4 Web app started throwing this error. It was frustrating the heck out of me. But your solution did the trick.

    Wednesday, December 14, 2011 12:16 PM
  • Worked for me as well!!! Thanks.

    Thursday, September 27, 2012 3:40 AM
  • Although this thread is a bit old, I'd like to bring it back to life and state that I haven't been as lucky as the others. eryang, could you tell me if being behind a load balancer or in a web farm would have any effect on this? I have verified that the registry setting is set to 1 but am unsure how to verify the other item (although I assume it is also true), so I figured the simple web.config change would fix it, and it doesn't. 

    Really needing some other suggestions here...



    • Proposed as answer by Bryan Senter Tuesday, October 15, 2013 12:43 PM
    Wednesday, November 28, 2012 2:02 PM
  • FroggEye:

    Note that the KB indicates a restart is required to recognize the change in the registry setting. 

    I recommend removing (or setting to false) the fipsalgorithmpolicy only as a last resort.

    The change to web.config worked for me. 

    I've already set debug=false. A true setting can cause similar problems.

    Watch for web.config closer to the root!

    Tuesday, October 15, 2013 12:47 PM
  • Hi Eric,

    Thank you for this article.

    I changed the web.config file first, but that did not work; also changing the FIPS registry setting to zero did work.

    Regards,

    Geoff James

    Tuesday, February 11, 2014 5:15 AM
  • Yes. It worked for me. In my case, the issue started after a group policy update. Thanks for the solution.
    Tuesday, July 7, 2015 11:03 AM
  • I made the suggested change. While that error went away, now I get this error:

    System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
       at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input)
       at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.Protect(Byte[] clearData)
       at System.Web.Security.MachineKey.Protect(ICryptoServiceProvider cryptoServiceProvider, Byte[] userData, String[] purposes)
       at System.Web.Security.MachineKey.Protect(Byte[] userData, String[] purposes)
       at System.Web.Helpers.AntiXsrf.MachineKey45CryptoSystem.Protect(Byte[] data)
       at System.Web.Helpers.AntiXsrf.AntiForgeryTokenSerializer.Serialize(AntiForgeryToken token)
       at System.Web.Helpers.AntiXsrf.AntiForgeryTokenStore.SaveCookieToken(HttpContextBase httpContext, AntiForgeryToken token)
       at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.GetFormInputElement(HttpContextBase httpContext)
       at System.Web.Helpers.AntiForgery.GetHtml()
       at System.Web.Mvc.HtmlHelper.AntiForgeryToken()
       at ASP._Page_Views_Contracts_Edit_cshtml.Execute()

    I undid this change and the original error returned.


    Edward R. Joell MCSD MCDBA



    • Edited by joeller Tuesday, August 4, 2015 1:16 PM
    Monday, August 3, 2015 8:34 PM
  • Setting the Registry key and updating the web.config worked for me. 

    Thanks! 

    Thursday, January 21, 2016 12:28 AM