SharePoint on Windows 2008: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

Enterprise, SharePoint

I was tackling this error today on my farm. When attempting to open Central Admin, I would get this error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

The event logs had an Event ID 8214, but the error was unknown so I couldn’t find any information about it. Searches on the net weren’t helpful; they just talk about authentication problems. I wasn’t sure if the Event ID was even related, but I think it was.

I edited the web.config of the Central Admin site and set <customErrors mode="Off" />, but it didn’t help: I got the error above or sometimes a blank page when loading Central Admin. The key was to also set CallStack="true" on the SafeMode element in the web.config.

I was able to get the Central Admin to finally load after changing a couple of registry settings. First, I saw a HKLM\SYSTEM\CurrentControlSet\Control key called "fipsalgorithmpolicy" which was set to 0. Hmm, that’s good. Some more research pointed me to a sub-key called FIPSAlgorithmPolicy. There was a DWORD value called "Enabled" and this was set to 1. Changing it to 0 (zero) and performing an IISRESET allowed me to open Central Admin.

Great, but not great. My network has a policy (Group Policy setting) to turn this on. “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” is set to enabled. So, this isn’t a permanent solution.

I found this blog post called Aggregated Intelligence: FIPS validated cryptographic algorithms in .NET which suggested adding another line in my web.config, <enforceFIPSPolicy enabled="false" /> inside the <runtime> element. For the record, that did nothing for me; I don’t know why.

Anyway, I was pretty sure that this was a best practice, especially in Department of Defense (DoD) where I’ve spent most of my time working. It’s maybe even a requirement. I started looking at IIS and the Web Site Settings for Central Admin. In Windows 2008, it defaults to the “Features” view. In there, I checked each of the icons. Inside “Machine Key” I noticed that the algorithm was set to SHA1 (or was it AES). In any case, I changed it to TripleDES, performed an IISRESET /NOFORCE and everything worked! I’ll have to verify some of this tomorrow but hopefully this post gives some useful troubleshooting steps.
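To make the checks above repeatable, here is an added PowerShell diagnostic (my own, not from the original post) that reads the FIPS policy from the registry and reports the relevant web.config settings. It assumes the policy lives under Control\Lsa\FipsAlgorithmPolicy (the post names only the Control key and the FipsAlgorithmPolicy sub-key), and the web.config path is a placeholder to replace with the Central Admin site's own.

```powershell
# Added diagnostic for the "not part of the Windows Platform FIPS validated
# cryptographic algorithms" symptom. Read-only: it changes nothing.
param(
    # Placeholder: point this at the Central Admin site's web.config.
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\<PORT>\web.config'
)

# 1. Effective FIPS policy. Assumption: the key sits under Control\Lsa.
#    Enabled = 1 means "Use FIPS compliant algorithms" is enforced (Group
#    Policy re-applies it, so flipping it by hand is not a lasting fix).
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$legacy  = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).FipsAlgorithmPolicy
$enabled = (Get-ItemProperty -Path "$lsaKey\FipsAlgorithmPolicy" -ErrorAction SilentlyContinue).Enabled
"Legacy FipsAlgorithmPolicy value : $legacy"
"FipsAlgorithmPolicy\Enabled      : $enabled"

# 2. web.config settings that matter for this error.
[xml]$cfg = Get-Content -Path $WebConfigPath
$root = $cfg.configuration

$customErrors = $root.'system.web'.customErrors.mode     # "Off" to see real errors
$callStack    = $root.SharePoint.SafeMode.CallStack      # "true" for a stack trace
$enforce      = $root.runtime.enforceFIPSPolicy.enabled  # present only if added
$validation   = $root.'system.web'.machineKey.validation # e.g. SHA1, 3DES, AES
$decryption   = $root.'system.web'.machineKey.decryption # e.g. Auto, 3DES, AES

"customErrors mode     : $customErrors"
"SafeMode CallStack    : $callStack"
"enforceFIPSPolicy     : $enforce"
"machineKey validation : $validation"
"machineKey decryption : $decryption"

# 3. With FIPS enforced, the machine key must use algorithms that ASP.NET
#    backs with a validated provider. AES here maps to the managed Rijndael
#    class and MD5 is not approved, so either choice reproduces the error;
#    3DES (shown as TripleDES in IIS Manager) works, as the post found.
if ($enabled -eq 1) {
    if ($validation -match '^(AES|MD5)$') {
        "WARNING: machineKey validation=$validation will fail under FIPS policy; use 3DES or SHA1."
    }
    if (-not $decryption -or $decryption -match '^(Auto|AES)$') {
        "WARNING: machineKey decryption=$decryption resolves to AES under FIPS policy; use 3DES."
    }
}
```

Run it from an elevated PowerShell prompt on the server, since the Lsa key and the web.config are ACL-protected.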

KB811833 talks about enabling FIPS compliant algorithms; it’s titled: The effects of enabling the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” security setting in Windows XP and in later versions of Windows.
