I am working on a government site and am having some problems with my local security policy interferring with my web application. There is a setting called “System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms” which is enabled on my server.
Since that has been enabled, most of my aspx pages are returning the error “This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.” These pages aren’t accessing any cryptographic methods. They do communicate with another database server, but that’s it.
My problem is similar to the one described here. However, I don’t have the option of disabling this FIPS security setting.
I am using .NET 4.0, IIS 7.0, and Windows Server 2008 R2, if that matters. Has anyone encountered this problem before?
Update
Unfortunately, correcting the machine key element to use a FIPS compliant algorithm did not completely solve my problem. I am still getting the error on alot of my pages.
I found two hotfixes which may be related. I will try to install these and see what happens.
Refer to Microsoft’s knowledge base article: KB 811833 – The effects of enabling the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing…”. Excerpt:
By default, ASP.NET wants to use algorithms that are incompatible with FIPS compliance. To solve your problem, you’ll need to change ASP.NET configuration to use a compatible algorithm instead. Refer to machineKey Element on how to configure another algorithm.
This MSDN forum post suggests 3DES ought to be compatible… although the machineKey documentation listed previously does say about AES (the default in ASP.NET 4.0) “This algorithm is compliant with the United States Federal Information Processing Standards (FIPS)“.
I’ve also heard that having
debug="true"in your web.config may cause the error.