Wrox Programmer Forums

Need to download code?

View our list of code downloads.

Go Back   Wrox Programmer Forums > ASP.NET and ASP > ASP.NET 3.5 > ASP.NET 3.5 Professionals
Password Reminder
Register
Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read
ASP.NET 3.5 Professionals If you are an experienced ASP.NET programmer, this is the forum for your 3.5 questions. Please also see the Visual Web Developer 2008 forum.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 3.5 Professionals section of the Wrox Programmer to Programmer discussions. This is a community of tens of thousands of software programmers and website developers including Wrox book authors and readers. As a guest, you can read any forum posting. By joining today you can post your own programming questions, respond to other developersí questions, and eliminate the ads that are displayed to guests. Registration is fast, simple and absolutely free .
DRM-free e-books 300x50
 
 
Thread Tools Display Modes
  #1 (permalink)  
Old September 23rd, 2013, 03:05 PM
Authorized User
Points: 65, Level: 1
Points: 65, Level: 1 Points: 65, Level: 1 Points: 65, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Apr 2013
Location: Northern Virginia
Posts: 14
Thanks: 5
Thanked 0 Times in 0 Posts
Default Bad security error (FIPS) when deploying ASP.net website

hi,

I am deploying a 3.5 ASP.Net website to IIS 6.1 on a government system that has some kind of FIPS security restrictions. When navigating to any website, no matter how trivial or complex it is, I get the error:

"This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. ".

I have read forum postings directing me to turn off FIPS either in the Registry or Admin Tools. The problem is the goverment keeps running scans on the webserver and turning FIPS registry setting back on. What is the work around for this ? Making settings in Machine.config are ignored as well.

Thanks,

Darius
  #2 (permalink)  
Old September 24th, 2013, 10:51 AM
Authorized User
Points: 65, Level: 1
Points: 65, Level: 1 Points: 65, Level: 1 Points: 65, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Apr 2013
Location: Northern Virginia
Posts: 14
Thanks: 5
Thanked 0 Times in 0 Posts
Default

After doing a lot of research (googling) I solved my FIPS security problem. I had to piece together the solution from several different sources. Here's the complete solution that worked for me, in case anyone else has the issue:

in Web.config, make following settings:

Code:
<system.web>

      <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="3DES" decryption="3DES"/>
The above change is necessary to switch from AES to 3DES. Apparentlty, on FIPS compliant systems, AES will not work. ** important, if application is deployed in IIS, then it must be restarted after this setting with iisreset at command prompt, run as admin.

The other setting in web.config is turn off Debug. FIPS exception will be thrown if Debug is true. So it must be set to false.

Code:
<compilation debug="false">
If using Ajax or the ScriptManager for anything in the website, FIPS exception is still thrown because of hashing algorithms not being FIPS compliant. Fortunately there is a hotfix patch to correct this problem. If using ScriptManager for anything, this patch will make it FIPS compliant when installed on the Webserver:


KB981119 - ScriptModule throws FIPS exception on Win 7
http://archive.msdn.microsoft.com/KB...ReleaseId=4066




The above solutions is really good for any system that requires FIPS, like in government settings.

Thank you.
  #3 (permalink)  
Old December 13th, 2013, 01:28 AM
Authorized User
 
Join Date: Nov 2013
Location: Fort Worth
Posts: 10
Thanks: 0
Thanked 1 Time in 1 Post
Default

The above given solution seems to be pretty reasonable.
__________________
Movie 786
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Chapter 16 - Security in your ASP.NET Website sting88 BOOK: Beginning ASP.NET 4.5 : in C# and VB 6 September 10th, 2013 02:56 AM
General Website Security in ASP.net 3.5 logon forms EmmanuelEgobu BOOK: Professional ASP.NET 3.5 : in C# and VB ISBN: 978-0-470-18757-9 10 February 9th, 2011 05:09 AM
deploying ASP.net nandar_hayhay ASP.NET 1.0 and 1.1 Basics 1 September 29th, 2007 01:29 PM
The Code of book ASP.NET Website Programming Error jackahu BOOK: ASP.NET Website Programming Problem-Design-Solution 0 June 16th, 2004 12:04 PM



All times are GMT -4. The time now is 03:35 AM.


Powered by vBulletin®
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
© 2013 John Wiley & Sons, Inc.