hi,

I am deploying a 3.5 ASP.Net website to IIS 6.1 on a government system that has some kind of FIPS security restrictions. When navigating to any website, no matter how trivial or complex it is, I get the error:

"This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. ".

I have read forum postings directing me to turn off FIPS either in the Registry or Admin Tools. The problem is the goverment keeps running scans on the webserver and turning FIPS registry setting back on. What is the work around for this ? Making settings in Machine.config are ignored as well.

Thanks,

Darius

After doing a lot of research (googling) I solved my FIPS security problem. I had to piece together the solution from several different sources. Here's the complete solution that worked for me, in case anyone else has the issue:

in Web.config, make following settings:

The above change is necessary to switch from AES to 3DES. Apparentlty, on FIPS compliant systems, AES will not work. ** important, if application is deployed in IIS, then it must be restarted after this setting with iisreset at command prompt, run as admin.

The other setting in web.config is turn off Debug. FIPS exception will be thrown if Debug is true. So it must be set to false.

If using Ajax or the ScriptManager for anything in the website, FIPS exception is still thrown because of hashing algorithms not being FIPS compliant. Fortunately there is a hotfix patch to correct this problem. If using ScriptManager for anything, this patch will make it FIPS compliant when installed on the Webserver:


KB981119 - ScriptModule throws FIPS exception on Win 7
http://archive.msdn.microsoft.com/KB...ReleaseId=4066




The above solutions is really good for any system that requires FIPS, like in government settings.

Thank you.

The above given solution seems to be pretty reasonable.