Wrox Programmer Forums
Go Back   Wrox Programmer Forums > ASP.NET and ASP > ASP.NET 3.5 > ASP.NET 3.5 Professionals
ASP.NET 3.5 Professionals If you are an experienced ASP.NET programmer, this is the forum for your 3.5 questions. Please also see the Visual Web Developer 2008 forum.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 3.5 Professionals section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
Old September 23rd, 2013, 02:05 PM
Authorized User
Join Date: Apr 2013
Posts: 14
Thanks: 5
Thanked 0 Times in 0 Posts
Default Bad security error (FIPS) when deploying ASP.net website


I am deploying a 3.5 ASP.Net website to IIS 6.1 on a government system that has some kind of FIPS security restrictions. When navigating to any website, no matter how trivial or complex it is, I get the error:

"This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. ".

I have read forum postings directing me to turn off FIPS either in the Registry or Admin Tools. The problem is the goverment keeps running scans on the webserver and turning FIPS registry setting back on. What is the work around for this ? Making settings in Machine.config are ignored as well.


Old September 24th, 2013, 09:51 AM
Authorized User
Join Date: Apr 2013
Posts: 14
Thanks: 5
Thanked 0 Times in 0 Posts

After doing a lot of research (googling) I solved my FIPS security problem. I had to piece together the solution from several different sources. Here's the complete solution that worked for me, in case anyone else has the issue:

in Web.config, make following settings:


      <machineKey validationKey="AutoGenerate,IsolateApps"
                validation="3DES" decryption="3DES"/>
The above change is necessary to switch from AES to 3DES. Apparentlty, on FIPS compliant systems, AES will not work. ** important, if application is deployed in IIS, then it must be restarted after this setting with iisreset at command prompt, run as admin.

The other setting in web.config is turn off Debug. FIPS exception will be thrown if Debug is true. So it must be set to false.

<compilation debug="false">
If using Ajax or the ScriptManager for anything in the website, FIPS exception is still thrown because of hashing algorithms not being FIPS compliant. Fortunately there is a hotfix patch to correct this problem. If using ScriptManager for anything, this patch will make it FIPS compliant when installed on the Webserver:

KB981119 - ScriptModule throws FIPS exception on Win 7

The above solutions is really good for any system that requires FIPS, like in government settings.

Thank you.
Old December 13th, 2013, 01:28 AM
Authorized User
Join Date: Nov 2013
Posts: 3
Thanks: 0
Thanked 1 Time in 1 Post

The above given solution seems to be pretty reasonable.

Similar Threads
Thread Thread Starter Forum Replies Last Post
Chapter 16 - Security in your ASP.NET Website sting88 BOOK: Beginning ASP.NET 4.5 : in C# and VB 6 September 10th, 2013 01:56 AM
General Website Security in ASP.net 3.5 logon forms EmmanuelEgobu BOOK: Professional ASP.NET 3.5 : in C# and VB ISBN: 978-0-470-18757-9 10 February 9th, 2011 05:09 AM
deploying ASP.net nandar_hayhay ASP.NET 1.0 and 1.1 Basics 1 September 29th, 2007 12:29 PM
The Code of book ASP.NET Website Programming Error jackahu BOOK: ASP.NET Website Programming Problem-Design-Solution 0 June 16th, 2004 11:04 AM

Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.