Currently the team I'm on is working on a server migration of two environments (both have a DB and Web server). We're migrating from Windows Server 2008R2 to Windows Server 2016. These are brand new instances that are being stood up.
We finished with one environment and began running through testing of our site that is hosted on both servers (one is a testing environment and one production). Most of everything functions as expected with one exception in the testing environment.
The site we host is a custom .Net application built with MVC4 and C#. It also has a link out to a IBM Cognos application for reporting purposes.
In testing, I had one area of the .Net application to test that I was slightly worried about. This application is an older part of the site that generates a PDF file based on data within an Access DB.
The application ended up throwing the following error: "Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms". There were no additional details logged when the error was thrown by the application.
I have seen this error previously in my local development environment. How I dealt with it then was change the Windows Registry entry for the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy Enabled = 0
However, in our testing environment, as well as production, that is not possible. We are required to keep Enabled = 1.
Our 2008R2 server had no issues with this, but the 2016 server does not like it. At this point, I've added an entry to the web.config to allow for it, but to no avail. It is the entry of the following:
<system.web>
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
...
</system.web>
I modified the MSBuild.exe.config file also with the following:
<configuration>
<runtime>
<enforceFIPSPolicy enabled = "false" />
</runtime>
</configuration>
Neither change made a difference in the end. At this point, I'm drawing a blank. Is there a way to disable FIPS for the application?
I finally did figure out a solution. The code that was throwing the error revolved around the use of iTextSharp. The version we had was older and was notorious for throwing the error I mentioned above due that it was not FIPS compliant.
The quick and easy solution was a simple one: upgrade the version of iTextSharp to the next version, which was FIPS compliant.
Though this works, we are due to rewrite the module that uses this code, where we will replace iTextSharp altogether (discontinued at this point).