In Azure DevOps 2020, I created a new project collection on our DevOps server. When I went to create a new project for that new collection from my work computer's browser, I received this message:
Oops, something went wrong. Project creation operation failed.
Hitting the Try Again button on that error screen produced the same result.
On our DevOps server, the log file from my attempt C:\ProgramData\Microsoft\Azure DevOps\Server Configuration\Logs..._CreateProject_1130_141424.log had this error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Executing step: Create the Team Project
Executing step: 'Create the Team Project' WorkItemTracking.CreateTeamProject (5 of 12)
Process guids. TypeId: b8a3a935-7e91-48b8-a94c-606d37c3e9f2 Inherits: 00000000-0000-0000-0000-000000000000
Process flags. : IsSystem: True IsCustom: False
All projects count:1
Well-formed projects count:0
Refreshing server caches.
Importing queries.
Failure while provisioning project - will retry (Message): This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Failure while provisioning project - will retry (Stacktrace): at System.Security.Cryptography.SHA1Managed..ctor()
at Microsoft.TeamFoundation.WorkItemTracking.Server.CommonWITUtils.GetSha1HashString(String text)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DalUpdateQueryItemHashElement.JoinBatch(ElementGroup group, ServerQueryItem item, IVssRequestContext requestContext)
at Microsoft.TeamFoundation.WorkItemTracking.Server.Update.ExplodeQueryUpdates(Guid id)
at Microsoft.TeamFoundation.WorkItemTracking.Server.Update.AddQueryUpdatesToBatch()
at Microsoft.TeamFoundation.WorkItemTracking.Server.Update.BuildBatch(XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Boolean bypassRules, Boolean validationOnly, Boolean provisionRules)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.UpdateImpl(XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Payload metadataPayload, Boolean bisNotification, String& dbStamp, Boolean bulkUpdate, Boolean& bulkUpdateSuccess, IVssIdentity user, Boolean overwrite, Boolean bypassRules, Boolean validationOnly, Boolean provisionRules)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.Update(XmlElement package, Boolean overwrite, Boolean provisionRules)
at Microsoft.TeamFoundation.WorkItemTracking.Server.ProvisioningService.ImportQueries(IVssRequestContext requestContext, IProcessTemplate template, XmlNode queriesNode, Uri projectUri, ProvisioningActionType action)
at Microsoft.TeamFoundation.Server.Deploy.TFCollection.Project.WorkItemTrackingImporter.ImportQueries()
at Microsoft.TeamFoundation.Server.Servicing.TFCollection.WorkItemStepPerformer.ProvisionTeamProject(IVssRequestContext requestContext, IServicingContext servicingContext, Lazy`1 witImporter, String projectUri, ProcessDescriptor processDescriptor)
at Microsoft.TeamFoundation.Server.Servicing.TFCollection.WorkItemStepPerformer.CreateTeamProject(IServicingContext servicingContext)
Failure while provisioning project - will retry (Exception Type): InvalidOperationException
Importing queries.
[Error] This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA1Managed..ctor()
at Microsoft.TeamFoundation.WorkItemTracking.Server.CommonWITUtils.GetSha1HashString(String text)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DalUpdateQueryItemHashElement.JoinBatch(ElementGroup group, ServerQueryItem item, IVssRequestContext requestContext)
at Microsoft.TeamFoundation.WorkItemTracking.Server.Update.ExplodeQueryUpdates(Guid id)
at Microsoft.TeamFoundation.WorkItemTracking.Server.Update.AddQueryUpdatesToBatch()
at Microsoft.TeamFoundation.WorkItemTracking.Server.Update.BuildBatch(XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Boolean bypassRules, Boolean validationOnly, Boolean provisionRules)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.UpdateImpl(XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Payload metadataPayload, Boolean bisNotification, String& dbStamp, Boolean bulkUpdate, Boolean& bulkUpdateSuccess, IVssIdentity user, Boolean overwrite, Boolean bypassRules, Boolean validationOnly, Boolean provisionRules)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.Update(XmlElement package, Boolean overwrite, Boolean provisionRules)
at Microsoft.TeamFoundation.WorkItemTracking.Server.ProvisioningService.ImportQueries(IVssRequestContext requestContext, IProcessTemplate template, XmlNode queriesNode, Uri projectUri, ProvisioningActionType action)
at Microsoft.TeamFoundation.Server.Deploy.TFCollection.Project.WorkItemTrackingImporter.ImportQueries()
at Microsoft.TeamFoundation.Server.Servicing.TFCollection.WorkItemStepPerformer.ProvisionTeamProject(IVssRequestContext requestContext, IServicingContext servicingContext, Lazy`1 witImporter, String projectUri, ProcessDescriptor processDescriptor)
at Microsoft.TeamFoundation.Server.Servicing.TFCollection.WorkItemStepPerformer.CreateTeamProject(IServicingContext servicingContext)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStepPerformerBase.PerformHostStep(String servicingOperation, ServicingOperationTarget target, IServicingStep servicingStep, String stepData, ServicingContext servicingContext)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStepPerformerBase.PerformStep(String servicingOperation, ServicingOperationTarget target, String stepType, String stepData, ServicingContext servicingContext)
at Microsoft.TeamFoundation.Framework.Server.ServicingStepDriver.PerformServicingStep(ServicingStep step, ServicingContext servicingContext, ServicingStepGroup group, ServicingOperation servicingOperation, Int32 stepNumber, Int32 totalSteps)
Step failed: Create the Team Project. Execution time: 220 milliseconds.
[StepDuration] 0.1820582
[GroupDuration] 0.2299482
[OperationDuration] 1.1763862
Clearing dictionary, removing all items.
Based on that error, I performed the following steps on the DevOps server. After each step I stopped/started IIS, then went back to attempt Create Project again. No luck with any of these solutions.
Modified file C:\ProgramData\Microsoft\Azure DevOps\Configuration\SavedSettings\ApplicationTier\web.config to contain element <enforceFIPSPolicy enabled="false"/>.
Since the app pools for Azure DevOps use the .NET CLR Version v4.0.30319, I modified file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config to contain element <enforceFIPSPolicy enabled="false"/>.
On the machine's Local Security Policy, disabled setting System cryptography: Use FIPS compliant algorithms...
Can anyone suggest what else I can try? I'm assuming the error message is accurate, and quite frankly I was surprised that the last thing I tried did not solve the problem.
UPDATE: In the error message I also see
at System.Security.Cryptography.SHA1Managed..ctor()
I'm assuming SHA1Managed..ctor() means SHA1Managed constructor. If that's true then Microsoft says that SHA1Managed is not FIPS compliant.
But I can't change the DevOps code, if it's using SHA1Managed there's nothing I can do about it, correct?
On our DevOps server, we have DevOps 2020 Update 1. So we are behind, would getting to Update 2 solve this problem? Or should I ask, does Update 2 use a different/newer cryptography class which might solve my problem?
Ok so this option in my original post did work for me:
On the machine's Local Security Policy, disabled setting System cryptography: Use FIPS compliant algorithms...
What I did not do was get a server reboot from our network folks after making this change. One of them suggested that perhaps the value was cached, and a reboot was worth a try. We did so, and that allowed me to create a project.
WARNING THOUGH!!!
Disabling FIPS made the server unreachable via Remote Desktop! So after I created my Project, one of our network folks had to go directly to the machine to re-enable FIPS. Which put security back to where we want it, and allowed remote access again.
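A read-only check of the FIPS state discussed in this thread, added here as an example and not part of the original posts: it reports the machine policy, what the current process sees, which SHA-1 classes can be constructed, and whether the two config files named above carry enforceFIPSPolicy. It assumes Windows PowerShell 5.1 (.NET Framework) run on the server; the registry path is the standard Windows location for this policy and is not taken from the posts.

```powershell
# Added diagnostic sketch (not from the original posts). Read-only: changes nothing.
# Assumes Windows PowerShell 5.1, which runs on .NET Framework like the DevOps app pools.

# 1. Machine-wide policy value behind the Local Security Policy setting
#    "System cryptography: Use FIPS compliant algorithms...".
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
"Registry FipsAlgorithmPolicy\Enabled : $enabled"

# 2. What this process believes. Compare with (1) after a policy change to see
#    whether the new value is visible yet.
$fipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
"CryptoConfig.AllowOnlyFipsAlgorithms : $fipsOnly"

# 3. Try the constructor from the stack trace (SHA1Managed) next to the
#    OS-backed SHA-1 wrappers, and report which ones throw.
foreach ($name in 'SHA1Managed', 'SHA1CryptoServiceProvider', 'SHA1Cng') {
    try {
        $hash = New-Object -TypeName "System.Security.Cryptography.$name" -ErrorAction Stop
        $hash.Dispose()
        '{0,-26} constructed OK' -f $name
    } catch {
        '{0,-26} FAILED: {1}' -f $name, $_.Exception.GetBaseException().Message
    }
}

# 4. Look for <enforceFIPSPolicy> in the two files edited in the question.
$configs = @(
    'C:\ProgramData\Microsoft\Azure DevOps\Configuration\SavedSettings\ApplicationTier\web.config',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config'
)
foreach ($path in $configs) {
    if (-not (Test-Path -LiteralPath $path)) { "$path : not found"; continue }
    $xml  = [xml](Get-Content -LiteralPath $path -Raw)
    # local-name() keeps the lookup working if the file declares an XML namespace.
    $node = $xml.SelectSingleNode("//*[local-name()='enforceFIPSPolicy']")
    $state = if ($node) { "enabled=$($node.GetAttribute('enabled'))" } else { 'element absent' }
    "$path : enforceFIPSPolicy $state"
}
```

The script reports only its own PowerShell process, so the result for step 3 can differ from what the IIS worker process hosting Azure DevOps experiences.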