What is FIPS?

Windows has a setting that prevents applications on the machine from using encryption that are not compliant with Federal Information Processing Standards(FIPS). This setting is typically only needed for servers that contain government data. Here is a good article about FIPS and why it would need to be enabled.

The reason this is causing an issue, is because SmartConnect encrypts the SQL login details used to connect to the SmartConnect database using a non-FIPS compliant algorithm. There are two options to resolve this error message. The first is to disable FIPS Mode. If this is not an option, we can add some SmartConnect config files to tell Windows that SmartConnect is exempt from the FIPS requirements.

Disable FIPS Mode

Disabling FIPS Mode is a simple setting switch to the Local Policy.

Go to Administrative Tools > Local Security Policy > Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Switch the flag to disabled.

**In my testing I haven’t needed to reboot after changing the setting, but if the issue persists, a restart may be required.

Exclude SmartConnect from FIPS

We will need to add a configuration file for each SmartConnect application and service individually. I will go into detail about each SmartConnect folder individually.

User Interface, Windows Service, and Configuration Application

In the SmartConnect Folder: C:\Program Files (x86)\eOne Solutions\SmartConnect

There are four config files that need to be added. The names must match exactly.

eOne.SmartConnect.RunMapConsole.exe.config

eOne.SmartConnect.UI.External.exe.config

eOne.SmartConnect.WindowsService.exe.config

eOne.SmartConnect.Config.exe.config

 

Each file will contain the same XML.

<configuration> 

<runtime> 

<enforceFIPSPolicy enabled=”false”/> 

</runtime> 

</configuration>

 

WCF Service

In the WCF Folder: C:\Program Files (x86)\eOne Solutions\wcf

The application pool for the service needs to be pointed to a different CLRConfigFile. By default, all application pools use the aspnet.config file, but we don’t want to change that one.

Create a new file named “AppPool.config”

The file should contain the following.

<?xml version=”1.0″ encoding=”UTF-8″ ?>

<configuration>

<runtime>

<legacyUnhandledExceptionPolicy enabled=”false” />

<legacyImpersonationPolicy enabled=”true”/>

<alwaysFlowImpersonationPolicy enabled=”false”/>

<SymbolReadingPolicy enabled=”1″ />

<shadowCopyVerifyByTimestamp enabled=”true”/>

<enforceFIPSPolicy enabled = “false” />

</runtime>

<startup useLegacyV2RuntimeActivationPolicy=”true” />

</configuration>

 

After creating the file, it will need to be assigned to the Application Pool. There isn’t a setting for this available through the IIS GUI so we will need to do it using the CMD prompt.

Here is the command that will need to be ran.

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name=’SmartConnectWcf’].CLRConfigFile:”C:\Program Files (x86)\eOne Solutions\wcf\AppPool.config”  /commit:apphost

Asp.net Web Service

In the asmx folder: C:\Program Files (x86)\eOne Solutions\www

The application pool for the service needs to be pointed to a different CLRConfigFile. By default, all application pools use the aspnet.config file, but we don’t want to change that one.

Create a new file named “AppPool.config”

The file should contain the following.

<?xml version=”1.0″ encoding=”UTF-8″ ?>

<configuration>

<runtime>

<legacyUnhandledExceptionPolicy enabled=”false” />

<legacyImpersonationPolicy enabled=”true”/>

<alwaysFlowImpersonationPolicy enabled=”false”/>

<SymbolReadingPolicy enabled=”1″ />

<shadowCopyVerifyByTimestamp enabled=”true”/>

<enforceFIPSPolicy enabled = “false” />

</runtime>

<startup useLegacyV2RuntimeActivationPolicy=”true” />

</configuration>

 

After creating the file, it will need to be assigned to the Application Pool. There isn’t a setting for this available through the IIS GUI so we will need to do it using the CMD prompt.

Here is the command that will need to be ran.

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name=’SmartConnect’].CLRConfigFile:”C:\Program Files (x86)\eOne Solutions\www\AppPool.config”  /commit:apphost