Tuesday, September 26, 2017

Report Manager: “System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”

during my installation of Report server, I was able to access reportserver url but not reports url.
I get nothing in event viewer, but got below error in reports log.
Report Manager: “System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”


Cause:
This is happening because FIPS is enabled on the Reporting Services server and Report Manager does not support the Local Security Policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". (https://technet.microsoft.com/en-us/library/ms345220%28v=sql.105%29.aspx)
To ascertain that FIPS is enabled you can:
(1)    Check the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy
And the value of it should be set to 1.
(2)    Or else, go to Local Security Policy (Start -> Run -> secpol.msc) and then go to “Security Settings -> Local Policies -> Security Options” and on the right-side windows you should see the policies in that please look for the Policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” and checked the security thing and it should be Enabled.

For more information on why FIPS is not supported you can refer:
https://support.microsoft.com/en-us/kb/911722
http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

How to resolve this issue:
If you do not need FIPS, go ahead and change the above mentioned registry change from 1 to 0 or else change the local security policy from Enabled state and Disabled state.
If you cannot disable FIPS, don’t worry we can still get around it. With reference to https://support.microsoft.com/en-us/kb/911722, in order to get around this issue you would have to edit Report Manager’s web.config file as explained below.
File to be edited:
<system-drive>\Program Files\Microsoft SQL Server\MSRS<version>.<instance>\Reporting Services\ReportManager\Web.config
What to do?
(1)    In the Web.config file, locate the <system.web> section.
(2)    Add the following <machineKey> section to in the <system.web> section:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
(3)    Save the Web.config file.

Once the file has been changed, you would have to restart Reporting Services service for the change to become effective.
Recommendation: Take a backup of the web.config file prior to making the change.
Note: As Reporting Services 2008 and above doesn't use IIS, this configuration change has to be made in the Report Manager's web.config file and Reporting Services service needs to be restarted after making the change and not IISRESET.
I have also added this note to https://technet.microsoft.com/en-us/library/ms345220%28v=sql.105%29.aspx as a comment.


reference: https://blogs.msdn.microsoft.com/dataaccesstechnologies/2015/07/16/report-manager-system-invalidoperationexception-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms/


Regards,
Sudhanshu

No comments:

Post a Comment