Report Manager: “System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”

Applies To: Tested on SQL Server Reporting Services 2008, 2008 R2, 2012 and 2014.

When you browse Report Manager URL, you get an HTTP 500 error or a blank page (in case if you have disabled friendly HTTP messages) on the browser window. When you check the Reporting Services log files you would find the below error being logged:

ERROR: System.Web.HttpException: Error executing child request for Error.aspx. ---> System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Whereas you would able to browse Report Server URL successfully and it lists all the Reports, Data Sources, Folders, etc. without any issues.

 

Cause:

This is happening because FIPS is enabled on the Reporting Services server and Report Manager does not support the Local Security Policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". (https://technet.microsoft.com/en-us/library/ms345220%28v=sql.105%29.aspx)

To ascertain that FIPS is enabled you can:

(1)    Check the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy

And the value of it should be set to 1.

(2)    Or else, go to Local Security Policy (Start -> Run -> secpol.msc) and then go to “Security Settings -> Local Policies -> Security Options” and on the right-side windows you should see the policies in that please look for the Policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” and checked the security thing and it should be Enabled.

 

For more information on why FIPS is not supported you can refer:

https://support.microsoft.com/en-us/kb/911722

https://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

 

How to resolve this issue:

If you do not need FIPS, go ahead and change the above mentioned registry change from 1 to 0 or else change the local security policy from Enabled state and Disabled state.

If you cannot disable FIPS, don’t worry we can still get around it. With reference to https://support.microsoft.com/en-us/kb/911722, in order to get around this issue you would have to edit Report Manager’s web.config file as explained below.

File to be edited:

<system-drive>\Program Files\Microsoft SQL Server\MSRS<version>.<instance>\Reporting Services\ReportManager\Web.config

What to do?

(1)    In the Web.config file, locate the <system.web> section.

(2)    Add the following <machineKey> section to in the <system.web> section:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

(3)    Save the Web.config file.

 

Once the file has been changed, you would have to restart Reporting Services service for the change to become effective.

Recommendation: Take a backup of the web.config file prior to making the change.

Note: As Reporting Services 2008 and above doesn't use IIS, this configuration change has to be made in the Report Manager's web.config file and Reporting Services service needs to be restarted after making the change and not IISRESET.

I have also added this note to https://technet.microsoft.com/en-us/library/ms345220%28v=sql.105%29.aspx as a comment.

 

HTH!

Author: Deepak Lakhotia - SQL Server BI-ONE Developer team, Microsoft

Reviewer: Krishnakumar Rukmangathan- Technical Advisor, SQL Server BI-ONE Developer team, Microsoft

Comments

  • Anonymous
    August 16, 2016
    I am getting this error when I try to build a codedUI Test. Please advise
  • Anonymous
    August 14, 2017
    I am getting the FIPS error for only one report, Not sure why. If I disable it in registry it works well. Please advise.