Something Went Wrong with my site collection!??! FIPS, SharePoint 2013 and Windows 2012R2
Have you ever worked on a secure environment? Have you ever worked with an image that has STIG requirements? In a few cases, I have run into instances where things just aren't working in SharePoint the way I am used to them working with an out of the box install. I have found that the images that I work on have been locked down pretty tight. For example, some are locked down so tight, you can't even change the background image on the desktop without Administrator's rights. Since I have bumped my head on this issue a few times, I figured I'd give you the break down on it. So…
What is FIPS?
FIPS is the Federal Information Processing Standard created by the United States Federal Government for hardware, software and devices. The standard covers the cryptographic module inside a security system, which is there to protect the confidentiality and integrity of information within that module. Federal agencies and departments can validate that the module in use is covered by the FIPS 140-1 or FIPS 140-2 certification. Having FIPS enabled is, in most cases, a Security Technical Implementation Guide (STIG) requirement.
What is a STIG?
A STIG (Security Technical Implementation Guide) is a cybersecurity method for standardizing security protocols within networks, servers, computers, and logical designs to enhance security.
The Issue:
When attempting to create a new site collection in SharePoint 2013, you may receive the error "Sorry, something went wrong".
Things that I notice:
- The Central Administration site was running perfectly fine.
- Event ID 8306 indicating failed Claims Authentication in the Event Viewer.
- In SharePoint 2013, these errors are synonymous with not being able to access the newly created site collection and the above Claims Authentication error:
This appears to be most commonly caused by the FIPS (Federal Information Processing Standard) algorithm policy being enabled on a Windows operating system.
Disable the FIPS Local System Policy:
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
- Click Administrative Tools > Local Security Policy.
- Click and expand Local Policies > Click Security Options > Click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
- Click Disable > Click OK.
- Restart the affected application. Close and reopen Internet Explorer.
Alternative Method 1 to Disable FIPS via Registry:
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy set Enabled to 0
Alternative Method 2 to Disable FIPS via ASPNET.config:
Edit the following files:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Aspnet.config
Then add the following line:
<enforceFIPSPolicy enabled="false"/>
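To see which of the three settings above is actually in effect on a server before or after changing anything, the read-only PowerShell check below reports each one. It is an added example, not part of the original post; the function names are made up for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only report of the FIPS settings discussed in this post.
# Function names are hypothetical; paths and the registry key come from the post.
$regPath = 'HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
$configs = @(
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config',
    'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Aspnet.config'
)

function Get-FipsRegistryState {
    # The Local Security Policy setting is stored as the Enabled value of this key.
    $prop = Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Enabled value not present' }
    if ($prop.Enabled -eq 0) { return 'disabled (0)' }
    return "enabled ($($prop.Enabled))"
}

function Get-AspNetFipsOverride {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file not found' }
    try { $xml = [xml](Get-Content -LiteralPath $Path -Raw) }
    catch { return "cannot parse XML: $($_.Exception.Message)" }
    # Look for the element anywhere in the file, so a misplaced entry is still reported.
    $node = $xml.SelectSingleNode('//enforceFIPSPolicy')
    if ($null -eq $node) { return 'no enforceFIPSPolicy element (OS policy applies)' }
    return "enforceFIPSPolicy enabled=$($node.GetAttribute('enabled')) under <$($node.ParentNode.Name)>"
}

$report = @()
$report += [pscustomobject]@{ Setting = 'Registry FIPSAlgorithmPolicy'; State = Get-FipsRegistryState }
foreach ($c in $configs) {
    $report += [pscustomobject]@{ Setting = $c; State = Get-AspNetFipsOverride -Path $c }
}
# What the .NET runtime enforces inside this PowerShell process right now.
$report += [pscustomobject]@{
    Setting = '.NET AllowOnlyFipsAlgorithms (this process)'
    State   = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
}
$report | Format-Table -AutoSize -Wrap
```

If the registry value flips back to enabled after a policy refresh, the setting is being pushed by Group Policy, and a local change will not persist.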
For more information about how FIPS affects the Windows operating system:
https://technet.microsoft.com/en-us/library/cc263215(v=office.14).aspx
The Break Down:
In a nutshell, FIPS being enabled prevents users from accessing a newly created site collection, and it needs to be disabled for them to do so. The main reason that we see the above error is that SharePoint uses MD5, a hashing algorithm that doesn't comply with FIPS 140-2 certification.