Partager via


WF: Running Work Flow application on FIPS (The Federal Information Processing Standard) complaint Machines.

WF: Running Work Flow application on FIPS (The Federal Information Processing Standard) complaint Machines.

 

Issue:

Using the System.Workflow.Runtime library in our code and when creating the workflow with WorkflowRuntime.CreateWorkflow()

 

We get the following exception:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()

at System.Workflow.Runtime.HashHelper.HashServiceType(String serviceFullTypeName)

at System.Workflow.Runtime.HashHelper.HashServiceType(Type serviceType)

at System.Workflow.Runtime.TrackingListenerBroker.AddService(Type trackingServiceType, Version profileVersionId)

at System.Workflow.Runtime.TrackingListenerFactory.GetChannels(Activity schedule, WorkflowExecutor exec, Guid instanceID, Type workflowType, TrackingListenerBroker& broker)

at System.Workflow.Runtime.TrackingListenerFactory.GetListener(Activity sked, WorkflowExecutor skedExec, TrackingListenerBroker broker)

at System.Workflow.Runtime.TrackingListenerFactory.GetTrackingListener(Activity sked, WorkflowExecutor skedExec)

at System.Workflow.Runtime.TrackingListenerFactory.WorkflowExecutorInitializing(Object sender, WorkflowExecutorInitializingEventArgs e)

at System.Workflow.Runtime.WorkflowRuntime.WorkflowExecutorCreated(WorkflowExecutor workflowExecutor, Boolean loaded)

at System.Workflow.Runtime.WorkflowExecutor.RegisterWithRuntime(WorkflowRuntime workflowRuntime)

at System.Workflow.Runtime.WorkflowRuntime.RegisterExecutor(Boolean isActivation, WorkflowExecutor executor)

at System.Workflow.Runtime.WorkflowRuntime.Load(Guid key, CreationContext context, WorkflowInstance workflowInstance)

 

Cause:

This issue occurs because Windows Workflow Foundation uses the MD5CryptoServiceProvider class to provide non-secure hashing of a string to a unique key. The MD5CryptoServiceProvider class does not support FIPS compliance.

 

WORK-AROUND - 1

To work around this issue, disable the FIPS encryption level. We can use the Group Policy Object.

To do this, follow these steps:

 

1.Click Start, click Run, type gpedit.msc, and then click OK.

2.Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

3.In the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click Disable, and then click OK.

 

WORK-AROUND-2

Below tag can be applied on application level, rather than requirement to disable FIPS for complete machine.

<configuration>

<runtime>

<enforceFIPSPolicy enabled="false"/>

</runtime>

</configuration>

WORK-AROUND-3

We need to double check if environment has the following hot fix already installed.

https://support.microsoft.com/en-us/kb/977069

 

Work Around 3 may not help, cause:

Hotfix 977069 contained a fix for the implementation of the MD5 service provider for this class: WorkflowDefinitionDispenser.

However, we are seeing this exception coming from the TrackingListener class.

Product group reviewed the code and looks like we are still using MD5 provider in the TrackingListener class.

 

Actual Code:

[System.Security.SecuritySafeCritical]  // auto-generated

public MD5CryptoServiceProvider() {

if (CryptoConfig.AllowOnlyFipsAlgorithms)

throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));  <--------------

Contract.EndContractBlock();

 

// _CreateHash will check for failures and throw the appropriate exception

_safeHashHandle = Utils.CreateHash(Utils.StaticProvHandle, Constants.CALG_MD5);

}

 

Stack:

0:009> KL

# Child-SP          RetAddr           Call Site

00 00000000`261cdd88 00007ffd`d7fa0302 mscorlib_ni!System.InvalidOperationException..ctor(System.String)

01 00000000`261cdd90 00007ffd`ae6b8305 mscorlib_ni!System.Security.Cryptography.MD5CryptoServiceProvider..ctor()+0x47b2a2

02 00000000`261cddd0 00007ffd`ae6b51af system_workflow_runtime_ni!System.Workflow.Runtime.HashHelper.HashServiceType(System.String)+0x25

03 00000000`261cde30 00007ffd`ae78e6f5 system_workflow_runtime_ni!System.Workflow.Runtime.TrackingListenerFactory.GetChannels(System.Workflow.ComponentModel.Activity, System.Workflow.Runtime.WorkflowExecutor, System.Guid, System.Type, System.Workflow.Runtime.TrackingListenerBroker ByRef)+0x55f

04 00000000`261ce0e0 00007ffd`ae5e67c1 system_workflow_runtime_ni!System.Workflow.Runtime.TrackingListenerFactory.GetListener(System.Workflow.ComponentModel.Activity, System.Workflow.Runtime.WorkflowExecutor, System.Workflow.Runtime.TrackingListenerBroker)+0x1a7bd5

05 00000000`261ce160 00007ffd`ae5dd6f8 system_workflow_runtime_ni!System.Workflow.Runtime.TrackingListenerFactory.WorkflowExecutorInitializing(System.Object, WorkflowExecutorInitializingEventArgs)+0x4d1

06 00000000`261ce2a0 00007ffd`ae5e6296 system_workflow_runtime_ni!System.Workflow.Runtime.WorkflowRuntime.WorkflowExecutorCreated(System.Workflow.Runtime.WorkflowExecutor, Boolean)+0x38

07 00000000`261ce2f0 00007ffd`ae5eb19c system_workflow_runtime_ni!System.Workflow.Runtime.WorkflowExecutor.RegisterWithRuntime(System.Workflow.Runtime.WorkflowRuntime)+0xe6

08 00000000`261ce360 00007ffd`ae5de5a4 system_workflow_runtime_ni!System.Workflow.Runtime.WorkflowRuntime.Load(System.Guid, System.Workflow.Runtime.CreationContext, System.Workflow.Runtime.WorkflowInstance)+0x35c

09 00000000`261ce4b0 00007ffd`ae5dcaf1 system_workflow_runtime_ni!System.Workflow.Runtime.WorkflowRuntime.GetWorkflowExecutor(System.Guid, System.Workflow.Runtime.CreationContext)+0xe4

0a 00000000`261ce560 00007ffd`ae5dc922 system_workflow_runtime_ni!System.Workflow.Runtime.WorkflowRuntime.InternalCreateWorkflow(System.Workflow.Runtime.CreationContext, System.Guid)+0x1c1

 

If Disable FIPS is not an option for us, then you can request MS support technician to provide the private hotfix Fix.

Also, PG is trying to integrate the Fix with new public hot fix release (scheduled sometime in April 2016).

 

Thanks

Saurabh Somani