Reputation: 2887
How to disable fips in asp .net
I want to disalbe fips in asp .net x64 application. In web.config I added
<runtime>
<enforceFIPSPolicy enabled = "false">
</runtime>
I set debug to false.
However my application do not work. Should I declare runtime section in < configSections > ? If yes then is it a proper line
<section name="runtime" type="System.Configuration.IgnoreSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowLocation="false"/>
Upvotes: 4
Views: 6336
Answers (1)
Reputation: 5444
Solution only works for IIS >= 7.5
It doesn't look like IIS allows you to manipulate this setting through a web application's web.config. One work-around is to create a dedicated App Pool (or multiple), and configure the App Pool's CLR with FIPS enforcement disabled. IIS 7.5 introduced a CLRConfigFile property that you can use to specify an App Pool's .NET configuration file. This gives us more granular control over which applications the configuration impacts - instead of the shotgun approach where we disable it in machine.config or the group policy setting.
1.Create a configuration file, c:\inetpub\AppPoolClrConfig\noFipsWeb.config, with the following content (the location and name of the file is immaterial):
<configuration>
<runtime>
<enforceFIPSPolicy enabled = "false" />
</runtime>
</configuration>
2.Grant read permissions on the file to the identity under which the App Pool runs:
icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\YourAppPoolName":(R)
3.Configure the App Pool to load this config file by setting the pool's CLRConfigFile property:
cmd:
%windir%\System32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools /[name='{AppPoolName}'].CLRConfigFile:"{FilePath}" /commit:apphost
sample:
%windir%\System32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config" /commit:apphost
Due to a bug in IIS 7.5, we need to also clear the managedRuntimeLoader property or else the CLRConfigFile will be ignored:
%windir%\System32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].managedRuntimeLoader:"" /commit:apphost
4.Restart IIS. Your Asp.NET applications that are using the App Pool above should now be ignoring FIPS.
Credits to:
Scott Forsyth for explaining how to configure an app pool to use a different CLR file than the standard aspnet.config file.
Jose Reyes for documenting the bug in IIS 7.5 that ignored the CLRConfigFile Property
Upvotes: 7
Related Questions
- How to check that an Asp.NET application is FIPS-ready
- Detecting if FIPS is being enforced via .NET C#
- Can I enable FIPS momentarily in a .net application?
- How to enforce FIPS in asp.net code (This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.)
- enforceFIPSPolicy flag in web.config doesn't seem to working for web application
- How to enable FIPS on windows 7
- ADAL fails when FIPS is required
- Disable FIPS with command line
- ASPX pages fail due to FIPS 140 security policy
- Can the ASP.NET ScriptManager be made to work with the Windows FIPS security policy?