Make ASP.NET web application FIPS Compliant? - asp.net

I need to understand how to make an ASP.NET web application FIPS compliant. To keep it simple, I created a new web application within VS 2008. I have FIPS enabled on my development machine, as the client using the web application will be a Federal agency that will enforce FIPS.
I can not even compile the new web application - as it gives me the error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
I have read documentation and added the following elements to the web.config file:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
<enforceFIPSPolicy enabled="false" /> (also tried <enforceFIPSPolicy enabled="0" />)
But I still get this error. Again, I want to get this to work with a brand new web application before I attempt to get it to work with my actual solution.
I am using .NET 3.5 SP1 for the framework.
Any help would be greatly appreciated.
Thanks.
Chris

if a reference to ANY non-FIPS compliant algorithm is in the code, even if never actually used/reachable will cause the FIPS compliance error. For example just declaring an MD5CryptoServiceProvider variable without even instantiating it will cause the error. This includes other referenced .NET assemblies, so be sure no referenced dlls are possibly using non-fips compliant algorithms as well.
Here's a handy site that lists all of the FIPS and non-FIPS algorithms in .NET http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html

There are two things to make a new.NET application FIPs compliant.
1) In your machine key settings, use 3DES for decryption and SHA1 for validation, as you mentioned in the question. (There is a STIG out that says you should use SHA1. https://www.stigviewer.com/stig/iis_7.0_web_site/2014-03-25/finding/V-26026)
2) Ensure that the code is not in debug mode.
The compilation section of your web.config and the page directives should all have debug="false". Debug="true" will kick off the FIPs compliance error before .Net can even run the first line of code.
For visual studio to compile the code, you may need to disable fips on visual studio.
For visual studion 2010:
Open Devenv.exe.config from
C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE if you are on x64 OS
or C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\ on x86 OS
Find </runtime> tag and add the following above that line:
<enforceFIPSPolicy enabled="false"/>
After the above modification devenv config would look like:
<configuration>
<runtime>
.
.
.
<enforceFIPSPolicy enabled="false"/>
</runtime>
</configuration>
Restart Visual Studio
https://blogs.msdn.microsoft.com/brijs/2010/08/10/issue-getting-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-exception-while-building-outlook-vsto-add-in-in-vs-2010/
Sources: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx
https://blogs.msdn.microsoft.com/webtopics/2009/07/20/parser-error-message-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-when-net-page-has-debugtrue/
http://forums.asp.net/t/1778719.aspx?+FIPS+validated+cryptographic+algorithms+3DES+machinekey+solution+didnt+work

Related

ASP.NET MVC4 to 5 Upgrade

I have had to take a very old project out of it's dusty box and upgrade it from 4 to 5 and I followed the guidance on the MS Site (https://learn.microsoft.com/en-us/aspnet/mvc/overview/releases/how-to-upgrade-an-aspnet-mvc-4-and-web-api-project-to-aspnet-mvc-5-and-web-api-2) and it all works perfect locally on my dev machine. Yep it works on my machine so ship it right....
Well No because I publish to the server and this is where the issues start as I keep getting errors saying:
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: The 'targetFramework' attribute in the
element of the Web.config file is used only to target
version 4.0 and later of the .NET Framework (for example,
''). The 'targetFramework'
attribute currently references a version that is later than the
installed version of the .NET Framework. Specify a valid target
version of the .NET Framework, or install the required version of the
.NET Framework.
I have checked that the Web.Config file has the Target set to 4.7.1 and on the server the current version is 4.7.2 so where am I going wrong.
The line in the Web.Config that is being referenced is:
<compilation debug="true" targetFramework="4.7.1" />
And at the bottom of the error page:
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.2106.0
I like my local machine too much to ship it to the cloud so someone please help. I have been bashing my head against the desk for hours now and Google/Bing etc are not helpful.
Have you tried to install "Runtime" SDK on the server?
The runtime SDK for Framework 4.7.1 can be found here:
https://www.microsoft.com/net/download/visual-studio-sdks
If you haven't done it, try it!
Probably you don't have the .Net version in the hosting server just install the .Net version in the server.
.Net 4.7.1 Offline Installer
Thanks for the responses but this site is hosted on a shared hosting platform so I can't install anything, but I checked and they have 4.7.2 installed.
I fixed the problem by removing the targetFramework from the compilation settings and worked a treat.
Old:
<compilation debug="true" targetFramework="4.7.1" />
New:
<compilation debug="true" />
Thanks for the help. Now onto the next issue.

Which .net version is used ? The one in web conifg or the one used while building?

Probably a noob question but what version of .NET is used in a ASPX web application? Is it the version defined in the project propperties or the one defined in the web.config file of the website?
I need to know this because an API I am using in the web application is closing all non TLS1.2 protocolls. And as far as I understand TLS1.2 is the default in .NET 4.5. The server is Windows Server 2008.
Visual Studio uses web.config values to initialize the property pages. So, they're one in the same.
You see the .NET version from the property pages in the web.config similar to this:
<configuration>
<system.web>
<compilation targetFramework="4.5" />
</system.web>
</configuration>
If you change the target framework in the project properties and save, you should see the updated target framework in that value in your web.config file.

Compiling ASP.NET project versus NET4.0 with NET4.5 installed

I have an ASP.NET project that was working correctly compiled with Visual Studio 2010 and NET4.0.
Then I have installed VS Express 2012 and NET4.5 and I always get an Exception trying to open a SqlConnection.
Can I have some chance to recompile my project targeting NET4.0 (so without disinstalling 4.5) and have it working?
In VS Express 2012 I have this web.config:
<system.web>
<compilation debug="true" targetFramework="4.0"/>
The referenced assemblies correctly target the v4.0, for example:
Assembly System.Data
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.0\System.Data.dll
EDIT 2
As this blog http://blogs.msdn.com/b/msbuild/archive/2007/04/12/new-reference-assemblies-location.aspx and also this answer https://stackoverflow.com/a/8543850/1012244 explains very well, there is a BIG difference betweeen Referenced Assemblies (folder contains those assemblies that ship with the x.xx Framework which are useful for referencing during the design and build of new components) and Runtime scenario (At runtime, these components will still be loaded from the GAC in most cases).
However, when I run the project I always get the Exception, as if the project actually was using NET4.5... Why?
PS. If I deploy this project on a production server machine with only NET4.0 installed, the connection is fine.
(This is clear now: Installing Net4.5 essentially replaces Net4.0)
UPDATED QUESTION -
Can I have some chance to recompile my project targeting an OLD NET4.0 .dll (System.Data.dll in my case) instead of the new Net4.5 dll?
EDIT - Additional info
At this MSDN link http://msdn.microsoft.com/en-us/library/ff602939.aspx I found:
If you determine that a change in the .NET Framework 4.5 has broken your application, check the Runtime Settings Schema to determine whether you can use a runtime setting in your application configuration file to restore the previous behavior.
Could this help me? And how?

VS2012 / IIS7 building website causing conflicts

I have an old website (asp.net 2.0) that is running on IIS7 on a server happily.
I want to make a change to the code, so I have copied all the source code and appropriate binaries to my desktop (running VS 2012).
However whether I am using IIS or the inbuilt webserver I am getting the following error;
The type 'foo' in 'c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\livesite\169c38ce\cc32b84b\App_Web_qbel5zk4.28.cs' conflicts with the imported type 'foo' in 'c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\livesite\169c38ce\cc32b84b\App_Web_m030ztdd.dll'. Using the one in 'c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\livesite\169c38ce\cc32b84b\App_Web_qbel5zk4.28.cs'.
This same code worked fine on an older XP PC running VS 2005. I am assuming that this is down to the .net framework, the app pool in iis is set to run as asp.net 2 classic, but the assemblies are being generated under v4 of the framework.
I have tried deleting temporary asp.net files and I am still getting the same issue.
There is only one instance of each of the classes it is objecting about in the project. So how do I fix it so that this works in VS 2012, but still using .net 2.0 ?
Maybe it is a matter of dynamic compilation. By default the "batch" attribute of the "compilation" element in your web.config is true. Something like this :
<compilation defaultLanguage="c#" debug="false" batch="true" targetFramework="4.0" />
With batch="true", whenever a control has to be compiled in a directory, the server compiles all controls (everything?) in its directory.
That may results in conflicts for elements referenced from different locations in your site.
You should try to set batch="false" and to remove your temporary files.
If you still encounter problems, try to do a dummy edit-and-save on the corresponding ascx/cs files.
Hope this will help

System.ServiceModel.Activation.HttpModule error

what is the cause of this error on below line?
<system.web>
<globalization fileEncoding="utf-8" requestEncoding="utf-8" responseEncoding="utf-8" culture="fa-IR" uiCulture="fa-IR" />
<compilation targetFramework="4.0" debug="true">
<assemblies> <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
Everywhere the problem to this solution was mentioned as re-registering aspNet by using aspnet_regiis.exe. But this did not work for me.
Though this is a valid solution (as explained beautifully here)
but it did not work with Windows 8.
For Windows 8 you need to Windows features and enable everything under ".Net Framework 3.5" and ".Net Framework 4.5 Advanced Services".
Thanks
Neha
This happens when you install .Net 4 before enabling IIS, or if you register WCF after registering .Net 4. In either case, your App Pools will be running .Net 2.0 (which is the CLR version required for .Net 3 if you have registered WCF, which installs ASP.Net 3.5, or the default if you have installed IIS after .Net 4)).
There are many references to this on the web, e.g. the MSDN blogs:
http://blogs.msdn.com/b/webtopics/archive/2010/04/28/system-typeloadexception-for-system-servicemodel-activation-httpmodule-in-asp-net-4.aspx
The fix is to re-register ASP.Net 4 from the correct (32 or 64 bit) Framework folder (Framework64 on a 64bit server), using the aspnet_regiis.exe tool, e.g.
aspnet_regiis.exe -iru
For Windows 8 you need to Windows features and enable everything under .Net Framework 3.5 and .Net Framework 4.5 Advanced Services -> Enable Everything
For windows 8 the above configuration in
Control panel->programs->windows features on/off
enable every thing under".net Framework3.5" and ".net Framework 4.5 advanced Services"
Working fine for me.
Thanks Madhavi.B
I had this problem on a server managed by one of our clients. I didn't have the access to run the aspnet_regiis.exe tool. As a workaround I did the following:
I removed aspNetCompatibilityEnabled="true" from the <serviceHostingEnvironment> tag in the web.config
removed [AspNetCompatibilityRequirements] from the webservice.cs file
Unfortunately this means that for example HttpContext.Current becomes null, I could fix my webservice by rewriting all my HttpContext.Current.Server.MapPath calls to System.Web.Hosting.HostingEnvironment.MapPath
Hope this helps someone.
This problem surfaced for us immediately after we installed the Windows Management Framework 3.0/PowerShell 3.0 sp1 (KB2506143) on a Windows Server 2008 R2 x64. Windows Update then also installed KB2736422, KB2756921, and KB2656411 immediately after.
Our solution was to first uninstall KB2506143 (and the three updates that accompanied that), then run aspnet_regiis.exe -iru as suggested in Ed209's response above. Both steps were necessary to resolve the problem. Thank you, Ed209.
appcmd.exe set config -section:system.webServer/modules /[name='ServiceModel'].preCondition:"managedHandler,runtimeVersionv2.0" /commit:apphost
worked for me

Resources