ASPX Pages Fail Due To FIPS 140 Security Policy?
Mar 18, 2011
I am working on a government site and am having some problems with my local security policy interferring with my web application. There is a setting called "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" which is enabled on my server.
Since that has been enabled, most of my aspx pages are returning the error "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." These pages aren't accessing any cryptographic methods. They do communicate with another database server, but that's it.
My problem is similar to the one described here. However, I don't have the option of disabling this FIPS security setting.
I am using .NET 4.0, IIS 7.0, and Windows Server 2008 R2, if that matters. Has anyone encountered this problem before?
Update
Unfortunately, correcting the machine key element to use a FIPS compliant algorithm did not completely solve my problem. I am still getting the error on alot of my pages.
I found two hotfixes which may be related. I will try to install these and see what happens.
SQL Server Reporting Services R2 hotfix ScriptManager Control hotfix
View 1 Replies
Similar Messages:
Feb 19, 2010
If you enable the "Use FIPS compliant algorithms for encryption, hashing, and signing" security policy option in Windows, attempting to use many of the cryptographic classes in the .NET Framework will result in an InvalidOperationException. By default, ASP.NET uses AES to encrypt the ViewState blob, so it fails. You can work around this by adding a key like this to web.config:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
And that covers you for basic ASP.NET use. My problem is this: I have a large, complex ASP.NET web applications that makes heavy use of ScriptManagers (the foundation of ASP.NET AJAX) and needs to be deployed by a government customer who must enable this FIPS policy setting. Any ASP.NET page with a ScriptManager on it throws this exception:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA1Managed..ctor() +3607454
System.Security.Policy.Hash.get_SHA1() +45
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfoInternal(Assembly assembly) +85
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfo(Assembly assembly) +99
System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +525
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +910
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +193
System.Web.UI.ScriptReference.GetUrlFromName(ScriptManager scriptManager, IControl scriptManagerControl, Boolean zip) +306
System.Web.UI.ScriptManager.RegisterUniqueScripts(List`1 uniqueScripts) +169
System.Web.UI.ScriptManager.RegisterScripts() +407
System.Web.UI.ScriptManager.OnPagePreRenderComplete(Object sender, EventArgs e) +200
System.Web.UI.Page.OnPreRenderComplete(EventArgs e) +11041982
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3672
Even adding the <enforceFIPSPolicy enabled="false"/> element to web.config does not resolve the exception.
Is there any way to configure ASP.NET such that ScriptManager can be used with the Windows FIPS security policy?
View 3 Replies
Apr 2, 2013
Error:
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.Local its run fine. when i place in iis. it throw this exception.
View 1 Replies
Oct 15, 2010
I'm working on a SharePoint solution which makes use of a third party dll (Telerik for Asp.Net Ajax - Telerik.Web.UI.dll) for rich experience. Since Telerik dll is a common assembly i have to deploy it to the bin folder of the webapplication instead of GAC. So here comes the problem.
WSPBuilder automatically deploys the dll to gac if the dll presents in the GAC folder. To deploy the telerik dll in bin i created the folder 80�in and copied the dll there. I tried to build the wsp again and then went through the manifest.xml created. Great. The deployment target for the dll changed to WebApplication and wspbuilder was smart to create the cas policy itself.
<CodeAccessSecurity>
<PolicyItem>
<PermissionSet class="NamedPermissionSet" version="1" Description="WSPBuilder generated
[code]....
But Wspbuilder was not smart enough to put the four part name of SharePointPermission IPermission class. But i learnt that CAS actually requires the four part name. So i decided to make use of the -CustomCAS command line option of wspbuilder.exe to pass my custom cas policy file.
Here is my custom policy file -
<IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Flags="Execute" />[code]....
After i deployed the wsp i verified
* the dlls going to bin
* the trust level changed to custom trust level
* custom policy file being added to config folder
But when i run the page i get the following error -
screen shot -
Error -Execution Permission Denied
I've checked my entire application for any assembly references of the dll. But i was not able to find one.
View 1 Replies
Jun 24, 2010
I developed our feature rich web page which is constantly changing. I'm not much of a programmer but I know HTML and CSS pretty well. I have a need to create a couple of login page for prospects and end users to get to secured content. I put together a page that works perfectly in Microsoft Visual Web developer Express 2010. This includes a login page. Ironically, after learning how to do all this from a book, there is a web page that perfectly chronicles what I am trying to accomplish and the steps to do it. It's here: [URL]
I don't expect you to watch it, but there is a simple aspx page created for login and then users are created and the content is displayed after successful login. It works fine in m development environment, but when I post, nothing. Furthermore, twice in the last two days, after downloading my current site to my hard drive, and then posting back after adding this functionality, my FrontPage forms stopped working. I had to have my website restored from backup. The whole thing makes no sense and I can't find any precedence posted on any user forums. So any testing I do seems to wipe out my navigation structure.
I'm going to establish the site on a different server tonight and see if its configuration. If that works, I'm not sure where to g next. I'd appreciate any thoughts. The worst part is I can't post a test page or my Fropage contact forms stop working.
View 1 Replies
Mar 31, 2010
I have a website statistics program that creates .htm pages for viewing. Im trying to keep them in their own folder on the root - "Statistics"After reading many posts I have tried many iterations of:
[code]...
Problem is, an .aspx pages in there won't get served with login, but all the .htm pages will.
View 24 Replies
Apr 6, 2010
when i run my application i got this error like...
Description: An unhandled exception occurred during the execution of the current web request. review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Policy.PolicyException: Required permissions cannot be acquired.
View 1 Replies
Feb 15, 2010
I want to use the login component with forms authentication, but i don't want to use the whole package. I have a database with users in it, and i create the users manually, through another section of my site. I will authenticate them using my own functions, in the Authenticate event.
But, specifying the forms authentication in web.config, i seem to recall having seen somewhere, that i could add pages that were protected, while the rest of the site wasn't.
How do i do this? Currently, i have only 1 page that i want to protect.
View 2 Replies
Nov 10, 2010
i have an dll file which is data access layer of my application.
i am getting this exception while accessing databse
Description:
The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission contact your system administrator or change the application's trust level in the configuration file.
Exception Details:
System.Security.SecurityException: Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
View 3 Replies
Apr 9, 2010
Using VS 2010 RC, VB, and Forms authentication to allow access to the site, depending on the login rights of a user, I want to turn on and off access to certain pages. I can turn on and off buttons to access the pages, but a user can type the page into the url, and it will still go to them.
View 5 Replies
May 24, 2010
In one of my website I need to prevent direct access to non .aspx pages in a protected folder. Authentication works fine if I am going to [URL] but in one case my users are uploading html pages in that folder and if somebody cut and paste [URL]the page can be seen without the authentication process to be activated.
View 6 Replies
Sep 30, 2010
My masterpage has a loginStatus control to let users log out and it works very well on normal pages .Recently, I created a new content page associated with the mentioned master page. Such new page allows users to add textboxes dynamically through ajax asycpostback.
Unfortunately, loginstatus right now fails to work when i click it. I traced the process and i found out that the loggingout event was not fired when i click it.
I follow this video to make such "Dynamically add control" page.
http://www.asp.net/ajax/videos/how-to-dynamically-add-controls-to-a-web-page
View 2 Replies
Mar 2, 2011
i have login page that i use captcha image but i want if user login fail for 3 times append this captcha to login page so user must enter content of captcha image to login.how can i do that?
View 10 Replies
Mar 6, 2011
I have a stripped down log in form on the top of each page, user/pass box and buttom, no keep me log in or error messages. If the user enters the right credetians he is log in and user name shows up instead of log in form; if he enters the wrong info, nothing happens.
Now, I want it to happen is that if the user enters the wrong credetians, and he doesnt get log in, he is redirect to the full Log In page.
View 4 Replies
Oct 11, 2010
I wrote a test page that does a bunch of busy work in a method called at page load. This process as I have it now takes around 12 seconds.
If I try to load another page while the first long running page is loading, this second page doing nothing except writing out a world, it doesn't load until the first long running page is finished.
Why is this the case? I would think IIS would be able to handle multiple concurrent connections, it seems crazy that one long running page would stop every other page in the application from loading. I must be missing something or not understand how IIS works.
I would think multiple independent requests would be spawned on different threads. Is this only the case if the requests are from different sessions entirely? Are all requests from a single session bound to a single thread?
View 1 Replies
Feb 26, 2010
first of all: this probelm was already an issue in [URL] but it does not resolve my problem: I have VS2008 and SQL Server 2008 Express with Adv. Option istalled. When compiling a page with the reportviewer control I get the error Type 'Microsoft.Reporting.RdlBuildProvider' cannot be instantiated under a partially trusted security policy (AllowPartiallyTrustedCallersAttribute is not present on the target assembly). C:websitesadAgencyweb.config
From the obove mentioned post I learned to use <trust level="Full" /> in the web.config file (which I never used on other Implementations that work). Now the compilation works, but when I start the web application and call that page I get a lot of JScrip Errors like: Runtime error in Microsoft JScript: 'RSClientController' is undefined, which comes from a line in the dynamic page.aspx file: document.getElementById('ctl00_maincontent_ReportViewer1').ClientController = new RSClientController "ctl00_maincontent_ReportViewer1_ctl03", "ReportFramectl00_maincontent_ReportViewer1", ...
I should mention, that I had SQL Server 2005 Express uninstalled before the 2008 version.
View 1 Replies
Feb 25, 2011
Our asp.net 2.0 app encountered the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.After adding the following in web.config -> <system.web> section:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
The error occurs in those pages that uses AJAX.
View 1 Replies
Sep 27, 2010
I have two application (one of this is mojo portal): [URL] for some users when they login into "app" then the login in "mojo" doesn't work and viceversa. I've set the machinekey into web.config file. When the users remove all cookies and session data the login works again. The two application are into a Web Farm. Should be ARR the problem?
View 2 Replies
Jun 6, 2010
i would like to know if there's a combo like jCryption (jCryption) - PHP but for jQuery - ASPX.I mean, I have been searching for a combo to send data both ways (Client-server, server-client) with jQuery to ASPX. The best I found was jCryption that sends data from JavaScrpit to PHP. I need a combo to send data from JavaScrpit to ASPX.
PD: Please don't tell me to use HTTPS, it's not enough to ensure the data communication on a client - server application.
View 1 Replies
Nov 28, 2010
First of all, thank you for the attention.
I am having some trouble, I am very new to asp.net, and the last problem I had, I spent about 59 hours trying to solve, Now I have a new one !
:D well, I guess this is part of the learning process...
Well, in Visual Studio 2010, I clicked New Website. @ C# language, ... The template it gives is pretty nice, it creates a database MDF file, and a login/register setup ready to go !...
You guys can see it live AT CLICK HERE ...
Everything is working, well at least here at the local machine...
There are 2 pages in there, Default.aspX, and About.aspx ... I want to allow ONLY logged in users to view those 2 pages... I tryed a few things, added my account to a role called ADMIN,
In the web.cong I changed Allow"*" to allow"ADMIN" ... still didn't work.. Also, I was trying to avoid using roles for now, and I was trying to find a way to do this for individual pages in the same directory as well... If possible with out touching the web.config file...
View 3 Replies
Jun 23, 2010
i used security in login page which restricts all users who have not logged in to all pages. I need to restrict specific users to specific pages. I'm not using AspSqlService provider. So i cannot create roles and restrict automatically. And the pictures i use in login page are not visible @ runtime.
View 1 Replies
Apr 16, 2010
I'd like a really simple way to deploy .net 4.0 with group policy. I tried the steps in [URL], but for some reason the installer won't unpack to my designated directory using the method outlined in the article.
I tried dotNetFx40_Full_x86_x64.exe /T:"Path to share" /C
There must be an easy way to do this which doesn't involve manually going to each computer in the organization.
View 1 Replies
May 5, 2010
Hey as you guys know I'm not so good at CSS. I wrote a site for a business a friend is starting using it, I've got it hosted on the web now, but all the pages but Default.aspx ignore the CSS file.
View 4 Replies
Jul 29, 2010
I found that i can use Response.WriteFile to include them and most of the pages work, except that the login page is not working.
View 4 Replies
Nov 11, 2010
I know an ASP.NET app can have as many aspx pages as you want but after hitting a certain number of them (over 100) should I consider a different design? Or, as the months/years go by do I just keep adding more and more pages to my app?
View 3 Replies
