I am currently using DotNetOpenAuth v4.1.0.12182 to perform simple Relying Party functionality and was able to get it working (tested Google and Yahoo) without even adding any web.config entries. However, this site will be deployed onto web servers which have the following setting enabled:
Go to Control Panel > Administrative Tools > Local Security Policy
Find the setting "System cryptography: Use FIPS compliant algorithms..." and set it to Enabled
Without this enabled the site works fine. With this enabled I get the Server Error "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms". I did find information on the dotnetopenauth v4-0 beta release page which mentions that, as of the DotNetOpenAuth 4.0 release, one of the changes was "FIPS-compliant SHA algorithms can now be configured in your .config files."
What I need help with...
I am seeking to know what config changes I need to make in order to get this FIPS message/error to go away. I've looked at [http://www.dotnetopenauth.net/developers/help/configuration-options/][2] but cannot find any clarity on it as to what is FIPS related. Any help would be greatly appreciated, thank you!
Updated (7/10/2012)
I'm providing the steps I've re-taken so the error can be replicated:
I used a fairly fresh install of Server 2008 R2 Enterprise (already had VS 2010 installed and perhaps some updates)
Added the Web Server Role
Added the .NET Framework 3.5.1 Feature
Enabled the Local Security Policy: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Restarted the server
Compiled/built the OpenIdRelyingPartyWebForms sample and published it for use as a local IIS website
Ran into a URI error that caused me to have to set the App Pool to use ASP.NET v4.0
Ran into another error that caused me to have to "force install of .NET 4": http://devonenote.com/2010/06/could-not-load-type-system-servicemodel-activation-httpmodule/
Now the "Relying Party" webpage finally rendered so I clicked the Members Only link and then clicked the Sign In with a Yahoo ID option
After about a 2-3 second pause for it processing I receive:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA512Managed..ctor() +4479214
[TargetInvocationException: Exception has been thrown by the target of an invocation.] when trying to do System.Security.Cryptography.SHA512.Create +11 and then System.Security.Cryptography.CryptoConfig.CreateFromName +1195
[TypeInitializationException: The type initializer for 'DotNetOpenAuth.OpenId.HmacShaAssociation' threw an exception.] DotNetOpenAuth.OpenId.HmacShaAssociation.TryFindBestAssociation (cs:134)
Troubleshooting steps...
Added the config entries (based upon the link that Andrew provided) to the Framework64/v4.0.30319/Config/machine.config under the tag. However, since I have not yet added the Security.Cryptogrophy DLL anywhere I removed those lines from the config (the ones dealing with HMACSHA512).
Restarted the machine
Browsed back to and clicked the Sign In with a Yahoo ID button
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA384Managed..ctor() +4486510
[TargetInvocationException: Exception has been thrown by the target of an invocation.] when trying to do System.Security.Cryptography.SHA384.Create +11 and then System.Security.Cryptography.CryptoConfig.CreateFromName +1195
[TypeInitializationException: The type initializer for 'DotNetOpenAuth.OpenId.HmacShaAssociation' threw an exception.] DotNetOpenAuth.OpenId.HmacShaAssociation.TryFindBestAssociation (cs:134)
What I noticed is that now it is complaining about SHA384 instead of SHA512, so the machine.config entry for SHA512 (telling ASP.NET to use the SHA512Cng class within System.Core) must be working!
So next I proceeded to add SHA384 & SHA256 entries, did an iisreset, and browsed back to and clicked the Sign In with a Yahoo ID button. This time I was finally redirected to Yahoo, logged in, and was sent back to my localhost URL but received this FIPS error:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.HMACSHA256..ctor(Byte[] key) +4491026
So now I proceeded with the following:
Added in the HMACSHA512 machine.config line I originally took out and duplicated it for HMACSHA256
Added the Security.Cryptography.dll file from the codeplex project referenced in Andrew's response to the GAC (windows\assembly) as per this MSDN blog
Restarted the machine
Browsed to and clicked the Yahoo button again but received the same error
It appears as if the new Cryptography DLL was not being "picked up" by ASP.NET and used. So, next I tried:
Removing the DLL from the GAC
Restarting the machine
Added the Cryptography DLL as a reference to the OpenIdRelyingPartyWebForms sample and re-compiled and published it, overriding the exisiting IIS website files
Browsed to and clicked the Yahoo button again but received the same error
Any ideas on how I can get past this problem with HMACSHA256?
You need to configure .NET itself to create the FIPS-compliant versions of the required algorithms. Please check out this previously filed and fixed issue, including the comments, for guidance on how to proceed.
Using Andrew's comment/link I was able to get the solution working. However, I was never able to overcome the FIPS issue using .NET Framework 3.5. I had to upgrade to .NET Framework 4.0 and then add the following to the root configuration element of the machine.config XML file:
<mscorlib>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
<cryptoClass CoreSHA512="System.Security.Cryptography.SHA512Cng, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<cryptoClass CoreSHA384="System.Security.Cryptography.SHA384Cng, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<cryptoClass CoreSHA256="System.Security.Cryptography.SHA256Cng, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</cryptoClasses>
<nameEntry name="System.Security.Cryptography.SHA512" class="CoreSHA512"/>
<nameEntry name="System.Security.Cryptography.SHA384" class="CoreSHA384"/>
<nameEntry name="System.Security.Cryptography.SHA256" class="CoreSHA256"/>
</cryptoNameMapping>
</cryptographySettings>
</mscorlib>
In case the XML was stripped out above, follow the link that Andrew provided and you'll find the XML in the post by joeudwin. I removed the lines for "TestHMACSHA512" and duplicated the lines for "TestSHA512" for 384 and 256 entries. I did not need to download Security.Cryptography.dll from CodePlex.
Related
Been on this for hours...
New Windows 2012 server, fresh IIS 8 installation with all asp.net, 3.5, 4.5, ISAPI extensions/filters/whatever all installed.
Application pool is 4.0 and integrated mode. This is only website using that app pool.
Try and run website with index.vbhtml as default document (after adding it to default documents) and I get "cannot server this sort of page" "explicitly forbidden".
I look at "handler mappings" in IIS manager. .vbhtml is set to "forbiddenhandler" so I changed it to "System.Web.DefaultHttpHandler, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a".
Now I just get "The DefaultHttpHandler.BeginProcessRequest method is not supported by IIS integrated pipeline mode"
I'm now stuck! What's the problem with this darned server please?
IIS shouldn't directly serve those files, they are rederred through the MVC pipeline through a controller. If you have a file say, /Views/Home/Index.cshtml, you should be navigating to http://siteurl/home/index to see the content from that page via the Index action on your Home controller.
NOTE: Based on comment thread below, OP's underlying issue appears to have been with the installation (or lack of) ASP.NET MVC (or a corrupted installation, as he states in the comments that he did have it installed)
I have seen many posts here and elsewhere regarding this error. In every case the solution is to either uninstall any 32-bit office components, or to change the target platform of the .NET project that's trying to access the driver to x86 instead of Any CPU. Neither of those solutions worked for me.
Here are the details. I have two ASP.NET sites on the same server running Windows Server 2008. One is a production site and the other is a staging site. I am trying to generate an Excel file via OLEDB. The production site produces the file with no problem. The staging site throws this error. Both sites are identical except for the host headers and the SQL Server database they connect to. The target framework for both is 4.5 and the App Pool is set to use 4.0.
Has anyone else come had this problem?
Turned out to be an IIS7 configuration problem. Each site had its own App Pool. On the advanced settings dialog, under (General), there is an attribute named Enable 32-Bit Applications. This attribute was set to True on the stage site. Changing it to False resolved the issue.
i am trying to deploy simple asp.net mvc frameworkd application in may shared hosting and i get erro like this:
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
http://test.pakabink.lt/
In my control panel i am seting "ASP.NET 2.0 Full Trust". What i need to ask for server administrator to change?
You should be able to bin deploy and run the MVC framework in medium trust. There is a possibility that there is some other permission that the hosting company has taken away but it should work. Are you testing with the default MVC project? If you are using other components (Structure Map, for example), that may be causing the error.
Check out Bin Deploying ASP.NET MVC from Phil Haack about deploying and the required trust level.
Medium trust does not allow certain Reflection operations. I guess some part of your code does or calls other part(s) of code.
Web deploy copies some System.Web dlls to bin folder, for example System.web.MVC but not all. It is kind of lot of debugging to determine which ones are missing, like the previous comment said about reflection methods.
I'm just starting with ASP.NET MVC and I was trying the Authentication with this new architecture.
So, I started following a tutorial in the official site and, while I was trying to add some users through the Web Site Administration Tool, I found this error:
There is a problem with your selected data store. This can be caused by
an invalid server name or credentials, or by insufficient permission.
It can also be caused by the role manager feature not being enabled.
Click the button below to be redirected to a page where you can choose
a new data store.
The following message may help in diagnosing the problem: Could not load type
'MyMvcApp.MvcApplication'.
Now, the only thing I changed in the web.config was the connection string and, I'm sure the connection string is not the problem (is the same I'm using in other project).
EDIT: Here is the connection string: "Data Source=myMachine\SqlExpress;Initial Catalog=TestDB;User ID=TestUser;Password=123456"
I tried several things and googled a lot, but nothing worked.
So, any ideas? as I said, I did not change anything in the web.config besides the connection string.
Thanks in advance,
Found the problem: I just need to COMPILE the solution BEFORE starting the WSAT.
Thanks to everyone for your answers.
Well, like the message says, this feature requires real management enabled, and the default MVC web site template has this disabled. Go into Web.config and change:
<roleManager enabled="false">
to
<roleManager enabled="true">
One other thing to check: Make sure that when you create the SQL Membership Provider metadata you connect as a user who will be useful at runtime. In other words, if you connect as sa, then the metadata will be in the dbo schema. But if you connect as yourself, then the metadata will be in your schema, which isn't necessarily useful to other applications. You should run SQL Server Management Studio in order to verify in which schema the metadata is placed.
I have installed .NET Framework 3.5 SP1 and ASP.NET MVC CTP in a Windows Server 2003 R2 box, but my ASP.NET MVC site still doesn't work on that server. I was searching the internet and IIS for a solution and I noted that I can't choose other .NET Framework version besides 2.0 for my virtual directories. I'm almost sure if I correct this I can make my site work there.
Currently the main "/" URL answers with:
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
And the "/Default.aspx" URL answers with:
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Section or group name 'system.web.extensions' is already defined.
Phil Haack has a pretty good writeup here
http://haacked.com/archive/2008/11/26/asp.net-mvc-on-iis-6-walkthrough.aspx
I had the similar issue.
I recently upgraded my server to support .net framework 4.0.
Converted my application to support .net fx 4.0.
Deployed the application on sever and trying to test .. I get "HTTP Error 404 - File or directory not found"
Solution
Open IIS Manager, expand the master server node (i.e, the Servername node), and then select the Web service extensions node.
In the right pane of IIS Manager, right-click the extension "ASP.NET v4.0.*".
Click the Allow button.
Besides Jason's answer, the common things to look for is:
Enable Wildcard mapping and point it to the aspnet assembly Phil mentions in Jason's link.
The /default.aspx error you are getting seems to be a web.config configuration error. At the very top of your web.config, look for:
<sectionGroup name="system.web.extensions"
Most likely it is defined twice. You only need the reference for the RC build you have. If you need the exact RC references, create a new ASP.NET MVC Web Project in a temp folder. And then grab the web.config from it.
-E
I also encountered this problem, in my case the solution was to uninstall the ASP.NET MVC Beta.
The application I was trying to get working had the version 1 MVC dlls bin deployed and once the Beta was uninstalled it all worked fine.
Similar issue: We tried to install an MVC4/.NET 4 app on an IIS6 box, set up everything as described, and got same error:
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
For us, the final fix was to add the UrlRoutingModule to the web.config:
<add name="UrlRoutingModule"
type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
Which makes sense, but I don't know why we needed to explicitly add it and others didn't. (We are running in a directory under Sharepoint, maybe related...)