Project Server: SharePoint Installation issues when using FIPS

Most days I learn something new, and yesterday was no exception.  I was working with one of our Senior Consultants, Rob Bowers, on an installation problem.  The SharePoint Configuration Wizard was failing during the initial configuration of the farm on step 3.  The error that came up was:

Configuration Failed.  One or more configuration settings failed.  Completed configuration settings will not be rolled back.  Resolve the problem and run this configuration wizard again.  The following contains detailed information about the failure:

Failed to create the configuration database.

An exception of type System.InvalidOperationException was thrown.  Additional exception information:  This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

In the PSCDiagnostics log created during the execution of the wizard the same errors could be seen – the first was:

Task configdb has failed with an unknown exception , followed by

Exception: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA256Managed..ctor()
   at Microsoft.SharePoint.UserCode.SPSolutionValidatorCollection.ComputeHash()
   at Microsoft.SharePoint.Administration.SPUserCodeService.UpdateValidatorsHash()
   at Microsoft.SharePoint.Administration.SPPersistedChildCollection`1.Add(T newObj, Boolean ensure)…

A quick search (Bing of course) found that FIPS was referring to the Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.  An article on TechNet has a security note that mentions some potential issues with workflows – but not the failure in the configuration wizard.  Another great link from Mahesh Srinivasan at helped move things in the right direction.  Even with FIPS not enabled through group policy settings there can still be registry keys set that are enabling some of the features.  In Rob’s case, like Mahesh, he found that the two keys were set to 1 – enabled, and a third key was set to 0 – disabled.  The keys were:

    • HKLMSYSTEMControlSet001ControlLSAFipsAlgorithm
    • HKLMSYSTEMControlSet002ControlLSAFipsAlgorithm
    • HKLMSYSTEMCurrentControlSetControlLSAFipsAlgorithm

Until each of these was set to 0 the error above blocked running of the configuration wizard.  Remember, any time you are changing registry keys you should take back-ups.  Obviously this change is something you should to talk to your platform security team about too – as if you are changing these values you may need to get an exception to your company’s hardening policy for your SharePoint servers.

FIBS 104-2 is intended to ensure that only only validated cryptographic modules are used in software when securing data.  SharePoint uses cryptographic modules, for example MD5,  that are not validated – but it is in fact not using them to secure data but to create hash values that are used as unique identifiers.  It is this action that FIPS is blocking that causes the failure in the configuration wizard.

For more information on FIPS 104-2 see, and for general FIPS information see