While creating an AD connector in SCSM 2012 R2 a few months back I got the following error:
Server request failed for command 3
Exception message:Exception has been thrown by the target of an invocation..
StackTrace: at System.RuntimeMethodHandle._InvokeConstructor(Object args, SignatureStruct& signature, IntPtr declaringType)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object args)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.a02(Byte s, Byte k, Byte v)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.a01(String s)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.RegisterDataSource(DataSourceObject ds, Int32 solutionId)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.SessionManager.DataProvider.RegisterDataSource(XPathNavigator node, Int32 connectorId, Int32 groupId, Boolean enabled, Int32& dataSourceId, String& filter, Boolean& notify)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.SessionManager.DataProvider.RegisterSyncSchedule(XPathNavigator node)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.Configure(XPathNavigator xpath)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.ApplyDataSyncByPropertyBag(Dictionary`2 propertyBag)
at Microsoft.EnterpriseManagement.LinkingFramework.LinkingFrameworkServerRequest.doUpdateDataSource(Guid g)
at Microsoft.EnterpriseManagement.LinkingFramework.LinkingFrameworkServerRequest.createDataSource(Guid g)
at Microsoft.EnterpriseManagement.LinkingFramework.LinkingFrameworkServerRequest.LinkingFrameworkRequest(Int32 commandId, ResultSet values)
Exception message:This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms..
StackTrace: at System.Security.Cryptography.RijndaelManaged..ctor()
The connector was created but would not run, and when I tried to delete the connector I got an error:
An error was encountered while running the task
The key to this error is the final exception message in the output above (the inner exception thrown by the RijndaelManaged constructor), which states:
Exception message:This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms
Network Steve touched on the error and the solution in his blog post: http://www.networksteve.com/forum/topic.php/SCSM_Active_Directory_Error/?TopicId=38758&Posts=0
However, I wanted to explain this a little more.
What is FIPS?
The United States Federal Information Processing Standard (FIPS) 140 defines the cryptographic algorithms approved by the US Federal government for use on its computer systems. An implementation of an approved algorithm is considered FIPS 140-compliant only if it has passed validation by the National Institute of Standards and Technology (NIST).
Enabling FIPS mode in your environment makes Windows and its subsystems use only FIPS-validated cryptographic algorithm implementations. It also causes the .NET Framework to refuse to instantiate non-validated implementations (such as RijndaelManaged, the class in the stack trace above), which is exactly what the connector code trips over.
For more details on what FIPS is, see https://en.wikipedia.org/wiki/FIPS_140-2 and http://technet.microsoft.com/en-us/library/cc750357.aspx
Microsoft originally recommended in its Security Baselines that FIPS mode be turned on, but has since revised that recommendation: http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
How do I tell if it is enabled?
On the management server from which you are creating the AD connector, first check the registry:
If the key has the Enabled value set to 1, then FIPS mode is enabled locally and you can change this value to 0 to disable the policy.
If the key has the Enabled value set to 0, then it is disabled at this level and the policy is being enforced elsewhere, probably via Group Policy.
To check the Group Policy state, open the Local Security Policy editor, navigate to Local Policies > Security Options, and find the policy titled “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.
If this is enabled, the policy is being set via Group Policy. Speak to your policy admins about setting an exception for this server.
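The check above, scripted. This is an added example and not part of the original post or of SCSM; it uses only the standard Windows FIPS policy key (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, DWORD value Enabled), the .NET CryptoConfig.AllowOnlyFipsAlgorithms property, and a secedit export. It also reproduces the .NET behaviour described in the “What is FIPS?” section by attempting the exact RijndaelManaged constructor from the stack trace. The secedit line format and temp file name are assumptions; run it from an elevated prompt on the management server.

```powershell
# Added example (not from the original post): report where FIPS mode is
# coming from on this management server and whether .NET will reject
# RijndaelManaged, the constructor that fails in the stack trace above.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsRegistryState {
    # Returns 1 if the local registry value says FIPS mode is on, 0 if off,
    # and $null if the value is absent (Windows treats absent as off).
    $item = Get-ItemProperty -Path $fipsKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Enabled
}

function Test-DotNetFipsEnforced {
    # Ask the .NET Framework directly; this is the switch the
    # RijndaelManaged constructor consults before throwing.
    return [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
}

function Test-RijndaelManagedAllowed {
    # Try the exact constructor from the connector's stack trace. Under FIPS
    # mode this throws "This implementation is not part of the Windows
    # Platform FIPS validated cryptographic algorithms".
    try {
        $null = New-Object System.Security.Cryptography.RijndaelManaged
        return $true
    } catch {
        return $false
    }
}

function Get-SecurityPolicyFipsLine {
    # Export the effective security policy and pull the FIPS setting out.
    # Assumption: the exported .inf lists it under [Registry Values] as
    # MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled=4,<0|1>
    $tmp = Join-Path $env:TEMP 'secpol-fips-check.inf'   # hypothetical temp file name
    secedit /export /cfg $tmp /quiet | Out-Null
    $line = Select-String -Path $tmp -Pattern 'FipsAlgorithmPolicy' | Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if ($line) { return $line.Line.Trim() } else { return $null }
}

function Disable-LocalFipsPolicy {
    # The registry change the post describes (Enabled -> 0). Only useful when
    # the value is set locally; Group Policy will simply write it back on the
    # next refresh, which is why the GPO exception in the text is needed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($fipsKey, 'Set Enabled to 0')) {
        Set-ItemProperty -Path $fipsKey -Name 'Enabled' -Value 0 -Type DWord
    }
}

"FIPS registry value    : $(Get-FipsRegistryState)"
"AllowOnlyFipsAlgorithms: $(Test-DotNetFipsEnforced)"
"RijndaelManaged usable : $(Test-RijndaelManagedAllowed)"
"Security policy line   : $(Get-SecurityPolicyFipsLine)"
```

If the registry value reads 1 but Disable-LocalFipsPolicy is followed by the value returning to 1 after gpupdate, the setting is being pushed by Group Policy and only a GPO exception for this server will clear it. Note that AllowOnlyFipsAlgorithms is read once per process, so restart the SCSM console and the Microsoft Monitoring Agent service after changing the policy before retrying the connector.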
One last point: once a connector creation has been attempted and has failed, the connector cannot be deleted via the console. The only way to get rid of it is via good-ol’ PowerShell.