Error: “An Error Was Encountered While Running the Task” when Creating a Connector in SCSM

While creating an AD connector in SCSM 2012 R2 a few months back, I got the following error:

Server request failed for command 3
Exception type:TargetInvocationException
Exception message:Exception has been thrown by the target of an invocation..
StackTrace: at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at System.Security.Cryptography.Rijndael.Create()
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.a02(Byte[] s, Byte[] k, Byte[] v)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.a01(String s)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.RegisterDataSource(DataSourceObject ds, Int32 solutionId)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.SessionManager.DataProvider.RegisterDataSource(XPathNavigator node, Int32 connectorId, Int32 groupId, Boolean enabled, Int32& dataSourceId, String& filter, Boolean& notify)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.SessionManager.DataProvider.RegisterSyncSchedule(XPathNavigator node)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.Configure(XPathNavigator xpath)
at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.DatacenterClass.ApplyDataSyncByPropertyBag(Dictionary`2 propertyBag)
at Microsoft.EnterpriseManagement.LinkingFramework.LinkingFrameworkServerRequest.doUpdateDataSource(Guid g)
at Microsoft.EnterpriseManagement.LinkingFramework.LinkingFrameworkServerRequest.createDataSource(Guid g)
at Microsoft.EnterpriseManagement.LinkingFramework.LinkingFrameworkServerRequest.LinkingFrameworkRequest(Int32 commandId, ResultSet values)

Inner Exception:
Exception message:This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms..
StackTrace: at System.Security.Cryptography.RijndaelManaged..ctor()


The connector was created but would not run, and when I tried to delete the connector I got an error:

An error was encountered while running the task

The key to this error is the last line of the error message shown when creating the connector, which states:

Exception message:This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

Network Steve touched on the error and the solution in his Blog Post: http://www.networksteve.com/forum/topic.php/SCSM_Active_Directory_Error/?TopicId=38758&Posts=0

However, I wanted to explain this a little more.

What is FIPS?

The United States Federal Information Processing Standard (FIPS) 140 standard defines the cryptographic algorithms approved by the US Federal government for use on its computer systems. An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has passed validation by the National Institute of Standards and Technology (NIST).

Enabling FIPS mode within your environment makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms.

For more details on what FIPS is, see https://en.wikipedia.org/wiki/FIPS_140-2 and http://technet.microsoft.com/en-us/library/cc750357.aspx

Microsoft originally recommended in its Security Baselines that FIPS mode should be turned on; however, they have since revised that recommendation: http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

How do I tell if it is Enabled?

On the management server from which you are creating the AD Connector:

First check the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy

If the key has the Enabled value set to 1, then FIPS mode is enabled locally and you can change this value to 0 to disable the policy.

If this key has the Enabled value set to 0, then it is disabled here and the policy is being applied from elsewhere, probably via Group Policy.

To check the Group Policy state, open the Local Security Policy editor, open the Local Policies > Security Options node, and look for the policy titled “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.


If this is enabled, then the policy is being set via Group Policy. Speak to your policy admins about setting an exception for this server.
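The following script is an added example (not from the original post) that runs the same check from Windows PowerShell on the management server: it reads the FipsAlgorithmPolicy registry value, reports the state the .NET Framework actually enforces, and reproduces the RijndaelManaged failure from the stack trace alongside the FIPS-validated AesCryptoServiceProvider, which constructs fine under the same policy. It assumes Windows PowerShell (.NET Framework); on PowerShell 7 / .NET Core the FIPS check is never enforced, so the Rijndael test would always succeed there.

```powershell
# Added example: check the FIPS policy and reproduce the connector's crypto failure.
# Run in an elevated Windows PowerShell prompt on the SCSM management server.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # RegistryEnabled: raw value from the key the post describes (1 = on, 0 = off).
    # DotNetEnforced: what the .NET Framework will actually enforce for managed code,
    # which is what decides whether the connector's Rijndael.Create() call succeeds.
    $reg = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = $reg
        DotNetEnforced  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-RijndaelManaged {
    # Rijndael.Create() resolves to RijndaelManaged through CryptoConfig; that is the
    # constructor that throws in the connector's stack trace when FIPS mode is on.
    try {
        $r = [System.Security.Cryptography.Rijndael]::Create()
        $r.Dispose()
        'RijndaelManaged constructed: FIPS policy is not blocking it'
    } catch {
        # Unwrap the TargetInvocationException to get the FIPS message shown in the post.
        'RijndaelManaged blocked: ' + $_.Exception.GetBaseException().Message
    }
}

function Test-AesCryptoServiceProvider {
    # AesCryptoServiceProvider wraps the Windows CAPI AES implementation, which is
    # FIPS validated, so it constructs even when the policy is enabled.
    try {
        $a = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        $a.Dispose()
        'AesCryptoServiceProvider constructed OK'
    } catch {
        'AesCryptoServiceProvider failed: ' + $_.Exception.GetBaseException().Message
    }
}

Get-FipsPolicyState | Format-List
Test-RijndaelManaged
Test-AesCryptoServiceProvider
```

If DotNetEnforced is True while RegistryEnabled is 0 or empty, the setting is coming from Group Policy rather than the local key, which is the case the post describes.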

One last piece: once the connector has been created and has failed, it cannot be deleted via the console. The only way to get rid of the connector is via good-ol’ PowerShell.
