Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Autodiscover does not work when FIPS is enabled in Exchange Server 2007



Symptoms

Assume that the Windows policy setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing is enabled on a Microsoft Exchange Server 2007 server. Users cannot connect to the Autodiscover service. When you try to open the Autodiscover.xml file (https://hostname/autodiscover/autodiscover.xml) in a web browser, you receive the following error message:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Note Federal Information Processing Standards (FIPS) is required by many federal agencies as an extra security layer, and it is supposed to work with Exchange Server 2007 Service Pack 3.



Cause

This is a known issue in Exchange Server 2007.

By default, the web.config file for the Autodiscover application pool contains the following entry.

Note The web.config file for Autodiscover is located by default in "C:\Program Files\Microsoft\Exchange Server\Client Access\Autodiscover."

<system.web>
   <compilation defaultLanguage="c#" debug="true" />
</system.web>

When debug is set to true, the Autodiscover service uses the MD5 algorithm, which is not FIPS compliant. This causes Autodiscover requests to fail.



Workaround

To work around this issue, use one of the following methods.

Note Any of these changes will require you to recycle the Autodiscover application pool.

Method 1

Remove the "<compilation defaultLanguage="c#" debug="true" />" line from the web.config file for Autodiscover.

Method 2

Set the value of "debug" to false in the web.config file for Autodiscover:
<compilation defaultLanguage="c#" debug="false" />

Method 3

If you must have this value set to true for some reason, you can make Autodiscover work by forcing it to use 3DES instead of MD5. To do this, add the following to the <system.web> section of the web.config file:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
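The following Python script is an added example, not part of the KB article or any Microsoft tool: it audits an Autodiscover web.config for the failing condition described above (compilation debug="true" with no 3DES machineKey) and applies Method 2 or Method 3 to the XML. The sample web.config text is constructed to match the default entry quoted in the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the default Autodiscover web.config entry quoted in the article.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
  </system.web>
</configuration>
"""

# The <machineKey> from Method 3: 3DES for both validation and decryption.
MACHINE_KEY_ATTRS = dict(validationKey="AutoGenerate,IsolateApps", decryptionKey="AutoGenerate,IsolateApps",
                         validation="3DES", decryption="3DES")

def _child(parent, tag):
    """First direct child with the given tag, or None (avoids XPath quirks with 'system.web')."""
    return next((c for c in parent if c.tag == tag), None)

def audit(xml_text):
    """Return (debug_enabled, has_3des_machinekey) for one web.config document."""
    system_web = _child(ET.fromstring(xml_text), "system.web")
    if system_web is None:
        return False, False
    comp = _child(system_web, "compilation")
    debug_enabled = comp is not None and comp.get("debug", "false").lower() == "true"
    mk = _child(system_web, "machineKey")
    has_3des = mk is not None and mk.get("validation") == "3DES" and mk.get("decryption") == "3DES"
    return debug_enabled, has_3des

def fails_under_fips(xml_text):
    """True when the article's failure condition holds: debug on and no 3DES machineKey."""
    debug_enabled, has_3des = audit(xml_text)
    return debug_enabled and not has_3des

def apply_workaround(xml_text, method=2):
    """Apply Method 2 (debug="false") or Method 3 (add 3DES machineKey); return the new XML text."""
    root = ET.fromstring(xml_text)
    system_web = _child(root, "system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    if method == 2:
        comp = _child(system_web, "compilation")
        if comp is not None:
            comp.set("debug", "false")
    elif method == 3:
        if _child(system_web, "machineKey") is None:
            ET.SubElement(system_web, "machineKey", MACHINE_KEY_ATTRS)
    else:
        raise ValueError("method must be 2 or 3")
    return ET.tostring(root, encoding="unicode")
```

After writing the result back to web.config, the Autodiscover application pool still has to be recycled, as the note above says.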




Keywords: KB2952457, kbexpertiseinter, kbtshoot, kbsurveynew


Article Info
Article ID : 2952457
Revision : 2
Created on : 4/21/2014
Published on : 4/21/2014
Exists online : False
Views : 243