ADFS error message on a Windows Server 2003 R2-based computer: "The implementation is not part of Windows platform FIPS validated cryptographic algorithms"

Consider the following scenario on a Windows Server 2003 R2-based computer:

• A Federal Information Processing Standard (FIPS)-compliant algorithm that is mentioned in the Microsoft Knowledge Base article 911722 is enabled.
• You turn off the debugging switch in the Web.config file.

In this scenario, Active Directory Federation Services (ADFS) cannot handle the exception in the following class and assembly:

• SHA1Managed class
• System.Web.Security.SingleSignOn.dll assembly

In addition, you receive the following error message:

To resolve this problem, install the hotfix that is mentioned in this article, and then create the FipsAlgorithmPolicy registry entry. To create the registry entry and to enable the hotfix, see the "Enable the hotfix" section.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 1 (SP1) or Windows Server 2003 Service Pack 2 (SP2) installed on the computer.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 SP1, x86-based versions

Windows Server 2003 SP2, x86-based versions

Windows Server 2003, x64-based versions

Windows Server 2003 SP2, x64-based versions

Enable the hotfix

After you install the hotfix, create the FipsAlgorithmPolicy registry entry to enable the hotfix. To do this, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, point to New, and then click DWORD Value.
4. In the details pane, type FipsAlgorithmPolicy, and then press ENTER.
5. Right-click FipsAlgorithmPolicy, and then click Modify.
6. In the Edit DWORD Value dialog box, under Base, click Decimal.
7. In the Value data box, type 1, and then click OK.
8. Exit Registry Editor.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

When this problem occurs, a stack trace that resembles the following is generated.

For more information, click the following article number to view the article in the Microsoft Knowledge Base: