
Having FIPS enabled on the Remediation page is causing this error: Legacy encryption is not supported in FIPS mode. ITMS

Article ID: 199972

Products

Patch Management Solution

Issue/Introduction

When you go to "Home>Patch Management>Settings>Remediation", you get a generic page.


The NS logs show:
 
Failed to process web request.

Exception of type 'System.Web.HttpUnhandledException' was thrown.
   [System.Web.HttpUnhandledException @ System.Web]
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(HttpContext context)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(HttpContext context)

Legacy encryption is not supported in FIPS mode.
   [Altiris.NS.Exceptions.NSComException @ Altiris.NS]
   at Altiris.NS.Security.Cryptography.SymmetricKeyInfo.EncryptedData.GetLegacyAlgorithm(SymmetricKeyInfo keyInfo)
   at Altiris.NS.Security.Cryptography.SymmetricKeyInfo.EncryptedData.GetSymmetricAlgorithm(SymmetricKeyInfo keyInfo)
   at Altiris.NS.Security.Cryptography.SymmetricKeyInfo.GetAlgorithm(Byte[] encryptedData, Int32& headerSize, Int32& encryptedBufferSize)
   at Altiris.NS.Utilities.BasicCrypto.Decrypt(Byte[] encryptedData, SymmetricKeyInfo keyInfo)
   at Altiris.NS.Utilities.BasicCrypto.DecryptStringFromBase64String(String encryptedData, SymmetricKeyInfo keyInfo)
   at Altiris.PatchManagementCore.Policies.PatchManagementVendorPolicy.DecryptPassword(String encryptedPassword)
   at Altiris.PatchManagementCore.Web.Policies.PMVendorPolicy_PackageServer.OnDataBinding(EventArgs e)
   at System.Web.UI.Control.DataBind(Boolean raiseOnDataBinding)
   at System.Web.UI.Control.DataBindChildren()
   at System.Web.UI.Control.DataBindChildren()
   at System.Web.UI.Control.DataBind(Boolean raiseOnDataBinding)
   at System.Web.UI.Control.DataBindChildren()
   at System.Web.UI.Control.DataBind(Boolean raiseOnDataBinding)
   at System.Web.UI.Control.DataBindChildren()
   at System.Web.UI.Control.DataBindChildren()
   at System.Web.UI.Control.DataBind(Boolean raiseOnDataBinding)
   at System.Web.UI.Control.DataBindChildren()
   at System.Web.UI.Control.DataBind(Boolean raiseOnDataBinding)
   at Altiris.PatchManagementCore.Web.Policies.PMVendorPolicyPage.Page_Load(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at Altiris.NS.UI.Controls.PageCachePage.OnLoad(EventArgs e)
   at Altiris.PatchManagementCore.Web.Policies.PMVendorPolicyPage.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

COM Exception errcode: 0x8007700E

Exception logged from:
   at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

HTTP [GET]http://localhost/Altiris/PatchManagementCore/Policies/PMVendorPolicy.aspx?ItemGuid=1bf89561-394a-42e1-88b2-bae5f42874cc
 ip: [199.123.115.101]; languages: [en-US];
 timings: [[R] 00:00:00.0781271(W: 00:00:00.0156033)];
 response: [200 OK]; x-smp-nsversion: [8.5.5713.0];

-----------------------------------------------------------------------------------------------------
Date: 9/16/2020 3:16:33 PM, Tick Count: 16104781 (04:28:24.7810000), Size: 4.65 KB
Process: w3wp (9244), Thread ID: 1134, Module: Altiris.NS.UI.dll
Priority: 1, Source: Altiris.NS.UI.AltirisPage.ProcessRequest

You can see the same error if you go to:

Settings menu>All Settings>Software>Patch Management>Windows Settings>Windows Patch Remediation Settings

 

If you disable FIPS, the page loads just fine.

Cause

Corrupted entry. The password reference cannot be decrypted because of the FIPS settings. The stack trace shows that decryption switches to legacy mode because the data is not encrypted with a FIPS-compliant algorithm.
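One way to read that stack trace programmatically, as an added example (not Broadcom's code): the function scans NS log text for the error and reports the first frame below the crypto helpers, which is the component that owns the legacy-encrypted value, together with the ItemGuid of the requested page. It assumes log entries are separated by a dashed rule as in the log above; the sample text is constructed from that log.

```python
import re

# Constructed sample: a trimmed excerpt shaped like the NS log entry on this page.
SAMPLE_LOG = """\
Legacy encryption is not supported in FIPS mode.
   [Altiris.NS.Exceptions.NSComException @ Altiris.NS]
   at Altiris.NS.Security.Cryptography.SymmetricKeyInfo.EncryptedData.GetLegacyAlgorithm(SymmetricKeyInfo keyInfo)
   at Altiris.NS.Utilities.BasicCrypto.Decrypt(Byte[] encryptedData, SymmetricKeyInfo keyInfo)
   at Altiris.PatchManagementCore.Policies.PatchManagementVendorPolicy.DecryptPassword(String encryptedPassword)
   at Altiris.PatchManagementCore.Web.Policies.PMVendorPolicy_PackageServer.OnDataBinding(EventArgs e)

HTTP [GET]http://localhost/Altiris/PatchManagementCore/Policies/PMVendorPolicy.aspx?ItemGuid=1bf89561-394a-42e1-88b2-bae5f42874cc
-----------------------------------------------------------------------------------------------------
Failed to process web request.
   at System.Web.UI.Page.ProcessRequest()
-----------------------------------------------------------------------------------------------------
"""

MARKER = "Legacy encryption is not supported in FIPS mode."
FRAME = re.compile(r"^\s+at\s+([\w.+]+)\(")
GUID = re.compile(r"ItemGuid=([0-9a-fA-F-]{36})")
# Namespaces of the crypto helpers seen in the trace; frames in them are skipped.
CRYPTO_NS = ("Altiris.NS.Security.Cryptography.", "Altiris.NS.Utilities.BasicCrypto.")


def find_legacy_decrypt_failures(log_text):
    """Return one dict per log entry that hit the FIPS legacy-encryption error."""
    findings = []
    log_text = log_text.replace("\r\n", "\n")
    # Assumption: entries are delimited by a long dashed rule, as in the log above.
    for entry in re.split(r"^-{20,}\s*$", log_text, flags=re.M):
        if MARKER not in entry:
            continue
        # Only the frames of the exception block that directly follows the marker.
        block = entry.split(MARKER, 1)[1].split("\n\n", 1)[0]
        frames = [m.group(1) for line in block.splitlines() if (m := FRAME.match(line))]
        # The first frame outside the crypto helpers is the product code that
        # requested the decryption, i.e. the owner of the stored value.
        caller = next((f for f in frames if not f.startswith(CRYPTO_NS)), None)
        guid = GUID.search(entry)
        findings.append({"caller": caller, "item_guid": guid.group(1) if guid else None})
    return findings


if __name__ == "__main__":
    for finding in find_legacy_decrypt_failures(SAMPLE_LOG):
        print(finding)
```
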

Environment

ITMS 8.5 RU4

Resolution

If you can disable FIPS:

Before you enable FIPS again, do the following:

1. Now that the page opens, under Settings menu>All Settings>Software>Patch Management>Windows Settings>Windows Patch Remediation Settings, go to the "Programs" tab. Check if you have the option "Specified User" selected. Clear out this section.

2. Then, change it to "System Account" and save the change.

3. Make sure that the page also loads under Home>Patch Management>Settings>Remediation.

4. Then enable FIPS again and check whether these pages still load. If they do, add the correct user again under the "Specified User" section of the "Programs" tab, save the change, and check that it works. If it works, you only need to decide whether an account needs to be set up there at all, and whether the account/password in question is still valid.

By default, no user is specified there; "System Account" is used.

 

If you CAN'T disable FIPS:

1. Go to "Settings menu>All Settings>Software>Patch Management>Windows Settings>Windows Patch Remediation Settings" and export "Windows Patch Remediation Settings" as XML.

 

2. Open the exported XML in edit mode, remove the value of the password field, and save the changes.

 

3. Import the modified .XML by right-clicking the "Windows Settings" folder, open the imported "Windows Patch Remediation Settings", go to the "Programs" tab, specify the required user account name and password there, and save the changes.