Orchestrator website and agent not running after adjusting Windows crypto libraries

Question

Orchestrator website and agent not running after adjusting Windows crypto libraries

Closed this issue 8 years ago · 1 comments

We had some crypto library updates on our computers over the weekend and since then our Falcon Orchestrator box can neither start the ETL service or edit the web site configurations. I get this error in the RunLog.txt and even just backing out the crypto changes we still can't get it to start. I've confirmed that there are no FIPS settings configured on the server, any thoughts?

2017-03-29 15:05:19,256 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA256Managed..ctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at System.Security.Cryptography.SHA256.Create()
at FalconOrchestrator.DAL.Crypto.DecryptText(String input, String password)
at FalconOrchestrator.DAL.AppConfiguration.get_FALCON_STREAM_KEY()
at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()

Answer 1 · 2017-03-29T21:13:54.000Z

As discussed on slack, the fix was to manually modify the registry entry for LOCAL MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy and set it to 0. For background to other folks that may run into this issue... the RijnadelManaged class is used from the Systsm.Security.Cryptography library within .NET in order to encrypt credentials prior to being stored in the database. For whatever reason, RijnadelManaged is not FIPS compliant. Thus if enabling the Use FIPS compliant algorithms for encryption, hashing, and signing policy via GPO (or use of another tool to do the same thing) you will receive the aforementioned error.

Given there's no security risk in the use of this crypto method, the recommendation/fix is to keep this this policy check on the Orchestrator server disabled. Closing this issue out as we've confirmed the service is functional again once disabling the policy check.