Friday, August 23, 2013

Deploying SCOM 2012 SP1 in FIPS Enabled Environment (pt2)

Part 1 was mostly about how to detect whether FIPS is enabled and how to fix the problem it causes for SSRS. This post covers the SCOM Management Servers and how to resolve the issue there.

Assuming that SSRS is now fixed and you are able to browse the reports in the browser, you proceed to bring up the SCOM server. After a while, the SCOM server will raise a Warning indicating that the XML for the configuration cannot be loaded due to a FIPS compliance issue.

Well, you should be able to resolve the issue with the solutions posted in this article, and it should work nicely.

If you are installing the SCOM MS on Windows Server 2012, you may need to install the Windows SDK or the Visual Studio Command Prompt in order to run gacutil.exe. Another way to proceed without installing the additional software is to use remotegacutil, from http://remotegacutil.codeplex.com/, which lets you install the required DLL easily. The only requirement for this tool is that .NET 3.5 is installed.

Monday, August 12, 2013

Deploying SCOM 2012 SP1 in FIPS Enabled Environment (pt1)

In one of my earliest posts, the SCOM installation checklist, one of the items is to check whether FIPS (Federal Information Processing Standards) is enabled in the deployment environment. (You can learn more about FIPS here.)

As time went by, I stumbled upon yet another SCOM deployment where FIPS was enabled as part of the client's security hardening. What I did was first install SQL Server and Reporting Services, and then verify that the SSRS web page was accessible before building my SCOM servers. What I least expected was that the report page was completely blank. Setting IE not to display friendly error messages did not show any error on the page either. I got stuck, and after some searching here and there, it seemed it might be due to FIPS being enabled in the environment.

To find out whether FIPS is enabled, launch the Registry Editor and locate the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy

If it is enabled, the value will be 1.


First, fix the SSRS blank page issue. Browse to <drive>:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\LogFiles, open the log files and search for FIPS. If it is a FIPS-related issue, the log will contain an error message that mentions FIPS.

When you see the error message above, do the following.

    1. In a text editor such as Notepad, open the Report Manager Web.config file, which is located in the default path: <drive>:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportManager.
    2. In the Web.config file, locate the <system.web> section.
    3. Add the following <machineKey> element inside the <system.web> section:
      <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
    4. Save the Web.config file.
    5. Once done, restart Reporting Services and try to access the Reports page again. By now, you should be able to access the page.
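
The registry check and steps 1 to 4 above can also be scripted. The following PowerShell is an added example, not part of the original post: the function names are hypothetical, the default path assumes drive C: and a Web.config without an XML namespace on <configuration>, and it reads the DWORD value named Enabled under the key shown earlier.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Function names and the C: default path are assumptions for illustration.
function Test-FipsEnabled {
    # On Windows Server 2008 and later the policy is stored as the DWORD
    # value "Enabled" under the key named in the post.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Enabled -eq 1)
}

function Add-ReportManagerMachineKey {
    param(
        [string]$ConfigPath = 'C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportManager\Web.config'
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout intact
    $xml.Load($ConfigPath)

    $systemWeb = $xml.SelectSingleNode('/configuration/system.web')
    if ($null -eq $systemWeb) { throw "No <system.web> section in $ConfigPath" }

    # Never overwrite an existing machineKey; report it for manual review.
    if ($null -ne $systemWeb.SelectSingleNode('machineKey')) { return $false }

    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

    $mk = $xml.CreateElement('machineKey')
    $mk.SetAttribute('validationKey', 'AutoGenerate,IsolateApps')
    $mk.SetAttribute('decryptionKey', 'AutoGenerate,IsolateApps')
    $mk.SetAttribute('validation', '3DES')
    $mk.SetAttribute('decryption', '3DES')
    [void]$systemWeb.AppendChild($mk)
    $xml.Save($ConfigPath)
    return $true
}

if (-not (Test-FipsEnabled)) {
    Write-Output 'FIPS policy is not enabled; Web.config left unchanged.'
} elseif (Add-ReportManagerMachineKey) {
    Write-Output 'machineKey added (backup: Web.config.bak). Restart Reporting Services.'
} else {
    Write-Output 'machineKey already present; Web.config left unchanged.'
}
```

The script leaves an existing <machineKey> untouched and writes a Web.config.bak copy before saving, so the change can be reverted by restoring the backup.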