4

I want to disable FIPS in an ASP.NET x64 application. In web.config I added

<runtime>
    <enforceFIPSPolicy enabled = "false">
</runtime>

I set debug to false.

However, my application does not work. Should I declare the runtime section in <configSections>? If yes, then is this a proper line:

<section name="runtime" type="System.Configuration.IgnoreSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowLocation="false"/>
Darqer

1 Answer

7

Solution only works for IIS >= 7.5

It doesn't look like IIS allows you to manipulate this setting through a web application's web.config. One work-around is to create a dedicated App Pool (or multiple), and configure the App Pool's CLR with FIPS enforcement disabled. IIS 7.5 introduced a CLRConfigFile property that you can use to specify an App Pool's .NET configuration file. This gives us more granular control over which applications the configuration impacts - instead of the shotgun approach where we disable it in machine.config or the group policy setting.

1. Create a configuration file, c:\inetpub\AppPoolClrConfig\noFipsWeb.config, with the following content (the location and name of the file are immaterial):

<configuration>
    <runtime>
        <enforceFIPSPolicy enabled = "false" />
    </runtime> 
</configuration>

2. Grant read permissions on the file to the identity under which the App Pool runs:

icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\YourAppPoolName":(R)

3. Configure the App Pool to load this config file by setting the pool's CLRConfigFile property:

cmd:

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='{AppPoolName}'].CLRConfigFile:"{FilePath}"  /commit:apphost

sample:

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost

Due to a bug in IIS 7.5, we need to also clear the managedRuntimeLoader property or else the CLRConfigFile will be ignored:

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].managedRuntimeLoader:""  /commit:apphost

4. Restart IIS. Your ASP.NET applications that are using the App Pool above should now be ignoring FIPS.

Credits to:

Scott Forsyth for explaining how to configure an app pool to use a different CLR file than the standard aspnet.config file.

Jose Reyes for documenting the bug in IIS 7.5 that ignored the CLRConfigFile Property

Tomalak
Tung
  • This worked fine on my local machine but messed up the App pool on the server and the site would fail to load. I had to remove and re-create the app pool to fix it. – Vishal Apr 24 '18 at 21:00
  • Thanks for the feedback, @Vishal. After you recreated the app pool on the server, did the solution at least work? In what way was the app pool messed up? What were the errors that you received when trying to access the web application (that made the site inaccessible)? I'm interested in improving the answer if there are gotchas. – Tung Apr 25 '18 at 02:27
  • You're welcome @Tung. No, post the recreation of the app pool, the applied settings were reset, which is what I was hoping for. Unfortunately, I don't have the exact error at this point but the site would fail to load and the app pool would get stopped. If I started the app pool again and browsed the site, I would get the same results. Hope it helps. – Vishal Apr 25 '18 at 15:54
  • Works perfectly fine with Windows Server 2016 and IIS 10. Thank you for the detailed answer. – A P Aug 22 '18 at 14:43
  • It took 5h from my weekend to figure out that I just need to add to my "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config" I hate FIPS so much – HB MAAM Oct 03 '20 at 07:17
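The four steps in the answer above, scripted end to end with a read-back check, as an added example that is not part of the answer or of any IIS documentation. It reuses the answer's file path and commands; the pool name `YourAppPoolName`, the `$SiteRoot` folder used for the check page, the `fipscheck.aspx` file name and the `http://localhost/...` URL are placeholders and assumptions, and the script assumes an elevated PowerShell session on the IIS host. The check page prints `CryptoConfig.AllowOnlyFipsAlgorithms`, which is the value the worker process itself sees, so it is the only authoritative confirmation that the per-pool config was honoured (reading applicationHost.config back only proves the attribute was stored).

```powershell
# Added example: automates the answer's steps 1-4 for one app pool, then verifies.
# Assumed/placeholder values (not from the page): pool name, $SiteRoot, check page name.
param(
    [string]$PoolName   = 'YourAppPoolName',                                 # placeholder
    [string]$ConfigPath = 'c:\inetpub\AppPoolClrConfig\noFipsWeb.config',   # path from the answer
    [string]$SiteRoot   = 'c:\inetpub\wwwroot'                               # assumed site root for the check page
)

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Run an external command and stop on a non-zero exit code instead of silently continuing.
function Invoke-Checked([string]$Exe, [string[]]$Args) {
    & $Exe @Args
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Args -join ' ') failed with exit code $LASTEXITCODE" }
}

# Step 1: write the per-pool CLR configuration file (same content as the answer).
New-Item -ItemType Directory -Force -Path (Split-Path $ConfigPath) | Out-Null
@'
<configuration>
    <runtime>
        <enforceFIPSPolicy enabled="false" />
    </runtime>
</configuration>
'@ | Set-Content -Path $ConfigPath -Encoding UTF8

# Step 2: read-only access for the pool identity. The file steers CLR policy for the
# worker process, so the pool identity must not be able to modify it.
Invoke-Checked 'icacls' @($ConfigPath, '/grant', "IIS APPPOOL\${PoolName}:(R)")

# Step 3: point the pool at the file, then clear managedRuntimeLoader (the IIS 7.5 bug
# the answer describes). The empty value mirrors the answer's managedRuntimeLoader:"".
Invoke-Checked $appcmd @('set', 'config', '-section:system.applicationHost/applicationPools',
                         "/[name='$PoolName'].CLRConfigFile:$ConfigPath", '/commit:apphost')
Invoke-Checked $appcmd @('set', 'config', '-section:system.applicationHost/applicationPools',
                         "/[name='$PoolName'].managedRuntimeLoader:", '/commit:apphost')

# Step 4: restart IIS so the worker process is recreated with the new CLR settings.
Invoke-Checked 'iisreset' @()

# Check A: read back what applicationHost.config now holds for this pool.
$stored = (& $appcmd list apppool $PoolName /text:CLRConfigFile).Trim()
if ($stored -ne $ConfigPath) { throw "CLRConfigFile not applied; stored value is '$stored'" }
Write-Host "applicationHost.config: CLRConfigFile = $stored"

# Check B: confirm inside the worker process. AllowOnlyFipsAlgorithms is true when FIPS
# enforcement is active for that process; the page should therefore render 'False'.
$checkPage = Join-Path $SiteRoot 'fipscheck.aspx'   # assumed name; remove it after checking
'<%@ Page Language="C#" %><%= System.Security.Cryptography.CryptoConfig.AllowOnlyFipsAlgorithms %>' |
    Set-Content -Path $checkPage -Encoding ASCII
Write-Host "Browse http://localhost/fipscheck.aspx (assumed URL) from a site bound to '$PoolName'; expect 'False'."
```

If Check A passes but the page still renders `True`, the pool is not the one serving the site, or the worker process was not recycled; `iisreset` covers the latter. The check page exposes nothing beyond a boolean, but it has no reason to stay on a production site, so delete it once the value has been confirmed.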