Symptom
Assume that you have Microsoft SQL Server 2012, 2014, or 2016 running on a server that has Federal Information Processing Standard (FIPS) enabled. In this situation, when you run or validate a Microsoft SQL Server Integration Service package (SSIS) that contains a data flow script component, you receive the following error message:
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.MD5 CryptoserviceProvider..ctor()
Note This issue occurs when the following registry subkey is set to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy
Cause
This issue occurs because SSIS uses the MD5 algorithm. The MD5 algorithm is not FIPS compliant.
Resolution
Service pack information
SQL Server 2016
To fix this issue in SQL Server 2016, get Service Pack 1 for SQL Server 2016.
Each new build for SQL Server 2016 contains all the hotfixes and all the security fixes that were included with the previous build. We recommend that you install the latest build for SQL Server 2016.
SQL Server 2014To fix this issue in SQL Server 2014, get Service Pack 2 for SQL Server 2014.
Each new update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous update. We recommend that you install the latest build for SQL Server 2014.
SQL Server 2012To fix this issue in SQL Server 2012, get Service Pack 3 for SQL Server 2012.
Each new update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous update. We recommend that you install the latest service pack for SQL Server 2012.
Workaround
To work around this issue, try one of the following methods:
-
Turn off the FIPS policy on the server. To do this, see the "To configure FIPS policy settings" section on the following TechNet website:
Additional System CountermeasuresNotes
-
You must restart the application for the new setting to take effect.
-
This setting affects the following registry value in Windows Server:
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\EnabledThis registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.
-
-
Use other Microsoft .NET solutions instead of the Script component.
Note The MD5 algorithm is hard-coded within the data flow Script component. Therefore, you cannot change this Script component.
More Information
SQL Server Integration services uses several Windows encryption algorithms that do not comply with FIPS 140-2, that are security requirements for cryptographic modules. For example, SSIS 2012 uses MD5. This does not comply with FIPS 140-2, for computing hash values that are not used for security. FIPS 140-2 defines security standards that the United States and Canadian governments use to validate security levels for products that implement cryptography.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.