The Get-FederatedDomainProof cmdlet fails in an Exchange Server 2010 SP1 environment

Article ID: 2644920

SYMPTOMS

Consider the following scenario:
  • You create a federation trust between a Microsoft Exchange Server 2010 Service Pack 1 (SP1) organization and Microsoft Federation Gateway.
  • The System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting is enabled on the server that is running Exchange Server 2010 SP1.
  • You use the Get-FederatedDomainProof cmdlet to generate a cryptographically secure string for the domain.
In this scenario, the cmdlet fails, and you receive the following error message:

WARNING: An unexpected error has occurred and a Watson dump is being generated: Exception has been thrown by the target of an invocation.
Exception has been thrown by the target of an invocation.

Exception has been thrown by the target of an invocation.
+ CategoryInfo : NotSpecified: (:) [Get-FederatedDomainProof], TargetInvocationException
+ FullyQualifiedErrorId : System.Reflection.TargetInvocationException,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof

Additionally, the following event is logged on the Exchange Server 2010 SP1 server:

Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: Date
Event ID: 8
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: Computer
Description:
(PID PID, Thread XX) Task Get-FederatedDomainProof throwing unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA512Managed..ctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof.ProcessForCertificate(String thumbprint, String propertyName)
at Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord().
CAUSE

This issue occurs because the cryptographic algorithm that is used to calculate the hash value of a domain name is not a U.S. Federal Information Processing Standards (FIPS)-certified cryptographic algorithm.
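The event log above shows the failure point: under the FIPS policy, the .NET SHA512Managed constructor throws InvalidOperationException, while the CryptoServiceProvider and CNG wrappers for the same algorithm are accepted. The following read-only diagnostic, added here as an example and not part of the KB article or of Exchange, reports the policy state and tries each SHA-512 implementation; it assumes the Windows Server 2008-style policy location (the FipsAlgorithmPolicy key with its Enabled value) and uses a constructed sample domain name.

```powershell
# Added example (not from the KB article): report whether the FIPS policy is
# enabled and which .NET SHA-512 implementations can be constructed under it.
# Assumes the Windows Server 2008 / 2008 R2 policy key FipsAlgorithmPolicy\Enabled.
Add-Type -AssemblyName System.Core   # SHA512Cng / SHA512CryptoServiceProvider live in System.Core (.NET 3.5+)

function Get-FipsPolicyState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = 0
    if (Test-Path $key) {
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
    New-Object PSObject -Property @{
        RegistryEnabled = [bool]$enabled
        # .NET reads the same policy; this flag is what the *Managed constructors check
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-Sha512Providers {
    param([string]$DomainName = 'contoso.example')   # constructed sample input, not a real tenant
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($DomainName)
    foreach ($typeName in 'System.Security.Cryptography.SHA512Managed',
                          'System.Security.Cryptography.SHA512CryptoServiceProvider',
                          'System.Security.Cryptography.SHA512Cng') {
        try {
            # -ErrorAction Stop turns a constructor failure into a catchable terminating error
            $h = New-Object $typeName -ErrorAction Stop
            $digest = [BitConverter]::ToString($h.ComputeHash($bytes)).Replace('-', '')
            $h.Clear()
            New-Object PSObject -Property @{ Provider = $typeName; Result = 'OK'; Detail = $digest }
        } catch {
            # New-Object wraps the ctor's InvalidOperationException; report the innermost message,
            # which under the policy reads "This implementation is not part of the Windows
            # Platform FIPS validated cryptographic algorithms." for SHA512Managed
            $inner = $_.Exception
            while ($inner.InnerException) { $inner = $inner.InnerException }
            New-Object PSObject -Property @{ Provider = $typeName; Result = 'FAILED'; Detail = $inner.Message }
        }
    }
}

Get-FipsPolicyState | Format-List
Test-Sha512Providers | Format-Table -AutoSize Provider, Result, Detail
```

Running this from a plain PowerShell session on the server before enabling the policy shows which implementations the policy will block; it reads the registry and does not change it.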

RESOLUTION

To resolve this issue, install the following update rollup:
2661854 Description of Update Rollup 2 for Exchange Server 2010 Service Pack 2

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting, click the following article number to view the article in the Microsoft Knowledge Base:
811833 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
For more information about how to create a federation trust, visit the following Microsoft website:
General information about how to create a federation trust
For more information about the Get-FederatedDomainProof cmdlet, visit the following Microsoft website:
General information about the Get-FederatedDomainProof cmdlet
For more information about FIPS-compliant algorithms, visit the following Microsoft website:
General information about FIPS compliant algorithms
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2644920 - Last Review: April 16, 2012 - Revision: 1.0
APPLIES TO
  • Microsoft Exchange Server 2010 Service Pack 1, when used with:
    • Microsoft Exchange Server 2010 Enterprise
    • Microsoft Exchange Server 2010 Standard
Keywords: 
kbqfe kbfix kbsurveynew kbexpertiseinter KB2644920
