FIPS 140-2 Compliancy with Microsoft Dynamics CRM 2011

Article ID: 2691911 - View products that this article applies to.
Expand all | Collapse all

Summary

Introduction

Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules [FIPS 140] is a U.S. Federal government standard that defines a minimum set of security requirements for products that implement cryptography. The standard is designed for cryptographic modules that are used to help secure sensitive, but unclassified information.

FIPS 140-1, the original working version of the standard, became official on January 11, 1994 and was in effect until May 25, 2002, when FIPS 140-2 became the mandatory standard for new products. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the National Institute of Standards (NIST) and the Communications Security Establishment of Canada (CSEC).

Microsoft Windows has a long history of participation in the CVMP under FIPS 140-2.

Note For more information about the details of Microsoft’s participation in the program, refer to the Technical Article FIPS 140 Evaluation at http://technet.microsoft.com/en-us/library/cc750357.aspx.

In most cases, the CMVP does not certify the whole application space, only the critical cryptographic service components. Therefore the specific modules that have successfully completed the testing program can claim to be “FIPS Certified”. All other higher layer applications that use these certified components can be said to be “FIPS compliant” or “Operating in FIPS mode” or “uses FIPS technology”.


Requirements for FIPS 140-2 Compliance with Microsoft Dynamics CRM

Setting up a FIPS compliant operating environment requires running the following:
  • Windows Server 2008 R2 SP1 x64
  • Microsoft Dynamics CRM 2011 UR3 or a later version
  • Microsoft SQL Server 2008 R2 x64

Windows Server

The first step in configuring a FIPS 140-2 compliant operating environment is to configure the computer that is running Windows Server 2008 R2 SP1 x64 by enabling the FIPS security setting.„  To enable the Windows Server FIPS security setting either in the Local Security Policy or as part of Group Policy, follow these steps:
  1. Using an account that has administrative credentials, log on to a computer that is running Windows Server 2008 R2 SP1 x64 on which any of the CRM Server roles are installed.
  2. Click Start, click Run, type gpedit.msc, and then press ENTER.
  3. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
  4. Under the Security Settings node, double-click Local Policies, and then click Security Options.
  5. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
  6. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
  7. Close the Local Group Policy Editor.

    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    811833 "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows

Microsoft Dynamics CRM

Enabling FIPS compliant operations in Microsoft Dynamics CRM 2011 UR3 or a later version requires modifying the registry on the computer that is running Microsoft Dynamics CRM Server so that the value of the MSCRMFIPFSCompliance registry key to 1.

To enable FIPS compliant operations in Microsoft Dynamics CRM 2011 UR3 or a later version, follow these steps:
1. Using an account that has administrative credentials, log on to a computer that is running Microsoft Dynamics CRM Server 2011 UR3 or a later version.
2. Click Start, click Run, type regedit, and then click OK.
3. Locate and then click the specific registry subkey for the computer. For example, on the Microsoft Dynamics CRM Server, locate Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\.
4. Right-click the registry subkey, and then click New.
5. Click DWord Value, and then type MSCRMFIPSCompliance.
6. Right-click MSCRMFIPSCompliance, click Modify, choose Decimal, type 1, and then click OK.
7. Save the changes to the registry and close the Registry Editor.When the SQL Server 2008 service detects that FIPS mode is enabled at startup, SQL Server 2008 logs the following message in the SQL Server error log:



For more information, click the following article number to view the article in the Microsoft Knowledge Base:

955745 "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."

Although the article is focused on FIPS compliancy in Microsoft Dynamics CRM 4.0, the information also applies to Microsoft Dynamics CRM 2011.


Microsoft SQL Server


When the SQL Server 2008 service detects that FIPS mode is enabled at startup, SQL Server 2008 logs the following message in the SQL Server error log:

Service Broker transport is running in FIPS compliance mode

Additionally, the following message may be logged in the Application log:

Database Mirroring transport is running in FIPS compliance mode
 
To make sure that the server is running in FIPS compliant mode, locate and verify the existence of the first (and possibly the second) message.

 In addition, to make sure that Microsoft SQL Server 2008 R2 is operating in a FIPS compliant mode, on the computer that is running Microsoft SQL Server, you must run the following script:

USE MSCRM_CONFIG
GO
UPDATE CrmKeySettingProperties SET CrmKeySettingProperties.NVarCharColumn= 
'HMACSHA1'
FROM CrmKeySettingProperties CrmKeySettingProperties  
JOIN CrmKeySetting   
ON CrmKeySettingProperties.Id = CrmKeySetting.Id
WHERE CrmKeySettingProperties.ColumnName = 'Algorithm'
AND CrmKeySetting.KeyType in ('CrmTicketKey', 'CrmWRPCTokenKey', 
'CrmEmailCredentialsKey', 'CrmStaticVersionSiteKey', 
'CrmStaticVersionScaleGroupKey')
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

955720 Instructions for using SQL Server 2008 in FIPS 140-2-compliant mode

Important: Make sure to remember the following points when ensuring compliance with FIPS:

  • To obtain dialog security between services, the encryption process will use the FIPS-certified instance of the Advanced Encryption Standard (AES) if the FIPS mode is enabled. If the FIPS mode is disabled, the encryption process uses RC4.
  • When you configure a Service Broker endpoint in FIPS mode, you must specify "AES" for the Service Broker. If the endpoint is configured to RC4, SQL Server generates an error. Therefore, the transport layer does not start.

Special Considerations for Deployments with Windows Network Load Balancing

For Microsoft Dynamics CRM 2011 deployments with Windows Network Load Balancing (NLB), compliancy with FIPS 140-2 requires that configuration change to the .Net machine config.xml file on the CRM Web Servers.


„To ensure FIPS compliancy for Microsoft Dynamics CRM 2011 implementations leveraging NLB, follow these steps:
  1. Using an account that has administrative credentials, log on to a computer serving as the CRM Web Server.
  2. Browse to the folder “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config”, and then open the file that is named machine.config.
  3. In the file, under any existing <mscorlib> …..</mscorlib> elements, between the </system.web> and the </configuration> elements, add the following text:
    <mscorlib>   
    <cryptographySettings>     
    <cryptoNameMapping>       
    <cryptoClasses>         
    <cryptoClass             
    SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=4.0.0.0, Culture=neutral,
    PublicKeyToken=b77a5c561934e089" />      
    <cryptoClass             
    RijndaelCSP="System.Security.Cryptography.AesCryptoServiceProvider, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />       
    </cryptoClasses>       
    <nameEntry           
    name="SHA256"           
    class="SHA256CSP" />               
    <nameEntry                   
    name="http://www.w3.org/2001/04/xmlenc#aes256-cbc"           
    class="RijndaelCSP" />     
    </cryptoNameMapping>   
    </cryptographySettings> 
    </mscorlib>
Microsoft Dynamics CRM Email Router
Add Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM Email\MSCRMFIPSCompliance = 1 (Dword) on Email Router server then install Email Router.

Microsoft Dynamics CRM client for Microsoft Office Outlook

Please see the following article:
Error message when you try to configure the Microsoft Dynamics CRM 4.0 client for Outlook: "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms"

More information

If the Microsoft Dynamics CRM 2011 platform is configured by using the procedures here, Microsoft Dynamics CRM 2011 will exclusively use FIPS Certified algorithms and components for all covered cryptographic functions and will therefore be operating in FIPS 140-2 compliant mode.

Properties

Article ID: 2691911 - Last Review: September 23, 2013 - Revision: 7.0
Applies to
  • Microsoft Dynamics CRM 2011
Keywords: 
kbmbsmigrate kbsurveynew KB2691911

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com