Symptoms

Consider the following scenario:

  • You create a federation trust between a Microsoft Exchange Server 2010 Service Pack 1 (SP1) organization and Microsoft Federation Gateway.

  • The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting is enabled on the server that is running Exchange Server 2010 SP1.

  • You use the Get-FederatedDomainProof cmdlet to generate a cryptographically secure string for the domain.

In this scenario, the cmdlet fails, and you receive the following error message:

WARNING: An unexpected error has occurred and a Watson dump is being generated: Exception has been thrown by the target of an invocation.
Exception has been thrown by the target of an invocation.
Exception has been thrown by the target of an invocation.
    + CategoryInfo : NotSpecified: (:) [Get-FederatedDomainProof], TargetInvocationException
    + FullyQualifiedErrorId : System.Reflection.TargetInvocationException,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof

Additionally, the following event is logged on the Exchange Server 2010 SP1 server:

Cause

This issue occurs because the cryptographic algorithm that is used to calculate the hash value of a domain name is not a U.S. Federal Information Processing Standards (FIPS)-certified cryptographic algorithm.
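
To confirm that a server is in the state described here, the following PowerShell check (an added example, not part of the original article and not Microsoft's code) reads the FIPS policy and tries to instantiate several .NET Framework hash classes. The article does not name the algorithm that Exchange uses, so the listed classes are stand-ins chosen for illustration; the registry path assumes Windows Server 2008 or later.

```powershell
# Added example: report the FIPS policy state and which .NET Framework hash
# classes the policy allows. The class list is illustrative; the article
# does not say which algorithm Get-FederatedDomainProof uses.
Add-Type -AssemblyName System.Core   # SHA256CryptoServiceProvider lives here

# Registry value behind the security setting (Windows Server 2008 and later).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$policy = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
$enabledInRegistry = ($policy -ne $null) -and ($policy.Enabled -eq 1)

# What the .NET Framework runtime in this process will enforce.
$enforcedByDotNet = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

function Test-HashClass {
    param([string]$TypeName)
    try {
        $hash = New-Object -TypeName $TypeName
        $hash.Clear()
        $result = 'allowed'
    }
    catch {
        # On .NET Framework versions that enforce the policy, classes that
        # are not FIPS-validated throw from their constructor.
        $result = 'blocked: ' + $_.Exception.GetBaseException().Message
    }
    New-Object PSObject -Property @{ Class = $TypeName; Result = $result }
}

"FIPS policy enabled in registry : $enabledInRegistry"
"FIPS-only enforced by .NET      : $enforcedByDotNet"

$ns = 'System.Security.Cryptography.'
'MD5CryptoServiceProvider', 'SHA256Managed',
'SHA1CryptoServiceProvider', 'SHA256CryptoServiceProvider' |
    ForEach-Object { Test-HashClass ($ns + $_) } |
    Format-Table Class, Result -AutoSize -Wrap
```

An exception thrown by code that is invoked through reflection is wrapped in a TargetInvocationException, which is the exception type reported in the error message above.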

Resolution

To resolve this issue, install the following update rollup:

2661854 Description of Update Rollup 2 for Exchange Server 2010 Service Pack 2

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting, click the following article number to view the article in the Microsoft Knowledge Base:

811833 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

For more information about how to create a federation trust, visit the following Microsoft website:

General information about how to create a federation trust

For more information about the Get-FederatedDomainProof cmdlet, visit the following Microsoft website:

General information about the Get-FederatedDomainProof cmdlet

For more information about FIPS-compliant algorithms, visit the following Microsoft website:

General information about FIPS compliant algorithms
