OAB generation fails if FIPS is used in an Exchange Server 2013 environment


Consider the following scenario:
  • You use Federal Information Processing Standards (FIPS) on an Offline Address Book (OAB) server in a Microsoft Exchange Server 2013 environment. You do this by running the following command in Exchange Management Shell (EMS):
    Set-ItemProperty -Path HKLM:\system\currentcontrolset\control\lsa\fipsalgorithmpolicy -name enabled -Value 1
  • You try to update the OAB.
In this scenario, the update fails. Additionally, an event ID 17004 that resembles the following is logged in the Application log:


To resolve this issue, install the following cumulative update:
2961810 Cumulative Update 6 for Exchange Server 2013


This issue occurs because the managed SHA1 hash algorithm is used for the generation of the OAB file hash. However, the file hash is not FIPS compliant.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about FIPS, go to the following Microsoft website:For more information about the Set-ItemProperty cmdlet, go to the following Microsoft website:For more information about the Update-OfflineAddressBook cmdlet, go to the following Microsoft website:

Article ID: 2974339 - Last Review: Mar 7, 2016 - Revision: 1

Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard Edition