The Get-FederatedDomainProof cmdlet fails in an Exchange Server 2010 SP1 environment

SYMPTOMS
Consider the following scenario:
  • You create a federation trust between a Microsoft Exchange Server 2010 Service Pack 1 (SP1) organization and Microsoft Federation Gateway.
  • The System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting is enabled on the server that is running Exchange Server 2010 SP1.
  • You use the Get-FederatedDomainProof cmdlet to generate a cryptographically secure string for the domain.
In this scenario, the cmdlet fails, and you receive the following error message:

WARNING: An unexpected error has occurred and a Watson dump is being generated: Exception has been thrown by the target of an invocation.
Exception has been thrown by the target of an invocation.

Exception has been thrown by the target of an invocation.
+ CategoryInfo : NotSpecified: (:) [Get-FederatedDomainProof], TargetInvocationException
+ FullyQualifiedErrorId : System.Reflection.TargetInvocationException,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof

Additionally, the following event is logged on the Exchange Server 2010 SP1 server:

Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: Date
Event ID: 8
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: Computer
Description:
(PID PID, Thread XX) Task Get-FederatedDomainProof throwing unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA512Managed..ctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof.ProcessForCertificate(String thumbprint, String propertyName)
at Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord().


CAUSE
This issue occurs because the cryptographic algorithm that is used to calculate the hash value of a domain name is not a U.S. Federal Information Processing Standards (FIPS)-certified cryptographic algorithm.
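
The following diagnostic is an added example, not code from Microsoft or from Exchange. It reads the local FIPS policy and tries to construct the managed SHA-512 class named in the stack trace next to the CryptoAPI-backed class, so you can confirm that a server is affected. The function names and the sample domain string are hypothetical, and the script assumes .NET Framework on Windows Server 2008 or later.

```powershell
# Added diagnostic sketch; function names are hypothetical, not Exchange cmdlets.
Add-Type -AssemblyName System.Core   # SHA512CryptoServiceProvider lives here

function Get-FipsPolicyState {
    # Registry value behind the "System cryptography: Use FIPS compliant
    # algorithms..." setting (assumption: Windows Vista / Server 2008 or later).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.Enabled -eq 1)
}

function Test-HashImplementation {
    param([string]$TypeName)

    $result = New-Object PSObject -Property @{
        Type = $TypeName; Usable = $false; Detail = ''
    }
    try {
        # With the FIPS policy on, the constructor itself throws, as in the
        # event log entry above.
        $alg   = New-Object -TypeName $TypeName -ErrorAction Stop
        $bytes = [System.Text.Encoding]::UTF8.GetBytes('contoso.example')  # constructed sample
        $hash  = $alg.ComputeHash($bytes)
        $result.Usable = $true
        $result.Detail = '{0}-byte digest computed' -f $hash.Length
    }
    catch {
        # PowerShell wraps the constructor failure; report the innermost cause.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        $result.Detail = '{0}: {1}' -f $e.GetType().Name, $e.Message
    }
    return $result
}

"FIPS policy enabled: $(Get-FipsPolicyState)"

'System.Security.Cryptography.SHA512Managed',
'System.Security.Cryptography.SHA512CryptoServiceProvider' |
    ForEach-Object { Test-HashImplementation -TypeName $_ } |
    Select-Object Type, Usable, Detail |
    Format-List
```

On a server with the policy enabled, the SHA512Managed entry reports the InvalidOperationException shown in the event above.
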
RESOLUTION
To resolve this issue, install the following update rollup:
2661854 Description of Update Rollup 2 for Exchange Server 2010 Service Pack 2
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
For more information about the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting, click the following article number to view the article in the Microsoft Knowledge Base:
811833 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
For more information about how to create a federation trust, visit the following Microsoft website:
For more information about the Get-FederatedDomainProof cmdlet, visit the following Microsoft website:
For more information about FIPS-compliant algorithms, visit the following Microsoft website:
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 2644920 - Last Review: 04/16/2012 16:57:00 - Revision: 1.0

Microsoft Exchange Server 2010 Service Pack 1

  • kbqfe kbfix kbsurveynew kbexpertiseinter KB2644920