You create a federation trust between a Microsoft Exchange Server 2010 Service Pack 1 (SP1) organization and Microsoft Federation Gateway.
The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting is enabled on the server that is running Exchange Server 2010 SP1.
You use the Get-FederatedDomainProof cmdlet to generate a cryptographically secure string for the domain.
In this scenario, the cmdlet fails, and you receive the following error message:
WARNING: An unexpected error has occurred and a Watson dump is being generated: Exception has been thrown by the target of an invocation. Exception has been thrown by the target of an invocation.
Exception has been thrown by the target of an invocation.
    + CategoryInfo          : NotSpecified: (:) [Get-FederatedDomainProof], TargetInvocationException
    + FullyQualifiedErrorId : System.Reflection.TargetInvocationException,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof
Additionally, the following event is logged on the Exchange Server 2010 SP1 server:
Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: Date
Event ID: 8
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: Computer
Description:
(PID PID, Thread XX) Task Get-FederatedDomainProof throwing unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA512Managed..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeConstructor(Object args, SignatureStruct& signature, IntPtr declaringType)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object args)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof.ProcessForCertificate(String thumbprint, String propertyName)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederatedDomainProof.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
This issue occurs because the cryptographic algorithm that is used to calculate the hash value of a domain name is not a U.S. Federal Information Processing Standards (FIPS)-certified cryptographic algorithm.
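The following PowerShell script is an added diagnostic example; it is not part of this article and not Exchange code. It reads the registry value that backs the FIPS policy setting and then tries to construct the three SHA-512 implementations that ship with the .NET Framework, hashing a constructed sample domain name with each one. The event log above shows the cmdlet instantiating SHA512Managed through CryptoConfig.CreateFromName; with the policy enabled, that constructor is the one that throws, while the CAPI-backed SHA512CryptoServiceProvider and the CNG-backed SHA512Cng wrappers succeed. The registry path and the domain name "contoso.example" are assumptions for the example.

```powershell
# Added diagnostic example (not from this article): report the FIPS policy
# state and which .NET SHA-512 implementations it permits on this server.
# Run in an Exchange Management Shell or elevated PowerShell window.

# Assumed location of the value that the security setting writes.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = $false
try {
    $fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction Stop).Enabled -eq 1
} catch {
    # Missing key or value: the policy has never been configured, so treat it as off.
}
Write-Host ("FIPS algorithm policy enabled: {0}" -f $fipsEnabled)

# Constructed sample input; the real cmdlet hashes the federated domain name.
$domain = 'contoso.example'
$bytes  = [System.Text.Encoding]::UTF8.GetBytes($domain)

# SHA512Managed is a pure managed implementation and is not in the FIPS-validated
# set; the CryptoServiceProvider and Cng types wrap validated Windows modules.
$candidates = @(
    'System.Security.Cryptography.SHA512Managed',
    'System.Security.Cryptography.SHA512CryptoServiceProvider',
    'System.Security.Cryptography.SHA512Cng'
)

foreach ($typeName in $candidates) {
    try {
        $hasher = New-Object $typeName -ErrorAction Stop
        $digest = ([System.BitConverter]::ToString($hasher.ComputeHash($bytes))) -replace '-', ''
        $hasher.Clear()   # release the underlying handle
        Write-Host ("{0,-58} OK   {1}..." -f $typeName, $digest.Substring(0, 16))
    } catch {
        # New-Object wraps the constructor failure; unwrap it to show the same
        # InvalidOperationException that appears in the cmdlet's stack trace.
        $inner = $_.Exception
        if ($inner.InnerException) { $inner = $inner.InnerException }
        Write-Host ("{0,-58} FAIL {1}: {2}" -f $typeName, $inner.GetType().Name, $inner.Message)
    }
}
```

On a server with the policy enabled, the first line reports True and only the SHA512Managed row fails, which reproduces the root cause without running the cmdlet. The script only diagnoses; the fix is the update rollup named in this article, not turning the FIPS setting off, since that setting also governs every other hashing and signing operation on the server.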
To resolve this issue, install the following update rollup:
2661854 Description of Update Rollup 2 for Exchange Server 2010 Service Pack 2
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting, click the following article number to view the article in the Microsoft Knowledge Base:
811833 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
For more information about how to create a federation trust, visit the following Microsoft website: