Error when you execute SSIS package on FIPS-enabled Windows

Symptom
Assume that you have Microsoft SQL Server 2012, 2014, or 2016 running on a server that has Federal Information Processing Standard (FIPS) enabled. In this situation, when you run or validate a Microsoft SQL Server Integration Services (SSIS) package that contains a data flow Script component, you receive the following error message:
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()

Note This issue occurs when the following registry subkey is set to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy

Cause
This issue occurs because SSIS uses the MD5 algorithm. The MD5 algorithm is not FIPS compliant.
Resolution

Service pack information

SQL Server 2016

To fix this issue in SQL Server 2016, get Service Pack 1 for SQL Server 2016.

About updates for SQL Server 2016
Each new build for SQL Server 2016 contains all the hotfixes and all the security fixes that were included with the previous build. We recommend that you install the latest build for SQL Server 2016.

SQL Server 2014

To fix this issue in SQL Server 2014, get Service Pack 2 for SQL Server 2014.
About updates for SQL Server 2014
Each new update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous update. We recommend that you install the latest build for SQL Server 2014.

SQL Server 2012

To fix this issue in SQL Server 2012, get Service Pack 3 for SQL Server 2012.
About updates for SQL Server 2012
Each new update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous update. We recommend that you install the latest service pack for SQL Server 2012.
Workaround
To work around this issue, try one of the following methods:

  • Turn off the FIPS policy on the server. To do this, see the "To configure FIPS policy settings" section on the following TechNet website:

    Notes

    • You must restart the application for the new setting to take effect.
    • This setting affects the following registry value in Windows Server:
      HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
      This registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.
  • Use other Microsoft .NET solutions instead of the Script component.

    Note The MD5 algorithm is hard-coded within the data flow Script component. Therefore, you cannot change this Script component.
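
To confirm that a server is in the state described above, the following added diagnostic (not part of the original article) reads the FIPS policy registry value and tries to construct the MD5 provider named in the error message alongside a SHA-256 provider for comparison. It assumes Windows PowerShell 5.1 on .NET Framework; the function names are hypothetical.

```powershell
# Added example, not Microsoft's code. Assumes Windows PowerShell 5.1 (.NET Framework).

function Get-FipsPolicyState {
    # Registry value named in the article: 1 = FIPS policy enabled, 0 = disabled.
    $key = 'HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $enabled = $null
    try {
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction Stop).Enabled
    } catch {
        # Key or value not present; leave $enabled as $null.
    }
    [pscustomobject]@{
        RegistryEnabled = $enabled
        # What the .NET runtime in this process actually enforces.
        RuntimeEnforced = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-HashProvider {
    param([Parameter(Mandatory)][string]$TypeName)
    $result = [pscustomobject]@{ Type = $TypeName; Usable = $false; Error = $null }
    try {
        $provider = New-Object -TypeName $TypeName -ErrorAction Stop
        $provider.Dispose()
        $result.Usable = $true
    } catch {
        # New-Object wraps the constructor exception; unwrap to the original message.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $result.Error = $ex.Message
    }
    $result
}

Get-FipsPolicyState | Format-List

# On an affected server the MD5 row reports the InvalidOperationException text
# quoted in the Symptom section, while the SHA-256 provider constructs normally.
'System.Security.Cryptography.MD5CryptoServiceProvider',
'System.Security.Cryptography.SHA256CryptoServiceProvider' |
    ForEach-Object { Test-HashProvider -TypeName $_ } |
    Format-Table -AutoSize -Wrap
```

Run it in a new PowerShell session after changing the policy, because the article notes that the application must be restarted for the new setting to take effect.
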
More information
SQL Server Integration Services uses several Windows encryption algorithms that do not comply with FIPS 140-2, which specifies security requirements for cryptographic modules. For example, SSIS 2012 uses MD5, which does not comply with FIPS 140-2, to compute hash values that are not used for security. FIPS 140-2 defines security standards that the United States and Canadian governments use to validate security levels for products that implement cryptography.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Properties

Article ID: 2925865 - Last Review: 12/02/2016 13:21:00 - Revision: 5.0

Microsoft SQL Server 2016 Developer, Microsoft SQL Server 2016 Enterprise, Microsoft SQL Server 2016 Enterprise Core, Microsoft SQL Server 2016 Standard, Microsoft SQL Server 2014 Developer, Microsoft SQL Server 2014 Enterprise, Microsoft SQL Server 2014 Enterprise Core, Microsoft SQL Server 2014 Standard, Microsoft SQL Server 2012 Developer, Microsoft SQL Server 2012 Enterprise, Microsoft SQL Server 2012 Enterprise Core, Microsoft SQL Server 2012 Standard
