Has the configureIPPolicy key file setting been found to be incompatible with web applications / services?

Is the configuration key enforceFIPSPolicy as described here for Windows applications only?

On my development machine (Windows 7) I have FIPS enabled and then if I created a simple console application follow these steps:

static void Main(string[] args)
    var algorithm = new RijndaelManaged();
    Console.WriteLine("Algorithm created!");


When I run it, I get a FIPS error:

System.InvalidOperationException: This implementation is not part of the Windows 
Platform FIPS validated cryptographic algorithms.


Then if I add the following item configuration

to the file app.config


  <enforceFIPSPolicy enabled="false"/>


The application runs successfully.

Now if I do the same in a web application (ASP.NET MVC 4):

public ActionResult Index()
    var alg = new RijndaelManaged();
    return View();


The code will fail even if I add the same config section to the application's web.config file.

I was also able to observe the same behavior in WCF web service.

I would guess this is because the web applications and web services are hosted on IIS (although I also reproduced the same behavior with Cassini).

Is there a way to force a web application to "opt out" of FIPS validation in the same way we can for Windows applications? Has anyone been successful with this?


source to share

All Articles