When Running Protect in an Environment with FIPS You Receive the Error: the Service Responsible for Importing Scan and Agent Results Is Not Running

Version 7

    Symptoms

     

    • Protect is running in an environment with FIPS.
    • The Protect Console Service crashes as soon as you open Protect.
    • You receive the error: "The service responsible for importing scan and Agent Results is not running", and restarting the service does not resolve the problem.
    • In the ST.ServiceHost.managed.log file you see the following error:
      Parameter name: culture
      2048 (0x0800) is an invalid culture identifier.
      2013-10-09T17:48:41.8020307Z 0033 C Program.cs:26|System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
      at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
    • You may also see the below message in the ST.Protect.Managed.log:
      2013-10-09T17:48:43.2528307Z 0004 E CredentialServiceController.FindCredentialOwner|ST.UI.UserViewableException: The console service cannot be reached. Credentials previously shared with the service will be reported as not shared. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://localhost/ST/Console/Deployment/Credentials/CredentialsService that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.IO.PipeException: The pipe endpoint 'net.pipe://localhost/ST/Console/Deployment/Credentials/CredentialsService' could not be found on your local machine.

     

    Cause

     

    Protect uses MD5 hash for faster sort lookups, but it currently isn't working correctly with FIPS. This is a known issue and will be fixed in a future release of Protect.

     

    Resolution

     

    This issue was resolved in the initial build of Protect 9.1. Please upgrade to the latest version of Protect to resolve this issue properly.

     

    A possible workaround to resolve this issue in Protect 9.0:

     

    1. Shut down Protect.
    2. Stop the console service.
    3. Navigate to the protect installation folder under Program Files: Default for v.9 is C:\Program Files\LANDesk\Shavlik Protect
    4. Backup the ST.ServiceHost.exe.config and ST.Protect.exe.config
    5. Edit both of those files and add the following between the </st> and <system.diagnostics> tags:
      <runtime>
      <enforceFIPSPolicy enabled="false"/>
      </runtime>

      Example (ST.ServiceHost.exe.config):
      Before:
      </components>
      </host>
      </st>
      <system.diagnostics>
      <trace autoflush="true" useGlobalLock="false" />
      <sources>

      After:
      </components>
      </host>
      </st>
      <runtime>
      <enforceFIPSPolicy enabled="false"/>
      </runtime>
      <system.diagnostics>
      <trace autoflush="true" useGlobalLock="false" />
      <sources>

    6. Save both files.
    7. Clear the log files in the main logs directory (Default is C:\ProgramData\LANDesk\Shavlik Protect\Logs)
    8. Start the console service.
    9. Start Protect.

     

    Notes:

    • You can also set this dword's value to 0 to disable FIPS (restart needed):
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy\Enabled
    • FIPS could also be controlled by GPO, if the above does not work that would be an indication that a GPO is controlling FIPS and this would need to be resolved via GPO.

     

    Risk of Workaround

    This workaround will disable FIPS for the Protect console service and application.

     

    Affected Product(s)

     

    Shavlik Protect 9.0.1182

    Shavlik Protect 9.0.1106