DPM Support Tip: Reporting fails with "implementation is not part of FIPS validated cryptographic algorithms"


When opening Reporting Services Configuration Manager, the Web Service URL and Report Manager URL fails with the following error:

Reporting Services Error
An internal error occurred on the report server. See the error log for more details. (rsInternalError) Get Online Help
Exception of type ‘System.Web.HttpUnhandledException’ was thrown.
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Stack info:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.RijndaelManaged..ctor() +200 System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +2088
System.Web.Configuration.MachineKeySection.EnsureConfig() +904
System.Web.Configuration.MachineKeySection.GetEncodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32& length) +88
System.Web.UI.ObjectStateFormatter.Serialize(Object stateGraph) +1320
System.Web.UI.Util.SerializeWithAssert(IStateFormatter formatter, Object stateGraph) +248
System.Web.UI.HiddenFieldPageStatePersister.Save() +280
System.Web.UI.Page.SaveAllState() +6488
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +17240


This can occur if FIPS is enabled and using the RijndaelManaged AES which is not been certified by the National Institute of Standards and Technology (NIST) as compliant with the Federal Information Processing Standard (FIPS). Because of this, the AES algorithm is not part of the Windows Platform FIPS validated cryptographic algorithms.

See http://support.microsoft.com/kb/911722 for more information.


Edit the web.config file of directories below per article – http://support.microsoft.com/kb/911722

%DPMInstall%\Program Files\Microsoft DPM\SQL\MSRS.10.MSDPM2010\Reporting Services\ReportManager

%DPMInstall%\Program Files\Microsoft DPM\SQL\MSRS.10.MSDPM2010\Reporting Services\ReportServer

Add the following section to the system.web section

1. In a text editor such as Notepad, open the application-level Web.config file.

2. In the Web.config file, locate the <system.web> section.

3. Add the following <machineKey> section to in the <system.web> section:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

4. Save the Web.config file.

More Information

If the SSRS log file(%DPMInstall%\Program Files\Microsoft DPM\SQL\MSRS.10.MSDPM2010\Reporting Services\LogFiles) is showing the error below, the SSRS data source does not have the "Allow log on locally" privilege defined for it in the Local Security Policy:

library!ReportServer_0-2!704!09/27/2012-15:37:05:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Log on failed., ;
Info: Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Log on failed. —> System.Runtime.InteropServices.COMException (0x80070569): Logon failure: the user has not been granted the requested logon type at this computer.(Exception from HRESULT: 0x80070569)
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at RSRemoteRpcClient.RemoteLogon.GetRemoteImpToken(String pRPCEndpointName, Int32 type, Guid dataSourceId, String pUserName, String pDomain, String pPassword)
at Microsoft.ReportingServices.Diagnostics.ImpersonationContext.Login(CredentialsType credType, Guid dataSourceId, String userName, String userPwd, String domain)
— End of inner exception stack trace —

To resolve, add the account being used to the "Allow log on locally" security policy.

Andy Nadarewistsch | Senior Support Escalation Engineer | Management and Security Division

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/