SharePoint on Windows 2008: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

SharePoint, Enterprise

I was tackling this error today on my farm. When attempting to open Central Admin, I would get this error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

The event logs had an Event ID 8214, but the error was unknown, so I couldn't find any information about it. Searches on the net weren't helpful; they just talked about authentication problems. I wasn't sure if the Event ID was even related, but I think it was.

I edited the web.config of the Central Admin site and set <customErrors mode="Off">, but it didn't help; I got the error above or sometimes a blank page when loading Central Admin. The key was to also set CallStack="true" (on the <SafeMode> element) in the web.config.

I was able to get Central Admin to finally load after changing a couple of registry settings. First, I saw a HKLM\SYSTEM\CurrentControlSet\Control key called "fipsalgorithmpolicy" which was set to 0. Hmm, that's good. Some more research pointed me to a sub-key called FIPSAlgorithmPolicy. There was a DWORD value called "Enabled" and this was set to 1. Changing it to 0 (zero) and performing an IISRESET allowed me to open Central Admin.

Great, but not great. My network has a policy (Group Policy setting) to turn this on. “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” is set to enabled. So, this isn’t a permanent solution.

I found a blog post called Aggregated Intelligence: FIPS validated cryptographic algorithms in .NET which suggested adding another line in my web.config: <enforceFIPSPolicy enabled="false" />. For the record, that did nothing for me; I don't know why.

Anyway, I was pretty sure that this was a best practice, especially in the Department of Defense (DoD), where I've spent most of my time working. It's maybe even a requirement. I started looking at IIS and the Web Site Settings for Central Admin. In Windows 2008, it defaults to the "Features" view. In there, I checked each of the icons. Inside "Machine Key" I noticed that the algorithm was set to SHA1 (or was it AES). In any case, I changed it to TripleDES, performed an IISRESET /NOFORCE, and everything worked! I'll have to verify some of this tomorrow, but hopefully this post gives some useful troubleshooting steps.

KB811833 talks about enabling FIPS compliant algorithms; it's titled: The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and in later versions of Windows
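The error text in this post is the InvalidOperationException that the .NET Framework (2.0 SP1 through 4.x) throws when the Windows FIPS policy is on and code constructs one of the "Managed" algorithm classes, which are not FIPS-validated; ASP.NET 2.0 hits it because its default view-state encryption (decryption="Auto"/"AES") uses RijndaelManaged, which is why Microsoft KB911722 resolves it by setting the machineKey to 3DES. The script below is an added example, not code from the original post or from Microsoft. It reads the policy from its registry location on Windows Server 2008 (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, value Enabled), asks the CLR what it enforces, tries to construct the managed classes beside their CSP counterparts so you can see which one throws, and inspects a web.config <machineKey> element for the Auto/AES setting. The web.config it parses is a constructed sample, not a real Central Admin configuration, and the syntax is kept to PowerShell 2.0 so it runs on a Server 2008 box.

```powershell
# Added example (not from the original post): find out which .NET crypto class is
# producing "This implementation is not part of the Windows Platform FIPS
# validated cryptographic algorithms" before changing web.config.

# FIPS policy location on Windows Server 2008 (note the Lsa subkey).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    $reg = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        RegistryEnabled = $(if ($reg) { [int]$reg.Enabled } else { $null })
        # What the CLR actually enforces (CryptoConfig.AllowOnlyFipsAlgorithms, .NET 2.0 SP1+).
        ClrEnforces     = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-CryptoClass {
    param([Parameter(Mandatory=$true)][string]$TypeName)
    try {
        $null = New-Object -TypeName $TypeName
        'loads'
    } catch {
        # New-Object wraps the constructor's InvalidOperationException;
        # GetBaseException() unwraps to the message Central Admin showed.
        'throws: ' + $_.Exception.GetBaseException().Message
    }
}

function Get-MachineKeyRisk {
    # ASP.NET 2.0 defaults when <machineKey> is absent are validation="SHA1" and
    # decryption="Auto"; Auto and AES use RijndaelManaged, which is not
    # FIPS-validated (KB911722). 3DES uses TripleDESCryptoServiceProvider, which is.
    param([Parameter(Mandatory=$true)][xml]$WebConfig)
    $mk = $WebConfig.SelectSingleNode('/configuration/system.web/machineKey')
    $validation = $(if ($mk -and $mk.GetAttribute('validation')) { $mk.GetAttribute('validation') } else { 'SHA1' })
    $decryption = $(if ($mk -and $mk.GetAttribute('decryption')) { $mk.GetAttribute('decryption') } else { 'Auto' })
    New-Object PSObject -Property @{
        Validation  = $validation
        Decryption  = $decryption
        FipsProblem = (@('Auto', 'AES') -contains $decryption)
        # Resolution from KB911722; keep your existing validationKey/decryptionKey attributes.
        Suggested   = '<machineKey ... validation="3DES" decryption="3DES" />'
    }
}

# Constructed sample web.config (not a real Central Admin one): the element the
# IIS 7 "Machine Key" feature page writes when AES is selected for encryption.
[xml]$sampleWebConfig = @'
<configuration>
  <system.web>
    <machineKey validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
'@

Get-FipsPolicyState | Format-List
'SHA1Managed       : ' + (Test-CryptoClass 'System.Security.Cryptography.SHA1Managed')
'RijndaelManaged   : ' + (Test-CryptoClass 'System.Security.Cryptography.RijndaelManaged')
'SHA1 (CSP)        : ' + (Test-CryptoClass 'System.Security.Cryptography.SHA1CryptoServiceProvider')
'TripleDES (CSP)   : ' + (Test-CryptoClass 'System.Security.Cryptography.TripleDESCryptoServiceProvider')
Get-MachineKeyRisk -WebConfig $sampleWebConfig | Format-List

# To check the real site instead of the sample:
# Get-MachineKeyRisk -WebConfig ([xml](Get-Content 'C:\inetpub\wwwroot\wss\VirtualDirectories\<port>\web.config'))
```

With the policy enabled, the two Managed classes throw and the two CryptoServiceProvider classes load; with it disabled (the registry edit the post describes), all four load, which is why that edit "fixes" the page but only by turning the control off. Changing the machineKey to 3DES keeps the Group Policy setting in force, and because that element lives in the site's web.config, it survives an IISRESET but should be reapplied (or scripted) if the web application is ever re-provisioned.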


What SharePoint Version are you running?

SharePoint, Enterprise

Someone called me recently stating that their SharePoint farm had expired; it was a shock to them because they had installed it with the correct key. Some digging revealed that there was a post-SP2 bug. There's a hotfix (32-bit / x64) available as well, and that sent me down a path of identifying what level of SharePoint I was running. There was a great post by Penny Coventry that I used to refer to, but it hadn't been updated. After some more searching and clicking around, I finally found it. Here is the blog post: How to find the level of SharePoint you are running, on Penny's new blog.

To summarize for MOSS 2007/WSS 3.0:

Using the SharePoint Central Administration Web site or the SharePoint HTML Site Settings admin pages, you will see the following version numbers:

12.0.0.6510  MOSS 2007 [1] or WSS 3.0 SP2 + June 09 cumulative update (KB971538 + KB971537)
12.0.0.6504  MOSS 2007 [1] or WSS 3.0 SP2 + April 09 cumulative update (KB968850 + KB968851)
12.0.0.6421  MOSS 2007 [1] or WSS 3.0 SP2 (KB953338 + KB953334) [Updated 1st Aug 09: the SP2 download now includes the hotfix (KB971620) that corrects the activation issue; more information on the Microsoft SharePoint team blog]
12.0.0.6341  MOSS 2007 [1] or WSS 3.0 February 09 cumulative update (KB961755 + KB961756)
12.0.0.6335  MOSS 2007 [1] or WSS 3.0 December 08 cumulative update (KB960010 + KB960011)
12.0.0.6331  MOSS 2007 [1] or WSS 3.0 October 08 cumulative update (KB957691 + KB957693, KB958567 and KB958569)
12.0.0.6327  MOSS 2007 [1] or WSS 3.0 August 08 cumulative update (KB956056 & KB956057)
12.0.0.6318  MOSS 2007 [1] or WSS 3.0 Infrastructure Update (KB951695 & KB951297)
12.0.0.6303  MOSS 2007 [1] or WSS 3.0 post-SP1 hotfix (KB948945)
12.0.0.6301  MOSS 2007 [1] or WSS 3.0 post-SP1 hotfix (KB941274)
12.0.0.6300  MOSS 2007 [1] or WSS 3.0 post-SP1 hotfix (KB941422)
12.0.0.6219  MOSS 2007 [1] or WSS 3.0 SP1
12.0.0.6039  MOSS 2007 [1] or WSS 3.0 October public update
12.0.0.6036  MOSS 2007 [1] or WSS 3.0 August 24, 07 hotfix package
12.0.0.4518  MOSS 2007 [1] or WSS 3.0 RTM
12.0.0.4407  MOSS 2007 [1] or WSS 3.0 Beta 2 TR
12.0.0.4017  MOSS 2007 [1] or WSS 3.0 Beta 2
12.0.0.3111  Office 12 (PDC image, pre-beta). This version of Office does not have a support link in the Add/Remove Programs dialog box.

[1] To confirm that a particular service pack/hotfix is installed on SharePoint Server, you must either check the version numbers of specific DLLs as specified in the related Microsoft Knowledge Base article or:

Watch the Updates Resource Center for SharePoint Products and Technologies for the next update.


    SharePoint Timer Jobs not running

    Uncategorized

I had this problem that I first noticed when a user's profile picture was not being updated. He had updated his pic on his MySite, but it would not appear on "People and Groups" inside the top level Site Collection.

    The next day I attempted to back up (using Central Admin) my farm and it just sat there at initializing. I checked the timer jobs and noticed that nothing had run since this was installed. A quick search on Bing and Google suggested clearing the cache. That didn’t work for me, but in summary, I’ll repost from here:

    1. Stop the Timer service. To do this, follow these steps:
    Click Start, point to Administrative Tools, and then click Services.
    Right-click Windows SharePoint Services Timer, and then click Stop.

2. Clear the cache. To do this, follow these steps:
Open the following folder: %ALLUSERSPROFILE%\Application Data\Microsoft\SharePoint\Config\
Open the cache.ini file and change the value to 1. Save the change and close the cache.ini file.

3. Delete or move all of the XML files in that folder (leave cache.ini in place).

    4. Start the Timer service. To do this, follow these steps:
    Click Start, point to Administrative Tools, and then click Services.
    Right-click Windows SharePoint Services Timer, and then click Start.

    OK, so that may work for some people. Just a note, on Windows Server 2008 (my deployment) the location for step 2 is actually:

    C:\ProgramData\Microsoft\SharePoint\Config\

As I said though, that didn't work. There were no event log errors and nothing obvious in the ULS (honestly, I didn't look that hard); I was pulling my hair out. Well, I found out that the password for the farm account had been changed. Apparently, after changing it, no one ran the STSADM command:

    stsadm -o updatefarmcredentials -userlogin DOMAIN\UserName -password NewPassword

    I found that on a blog post by Ricardo Costa. He had a link to Microsoft’s KB article KB934838: How to change service accounts and service account passwords in SharePoint Server 2007 and in Windows SharePoint Services 3.0
    Isn’t that a nice title?

    That didn’t entirely fix my problem still. The backup did run, so I’m happy for now but there are alot of errors.

    While I’m on the subject of changing passwords, I am seeing many organizations (like DoD or non-profits) enforcing 90 day password changes. I think if you followed Microsofts Best Practices for service accounts (Plan for administrative and service accounts), that should suffice. Changed service account passwords are a hassle!


    Dual-boot drama

    Linux, Microsoft

    Oh the adventures!

I was traveling recently and decided to take my travel laptop (due); it's lighter. When I finally got to my room and settled in, I fired up my laptop.

To my demise... I mean surprise, it had Ubuntu Linux (6.04) installed. I rebooted to make sure GRUB (the Linux bootloader) didn't have "Windows XP" as an option. It didn't. Oh well, I like Ubuntu; in fact, I love it.

    I would’ve been perfectly fine with that if it weren’t for another one of the associates here telling me all about using my Blackberry as a modem. I was thinking “heck yeah! I want to try that.”

    I learned that Linux and Blackberrys don’t work well (damn you RIM!). To make a long story short, in order to use your phone as a modem you NEED to have Blackberry Desktop Manager installed. I looked for alternatives but I couldn’t find any. So, I thought, well, WINE should be able to run it right?

    I got online and downloaded it and just ran the executable under WINE. Things were going well! It started to install, in fact the install completed. It even created a shortcut on my Ubuntu desktop. Next step, run it and connect my Blackberry. That didn’t go so well. For some reason, once installed, it would not load up. It tried but it just didn’t work.

So then, I was thinking, well, I need to install Windows now. All I had was my backup ISO image of Windows. Unfortunately, Windows doesn't do network installs, installs off a USB, or anything but CD (and floppy, I think). That was a show stopper. I tried to find a CD to burn the ISO image on to, but I had no luck with that.

    Then, I got another fancy idea. How about I just run the Blackberry software in Windows virtualized? I had the ISO, I just needed Xen, VirtualBox, or Virtual PC (why did I think Microsoft made a linux version of Virtual PC??). I chose VirtualBox, it went smooth, I got Windows installed, got Blackberry Desktop Manager installed and running… until one more thing.

The USB interface has to pass through the virtual desktop to Windows. It sort of worked after I made some changes to devsubfs.inf, but not really. So then, I started doing some research. It turns out that several people have been able to get the mass storage part to work (so they can transfer contacts, pictures, and other media) but not the modem part.

    I was sad.

I was carrying my laptop bag around and had some folders in my hand and decided to just consolidate. I opened the bag and placed the folders in a thin compartment when I noticed the manual for the laptop and the original CDs!! What a dope, I didn't even think to look there. Great! I thought, now I could install Windows and all would be fine.

    I got back to my room and was so anxious that I just started installing Windows. When I had installed Ubuntu originally, I created 3 partitions for it but left 15GB of unallocated space. I tried to have Windows use it but it complained that it could not create a 4th partition. Darn! Maybe Linux could. I rebooted and used Gparted to create the partition and just in case, I also formatted for FAT32 (NTFS was not an option). I tried the Windows install again and it saw the partition with no problem. The install went really well and I was inside Windows.

Now, the problem is that I need to get at my Linux partition and boot that, primarily. I should have taken this into account BEFORE! The NTLDR (NT Boot Loader) can boot Linux, sort of; it redirects to GRUB or LILO (both Linux boot loaders). It's simple, actually: you just take the first 512 bytes of the boot drive BEFORE installing Windows and save that to a text file. Later, you can edit boot.ini and point it to your text file. Nice. I didn't do that. I now have Windows and no way to boot Linux. Crap.

I have no Linux boot CDs, no rescue disks, no floppy, no... oh wait: I can boot Linux from my thumb drive. I thought if I just downloaded a rescue disk for a USB thumb drive I could probably get back in and set up the dual boot! As I researched this, it seems it's not as easy to do this in Windows as you'd expect. I found a lot of instructions about using a thumb drive to boot, but they were mostly for Linux.

I found a project called GRUB4DOS and WINGRUB. It's a boot loader based on GNU GRUB, but it can be used with the Windows Boot Loader (NTLDR). I don't think it's made for the purpose I intended to use it for, but I was desperate.

I tried it anyway. I copied the file "grldr" to the root of my C: drive and edited the boot.ini file by adding a line: C:\grldr="Start GRUB"
I saved the file and continued with my research. After some time, I got frustrated, shut down my computer and went to sleep. The next day, I loaded my computer to continue researching this and try to get it to work. As I booted I saw that I had "Start GRUB" as an option. I selected it, thinking "What's the worst that could happen?" It immediately brought up my Linux GRUB screen; I was impressed! I selected Ubuntu and it loaded with no problems. Just to double-check, I rebooted and selected Windows. All worked fine. What a crazy adventure!

    So I guess the takeaway from this post, besides the usual (research stuff, know what you’re doing before you start, always have backups, etc!) is that the GRUB4WINDOWS project is actually very useful and I hope development continues on it.


    Apple in enterprise architecture

    Enterprise

    I ran across this blog post today while surfing Digg called “Is your company ready for the Apple invasion?”

    This is an interesting topic that I think does not get a lot of attention. I think Apple has a lot of potential here but there needs to be a huge upfront investment. If you’re going to ask companies to invest upfront, you have to start with yourself.

    I’ve worked in mostly Microsoft/Cisco shops and it works really well. Microsoft has an array of product suites to address almost any need. More often than not, using a Microsoft product, rather than a better or cheaper alternative actually costs less (TCO). I think Microsoft has done a great job of addressing TCO especially in enterprise environments.

Apple would need to invest a lot to even begin to compete, but the stage is set. Apple enjoys excellent marketing, like it did in the 1980's. I remember reading about why most schools and college campuses used Apple computers: they were easy to use and learn and competitively priced. Seeing Apple computers in places of learning was very commonplace and expected. Not so much today. Part of the reason for this is that schools had to grow out of Apple products in favor of "industry standard" PCs. If you use a Microsoft system at work, you'll want that system at home, and so schools should also be teaching that (in general).

Apple needs to invest in certifications like Microsoft and Cisco. There should be an Apple Macintosh Certified Associate (AMCA) or something similar as the basic certification. From there, more advanced certificates for different technologies could be offered. AXCA for the Xserve platform? This allows organizations to hire technicians that are familiar with Apple products. Right now, there's really no way to tell how good your Apple skills are.

Apple also needs to invest in a good user identity platform (like Active Directory) and email services (like Exchange). Finally, system management is too important for admins. As stated in the comments on the blog post above, admins need a way to set security policies and controls that are easy and that work! Apple's Remote Desktop 3 is the closest tool to Microsoft's SMS and can probably manage a campus full of Macs. I'd love to see it in action.

    Actually, all the same goes for any Linux platform. The problem for Linux though is trying to get the community to rally behind a few products (one would be better but Linux enthusiasts try to preserve choice) to address these needs.

The advantage for Apple is that it can set standards on its own technology, and it doesn't have to create all those products itself. They can be contracted out, or Apple could provide APIs or similar technologies to third-party vendors who already specialize in similar products for Microsoft.

One example of this is a company called Shavlik, which provides patch management solutions for Windows. Although Microsoft already provides WSUS for free and SMS for more advanced patching, I found many enterprises still use Shavlik or similar third-party tools. Why not allow Shavlik to create their products for Apple Macintosh and Apple server products?

    It doesn’t seem like these things would be hard to do. The question is if Apple cares enough to do it. Is the demand really there?
