SIM and SMP FIPS Support

Article:HOWTO83486  |  Created: 2013-02-01  |  Updated: 2014-04-22  |  Article URL http://www.symantec.com/docs/HOWTO83486
Article Type
How To


Subject


Question:
Do SIM (Symantec Installation Manager) and SMP (Symantec Management Platform) support FIPS ( Federal Information Processing Standard) enabled? 

Answer:

The short answer is SIM and SMP products cannot be installed or run when FIPS enforcement is turned on in Windows.

Symantec SMP version 7.1 requires the Microsoft .NET 3.5.1 framework and Windows Server 2008 R2 to install and run. Whenever .NET 3.5.1 is running on a Windows 7 or Windows 2008 R2 environment and the System cryptography setting is enabled to use FIPS compliant algorithms for encryption, hashing and signing the application is unable to install or launch. This issue occurs because the ScriptResourceHandlerclass that is included in the System.Web.Extensions.dll file is not compliant with the United States Federal Information Processing Standard (FIPS).
For additional information please see the following Microsoft Knowledgebase article:

Problem Resolution
With the release of SIM 7.5.92, SIM detects this setting and warns the user.

In order to resolve this, the following 2 registry settings must be set to a value of 0 to disable system cryptography:
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
 
If the above registry entries are not set to 0 then it will not be possible to perform an installation of Symantec Management Platform (SMP) version 7.1 or third party Microsoft tools required by Symantec such as the Access Runtimeengine 2010 and others. If this setting is enabled subsequent to the SMP installation then the SMP services will be unable to start. 
This setting also affects applications outside of Symantec software. As an example, this registry setting also prevents the latest version of Microsoft Sharepoint 2010 from running. Please see the following URL http://technet.microsoft.com/en-us/library/cc263215(v=office.14).aspx
 
Microsoft does provide a hotfix to resolve this, but Engineering effort is needed on the SMP to accommodate this hotfix. Given the effort needed for this and additional features that are being added to the product creating a resolution for this hotfix in the current version is not possible. Symantec plans to address this issue along with any others related to this setting in a future release after the SMP version 7.5 product is released. Currently targeted timeframe for 7.5 is during the 2nd Calendar Quarter of 2013.
 
 
Note: Please refer to the following KBs in case the change mentioned above doesn't work:
TECH159352 "Error: Symantec Installation Manager failed to initialize. See log for details"
TECH126936 "Getting "Fatal exception" error when running Symantec Installation Manager"

 




Article URL http://www.symantec.com/docs/HOWTO83486


Terms of use for this information are found in Legal Notices