Cannot access web server after enabling FIPS compliant cryptography

Jener Silva

I have a Windows 2003 Enterprise server hosting my web service and it has
the System cryptography set to run in FIPS compliant mode.
When I try to run my asp.net application, which resides on another 2003
server, I get an exception:

The underlying connection was closed: Could not establish secure channel for
SSL/TLS.

If we disable FIPS compliant cryptography, the application works fine.
Those servers are within the same network, there is no firewall between
them.

When I try to add a web reference to a new asp.net project, VS.NET 2003
shows the initial page in the wizard, but the button to add the reference is
disabled and a message shows up that says:

There was an error downloading 'https://servername/webservice.asmx'.

The underlying connection was closed: Could not establish secure channel for
SSL/TLS.

Can anyone tell me what's wrong?
Thanks.
 
[MSFT]

Can you browse an HTML page or ASP.NET web page on the Windows 2003 Server
after enabling FIPS compliant cryptography, for example, from your
application server?

Luke
 
[MSFT]

I suggest you test the web service with a WinForm app first. I suspect
the problem may be that the account your ASP.NET app uses cannot
access the client certificates or the certificate has been installed well.

Luke
 
Jener Silva

I created a WinForm application and added a web reference to the web
service.
To do that I had to disable FIPS compliant cryptography on the server.
The WinForm application behaves just like the ASP.NET application: the
service can be called if the web server is not operating in FIPS mode.
When I enable FIPS compliant cryptography, I get the same exception:

The underlying connection was closed: Could not establish secure channel for
SSL/TLS.
 
Chris Botha

I'm not familiar with FIPS, but can tell you that if IE prompts you to
accept the certificate, for example if it is a test certificate, etc, then
you will have this problem. In this case write a class that implements the
ICertificatePolicy interface. Give it a shot in any case. For an example,
have a look at
http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx
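
An added example, not part of the post above or of the linked blog entry: a policy class that logs what the certificate check reports while still rejecting any certificate that has a problem, so it can be used for diagnosis without turning validation off. The class names and the command-line handling are assumptions; the default URL is the placeholder from the original question.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic policy: records each certificate check and
// accepts only certificates that validated without any problem.
public class LoggingCertificatePolicy : ICertificatePolicy
{
    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        string subject = (certificate == null) ? "(none)" : certificate.GetName();
        string expires = (certificate == null)
            ? "(n/a)" : certificate.GetExpirationDateString();

        Console.Error.WriteLine("Certificate check for {0}", request.RequestUri);
        Console.Error.WriteLine("  subject : {0}", subject);
        Console.Error.WriteLine("  expires : {0}", expires);
        Console.Error.WriteLine("  problem : 0x{0}", certificateProblem.ToString("X8"));

        // Never widen trust here: a non-zero problem code stays a failure.
        return certificateProblem == 0;
    }
}

public class Probe
{
    public static void Main(string[] args)
    {
        // Placeholder URL taken from the question; pass the real one as an argument.
        string url = (args.Length > 0) ? args[0] : "https://servername/webservice.asmx";

        ServicePointManager.CertificatePolicy = new LoggingCertificatePolicy();
        try
        {
            WebResponse response = WebRequest.Create(url).GetResponse();
            Console.Error.WriteLine("Request succeeded.");
            response.Close();
        }
        catch (WebException ex)
        {
            // WebExceptionStatus has separate values for TrustFailure and
            // SecureChannelFailure, so the status narrows down the failure.
            Console.Error.WriteLine("{0}: {1}", ex.Status, ex.Message);
        }
    }
}
```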
 
Jener Silva

No, IE does not prompt me to accept the certificate.
There is nothing wrong with the certificate.
The web service works fine if I disable FIPS cryptography in the Local
Security Policy of the server.
 
Chris Botha

Sorry, as I said, I am not familiar with FIPS, but know that the
ICertificatePolicy works when regular certificates cause problems. Give it a
shot and see if it works.
 
