How to disable fips in asp .net

前端未结

关注

 1  1717

I want to disalbe fips in asp .net x64 application. In web.config I added


                      
              相关标签:


      
      
        
          1条回答        

        
                         				            
            
           
            
                              
                
              
              
                
                  萌比男神i        
                
              
                            
                2021-01-13 22:55
              
            
            
                                                                       
Solution only works for IIS >= 7.5

It doesn't look like IIS allows you to manipulate this setting through a web application's web.config. One work-around is to create a dedicated App Pool (or multiple), and configure the App Pool's CLR with FIPS enforcement disabled.  IIS 7.5 introduced a CLRConfigFile property that you can use to specify an App Pool's .NET configuration file. This gives us more granular control over which applications the configuration impacts - instead of the shotgun approach where we disable it in machine.config or the group policy setting.

1.Create a configuration file, c:\inetpub\AppPoolClrConfig\noFipsWeb.config, with the following content (the location and name of the file is immaterial):

<configuration>
    <runtime>
        <enforceFIPSPolicy enabled = "false" />
    </runtime> 
</configuration>


2.Grant read permissions on the file to the identity under which the App Pool runs:

icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\YourAppPoolName":(R)


3.Configure the App Pool to load this config file by setting the pool's CLRConfigFile property:

cmd:

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools/[name='{AppPoolName}'].CLRConfigFile:"{FilePath}"  /commit:apphost


sample:

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost


Due to a bug in IIS 7.5, we need to also clear the managedRuntimeLoader property or else the CLRConfigFile will be ignored:

%windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].managedRuntimeLoader:""  /commit:apphost


4.Restart IIS. Your Asp.NET applications that are using the App Pool above should now be ignoring FIPS.

Credits to:

Scott Forsyth for explaining how to configure an app pool to use a different CLR file than the standard aspnet.config file.

Jose Reyes for documenting the bug in IIS 7.5 that ignored the CLRConfigFile Property
                                                                        
                                                        
            
            
              
                
                0
              
                 
                
               讨论(0)
              
              
                                                   
              
                                                            
            
                      
                    


               
            
    发布评论:
    
         
                        
    
    提交评论 
  
  

                    
                    
                    
                        
                        
                         加载中...
                        
                    
                
          
          	          
                             
        
        
          
            
            
              
              
            
    


                                 
              
            
                          
    

        
         
                验证码
                
                  
                
                
                   看不清?
                
              
                                  
                    
   
                 
             
              提交回复