Problems with FOG client and FIPS validation
-
Fog Version: 1.5.0-RC-9
Fog Client Version: 0.11.12
Server: Ubuntu Server 16.04.3 LTS
We recently used GPO to force all our computers to require FIPS compliant encryption suites whenever using encryption to communicate (this is a requirement for PCI compliance). Unfortunately, this seems to have broken the FOG Client. Here are the relevant log entries:
----------------------------------------------------------------
----------------------------------UserTracker-------------------
----------------------------------------------------------------
11/4/2017 5:27 PM Client-Info Client Version: 0.11.12
11/4/2017 5:27 PM Client-Info Client OS: Windows
11/4/2017 5:27 PM Client-Info Server Version: 1.5.0-RC-9
[...extraneous lines snipped...]
11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&configure&newService&json
11/4/2017 5:29 PM Middleware::Response Success
11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&mac=40:8D:5C:D5:08:9B&newService&json
11/4/2017 5:29 PM Data::AES ERROR: Could not decrypt AES
11/4/2017 5:29 PM Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
I don’t suppose anyone else has run into this issue and has any workarounds?
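As an added example (not part of the original posts and not FOG project code): a small Python triage script that scans a client log in the format quoted above for the FIPS policy error and reports which request and host MAC it followed. The function names and the entry layout (`date time AM/PM module message`) are assumptions inferred from the excerpt.

```python
import re
from datetime import datetime

# Lines copied from the log excerpt in the first post; used as offline sample input.
SAMPLE_LOG = """\
----------------------------------UserTracker-------------------
11/4/2017 5:27 PM Client-Info Client Version: 0.11.12
11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&configure&newService&json
11/4/2017 5:29 PM Middleware::Response Success
11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&mac=40:8D:5C:D5:08:9B&newService&json
11/4/2017 5:29 PM Data::AES ERROR: Could not decrypt AES
11/4/2017 5:29 PM Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
"""

# Assumed entry layout, inferred from the excerpt: "<date> <time> <AM|PM> <module> <message>"
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (\S+) (.*)$")
FIPS_MARKER = "not part of the Windows Platform FIPS validated cryptographic algorithms"
MAC_RE = re.compile(r"[?&]mac=([0-9A-Fa-f:]{17})")

def parse_line(line):
    """Return (timestamp, module, message), or None for banners and blank lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M %p"), m.group(2), m.group(3)

def find_fips_failures(log_text):
    """One finding per FIPS-policy error, tied to the last request logged before it."""
    findings, version, last_url = [], None, None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, module, msg = parsed
        if module == "Client-Info" and msg.startswith("Client Version:"):
            version = msg.split(":", 1)[1].strip()
        elif module == "Middleware::Communication" and msg.startswith("URL:"):
            last_url = msg[len("URL:"):].strip()
        elif FIPS_MARKER in msg:
            mac = MAC_RE.search(last_url or "")
            findings.append({"time": ts, "module": module, "client_version": version,
                             "host_mac": mac.group(1) if mac else None, "request": last_url})
    return findings

if __name__ == "__main__":
    for f in find_fips_failures(SAMPLE_LOG):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['module']} v{f['client_version']} mac={f['host_mac']}")
```

Run over logs collected from several machines, the `host_mac` and `client_version` fields give an inventory of which clients are failing under the FIPS policy and on which client build.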
-
@Joe-Schmitt You better take a look at this one.
-
@joe-schmitt Okay, sounds good. I’ll keep an eye out on future updates and I appreciate the work you do.
-
@Brian-David could you test this build https://build.jbob.io/Zazzles/nightly/PCI-Compliance-01/Zazzles.dll
To test:
- stop the client: net stop fogservice
- replace C:\Program Files (x86)\FOG\Zazzles.dll with the file I linked to
- start the client: net start fogservice
And then monitor the client logs / behavior for any more issues.
-
@joe-schmitt I followed your instructions, but the FOG Service won’t start after the .dll file is replaced. There were two relevant errors in the event log.
First:
Log Name: Application
Source: .NET Runtime
Date: 11/6/2017 8:24:03 AM
Event ID: 1026
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxx
Description:
Application: FOGService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileLoadException
   at Zazzles.Settings..cctor()
Exception Info: System.TypeInitializationException
   at Zazzles.Settings.get_Location()
   at FOG.Program.Main()
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name=".NET Runtime" />
    <EventID Qualifiers="0">1026</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-11-06T14:24:03.000000000Z" />
    <EventRecordID>4459</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Application: FOGService.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.IO.FileLoadException at Zazzles.Settings..cctor() Exception Info: System.TypeInitializationException at Zazzles.Settings.get_Location() at FOG.Program.Main() </Data>
  </EventData>
</Event>
Second:
Log Name: Application
Source: Application Error
Date: 11/6/2017 8:24:18 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: xxx
Description:
Faulting application name: FOGService.exe, version: 0.0.0.0, time stamp: 0x58f267cf
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f32841
Exception code: 0xe0434352
Fault offset: 0x00015608
Faulting process id: 0xa6c
Faulting application start time: 0x01d3570ae56270de
Faulting application path: C:\Program Files (x86)\FOG\FOGService.exe
Faulting module path: C:\Windows\SYSTEM32\KERNELBASE.dll
Report Id: 2c30df72-c2fe-11e7-8288-408d5cd5089b
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-11-06T14:24:18.000000000Z" />
    <EventRecordID>4460</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>FOGService.exe</Data>
    <Data>0.0.0.0</Data>
    <Data>58f267cf</Data>
    <Data>KERNELBASE.dll</Data>
    <Data>6.3.9600.18666</Data>
    <Data>58f32841</Data>
    <Data>e0434352</Data>
    <Data>00015608</Data>
    <Data>a6c</Data>
    <Data>01d3570ae56270de</Data>
    <Data>C:\Program Files (x86)\FOG\FOGService.exe</Data>
    <Data>C:\Windows\SYSTEM32\KERNELBASE.dll</Data>
    <Data>2c30df72-c2fe-11e7-8288-408d5cd5089b</Data>
    <Data> </Data>
    <Data> </Data>
  </EventData>
</Event>
-
@Brian-David thanks for the logs, could you try installing a new nightly build? Steps are as follows:
- Uninstall the client on a computer
- Under the computer’s host page in the fog dashboard, hit Reset Encryption Data
- Download and run: https://build.jbob.io/Client/nightly/11-13-2017-pci-compliance-01/SmartInstaller.exe
- Restart the computer
It will likely still fail, but it should be a step in the right direction.
-
@joe-schmitt Followed your instructions, but unfortunately I am getting the same FIPS error when the client tries to authenticate:
11/15/2017 8:44 AM Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
-
@Brian-David alright, thanks for testing. This will require a bit more work than I was hoping for it seems.
-