UNSOLVED Problems with FOG client and FIPS validation


  • Fog Version: 1.5.0-RC-9
    Fog Client Version: 0.11.12
    Server: Ubuntu Server 16.04.3 LTS

    We recently used GPO to force all our computers to require FIPS compliant encryption suites whenever using encryption to communicate (this is a requirement for PCI compliance). Unfortunately, this seems to have broken the FOG Client. Here are the relevant log entries:

    ----------------------------------------------------------------
    ----------------------------------UserTracker-------------------
    ----------------------------------------------------------------
     11/4/2017 5:27 PM Client-Info Client Version: 0.11.12
     11/4/2017 5:27 PM Client-Info Client OS:      Windows
     11/4/2017 5:27 PM Client-Info Server Version: 1.5.0-RC-9
     [...extraneous lines snipped...]
     11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&configure&newService&json
     11/4/2017 5:29 PM Middleware::Response Success
     11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&mac=40:8D:5C:D5:08:9B&newService&json
     11/4/2017 5:29 PM Data::AES ERROR: Could not decrypt AES
     11/4/2017 5:29 PM Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
    

    I don’t suppose anyone else has run into this issue and has any workarounds?
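As an added diagnostic that is not part of the original thread or of the FOG client: the error text in the log above is the message .NET Framework raises when a crypto class outside the Windows FIPS-validated set is constructed while the FIPS policy is on. The script below, written for Windows PowerShell 5.1, reports the policy state and probes which AES classes still instantiate on the affected machine; it makes no assumption about which class the client itself uses.

```powershell
# Added diagnostic, not FOG code. Run in Windows PowerShell 5.1 (.NET Framework);
# PowerShell 7 / .NET Core does not apply this per-class FIPS check.
Add-Type -AssemblyName System.Core   # AesManaged, AesCryptoServiceProvider, AesCng

# 1. Policy value written by the security option
#    "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$reg = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

# 2. What the .NET runtime in this process will enforce
$runtime = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

"Registry FipsAlgorithmPolicy\Enabled : $reg"
"CryptoConfig.AllowOnlyFipsAlgorithms : $runtime"

# 3. Try to construct each AES implementation and record the outcome.
#    Under an enforced policy the fully managed classes are expected to throw
#    InvalidOperationException; the CAPI/CNG-backed ones should succeed.
$candidates = @(
    'System.Security.Cryptography.RijndaelManaged',
    'System.Security.Cryptography.AesManaged',
    'System.Security.Cryptography.AesCryptoServiceProvider',
    'System.Security.Cryptography.AesCng'        # needs .NET Framework 4.6.2+
)

$results = foreach ($name in $candidates) {
    $row = [pscustomobject]@{ Type = $name; Usable = $false; Detail = '' }
    try {
        $alg = New-Object -TypeName $name -ErrorAction Stop
        $row.Usable = $true
        $row.Detail = "KeySize=$($alg.KeySize)"
        $alg.Dispose()
    } catch {
        # New-Object wraps constructor failures; unwrap to the root cause.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $row.Detail = "$($inner.GetType().Name): $($inner.Message)"
    }
    $row
}

$results | Format-Table -AutoSize -Wrap
```

Running it before and after the GPO applies shows whether the failure follows the policy or the installed client build.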

  • Senior Developer

    @Brian-David alright, thanks for testing. This will require a bit more work than I was hoping for it seems.


  • @joe-schmitt Followed your instructions, but unfortunately I am getting the same FIPS error when the client tries to authenticate:

    11/15/2017 8:44 AM Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
    
  • Senior Developer

    @Brian-David thanks for the logs, could you try installing a new nightly build? Steps are as follows:

    1. Uninstall the client on a computer
    2. Under the computer’s host page in the fog dashboard, hit Reset Encryption Data
    3. Download and run: https://build.jbob.io/Client/nightly/11-13-2017-pci-compliance-01/SmartInstaller.exe
    4. Restart the computer

    It will likely still fail, but it should be a step in the right direction.


  • @joe-schmitt I followed your instructions, but the FOG Service won’t start after the .dll file is replaced. There were two relevant errors in the event log.

    First:

    Log Name:      Application
    Source:        .NET Runtime
    Date:          11/6/2017 8:24:03 AM
    Event ID:      1026
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:     xxx
    Description:
    Application: FOGService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.IO.FileLoadException
       at Zazzles.Settings..cctor()
    
    Exception Info: System.TypeInitializationException
       at Zazzles.Settings.get_Location()
       at FOG.Program.Main()
    
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name=".NET Runtime" />
        <EventID Qualifiers="0">1026</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-06T14:24:03.000000000Z" />
        <EventRecordID>4459</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Application: FOGService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.IO.FileLoadException
       at Zazzles.Settings..cctor()
    
    Exception Info: System.TypeInitializationException
       at Zazzles.Settings.get_Location()
       at FOG.Program.Main()
    
    </Data>
      </EventData>
    </Event>
    

    Second:

    Log Name:      Application
    Source:        Application Error
    Date:          11/6/2017 8:24:18 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxx
    Description:
    Faulting application name: FOGService.exe, version: 0.0.0.0, time stamp: 0x58f267cf
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f32841
    Exception code: 0xe0434352
    Fault offset: 0x00015608
    Faulting process id: 0xa6c
    Faulting application start time: 0x01d3570ae56270de
    Faulting application path: C:\Program Files (x86)\FOG\FOGService.exe
    Faulting module path: C:\Windows\SYSTEM32\KERNELBASE.dll
    Report Id: 2c30df72-c2fe-11e7-8288-408d5cd5089b
    Faulting package full name: 
    Faulting package-relative application ID: 
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-06T14:24:18.000000000Z" />
        <EventRecordID>4460</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>FOGService.exe</Data>
        <Data>0.0.0.0</Data>
        <Data>58f267cf</Data>
        <Data>KERNELBASE.dll</Data>
        <Data>6.3.9600.18666</Data>
        <Data>58f32841</Data>
        <Data>e0434352</Data>
        <Data>00015608</Data>
        <Data>a6c</Data>
        <Data>01d3570ae56270de</Data>
        <Data>C:\Program Files (x86)\FOG\FOGService.exe</Data>
        <Data>C:\Windows\SYSTEM32\KERNELBASE.dll</Data>
        <Data>2c30df72-c2fe-11e7-8288-408d5cd5089b</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
    
  • Senior Developer

    @Brian-David could you test this build https://build.jbob.io/Zazzles/nightly/PCI-Compliance-01/Zazzles.dll

    To test:

    • stop the client: net stop fogservice
    • replace C:\Program Files (x86)\FOG\Zazzles.dll with the file I linked to
    • start the client: net start fogservice

    And then monitor the client logs / behavior for any more issues.


  • @joe-schmitt Okay, sounds good. I’ll keep an eye out on future updates and I appreciate the work you do.


  • @Joe-Schmitt You better take a look at this one.
