EnforceFilePermissions.psm1 computes hashes with MD5, which is not permitted when the FIPS security setting is enabled in Windows. This causes the MID Server Issue error 'This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms'.
This script implements the "File permission access" feature mentioned in the Orlando MID Server release notes.
The script's purpose is to lock down the folder permissions of the "agent" folder and its sub-folders to just:
- Builtin/Administrators (local Administrators)
- if applicable, the specific user running the MID Server Windows service ("Log on as" user)
Steps to Reproduce
- Install a MID Server on a Windows Server with FIPS enabled
- Check the MID Server Issues table for the MID Server, and you will see this error:
An unexpected error occurred: Exception calling "Create" with "1" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At C:\ServiceNow\Prod_Disco_MID\agent\bin\scripts\EnforceFilePermissions.psm1:365 char:5
+ $algorithm = [System.Security.Cryptography.HashAlgorithm]::Create('MD5')
+ CategoryInfo : NotSpecified: (:) , MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
You cannot call a method on a null-valued expression.
At C:\ServiceNow\Prod_Disco_MID\agent\bin\scripts\EnforceFilePermissions.psm1:368 char:5
+ $algorithm.ComputeHash($bytes) |
+ CategoryInfo : InvalidOperation: (:) , RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this form to be notified when more information becomes available.
As a workaround, you can avoid this issue by using SHA1 instead of MD5 for building the hashes.
Follow the steps below to enable SHA1 for hashing:
- Log in to the MID Server host
- Stop the MID Server service
- Go to the MID Server agent > bin > scripts folder.
- Open the EnforceFilePermissions.psm1 PowerShell module file and find the line below in the script (it should be around line 365):
$algorithm = [System.Security.Cryptography.HashAlgorithm]::Create('MD5')
- Replace the above line with the following:
$algorithm = [System.Security.Cryptography.HashAlgorithm]::Create('SHA1')
- Save the file and restart the MID Server service
Note: This error should only prevent the file system permission enforcement from happening; it should not prevent the MID Server from working properly.
The workaround is temporary: this file is bundled with the MID Server and not synced from the instance, so it is overwritten during the next upgrade or patch, and the change will need to be re-applied.
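A check that can be run in Windows PowerShell on the MID Server host, for example after an upgrade or patch, to see whether the FIPS policy is active and which algorithm the module currently requests. This is an added example, not ServiceNow code: the function name Test-MidFipsHashWorkaround is hypothetical, the agent path is the one from the error output above and will differ per install, and the pattern assumes the Create('...') line has the form shown above.

```powershell
# Added example (not part of the MID Server distribution).
# Reports FIPS state, which hash algorithms .NET will create, and which
# algorithm name EnforceFilePermissions.psm1 currently passes to Create().
function Test-MidFipsHashWorkaround {
    param(
        # Assumption: path to the MID Server "agent" folder; adjust per install.
        [Parameter(Mandatory)] [string] $AgentPath
    )

    $module = Join-Path $AgentPath 'bin\scripts\EnforceFilePermissions.psm1'

    # FIPS policy as .NET sees it; this is the switch that triggers the error.
    $fips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Create each algorithm the same way the module does and record the result.
    $usable = @{}
    foreach ($name in 'MD5', 'SHA1') {
        try {
            $alg = [System.Security.Cryptography.HashAlgorithm]::Create($name)
            $usable[$name] = ($null -ne $alg)
            if ($alg) { $alg.Dispose() }
        } catch {
            # Under FIPS policy, Create('MD5') throws InvalidOperationException.
            $usable[$name] = $false
        }
    }

    # Find the algorithm name the module file currently requests, if any.
    $configured = $null
    if (Test-Path -LiteralPath $module) {
        $hit = Select-String -LiteralPath $module `
            -Pattern "HashAlgorithm\]::Create\('([^']+)'\)" |
            Select-Object -First 1
        if ($hit) { $configured = $hit.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{
        ModulePath        = $module
        FipsPolicyEnabled = $fips
        MD5Usable         = $usable['MD5']
        SHA1Usable        = $usable['SHA1']
        ModuleAlgorithm   = $configured
        # True when the host enforces FIPS and the module still asks for MD5.
        NeedsWorkaround   = ($fips -and $configured -eq 'MD5')
    }
}

Test-MidFipsHashWorkaround -AgentPath 'C:\ServiceNow\Prod_Disco_MID\agent'
```

A result with NeedsWorkaround set to True means the file has the MD5 line and the steps above need to be applied again.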
Related Problem: PRB1383368