Solve On-Premises 8.7 FIP Connection Error
    Article Summary

    Version 8.7 introduces changes that can cause Solve On-Premises (SOP) to fail when FIPS is re-enabled. If you experience this issue, read the following article to learn how to enable FIPS for IIS and restore SOP functionality.

    Problem

    After you install COP and SOP version 8.7, you receive the following error when you try to access Solve:

    [Screenshot: error displayed when accessing Solve]

    From Monitors in Settings, you can see the following error:

    Solve connection failed. Please check if the required port (443) is open and proxy settings are configured correctly

    In the UserManagementService.log under the path C:\Program Files\ControlUp Inc\ControlUp Server\WebApps\UserManagementService\8_WS, you can see the following log entry:

    2023-03-02 11:44:57,971|28| (null)|Un:(null)|(null)|3968|3/2/2023 11:37:01 AM|ERROR|AesHandler FAILED to encrypt data. | System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
       at System.Security.Cryptography.RijndaelManaged..ctor()
       at SmartX.UMPrivateCloud.ServerLib.AesHandler.Encrypt(String dataToEnc, Byte[] key, Byte[] iv)
    

    Solution

    If you encounter the issue described above, perform the following steps:

    1. From Monitors in Settings, right-click on the Site/Monitor column and click Stop all Monitors.
    2. Close all ControlUp consoles.
    3. Launch the Command Prompt on the COP Server as an administrator and run the following command:
      IISRESET /stop
      
    4. Open Services and stop the ControlUp LDAP Directory Service (ControlUp-LDS) and ControlUp Incidents Service.
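    5. Create a configuration file named "noFipsWeb.config" under the path C:\inetpub\AppPoolClrConfig. If the folder does not exist, create it. The file turns off the .NET runtime's FIPS policy enforcement for the App Pools that load it, so the RijndaelManaged call shown in the log no longer throws. Copy and paste the following content to the file: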
      <configuration>
        <runtime>
          <enforceFIPSPolicy enabled="false" />
        </runtime>
      </configuration>
      
    6. Grant read permissions on the "noFipsWeb.config" file to the App Pool identities. In the first command, replace the text <DOMAIN\USERNAME> with your organization's domain and LDS Service username, then run all of the following commands together on the COP Server:
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "DOMAIN\USERNAME":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\8_WS.Pool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\ConfigurationPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\DefaultAppPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\HandshakePool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\IncidentsReporterPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\IncidentsViewerPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\InstructionsPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\MasterPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\RealTimeStatsPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\SBAPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\UploaderPool":(R)
      
    Tip

    If your organization has a separate user for SQL, add a second line below the first line, and replace the text <DOMAIN\USERNAME> on the second line with your organization's domain and the user's username.

    7. To load the configuration file, set the CLRConfigFile property of each App Pool by running all of the following commands together on the COP Server:
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='8_WS.Pool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='8_WS.Pool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='ConfigurationPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='ConfigurationPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='DefaultAppPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='DefaultAppPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='HandshakePool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='HandshakePool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsReporterPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsReporterPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsViewerPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsViewerPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='InstructionsPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='InstructionsPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='MasterPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='MasterPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='RealTimeStatsPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='RealTimeStatsPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='SBAPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='SBAPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='UploaderPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='UploaderPool'].managedRuntimeLoader:""  /commit:apphost
      
    8. Open Computer Management and add the ControlUp-LDS service account to the IIS_IUSRS local user group in the COP Server. If the SQL Service account differs from LDS, add both service accounts to the group.
    9. Open Services and start ControlUp-LDS and ControlUp Incidents Service. Reset IIS by running the following command:
      iisreset
      
    10. Open a ControlUp console. From Monitors in Settings, right-click on the Site/Monitor column and click Start all Monitors. Open SOP to confirm restored functionality.

    Tip

    If you don't have permission to access Solve, read Solve On-Premises: Replace Certificate.
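
    Because the procedure exempts specific App Pools from FIPS enforcement, it is worth confirming afterwards that the exemption landed on exactly those pools. The following read-only PowerShell audit is an added example, not ControlUp tooling; it assumes the default IIS location of applicationHost.config, and the status labels (OK, MISSING, UNEXPECTED) are illustrative.

```powershell
# Added audit example (read-only). Run in an elevated 64-bit PowerShell on the COP Server.
$ConfigFile = 'C:\inetpub\AppPoolClrConfig\noFipsWeb.config'
# Assumption: IIS default location of applicationHost.config.
$AppHost = "$env:windir\System32\inetsrv\config\applicationHost.config"
# Pool names copied from the article's icacls/appcmd commands.
$Pools = '8_WS.Pool','ConfigurationPool','DefaultAppPool','HandshakePool',
         'IncidentsReporterPool','IncidentsViewerPool','InstructionsPool',
         'MasterPool','RealTimeStatsPool','SBAPool','UploaderPool'
$Rights = [System.Security.AccessControl.FileSystemRights]

# 1. Machine-wide FIPS policy (1 = enabled).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
Write-Output "System FIPS policy Enabled = $((Get-ItemProperty -Path $fipsKey).Enabled)"

# 2. The override file should contain the enforceFIPSPolicy element from step 5.
$override = [xml](Get-Content -LiteralPath $ConfigFile -Raw)
$enforce = $override.configuration.runtime.enforceFIPSPolicy.enabled
Write-Output "enforceFIPSPolicy enabled = '$enforce' (step 5 sets 'false')"

# 3. ACL review. A pool without an explicit ACE may still read the file through a
#    group; anyone with write access can change runtime settings for every pool.
$allow = (Get-Acl -LiteralPath $ConfigFile).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' }
$readers = @($allow | Where-Object { $_.FileSystemRights -band $Rights::ReadData } |
    ForEach-Object { $_.IdentityReference.Value })
$writers = @($allow | Where-Object { $_.FileSystemRights -band $Rights::WriteData } |
    ForEach-Object { $_.IdentityReference.Value })
foreach ($p in $Pools) {
    if ($readers -notcontains "IIS APPPOOL\$p") { Write-Output "No explicit read ACE: IIS APPPOOL\$p" }
}
Write-Output "Write access (review): $(($writers | Sort-Object -Unique) -join ', ')"

# 4. Which App Pools actually load the override?
$apphostXml = [xml](Get-Content -LiteralPath $AppHost -Raw)
$poolNodes = $apphostXml.SelectNodes('/configuration/system.applicationHost/applicationPools/add')
$report = foreach ($node in $poolNodes) {
    $name = $node.GetAttribute('name')
    $clr = $node.GetAttribute('CLRConfigFile')      # empty string when not set
    $expected = $Pools -contains $name
    $usesOverride = $clr -eq $ConfigFile            # -eq is case-insensitive
    $status = '-'
    if ($expected -and $usesOverride) { $status = 'OK' }
    elseif ($expected) { $status = 'MISSING' }
    elseif ($usesOverride) { $status = 'UNEXPECTED' }
    [pscustomobject]@{ Pool = $name; CLRConfigFile = $clr; Status = $status }
}
$report | Format-Table -AutoSize
```

    A pool reported as UNEXPECTED loads the override without being in the article's list; a pool reported as MISSING is still subject to FIPS enforcement.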

