问题
I want to disalbe fips in asp .net x64 application. In web.config I added
<runtime>
<enforceFIPSPolicy enabled = "false">
</runtime>
I set debug to false.
However my application do not work. Should I declare runtime section in < configSections > ? If yes then is it a proper line
<section name="runtime" type="System.Configuration.IgnoreSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowLocation="false"/>
回答1:
Solution only works for IIS >= 7.5
It doesn't look like IIS allows you to manipulate this setting through a web application's web.config. One work-around is to create a dedicated App Pool (or multiple), and configure the App Pool's CLR with FIPS enforcement disabled. IIS 7.5 introduced a CLRConfigFile property that you can use to specify an App Pool's .NET configuration file. This gives us more granular control over which applications the configuration impacts - instead of the shotgun approach where we disable it in machine.config or the group policy setting.
1.Create a configuration file, c:\inetpub\AppPoolClrConfig\noFipsWeb.config, with the following content (the location and name of the file is immaterial):
<configuration>
<runtime>
<enforceFIPSPolicy enabled = "false" />
</runtime>
</configuration>
2.Grant read permissions on the file to the identity under which the App Pool runs:
icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\YourAppPoolName":(R)
3.Configure the App Pool to load this config file by setting the pool's CLRConfigFile property:
cmd:
%windir%\System32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools/[name='{AppPoolName}'].CLRConfigFile:"{FilePath}" /commit:apphost
sample:
%windir%\System32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config" /commit:apphost
Due to a bug in IIS 7.5, we need to also clear the managedRuntimeLoader property or else the CLRConfigFile will be ignored:
%windir%\System32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools /[name='YourAppPoolName'].managedRuntimeLoader:"" /commit:apphost
4.Restart IIS. Your Asp.NET applications that are using the App Pool above should now be ignoring FIPS.
Credits to:
Scott Forsyth for explaining how to configure an app pool to use a different CLR file than the standard aspnet.config file.
Jose Reyes for documenting the bug in IIS 7.5 that ignored the CLRConfigFile Property
来源:https://stackoverflow.com/questions/3996459/how-to-disable-fips-in-asp-net