Tuesday, 16 December 2014

Exchange 2013 OAB generation and FIPS

Recently, on a new Exchange 2013 platform that is being built, OAB generation (and thus the OAB downloads to the Outlook client) was not working.

Checking Event Viewer, there were a lot of 17004 events stating that the generation of the OAB was failing:

More interestingly, when scrolling through the detail it mentioned FIPS, or 'Federal Information Processing Standard'. You can see in the screenshot below that it states:

"System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms".

After ensuring there were no Group Policy templates applied to the server, I opened the Local Security Policy MMC, went to Local Policies | Security Options and checked the settings:

There I could see FIPS was enabled. Disabling it on all the Mailbox Servers that perform OAB generation resolved the issue (if the servers are in a DAG, disable it on all of them, as the mailbox database will move!), and the Outlook client could then download the OAB.

But what was the issue here?

Well, a look on Bing/Google gave the following Microsoft KB article. It appears the SHA1 hash algorithm used for the OAB file hash is not FIPS compliant, so OAB generation fails. The platform being built is based on Exchange 2013 CU5, as we cannot move to CU6 until that has been planned; hence the error occurred in all Sysprepped images that have FIPS compliance enabled in the local security policies.

This issue is, however, resolved in Exchange Server 2013 CU6, which updates the hash algorithm for OABs, so if you require FIPS compliance ensure you are at least at CU6.
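As an added example (not part of the original post), the following PowerShell script audits a set of Mailbox servers for the combination described above: the FIPS security option switched on, together with OAB generation failures (event ID 17004) whose detail mentions FIPS. The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' security option is backed by the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled, so the script reads that value instead of opening the MMC on each server. The server names are constructed placeholders, and PowerShell remoting (WinRM) to the servers with local administrator rights is assumed.

```powershell
<#
  Added example, not from the original post: audit Exchange 2013 Mailbox
  servers for the FIPS policy that breaks OAB generation before CU6.
  Assumptions: WinRM remoting is enabled on the targets and the caller is a
  local administrator there; the server names are constructed placeholders.
  The security option "System cryptography: Use FIPS compliant algorithms..."
  is stored at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy,
  value Enabled (1 = enforced, 0 or absent = not enforced).
#>
param(
    # In an Exchange Management Shell this list could come from
    # (Get-MailboxServer).Name; placeholders keep the script self-contained.
    [string[]]$Servers = @('MBX01', 'MBX02'),
    # How far back to look for OAB generation failures (event ID 17004).
    [int]$Days = 7
)

$report = foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList $Days -ScriptBlock {
        param([int]$Days)

        # Read the FIPS policy flag; a missing key or value means FIPS is not enforced.
        $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                                 -Name Enabled -ErrorAction SilentlyContinue
        $fipsEnabled = ($null -ne $fips) -and ($fips.Enabled -eq 1)

        # Collect OAB generation failures (event 17004) from the Application log.
        # Wrapping in @() yields an empty array when no events match, so .Count is 0.
        $since  = (Get-Date).AddDays(-$Days)
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 17004; StartTime = $since } `
                                 -ErrorAction SilentlyContinue)

        # Keep only failures whose detail mentions FIPS, the symptom the post describes.
        $fipsEvents = @($events | Where-Object { $_.Message -match 'FIPS' })

        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            FipsEnabled   = $fipsEnabled
            Oab17004Total = $events.Count
            Oab17004Fips  = $fipsEvents.Count
            # True where the policy is on and OAB generation is failing because of it.
            AtRisk        = $fipsEnabled -and ($fipsEvents.Count -gt 0)
        }
    }
}

$report | Sort-Object Server | Format-Table Server, FipsEnabled, Oab17004Total, Oab17004Fips, AtRisk -AutoSize
```

Run it from a machine with remoting rights to the Mailbox servers. Servers flagged AtRisk are the ones the post's fix applies to: either turn the policy off on every DAG member, as the post did, or move to CU6 with its updated OAB hash algorithm if FIPS compliance is required. Checking the registry value on each server also catches the case the post warns about, where one DAG member still has the policy enabled and OAB generation breaks again after a database moves to it.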

It appears that as of 3/12/2014 the health set monitors for Exchange 2013 have been updated to include FIPS. See 'Troubleshooting FIPS Health Set' here.

Oliver Moazzezi - MVP Exchange Server