This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I have successfully configured WAP and ADFS for claims based authentication to the ECP and OWA directories. I am able to successfully log in until I enable "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing." in the mailserver's group policy. FIPS mode is enabled on the WAP and ADFS servers, but when I enable it on the CAS/Mailbox servers, the connection fails.
I receive two errors as follows:
MSExchange Front End HTTP Proxy
EventID 1003
[Ecp] An internal server error occurred. The unhandled exception was: System.ArgumentException: ID6037: Cannot create algorithm with name 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'.
Parameter name: algorithm
at Microsoft.IdentityModel.CryptoUtil.Algorithms.NewDefaultEncryption()
at Microsoft.IdentityModel.Web.RsaEncryptionCookieTransform.Encode(Byte[] value)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.Exchange.Security.Authentication.AdfsSessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.InternalOnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
ASP.NET 4.0.30319.0
EventID 1309
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/18/2021 5:45:48 PM
Event time (UTC): 8/18/2021 9:45:48 PM
Event ID: 714e4414463e446580a2b76abc9ed4b1
Event sequence: 4
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/ecp-1-132737966456709170
Trust level: Full
Application Virtual Path: /ecp
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\
Machine name: EPMX1
Process information:
Process ID: 22544
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: ArgumentException
Exception message: ID6037: Cannot create algorithm with name 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'.
Parameter name: algorithm
at Microsoft.IdentityModel.CryptoUtil.Algorithms.NewDefaultEncryption()
at Microsoft.IdentityModel.Web.RsaEncryptionCookieTransform.Encode(Byte[] value)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.Exchange.Security.Authentication.AdfsSessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.InternalOnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Request information:
Request URL: https://mail.---.com:443/ecp/
Request path: /ecp/
User host address: ---
User: ---
Is authenticated: True
Authentication Type: ADFS
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 17
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at Microsoft.IdentityModel.CryptoUtil.Algorithms.NewDefaultEncryption()
at Microsoft.IdentityModel.Web.RsaEncryptionCookieTransform.Encode(Byte[] value)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.Exchange.Security.Authentication.AdfsSessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.InternalOnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
Based on your description, this issue more related with ADFS and Windows Server. So, I removed the Exchange tag. Thanks for your understanding.
I do not understand. You are telling me that an event 1003 error for the MSExchange Front End HTTP Proxy is not related to Exchange?
From the api documentation for Microsoft.IdentityModel.Web.RsaEncryptionCookieTransform it would seem that the Exchange website is incorrectly transforming my rsa256 claim from ADFS to hmac-sha1. This is a front end proxy issue in the exchange application, not Windows server or ADFS specific.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 62%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
@Anonymous , did you ever find an answer?
If you revert back to Forms based Auth in Exchange, it works in FIPS mode. But when I set Exchange to use ADFS, I get the same error you got. ADFS is already in FIPS mode.
I wonder if it's something with DotNet and FIPs?
MS, any ideas?
Steve
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 49%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
@Anonymous , do you have any solution to the above issue? We are also encountering this.
I just upgraded my ADFS farm to 2019, I will test after maintenance tonight. My thought is to go into the relying party trust and change the algorithm from SHA256 to SHA1 if the issue persists. Have not been allowing extranet access to exchange for a while so I have not needed claims.
We are encountering the similar issues or errors. However, we are not using the ADFS for authentication or any ADFS service. We have our own identify access management which will send a token to exchange. We are only using ADFS certificate. We can't find any certificate that is under SHA1. Our authenticated type : Kerberos instead of ADFS
@Anonymous did you manage to fix the issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 31%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
@Anonymous did you ever find out what was wrong? I am having the same issue, I think it's because we have FIPs enabled on our Exchange servers.