An engineer at one of my customers paused Search today but couldn't resume it. Every time he tried to resume it, Search returned a timeout error. Troubleshooting Search in SharePoint is not something you like to do, especially since the new Search platform in SharePoint 2013 is quite complicated. It took me an hour to figure out.
I looked through the ULS Viewer while resuming the Search Service Application. I monitored the machine hosting the Administration component, because that component contains the Search topology. Everything looked fine (synchronizing the Search service instance, looking around the topology…) until I noticed the following information in the ULS log.
Failed to Cleanup Orphan Systems. Will retry again later. Exception : System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA256Managed..ctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object args)
at Microsoft.Office.Server.Search.Administration.Topology.SearchTopologyUtils.GenerateSystemName(String searchAppName)
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at Microsoft.Office.Server.Search.Administration.Topology.SearchTopologyUtils.CleanupOrphanSystem(SearchServiceInstance searchServiceInstance)
In fact, SharePoint 2010 and 2013 do not work with FIPS. There is no official information for 2013, but this article is applicable to SharePoint 2013.
SharePoint Server 2010 uses several Windows encryption algorithms for computing hash values that do not comply with Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules. These algorithms are not used for security purposes; they are used for internal processing. For example, SharePoint Server 2010 uses MD5 to create hash values that are used as unique identifiers. Because SharePoint Server 2010 uses these algorithms, it does not support the Windows security policy setting that requires FIPS compliant algorithms for encryption and hashing.
In Windows Server, there is a local security policy named “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. I checked the machine and saw that the policy was enabled. I disabled the policy, ran gpupdate /force to make the policy change take effect, restarted the Search Host Controller service (the core service of Search), and then resumed the Search Service Application.
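To confirm on a given server that this policy is what breaks the call in the stack trace, the following check reads the policy state and tries the same SHA256Managed constructor. It is an added example, not part of the original post or of SharePoint; the function name Get-FipsPolicyState is hypothetical, and it assumes PowerShell 3.0 or later on .NET Framework 4.x.

```powershell
# Added diagnostic example; Get-FipsPolicyState is a hypothetical helper name.
function Get-FipsPolicyState {
    # Registry value behind the "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing" policy.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = $null
    try {
        $enabled = (Get-ItemProperty -Path $keyPath -Name Enabled -ErrorAction Stop).Enabled
    } catch {
        # Key or value not present: leave $enabled as $null (not configured).
    }

    # What the .NET runtime loaded in this process reports.
    $netFipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Same constructor that fails in the ULS stack trace.
    # Note: on .NET Framework 4.8 and later the managed classes no longer throw
    # under FIPS mode, so success here on a newer runtime does not by itself
    # mean the policy is off; rely on the first two fields as well.
    $managedError = $null
    try {
        $sha = New-Object System.Security.Cryptography.SHA256Managed
        $sha.Clear()
    } catch {
        $managedError = $_.Exception.GetBaseException().Message
    }

    # The CryptoAPI-backed SHA-256 class, for contrast with the managed one.
    $cspError = $null
    try {
        $csp = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
        $csp.Clear()
    } catch {
        $cspError = $_.Exception.GetBaseException().Message
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        RegistryEnabled        = $enabled        # 1 = policy on, 0 = off, $null = not set
        DotNetFipsOnly         = $netFipsOnly
        SHA256ManagedError     = $managedError   # $null means the constructor succeeded
        SHA256CspError         = $cspError
    }
}

Get-FipsPolicyState | Format-List
```

If RegistryEnabled returns to 1 after gpupdate, the setting is being applied by a domain Group Policy rather than the local policy, and it has to be changed there.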