KB14970 - Why does smart card authentication fail when FIPS mode is enabled?

What does the Odyssey Access Client (OAC) log message “Cryptographic Provider was not specified as FIPS compliant” mean?

When FIPS Mode is enabled OAC ensures that all certificate based authentications are handled with the use of a FIPS compliant Cryptographic Service Provider (CSP). OAC does this by checking the CSP being used against a list of FIPS compliant providers.  If the CSP in use is not in OAC's list of compliant providers, OAC will fail the authentication and insert an error similar to the one below into the debug log.

Example from a level 5 OAC debug log:

Cryptographic Provider "accsp.dll" version "v3, 0, 0, 0" was not specified as FIPS compliant.

Note: Log level 5 is required to see the error message.

 

To resolve the issue, choose one of the following two solutions:

Solution 1 (more secure):

The list of compliant Cryptographic Service Providers is located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software,Inc.\Odyssey\client\configuration\fipsCompliance\providers

To add a new CSP to the list:

1. First create a new key with the CSP as the name. Using the CSP from our log example the new key would be "accsp.dll".
2. Under the new key create a string value. The name of the string value would be the version of the CSP noted in the log message. Continuing with our example the name of the string value would be "v3, 0, 0, 0". Note that no data value is required.

Solution 2 (less secure)

In the HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\Odyssey\client\configuration\fipsCompliance set the allProviders registry value to 1.  Setting “allProviders” to 1 forces OAC to assume that all CSPs are FIPS compliant.

Note: Both solutions involve making changes to “HKLM\Software\Funk Software”. These keys are included when an OAC Custom MSI or Settings Update file is created allowing an administrator to apply these changes during install.