The dreaded FIPS complaint setting

(Ok, a typo in the subject, but it was funny so left it in)

The Technet blogs require registration to comment, and don’t allow me to use my Microsoft Live account to log in, much less openID. I didn’t feel like registering for yet another “community” so I left without commenting.

The ISA Server product team blog at TechNet wrote about a case where the customer "Cannot Browse a HTTPs Site Published by ISA Server 2006 without using TLS 1.0 on Internet Explorer".
I chuckled reading that headline because I've been there before.

When I upgraded to ISA 2004, I installed from scratch and applied a recommended hardening policy. I tested it with my computer using Internet Explorer and Firefox, and went home happy. I couldn’t understand why I received email from my manager reporting that people couldn’t get in.

I figured out relatively quickly that my system had TLS 1.0 enabled and the systems that couldn't access using IE did not. That led me to the FIPS compliant setting in group policy. I actually blogged about this in 2006.
The problem also occurs if you configure that setting on the clients. In January 2008, I also wrote about this setting and the FDCC, and about what a mistake I thought it was to require clients to turn it on.
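When chasing this kind of "works on my machine" TLS failure, the first thing to establish is whether the FIPS policy is on and whether SSL 3.0 / TLS 1.0 are explicitly configured in Schannel on the box in question. The script below is an added example, not something from the original post or from the ISA product team; it reads the registry locations that Windows Vista / Server 2008 and later use for the FIPS flag and for per-protocol Schannel settings (on XP / 2003 the FIPS value sits directly under the Lsa key instead, which the script does not cover).

```powershell
# Added example (not from the original post): report the FIPS policy state and
# the explicit Schannel enable/disable state for SSL 3.0 and TLS 1.0.
# Assumes the Vista/2008+ registry layout; run in an elevated PowerShell prompt.

function Get-FipsAndSchannelState {
    # FIPS policy: HKLM\...\Lsa\FipsAlgorithmPolicy\Enabled = 1 means the
    # "Use FIPS compliant algorithms" group policy setting is in effect.
    $fipsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = (Get-ItemProperty -Path $fipsPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $result = [ordered]@{ FipsPolicyEnabled = ($fips -eq 1) }

    # Per-protocol Schannel overrides. A missing value means "not configured",
    # in which case Schannel uses the OS default for that protocol and side.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0') {
        foreach ($side in 'Client', 'Server') {
            $keyPath = Join-Path $base "$proto\$side"
            $v = (Get-ItemProperty -Path $keyPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
            $result["$proto $side Enabled"] = if ($null -eq $v) { 'default' } else { [bool]$v }
        }
    }
    [pscustomobject]$result
}

Get-FipsAndSchannelState | Format-List
```

Run it on the ISA server and on a client that cannot connect and compare the two reports side by side: a server with the FIPS policy enabled will only negotiate TLS 1.0, so a client with TLS 1.0 disabled (in Internet Explorer that is the "Use TLS 1.0" box under Internet Options, Advanced) has no protocol in common with it and the handshake fails exactly as described above.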