18

I'm working on an MVC3 site, and I've got a puzzling problem with ASP.NET Membership. I'm using System.Web.Providers 1.0.1 connected to a SQL Azure database.

As it is now, the same username/password that logs me in when running under the Compute Emulator fails when running under Azure proper. I can see that it's using the right database, as the Failed Password Attempts counter in the membership database is being updated.

Kjetil Limkjær
  • I can't tell you what the specific issue is, but I will suggest you enable Intellitrace for your deployment. Having Intellitrace enabled, just deploy the cloud project, make one login attempt, then download the Intellitrace logs. You will discover how powerful and useful Intellitrace is, and I am sure you will nail down the issue by looking at the exceptions. – astaykov Dec 07 '11 at 14:22
  • 1
    Thank you for the suggestion, but as far as I know Intellitrace is only supported with VS Ultimate, and I'm not sure I'm prepared to shell out an extra $12,000 on top of our current MSDN subscription for something that may or may not solve my problem. – Kjetil Limkjær Dec 07 '11 at 14:47
  • Hang on...you're saying "under the compute emulator" which implies you're using web roles or worker roles - NOT web sites (i.e. IIS), right? Does the machinekey change below change the behavior of your compute emulator? – Scott Hanselman Jan 09 '13 at 07:20
  • Your comment confused me for a second as I've been out of the Azure loop for a while - I see that the June update introduced Azure "web sites" as opposed to the "web roles" which were the only option back in 2011 when the question was posted :-) Also yes, changing the machine key/hashing algorithm means that the passwords must be regenerated to work under the compute emulator, but they will then work both while testing and externally. If you have a collection of hashed passwords that you need to keep I assume you could clone the existing machine key, but I wouldn't know where to find it. – Kjetil Limkjær Jan 09 '13 at 09:16

1 Answer

28

I tracked it down, thanks to some info in this article by David Hoerster. The problem is that the default password hashing algorithm on Azure is different from the .NET 4.0 defaults. It is set to SHA1 on Azure, and HMACSHA256 is the new standard setting on 4.0.

This can be fixed by specifying the hash type explicitly in web.config. If you decide to use a method like HMACSHA256, make sure you also specify a machine key - otherwise you will run into similar problems as the autogenerated machine key will differ from server to server.

The configuration element you need to change is <machineKey> under <system.web>:

<machineKey decryptionKey="PUT_DECRYPTION_KEY_HERE"
            validationKey="PUT_VALIDATION_KEY_HERE"
            decryption="AES"
            validation="HMACSHA256" />

You can use this machine key generator to generate random keys in the proper format.

Kjetil Limkjær
  • 1
    You're welcome - if it wasn't for you, I wouldn't know JACSHT :-) – Kjetil Limkjær Jan 11 '12 at 20:21
  • 1
    HAHAHA!!! That's hilarious. I need to promote that acronym more. Thanks for the laugh! – David Hoerster Jan 11 '12 at 21:09
  • If I could upvote this more I would. I thought it was a hashing issue as I could see it was hitting the DB and not verifying. Why it was occurring was a mystery. The weird thing was that when publishing to Azure via Azure Publish, the login failed; when publishing via Web Deploy, it worked. Web Deploy must do something different with the machine key, I guess. Thanks for this! – GraemeMiller Mar 01 '12 at 12:43
  • Did or do you need to also specify hashAlgorithmType="SHA256" in the Membership tag? Or is it hashAlgorithmType="HMACSHA256"? – NER1808 Apr 03 '12 at 09:01
  • I somehow found this answer ages ago, favorited it, forgot about it, searched for a solution for half an hour then found your solution again. Thanks! – xkingpin Sep 05 '12 at 14:41
  • NER1808, check out http://msdn.microsoft.com/en-us/library/system.web.security.membership.hashalgorithmtype.aspx . It says "If the HashAlgorithmType property is not set, the Membership class uses the hash algorithm set in the validation attribute of the machineKey element." – Concrete Gannet Jan 15 '13 at 03:40
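
A pre-deployment check for the configuration discussed in this thread, added here as an example and not code from any of the posters: it reports which hash algorithm a web.config pins (following the MSDN rule quoted in the last comment) and flags key attributes that are missing, still placeholders, or auto-generated, and it can emit a `<machineKey>` element with keys drawn locally from the OS CSPRNG. The function names, the sample configs and the key sizes (32-byte AES key, 64-byte validation key) are assumptions.

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX = re.compile(r"[0-9A-Fa-f]+")

def new_machine_key(validation="HMACSHA256"):
    """Build a <machineKey> element with keys from the OS CSPRNG.
    Assumed sizes: 32-byte AES decryption key, 64-byte validation key."""
    return ('<machineKey decryptionKey="{}" validationKey="{}" '
            'decryption="AES" validation="{}" />').format(
                secrets.token_hex(32).upper(),
                secrets.token_hex(64).upper(), validation)

def effective_hash_algorithm(xml_text):
    """membership/@hashAlgorithmType if set, else machineKey/@validation.
    None means nothing is pinned and the host default decides."""
    root = ET.fromstring(xml_text)
    membership = next(root.iter("membership"), None)
    machine_key = next(root.iter("machineKey"), None)
    if membership is not None and membership.get("hashAlgorithmType"):
        return membership.get("hashAlgorithmType")
    return machine_key.get("validation") if machine_key is not None else None

def audit_web_config(xml_text):
    """Return findings that let two hosts disagree on hashing or keys."""
    findings = []
    if effective_hash_algorithm(xml_text) is None:
        findings.append("hash algorithm not pinned")
    machine_key = next(ET.fromstring(xml_text).iter("machineKey"), None)
    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr, "") if machine_key is not None else ""
        if not HEX.fullmatch(value):  # missing, placeholder or AutoGenerate
            findings.append(attr + " is not a fixed hex key")
    return findings

# Constructed sample inputs, not taken from a real deployment.
DEFAULTS = "<configuration><system.web /></configuration>"
PLACEHOLDER = """<configuration><system.web>
  <machineKey decryptionKey="PUT_DECRYPTION_KEY_HERE"
              validationKey="PUT_VALIDATION_KEY_HERE"
              decryption="AES" validation="HMACSHA256" />
</system.web></configuration>"""
PINNED = ("<configuration><system.web>" + new_machine_key()
          + "</system.web></configuration>")

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("placeholder", PLACEHOLDER),
                      ("pinned", PINNED)):
        print(name, audit_web_config(cfg))
```

Keys generated this way belong in deployment secrets rather than in source control, and every instance behind the same site must receive the same element.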