1

I have just created a new Web Server (Windows Server 2012) and am trying to login to our website (a direct copy of files from the old web server). From the old web server everything works just fine still. When trying to log in from the new server, my password is rejected. I know that the requests are getting through to the DB server as I can see them through SQL Profiler on the database server.

The old setup had the website and database on the same server, the new setup is simply moving the website on to a dedicated server. The database has remained the same.

The only thing I can think of is that the passwords were being hashed/encrypted using a machine key of the old server, although we do specify a machine key in the web.config, so this shouldn't be an issue.

<!-- Key information as using encrypted passwords     -->
    <machineKey validationKey="xxx,IsolateApps" decryptionKey="xxx,IsolateApps" validation="3DES"/>
    <!-- Membership, Role & Personalisation Providers     -->
    <membership>
        <providers>
            <remove name="AspNetSqlMembershipProvider"/>
            <add name="AspNetSqlMembershipProvider" connectionStringName="SqlAspNetDB" 
         type="System.Web.Security.SqlMembershipProvider, System.Web,    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 
         enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" 
         applicationName="/" requiresUniqueEmail="false" passwordFormat="Clear" 
         maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression="" minRequiredPasswordLength="5" minRequiredNonalphanumericCharacters="0"/>
        </providers>
    </membership>
John M
  • 14,338
  • 29
  • 91
  • 143
Ben
  • 3,926
  • 12
  • 54
  • 87

2 Answers2

1

Yes it could be a password issue. My gut feeling is....

In your database, execute:

SELECT PasswordFormat FROM aspnet_Membership WHERE UserId = {YourUserId}.

If the value returned is not 0, then this is most likely the problem. The passwordFormat in your config settings must match with the password format of the records in your database. passwordFormat="Hashed" is the most popular choice. (i.e. PasswordFormat = 1 from perspective of database).

So if it is "1" in the database, set your config to passwordFormat="Hashed"

Other options are: "Encrypted" (2)

Con Kouroupis
  • 293
  • 1
  • 15
  • The password format is coming back as Encrypted. The setting in the web.config is also set to Encrypted, so this should be ok, shouldn't it? – Ben Nov 20 '14 at 13:00
  • In the web.config you posted, I see passwordFormat="Clear" ? – Con Kouroupis Nov 20 '14 at 13:02
  • If it is set to Encrypted, in both database and config and to rule out that it is even a password issue, choose a user record from aspnet_Users/aspnet_Membership, Update the PasswordFormat of that user record to 0. Set passwordFormat to "Clear" in your config and re-set the password to something.. and then attempt another login. – Con Kouroupis Nov 20 '14 at 13:23
  • 1
    That worked. I set the Password and PasswordFormat in the database directly, then set the PasswordFormat to Clear in the web.config. This confirms that it's a problem with the encryption and more than likely to do with the machine key being used to salt the encryption. The question is why isn't setting the machine key in the web.config working as expected? – Ben Nov 21 '14 at 15:46
  • Given this new info, I have added another answer – Con Kouroupis Nov 22 '14 at 11:13
1

Assuming that the machineKey config is exactly the same on both servers... I see that you are using IsolateApps.

From MSDN: "The IsolateApps modifier causes ASP.NET to generate a unique key for each application on your server by using your application's application ID".

http://msdn.microsoft.com/en-us/library/ff649308.aspx

The Web Farm Deployment Considerations section from the above link shows how the machineKey configuration should be done.

I have never experienced this before so don't completely trust the next few lines... Unless you can somehow get your new application to have the same application identity, those passwords are now only decryptable by your original application. I think you would have two options from here:

  1. If you don't care about password recovery, switch to Hashed passwordFormat. See this for more help: Changing passwordFormat from Encrypted to Hashed

  2. If you want to stick to Encrypted and if you want to maintain the passwords you will need to extract all the passwords as Clear Text from some hand-crafted .Net code within your first application (similar to code used above). Then after re-configuring your machineKey correctly, re-encrypt those passwords and store into the database. This link looks good for decrypting passwords: Decrypting an 'Encrypted' password from ASP.NET 2.0 Membership

CAUTION: Probably don't need to say this, but test with one user account first before applying to all user account records. :-)

Community
  • 1
  • 1
Con Kouroupis
  • 293
  • 1
  • 15