
I am in the process of setting up SSO for a legacy WebForms 4.61 application with a newly minted MVC application. I am following along using the references cited in this original SO post.

The web.config in the WebForms app looks as follows:

<authentication mode="Forms">
  <forms loginUrl="~/account/login" timeout="120" defaultUrl="~/" />
</authentication>
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
  <providers>
    <add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</roleManager>
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
  </providers>
</membership>
<httpRuntime targetFramework="4.6.1" maxRequestLength="20480" requestValidationMode="2.0" executionTimeout="300" />

I can log in and all is as expected. Now however I want to add the following machineKey configuration:

<machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />

to replace the default behaviour (when nothing is specified) of:

<machineKey decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" validationKey="AutoGenerate,IsolateApps" />

However, as soon as I add the machineKey entry to the web.config and re-run the application, I can no longer log in. I am using a standard asp:Login control to do the authentication.

Why does authentication stop working as soon as I add the machineKey?

PS. Specifying a decryptionKey and validationKey makes no difference to the behaviour; I cannot log in.

TheEdge
  • Is there a specific reason you want to remove `IsolateApps`? – mjwills Jun 20 '17 at 13:02
  • "The IsolateApps modifier specifies that ASP.NET generates a unique encrypted key for each application using the application ID of each application". As I want to use this across applications I cannot keep using this specifier. – TheEdge Jun 21 '17 at 02:11
  • What happens when you try to log in? Does https://stackoverflow.com/questions/21731831/changing-machinekey-prevents-login-of-existing-users/21733831#21733831 help? – mjwills Jun 21 '17 at 04:19
  • As I am not specifying anything in membership, but in machineKey, that is what is being used. Although I see that I am not specifying a decryption attribute. Hmmm... Do you know if that should be SHA1 or AES in my case? When I try to log in I am ultimately getting the LoginError event from the asp:Login component. – TheEdge Jun 21 '17 at 04:40

1 Answer

For completeness I am posting my answer after @mjwills put me on the road to making it work with his referenced SO post. Ultimately I found this SO post.

It has a link to http://geekswithblogs.net/DavidHoerster/archive/2010/06/15/asp.net-membership-password-hash----.net-3.5-to-.net-4.aspx which mentions that the default hash algorithm changed to SHA256 as a breaking change in .NET 4. So the old articles I was following talk about SHA1.

So if you have a .NET 4 application then all you need to do when adding your machine key is specify as follows:

<machineKey decryption="AES" validation="HMACSHA256" decryptionKey="AutoGenerate" validationKey="AutoGenerate" />

AES and HMACSHA256 are the default settings for the ciphers used for decryption and validation respectively.

TheEdge
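As an added illustration of the answer above (not code from the post or from ASP.NET), the following Python models the membership provider's salted password hash under both validation algorithms and shows why a row written under the .NET 4 default (HMACSHA256) never verifies once validation="SHA1" is configured, which is exactly the LoginError the question describes. The scheme is modelled on SqlMembershipProvider's EncodePassword (UTF-16LE password, base64 salt, 64-byte HMAC key built from the salt); that System.Web.Providers.DefaultMembershipProvider matches it byte for byte is an assumption, and the `diagnose` helper, salt and password are constructed for this example.

```python
import base64
import hashlib
import hmac

# Modelled on SqlMembershipProvider.EncodePassword for PasswordFormat=1 (Hashed):
# SHA1 hashes salt||password; a keyed algorithm (HMACSHA256) uses the salt,
# repeated or truncated to the HMAC key length, as its key. Whether
# System.Web.Providers.DefaultMembershipProvider is identical is an assumption.
HMAC_KEY_LEN = 64  # default key size of .NET's HMACSHA256


def encode_password(password: str, salt_b64: str, algorithm: str) -> str:
    """Return the base64 hash the provider would store under `algorithm`."""
    pw = password.encode("utf-16-le")  # .NET Encoding.Unicode
    salt = base64.b64decode(salt_b64)
    if not salt:
        raise ValueError("membership rows always carry a non-empty salt")
    if algorithm == "SHA1":
        digest = hashlib.sha1(salt + pw).digest()
    elif algorithm == "HMACSHA256":
        # One expression covers the three .NET cases: equal, truncate, repeat.
        key = (salt * (HMAC_KEY_LEN // len(salt) + 1))[:HMAC_KEY_LEN]
        digest = hmac.new(key, pw, hashlib.sha256).digest()
    else:
        raise ValueError(f"unsupported validation algorithm: {algorithm}")
    return base64.b64encode(digest).decode("ascii")


def verify(password: str, salt_b64: str, stored_b64: str, algorithm: str) -> bool:
    """What the provider does at login: re-hash under the configured algorithm."""
    return hmac.compare_digest(encode_password(password, salt_b64, algorithm), stored_b64)


def diagnose(password: str, salt_b64: str, stored_b64: str):
    """For one account with a known password, report which machineKey
    validation setting its row was written with (None if neither matches)."""
    for alg in ("HMACSHA256", "SHA1"):
        if verify(password, salt_b64, stored_b64, alg):
            return alg
    return None


if __name__ == "__main__":
    # Constructed sample row: fixed 16-byte salt, hashed under the .NET 4
    # default (HMACSHA256) before the question's validation="SHA1" was added.
    salt_b64 = base64.b64encode(bytes(range(16))).decode("ascii")
    stored = encode_password("P@ssw0rd!", salt_b64, "HMACSHA256")
    print("login with validation=SHA1      :", verify("P@ssw0rd!", salt_b64, stored, "SHA1"))
    print("login with validation=HMACSHA256:", verify("P@ssw0rd!", salt_b64, stored, "HMACSHA256"))
    print("row was written with            :", diagnose("P@ssw0rd!", salt_b64, stored))
```

Because the stored hash is bound to the validation algorithm in force when the account was created, every application sharing the membership database must carry the same validation setting, and changing it later invalidates all existing rows.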