John Pasquet

Reputation: 1842

Passwords not working after having to change machine key for VS2015 upgrade

I'm trying to convert a VS2010 Web Site to a VS2015 Web Application (C#). The latest issue I've run into is that VS2015 requires SHA1 or HMACSHA256,384,512. This is an old site, and it used to use 3DES. It uses the .NET 2.0 Membership with Encrypted Passwords. I've read something that says the .NET Membership uses the Machine Key encryption when it has encrypted passwords. I know I need to switch to Hashed Passwords, and that is on the list of items to do.

When using <machineKey compatibilityMode="Framework45" /> or the MachineKey.Protect and 
 MachineKey.Unprotect APIs, the 'validation' attribute must be one of these values: 
 SHA1, HMACSHA256, HMACSHA384, HMACSHA512, or alg:[KeyedHashAlgorithm]

The issue is that I can't seem to log in after this has changed. I assume it's because the Validation is using a different algorithm, and so no match is found.

Is there any way to retain the validation without having to decrypt every password and then hash it or re-encrypt it? Or should I just convert all the passwords to hashed to avoid this? Or is there another option?

Upvotes: 1

Views: 433

Answers (1)

John Pasquet

Reputation: 1842

Ok. It turns out there is a compatibility mode that seems to work and allow me to not change the encryption. All you have to do is add compatibilityMode="Framework20SP2" to the machineKey in the web.config as follows:

<machineKey compatibilityMode="Framework20SP2" validationKey="..."
    decryptionKey="..." validation="3DES" />

Hope this helps anyone else who runs into this.

Upvotes: 2
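
A way to find sites that still carry these settings, as an added example that is not part of the original question or answer: the script below parses a web.config and reports a `machineKey` whose `validation` value falls outside the list in the quoted error message under `Framework45`, a legacy `Framework20*` compatibility mode, and membership providers whose `passwordFormat` is not `Hashed`. The function names, the provider name `SqlProvider` and the sample configurations are constructed for illustration, and the script assumes a web.config without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Values the error message quoted in the question accepts under Framework45.
FRAMEWORK45_VALIDATION = {"SHA1", "HMACSHA256", "HMACSHA384", "HMACSHA512"}

def audit_web_config(xml_text):
    """Return findings about machineKey and membership password storage."""
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        mode = mk.get("compatibilityMode")
        validation = mk.get("validation")
        if mode == "Framework45" and validation is not None:
            if validation not in FRAMEWORK45_VALIDATION and not validation.startswith("alg:"):
                findings.append(f"machineKey: validation={validation!r} is rejected under Framework45")
        elif mode is not None and mode.startswith("Framework20"):
            findings.append(f"machineKey: legacy compatibilityMode={mode!r} in use (validation={validation!r})")
    for membership in root.iter("membership"):
        for provider in membership.findall("providers/add"):
            fmt = provider.get("passwordFormat", "Hashed")  # Hashed is the provider default
            if fmt != "Hashed":
                findings.append(f"membership provider {provider.get('name')!r}: passwordFormat={fmt!r} is not Hashed")
    return findings

def sample_config(mode, validation, password_format):
    """Build a constructed web.config; key values are placeholders, not real keys."""
    return f"""<configuration><system.web>
  <machineKey compatibilityMode="{mode}" validationKey="..." decryptionKey="..." validation="{validation}" />
  <membership><providers>
    <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
         passwordFormat="{password_format}" />
  </providers></membership>
</system.web></configuration>"""

if __name__ == "__main__":
    cases = {
        "Framework20SP2 with 3DES": sample_config("Framework20SP2", "3DES", "Encrypted"),
        "Framework45 with 3DES": sample_config("Framework45", "3DES", "Encrypted"),
        "Framework45 with HMACSHA256": sample_config("Framework45", "HMACSHA256", "Hashed"),
    }
    for label, xml_text in cases.items():
        print(label, "->", audit_web_config(xml_text) or "no findings")
```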
