Ben Ben - 1 month ago 13
ASP.NET (C#) Question

Switching Web Servers stops ASP.Net Membership validating user/password

I have just created a new Web Server (Windows Server 2012) and am trying to login to our website (a direct copy of files from the old web server). From the old web server everything works just fine still. When trying to log in from the new server, my password is rejected. I know that the requests are getting through to the DB server as I can see them through SQL Profiler on the database server.

The old setup had the website and database on the same server, the new setup is simply moving the website on to a dedicated server. The database has remained the same.

The only thing I can think of is that the passwords were being hashed/encrypted using a machine key of the old server, although we do specify a machine key in the web.config, so this shouldn't be an issue.

<!-- Key information as using encrypted passwords -->
<machineKey validationKey="xxx,IsolateApps" decryptionKey="xxx,IsolateApps" validation="3DES"/>
<!-- Membership, Role & Personalisation Providers -->
<membership>
<providers>
<remove name="AspNetSqlMembershipProvider"/>
<add name="AspNetSqlMembershipProvider" connectionStringName="SqlAspNetDB"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false"
applicationName="/" requiresUniqueEmail="false" passwordFormat="Clear"
maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression="" minRequiredPasswordLength="5" minRequiredNonalphanumericCharacters="0"/>
</providers>
</membership>

Answer

Assuming that the machineKey config is exactly the same on both servers... I see that you are using IsolateApps.

From MSDN: "The IsolateApps modifier causes ASP.NET to generate a unique key for each application on your server by using your application's application ID".

http://msdn.microsoft.com/en-us/library/ff649308.aspx

The Web Farm Deployment Considerations section from the above link shows how the machineKey configuration should be done.

I have never experienced this before so don't completely trust the next few lines... Unless you can somehow get your new application to have the same application identity, those passwords are now only decryptable by your original application. I think you would have two options from here:

  1. If you don't care about password recovery, switch to Hashed passwordFormat. See this for more help: Changing passwordFormat from Encrypted to Hashed

  2. If you want to stick to Encrypted and if you want to maintain the passwords you will need to extract all the passwords as Clear Text from some hand-crafted .Net code within your first application (similar to code used above). Then after re-configuring your machineKey correctly, re-encrypt those passwords and store into the database. This link looks good for decrypting passwords: Decrypting an 'Encrypted' password from ASP.NET 2.0 Membership

CAUTION: Probably don't need to say this, but test with one user account first before applying to all user account records. :-)