System.Web.Providers doesn't work in medium trust - asp.net

I have an ASP.NET WebForms app using Microsoft ASP.NET Universal Providers (NuGet) for membership and roles. Under full trust everything works fine, but when I edit web.config to specify medium trust I get this error when loading a page that accesses the membership:
Type 'System.Web.Providers.DefaultMembershipProvider' cannot be instantiated under a partially trusted security policy (AllowPartiallyTrustedCallersAttribute is not present on the target assembly).
I've searched the web and haven't found much info about whether this is a known limitation or if there is a workaround. I'm working on the open source app Gallery Server Pro, which is distributed in the MS Web Gallery and must support medium trust environments.
Any insight?
[Edit] Per the request, here is the web.config stuff (I'm not using profiles or the session state provider):
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <clear />
    <add name="DefaultMembershipProvider" applicationName="Gallery Server Pro" connectionStringName="GalleryDb" passwordFormat="Clear" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="50" minRequiredPasswordLength="2" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
<roleManager enabled="true" cacheRolesInCookie="true" cookieProtection="Validation" defaultProvider="DefaultRoleProvider">
  <providers>
    <clear />
    <add name="DefaultRoleProvider" applicationName="Gallery Server Pro" connectionStringName="GalleryDb" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</roleManager>

I think it may be because of caching roles in cookies:
<roleManager enabled="true" cacheRolesInCookie="true" cookieProtection="Validation" ...
Remove that part, or make it false, and then check if it's working.
As medium security will block cookies and many more things, as cookies are not considered secure. It's basic material for scavengers (hacking data from leftover/temp files).
I hope this will do.

Related

Creating a web farm - ASP.Net machineKey causes membership logons to fail

We are implementing a load balancer for our web site for redundancy purposes so if website 1 goes down, the load balancer will send all traffic to server 2 and vice versa.
I have implemented a machineKey that I generated in the web.config, but in doing so have broken my membership logins.
From what I've read, the provider should default to "hash" unless I have the provider set to "encrypted" and this shouldn't have affected my login, but it has. I can't seem to log in anymore, receiving an invalid password error.
Here is my relevant web.config code:
<machineKey
validationKey="A181A9E1960ABFC9DF3F2D8AAC8597FFDCA69A87591B5D89D0A539A21AC543022680DFBF181BACC37533D15FCA59A0E4E1A2AA748A268FFED48AAFED00C8BA7A"
decryptionKey="7366076C8BE16F2DA3AF9642071A136E5D8386ECA7659347560063474AFF61BB"
validation="SHA1"
decryption="AES" />
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add name="DefaultMembershipProvider"
         type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         connectionStringName="ClientRunner"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="6"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>
What am I doing wrong here?
I'm not exactly sure why this worked for me, but what I ended up doing was to modify my web.config like so:
<membership defaultProvider="DefaultMembershipProvider"
hashAlgorithmType="HMACSHA256">
and
<machineKey
validationKey="50E5BFCB171748F86DA392AC55D5217EDEFCE43C9B6D192C5265D8F0CDDC86CECBA42040C408B7B71EAD6A4CE669545AAFDE76BBA42CA44203223A7ADC442D1E"
decryptionKey="EE9C03B1D922639AB7BA3C00E8C993BD8F6D27635B07979DF09F8C174C91CA65"
validation="MD5" decryption="Auto" />
The existing membership info seems to be allowing me to sign in now.

Membership validation fails on login. How to determine cause?

I have an Azure web site that uses forms authentication with an Azure membership via the standard Microsoft tools and database. When I use the website administration tool, it sees the database and creates the users correctly. When I try to log in, however, I receive an authentication error.
The really strange part is that I have another Azure website that also uses a membership database. I copied the membership info directly from that site's web.config file into my broken site. When I go to administer the website, again, it sees the users correctly, but when I attempt to log in, I receive an authentication error. To be clear, I can log in properly from the working site, but when I move the config info over to my new site, the same credentials fail.
How can I determine what is causing the problem? Below is code from web.config:
<add name="StrataluxAuthorize" connectionString="Data Source=xxxxxxx.database.windows.net;Initial Catalog=StrataluxAuthorize;Persist Security Info=True;User ID=xxxxxx;Password=xxxxxxxxxx" providerName="System.Data.SqlClient" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" defaultUrl="~/" timeout="600" />
</authentication>
<profile defaultProvider="DefaultProfileProvider">
  <providers>
    <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add connectionStringName="StrataluxAuthorize" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
  <providers>
    <add connectionStringName="StrataluxAuthorize" applicationName="/" name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</roleManager>
Just a guess based on the info given. Be sure that the "ApplicationName" property of the membership provider matches for both sites that will use the same Membership database. It doesn't appear that you have explicitly defined one, so I believe by default it will use the Web Project Name. So if there is a mismatch (presumably there would be) between the 2 website names, then the membership db will try to create a new application id in the database.
Sample Config:
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add connectionStringName="StrataluxAuthorize" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="" name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
Just a bit more clarification:
If you want the users which originally appeared in web app "A" to be available in web app "B" then the application name in the configuration of web app "B" should be "A". Otherwise the membership provider will view it as a new application and it will get its own id and unique set of users.
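Added example (not part of any answer above): one way to approach "how to determine cause" in this thread and in the web farm thread before it is to diff, between the working and the failing site's web.config, the settings those answers changed or named: applicationName, hashAlgorithmType and the machineKey attributes. The function names, the two sample fragments and the placeholder keys are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SECRET = ("validationKey", "decryptionKey")   # compared, but never echoed

def login_settings(config_xml):
    """Collect the web.config values the answers above changed or named."""
    root = ET.fromstring(config_xml)
    found = {}
    membership = root.find(".//membership")
    if membership is not None:
        found["membership/hashAlgorithmType"] = membership.get("hashAlgorithmType")
        for add in membership.findall("providers/add"):
            if add.get("name") == membership.get("defaultProvider"):
                found["provider/applicationName"] = add.get("applicationName")
                found["provider/passwordFormat"] = add.get("passwordFormat")
    machine_key = root.find(".//machineKey")
    for attr in ("validation", "decryption") + SECRET:
        found["machineKey/" + attr] = None if machine_key is None else machine_key.get(attr)
    return found

def show(name, value):
    """Mask key material so the report can be pasted into a ticket."""
    if value is None:
        return "<unset>"
    return "<redacted>" if name.rsplit("/", 1)[-1] in SECRET else value

def diff_sites(config_a, config_b):
    """Return {setting: (site A, site B)} for every setting that differs."""
    a, b = login_settings(config_a), login_settings(config_b)
    return {k: (show(k, a.get(k)), show(k, b.get(k)))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# Constructed sample fragments (placeholder keys, not taken from the page).
SITE_A = """<configuration><system.web>
  <membership defaultProvider="DefaultMembershipProvider"><providers><clear />
    <add name="DefaultMembershipProvider" applicationName="SiteA" passwordFormat="Hashed" />
  </providers></membership>
</system.web></configuration>"""

SITE_B = """<configuration><system.web>
  <machineKey validationKey="AAAA" decryptionKey="BBBB" validation="SHA1" decryption="AES" />
  <membership defaultProvider="DefaultMembershipProvider" hashAlgorithmType="HMACSHA256">
    <providers><clear />
      <add name="DefaultMembershipProvider" applicationName="/" passwordFormat="Hashed" />
    </providers></membership>
</system.web></configuration>"""

if __name__ == "__main__":
    print(diff_sites(SITE_A, SITE_B))
```

An attribute reported as <unset> on one side is the first thing to make explicit, since the value then comes from an inherited or default setting that the file does not show.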

ASP.NET Universal Providers 1.2 - "The connection name 'LocalSqlServer' was not found"

I'm trying to use the "ASP.NET Universal Providers 1.2" from http://nuget.org/packages/System.Web.Providers
using Visual Studio 2010 and Sql Server 2008
Everything works fine on my local dev box. However, when I deploy the code to a DEV server, I get the following error when first hitting the web site (I have code in application start that creates default roles and a default membership user if not existing):
"The connection name 'LocalSqlServer' was not found in the applications configuration or the connection string is empty."
I've created a SQL script to create the SqlMembershipProvider tables (reverse engineered from a temp database when the provider ran correctly locally). The correct tables are there and it works just fine using the main SQL Server instance on my dev box.
I'm unsure why it's trying to use the old provider on the remote DEV server. I'm assuming it's a permission error. On my dev box, I am an admin and was using integrated security. For the DEV server, I am using a SQL Server account (see connection string below), which has SELECT, INSERT, UPDATE, DELETE perms on each of the SqlMembershipProvider tables. Are there more perms needed for a SQL Server account?
Here are the provider values from web.config:
<profile defaultProvider="DefaultProfileProvider" enabled="true">
  <providers>
    <add name="DefaultProfileProvider"
         type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         connectionStringName="MasterSqlClientConnectionString" applicationName="PortalDEV"/>
  </providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add name="DefaultMembershipProvider"
         type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         applicationName="PortalDEV" connectionStringName="MasterSqlClientConnectionString" enablePasswordRetrieval="true" enablePasswordReset="true"
         requiresQuestionAndAnswer="true" requiresUniqueEmail="true" maxInvalidPasswordAttempts="3" minRequiredPasswordLength="8"
         minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordFormat="Encrypted"/>
  </providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider" enabled="true" cacheRolesInCookie="false" cookiePath="/" cookieProtection="All" cookieRequireSSL="true"
             cookieSlidingExpiration="true" cookieTimeout="16" maxCachedResults="25">
  <providers>
    <add name="DefaultRoleProvider"
         type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         connectionStringName="MasterSqlClientConnectionString" applicationName="PortalDEV"/>
  </providers>
</roleManager>
<sessionState mode="InProc" customProvider="DefaultSessionProvider" compressionEnabled="true" timeout="16">
  <providers>
    <add name="DefaultSessionProvider"
         type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </providers>
</sessionState>
And here is my connection string (with data masked):
Any ideas?
The trick was to add a "<clear />" line at the start of the section in the config file.
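Added example (not from the original answer): the error names LocalSqlServer because the stock machine.config defines default membership, profile and role providers bound to that connection name, and without <clear /> they are still loaded alongside the Universal Providers entries. The check below lists the provider sections where that fails; its function names and the sample config are constructed for illustration, and it assumes the stock machine.config defaults.

```python
import xml.etree.ElementTree as ET

INHERITED = "LocalSqlServer"  # connection name used by machine.config's default providers
SECTIONS = ("membership", "profile", "roleManager")

def connection_names(root):
    """Connection names left after <clear />, <remove /> and <add /> are applied in order."""
    names = {INHERITED}  # assumed inherited from machine.config until the file drops it
    section = root.find("connectionStrings")
    for child in (section if section is not None else []):
        if child.tag == "clear":
            names.clear()
        elif child.tag == "remove":
            names.discard(child.get("name"))
        elif child.tag == "add":
            names.add(child.get("name"))
    return names

def sections_missing_clear(config_xml):
    """Provider sections that keep the inherited provider although its connection name is gone."""
    root = ET.fromstring(config_xml)
    if INHERITED in connection_names(root):
        return []  # the inherited providers can still initialise
    risky = []
    for name in SECTIONS:
        providers = root.find(f"system.web/{name}/providers")
        if providers is not None and providers.find("clear") is None:
            risky.append(name)
    return risky

# Constructed sample modelled on the question's layout; values are placeholders.
SAMPLE = """<configuration>
  <connectionStrings><clear />
    <add name="MasterSqlClientConnectionString" connectionString="placeholder" />
  </connectionStrings>
  <system.web>
    <membership><providers>
      <add name="DefaultMembershipProvider" connectionStringName="MasterSqlClientConnectionString" />
    </providers></membership>
    <roleManager><providers><clear />
      <add name="DefaultRoleProvider" connectionStringName="MasterSqlClientConnectionString" />
    </providers></roleManager>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    print(sections_missing_clear(SAMPLE))
```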

ASP.NET Universal Providers and Session State

I'm developing an ASP.NET MVC 4 website and I'm using the Microsoft ASP.NET Universal Providers. I plan to deploy to Windows Azure and use SQL Database. In order to initialize memberships, profiles and roles on my local SQL Server 2008 database, I created a new user via the ASP.NET Web Site Administration Tool. How do I initialize sessions?
When my application runs, naturally I get a SqlException saying "Invalid object name dbo.Sessions." When testing on Windows Azure, this wasn't an issue; dbo.Sessions was created automatically. I'm able to run locally after generating a create table script from dbo.Sessions on Azure and applying it to my local SQL database.
web.config:
<membership hashAlgorithmType="SHA1" defaultProvider="DefaultMembershipProvider">
  <providers>
    <clear />
    <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" passwordFormat="Hashed" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
  </providers>
</membership>
<profile enabled="false" defaultProvider="DefaultProfileProvider">
  <providers>
    <clear />
    <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</profile>
<roleManager enabled="false" defaultProvider="DefaultRoleProvider">
  <providers>
    <clear />
    <add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</roleManager>
<sessionState mode="Custom" customProvider="DefaultSessionProvider">
  <providers>
    <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</sessionState>
This article goes into more detail of the differences between the old aspnet_Membership vs the Universal Providers.
http://dotnet.dzone.com/articles/stronger-password-hashing-net
The key points from the article:
Firstly, there’s no more aspnet_regsql, you just make sure your connection string is set and the account has DBO rights (don’t worry, it doesn’t have to stay this way) then run the app up and attempt to perform any action which should cause the membership provider to hit the DB (i.e. log on – it doesn't matter that there isn't an account).
That's all there is to it, when it works.
When you are using Microsoft ASP.NET Universal Providers to deploy to Windows Azure & SQL Database, it seems there could be some issue with your connection string, as the table on SQL Database is not created.
The blog below from Scott shows step-by-step details on how to do it, so please follow it and see what is missing:
Introducing System.Web.Providers - ASP.NET Universal Providers for Session, Membership, Roles and User Profile on SQL Compact and SQL Azure

MySql .NET membership provider rejects logins since upgrade

I recently upgraded MySql Connector/NET 6.0.4.0 to version 6.4.4.0. My site uses the MySql Membership Provider to process logins, but since upgrading no users can log in. That is to say, Membership.ValidateUser(user, password) returns false for previously valid usernames and passwords.
I'm conscious that I haven't specified an encryption/hashing key anywhere in web.config, and maybe the new version hashes passwords differently by default? If I create a new user, they can log in just fine, it's just all the old users who can no longer log in.
Is there a workaround to save hundreds of people from having to set new passwords? Or at least to stop a repeat of this problem if I upgrade again in the future?
web.config
<system.web>
  <roleManager enabled="true" cacheRolesInCookie="true" cookieTimeout="240" createPersistentCookie="true" cookieSlidingExpiration="true" defaultProvider="MySQLRoleProvider">
    <providers>
      <add name="MySQLRoleProvider" autogenerateschema="true" type="MySql.Web.Security.MySQLRoleProvider, MySql.Web, Version=6.4.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" connectionStringName="LocalMySqlServer" applicationName="/"/>
    </providers>
  </roleManager>
  <membership defaultProvider="MySQLMembershipProvider">
    <providers>
      <clear/>
      <add name="MySQLMembershipProvider" type="MySql.Web.Security.MySQLMembershipProvider, MySql.Web, Version=6.4.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" connectionStringName="LocalMySqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="5" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
    </providers>
  </membership>
  ...
</system.web>
I'm using ASP.NET 3.5 and connecting to MySql 5.
EDIT This just got weirder; it seems that some users can still log in, but others can't. My old login definitely stopped working, and I've checked that it's not locked out or anything.
