ASP.NET 4 Membership Machine Key - asp.net

I have had a working asp.net 4 membership wesite for about 5 months and today I changed the regex to loosen the password restrictions. I can still create and access new accounts, but can no longer access any of the previously registered ones.
I have checked the database and confirmed that they are all still there. My initial thought was an incorrect password. I've checked two accounts that I knew the password for and both are inaccessable. I attempted to use the password recovery option, but when I type in the username I'm told that the user does not exist.
When I check the databases and consult both the membership and profile tables, the old and new users, pre and post regex change, are all in the same table. This leads me to my final discovery and the one that I have no experience. Is there a new Machine Key that is creating the new users but cannot decipher the old ones, hence making them unavailable? If so, how can I fix this?

Like your comment my first thought was that the application key has been altered. This key is stored in web.config/system.web/membership:
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
...
applicationName="YOUR_KEY_HERE" />
</providers>
</membership>
This key allows different applications with the same membership provider (e.g. the System.Web.Security.SqlMembershipProvider in your case) to utilize the same database for storing membership data.
One provider will not see users from the other provider and vice versa, because they take the aplication name into account when querying the database. But when you look at the Users table, you may not notice immediately the relation, since the SqlMembershipProvider uses a Guid in the Users table. But it's a foreign key to the Applications table, where you can find the application name.
See also: Always set the "applicationName" property when configuring ASP.NET 2.0 Membership and other Providers

My problem was slightly different* but I specified my own machine key in web.config. See the details here: http://msdn.microsoft.com/en-us/library/ff649308.aspx
(* my app was wandering from server to server in a large virtualized server farm hence changing the machine key with each hop causing the app being unable to read the cookies it has previously set.)

Related

ASP.net Membership Validation is not working in other system

I have created User,Roles and assign Roles to User through the functions provided by Membership functions("CreateUserRole","CreateMembershipUser" and "AssignUserToRole") in the aspnet database.The User,Roles are created successfully.I am able to login too in my system.
Same credentials I need to be configured in other machines too.So inserted same User/Password/Salt Password through scripts in all the membership tables.It is not working in other machines.Though the data is successfully inserted in other machines in the start up of the project.The function "ValidateUserCredentials" is giving error in other machines.Is there any setting to create password and Salt password while generating the first time?
If you are using ASP.Net Membership Provider, you need to check the following -
Both web.config files are same (except connection string).
ApplicationName is same in both Databases as well as both web.config files.
Password Format is Hashed, set hashAlgorithmType explicitly in membership tag inside both web.config, because different membership providers use different hashed algorithms.
For example,
<membership defaultProvider="..." hashAlgorithmType="SHA1">
Rule of thumb is you want to include same machine key in both web.config even if Password Format is Hashed. (If Password Format is Encrypted, machine key is mandatory and same machine key must be included in both web.config files)

ASP.NET beginners quetions

I am trying to create my first web application using ASP.NET. I've created new sample ASP.NET project application.
First of all I want to understand how do I switch from local App_Data file to proper database and how whole authentication process is working.
Db switch. What I did is, attached current example of .mdf file through SQL management studio on a server. But I am not sure how should I modify my connection string. Could you help me please?
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true"
Could you please explain how authentication is working? Say after user enter its credentials and hits enter, somewhere in a code it has to validate username and password, but I can't find where it happens.
Lets say my user A is Moderator and user B is simple user. How should I detect which one it is? How do I display extra features for user A, since he is a Moderato?
For the connection string, the best option is to use Visual Studio. Go to Data -> Add New Data Source and follow the UI. Failing that, connectionstrings.com is a great reference.
There are different types of authentication in ASP.net, but given that you want to implement roles (user/moderator), Forms Authentication is probably a good choice. There are lots of resources on how to set this up, see here for example.
The final step is to implement roles so that your application knows who is a user, and who's a moderator. Once you have this configured correctly, your application can use simple logic like if (User.IsInRole("moderator")) ...
1.) connection string varies by the used database and the actual server settings. Consult this with your hosting provider if you can't figure it by yourself
2.) this depends on the actual implementation. Basic idea looks like this:
Provide user a login form. User sends back the form with filled in credentials. On the server there's a function, that compares these credentials to those stored in persistence medium (like a db) and if they match, the user is authenticated. If they don't match, you get an error.

Is ASP Membership Provider password and salt machine or OS specific?

I have some code in a EF Code First initializer that is grabbing the Membership Provider (ASP Universal Provider) and seeding some users. I know that isn't necessarily normal scenario but it has been working great in local dev. When pushing to Azure I sometimes see it not work. I see the records created in the Membership tables created, but when I log in with the password it doesn't match. Updating the salt and password with values from my local also don't seem to work. Is there something specific about the machine or OS for the salt/password generation or validation? It doesn't make sense because that would mess up any farm scenario, just looking for any help on why I might see something like this.
Yes, if you set the machine key explicitly, Membership Provider uses that key to encrypt the password.
So you need to have same machine key in all web.config files.

ASP.Net Membership in SQL vs. Windows

I just inherited a project for a small company. This is a completely internal web application and the current model for authentication and roleManager is based on their domain policies. Well, I work from home and little experience with windows authentication, and I definitely am not part of a domain.
So, in order to "fake" the same sort of setup that they have, is it a good idea to setup ASP.Net Membership in SQL Server? And I think that you can setup roles in there, too, which I could use to create a one-one mapping of roles in SQL to what they have on their network (there are 5 or so, that's all), correct?
Then, when I push changes to their system, I would just overwrite my web.config with one specific to them, that basically sets Membership auth and rolemanager to user their network setting instead of my SQL ones. This would let me test locally but they could keep their domain driven security model.
Am I crazy, and these 2 things just aren't analogous?
The two things aren't the same so you're not going to be able to work on it as you are thinking. The membership provider would always require a login process and other user management, and the code to check the role membership and user account details would be completely different.
My suggestion would be to see if they have VPN access to their LAN and get them to set you up an account on the domain.

What is the best way to persist login and password SQL Server when used from ASP.NET app that uses SMO?

I am creating a simple web management studio using SMO. Is it secure enough to persist/store user information (login and password for database) using ASP.NET mechanism (e.g. formsauthentication, cookies, etc.).
What will be the best practice to do this?
thanks
Yes it is very secure but you must consider this:
User requireSSL = true
cookieless = false
enableCrossAppRedirects=false
httpOnlyCookies="true"
also for the role manager do not cache the roles in cookie
<roleManager enabled="true" cacheRolesInCookie="false">
non "out of the box" system is 100% what you looking for, and you maybe need to think what other extra messure you need to take for make it even more secure.
Also you can open the database and see what informtions is stored on it, to see if are meet your requirements. The password is not saved, but the salt of it, so you can not read it, and it save is the email/name of your user.
Some extra reference
http://msdn.microsoft.com/en-us/library/ff650037.aspx
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
http://msdn.microsoft.com/en-us/library/ms972969.aspx
http://msdn.microsoft.com/en-us/magazine/cc163807.aspx

Resources