2

I am trying to move my membership database, created in .Net 4, to a newly created .Net 4.5 membership database. The .Net 4.5 database has a different schema that the old .Net 4 database. So I created a new 4.5 membership database and am trying to recreate the users.

I am selecting my users, from the old database, and then using Membership.CreateUser() to recreate thse users in the new membership database. Since I also need their passwords, I am using an SQL UPDATE statement to set the Password and PasswordSalt fields, in the Membership table, to the same values it has in the old database.

Any new users can login without any issues but users copied, as described, cannot login ("Your login attempt was not successful. Please try again.")

I can see the "FailedPasswordAttemptCount" increasing as hy try to login..so it is finding the user..the issue must be with the password or the decryption of the password.

What am I doing wrong, trying to copy the passwords accross? Both databasis are on the same machine...surely the password and passwordsalt should be enough to decrypt it?

Basquiat
  • 119
  • 5
  • 15

1 Answers1

1

First off, passwords in your situation are not decrypted, the password the user submits is hashed and that has is compared to the hash stored in the database. The hash normally works off the machine key, although this can be altered in the Web.Config and different versions of IIS.

You could try making a copy of the original database then run the .net 4.5 ASPNET_REGSQL against it to see if it will update it properly, I doubt it will, but its worth a shot.

The first thing I'd do is look in your Web.Config file at the Providers section and verify it is the same as it was for the old project version. This determines the password format, if your lucky this will be the problem, however I doubt it is.

You may also (depending on how many users are in the database,) be able to decrypt their passwords via some program or website. This is dated but may help. If it is possible to retrieve their plain text passwords, you could just recreate the user like that.

I couldn't find anything saying the hashing process changed from version 4.0 to 4.5, but if it did you may need to define a custom hashing algorithm. Basically, you will need to recreate the hash the way .net 4.0 does.

You could also try a second manual validation on the password if the first validation failed. Something like this.

The PasswordFormat value is specified in the providers section of the Web.config file for the ASP.NET application.

Encrypted and Hashed passwords are encrypted or hashed by default based on information supplied in the machineKey element in your configuration. Note that if you specify a value of 3DES for the validation attribute, or if no value is specified, hashed passwords will be hashed using the SHA1 algorithm.

A custom hash algorithm can be defined using the hashAlgorithmType attribute of the membership configuration element. If you choose encryption, default password encryption uses AES. You can change the encryption algorithm by setting the decryption attribute of the machineKey configuration element. If you are encrypting passwords, you must provide an explicit value for the decryptionKey attribute in the machineKey element. The default value of AutoGenerate for the decryptionKey attribute is not supported when using encrypted passwords with ASP.NET Membership.

Garrett Fogerlie
  • 4,450
  • 3
  • 37
  • 56
  • Thanks Garrett. Correct, the passwords are hashed. I looked at the decryption link you provided...but does that also apply for hashed passwords? I'm a bit confused..running regsql produces the same schema as under .net 4..I dont think there is a new regsql created for 4.5 – Basquiat Aug 23 '12 at 11:15
  • @Basquiat I'm fairly sure there is a regsql for 4.5, http://stackoverflow.com/a/9100752/985284 – Garrett Fogerlie Aug 23 '12 at 11:21