
I'm transferring an existing ASP.net forms site to MVC 5 and I can't get the user authentication to work. I can't understand what it is that I'm missing. I've added the database and the connection string and made sure they work. I then pasted the membership part of my previous web.config to the new project:

    <membership defaultProvider="MyProvider" hashAlgorithmType="SHA1">
      <providers>
        <add name="MyProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             description=""
             requiresUniqueEmail="false"
             enablePasswordRetrieval="true"
             requiresQuestionAndAnswer="false"
             passwordFormat="Clear"
             minRequiredPasswordLength="4"
             minRequiredNonalphanumericCharacters="0"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

When I try to authenticate using Membership.ValidateUser(user.Username, user.Password) it always returns false. Putting a break point at the Membership shows that it uses "MyProvider" but I noticed that it used another hash algorithm so I manually added SHA1. At least this is what I think SQL Membership Provider is using.

So what am I missing here? It's probably something major since nothing seems to work. I even tried inserting the hashed password from the database instead of the one from the model (user.Password) while messing around with the passwordFormat in the web.config without any difference.

Any suggestions are most welcome! Membership providers are really not my strong side.

Peter
  • Just a little note - please consider using IIdentity, IPrincipal instead of membership, it's outdated. – Anton Putau May 25 '15 at 19:11
  • @AntonPutau - Membership and IIdentity/IPrincipal are not related in any way. FormsAuthentication is related to IIdentity/IPrincipal, but Membership has nothing to do with them. – Erik Funkenbusch May 25 '15 at 20:34
  • What do you mean "manually added SHA1"? Why do you have PasswordFormat set to "Clear"? If this is a different server, have you set the machine key to the same value? – Erik Funkenbusch May 25 '15 at 20:36
  • @ErikFunkenbusch, I agree with you. The only goal I tried to achieve was to highlight flexible ways of authentication, nothing more. – Anton Putau May 25 '15 at 20:39
  • @AntonPutau - But the point is you told him not to use Membership and use IIdentity instead, but they are used for different things.. there is no "instead". Membership is used to store account information in the database. IIdentity/IPrincipal is used to tell ASP.NET that the user is valid, and what roles they have. They are totally separate things and you can't use one in place of the other. – Erik Funkenbusch May 25 '15 at 20:47
  • @ErikFunkenbusch I changed it back when it didn't work. Any idea what it should be set to? The original user identification was added using the forms wizard controls. Not sure what they used but I think it's SHA1, right? – Peter May 26 '15 at 05:13
  • @Peter - I asked you three questions, you didn't answer any of them... – Erik Funkenbusch May 26 '15 at 05:41
  • @ErikFunkenbusch 1. What I meant with "manually adding" hashAlgorithmType="SHA1" is that this wasn't in there to begin with and when I looked at the instance at runtime it said HMACSHA256. That's why I added SHA1 because I believe this is what was used originally. 2. PasswordFormat was set to clear in the original project and it worked fine in that one. It's generated from the project configuration in Visual Studio so it's really the framework that put it there. 3. Not sure how to do that. Will have to look into that tonight. Thanks for the tip! – Peter May 26 '15 at 06:07
  • @Peter - if your passwords are hashed, then you weren't using Clear password format... That should be set to Hashed. The default is SHA1. – Erik Funkenbusch May 26 '15 at 06:53
  • @ErikFunkenbusch Thanks, I'll give this a go tonight and I'll also look into the machine key. Isn't the machine key generated by IIS? – Peter May 26 '15 at 07:24
  • @Peter - Yes, but you can override it.. which you have to do if you move your database to a new server, or you are using a server farm. – Erik Funkenbusch May 26 '15 at 14:01
  • @ErikFunkenbusch I've made the changes suggested without any progress. If I change passwordFormat to hashed I get an exception saying that hashed passwords cannot be retrieved. Also, after messing around with the machine key in IIS my old forms project has stopped logging in as well. The machine key settings are back to original but none of them are working. I'm about to press the panic button on this one since this is a customer project that just went down a dead end... – Peter May 26 '15 at 18:21
  • @Peter - What you're telling us, and what your responses are don't jive. Yes, hashed passwords can't be retrieved, that's the point of hashing.. if you're using SHA1 then you're hashing. If you're retrieving passwords, then you're not, you're either using Encrypted or Clear. – Erik Funkenbusch May 26 '15 at 18:31
  • As mentioned earlier I added the provider using the ASP.net configuration in Visual Studio. This is the tool that added all the settings, including setting it to clear. – Peter May 26 '15 at 18:53
  • I have no idea where to go from here... – Peter May 26 '15 at 18:53
  • I had to change the password in code to get this up and running again and even by looking at the fields in the database before and after they remained the same. Very, very, strange... – Peter May 26 '15 at 19:20
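
The comments above turn on whether the stored rows are Clear or Hashed and on which algorithm (SHA1 or HMACSHA256) wrote them. As an added example (not code from this thread or from ASP.NET), the script below recomputes the value SqlMembershipProvider stores for a Hashed row under both algorithms and compares it with a row's `PasswordFormat`, `PasswordSalt` and `Password` columns from `aspnet_Membership`. The sample rows and test password are constructed, and the key handling for HMACSHA256 is assumed to follow the .NET 4 provider.

```python
import base64
import hashlib
import hmac

CLEAR, HASHED, ENCRYPTED = 0, 1, 2  # aspnet_Membership.PasswordFormat values


def encode_password(password, salt_b64, algorithm):
    """Recompute the Password column of a Hashed row for one algorithm."""
    pw = password.encode("utf-16-le")   # Encoding.Unicode on the .NET side
    salt = base64.b64decode(salt_b64)   # PasswordSalt column is Base64
    if algorithm == "SHA1":
        digest = hashlib.sha1(salt + pw).digest()
    elif algorithm == "HMACSHA256":
        # Keyed algorithm (assumed): salt repeated or cut to 64 bytes is the key.
        key = (salt * (64 // len(salt) + 1))[:64]
        digest = hmac.new(key, pw, hashlib.sha256).digest()
    else:
        raise ValueError("unsupported algorithm: " + algorithm)
    return base64.b64encode(digest).decode("ascii")


def diagnose(row, known_password):
    """Report how a row was stored, given a password known to be correct."""
    stored = row["Password"].encode("utf-8")
    if row["PasswordFormat"] == CLEAR:
        same = hmac.compare_digest(stored, known_password.encode("utf-8"))
        return "Clear" if same else "Clear, different password"
    if row["PasswordFormat"] == ENCRYPTED:
        return "Encrypted (needs the original machineKey)"
    for alg in ("SHA1", "HMACSHA256"):
        candidate = encode_password(known_password, row["PasswordSalt"], alg)
        if hmac.compare_digest(stored, candidate.encode("ascii")):
            return "Hashed with " + alg
    return "Hashed, no match"


# Constructed sample rows (not real data): one test password, one 16-byte salt.
_SALT = bytes(range(16))
_PW = "Test!234".encode("utf-16-le")
SAMPLE_ROWS = [
    {"PasswordFormat": CLEAR, "PasswordSalt": base64.b64encode(_SALT).decode(),
     "Password": "Test!234"},
    {"PasswordFormat": HASHED, "PasswordSalt": base64.b64encode(_SALT).decode(),
     "Password": base64.b64encode(hashlib.sha1(_SALT + _PW).digest()).decode()},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["PasswordFormat"], diagnose(row, "Test!234"))
```

A row that reports "Hashed with SHA1" will only validate when `passwordFormat` is `Hashed` and `hashAlgorithmType` resolves to SHA1 in the new project's web.config.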
