
I have an existing app in production that uses SqlMembershipProvider and has a specified machine key:

<machineKey validationKey="..." decryptionKey="..." 
            validation="SHA1" decryption="AES"/>

It runs under .Net 2.0 AppPool currently.

I'm writing a new application that has to use the existing database, which I have a backup of. I'm trying to get SqlMembershipProvider working with it (which it does), but I can't get a known username/password working. This account works in prod, and the password hash and salt are the same on both databases (prod and mine). However, at the point where the SqlMembershipProvider compares the password from the database with the hashed password entered, they aren't the same.

This article suggests breaking changes with the default hashing algorithm in ASP.Net in .Net 4.0: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes

However I am already specifying a machine key as suggested. Further, I've stripped out the .Net 4.0 components and dropped it back to 3.5 (which is CLR 2) and the hash of the entered password is still the same.

Furthermore, I tried redeploying this new temporary app to the same server production is on, and it still fails to login (although I can't verify if it fails due to password hash mismatch).

What else can I try here?

DarkwingDuck

2 Answers


You need to specify the hashAlgorithmType of the membership provider in the web.config, as the default has changed with .NET 4.

The value that you want is most likely SHA1.

Please see the following page for more details: http://geekswithblogs.net/DavidHoerster/archive/2010/06/15/asp.net-membership-password-hash----.net-3.5-to-.net-4.aspx

Matthew Steeples
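The practical check behind this answer is whether the hash stored in aspnet_Membership was produced by the algorithm the new application is configured with. The following Python script is an added example, not code from the question or either answer: it reproduces the provider's legacy SHA1 password encoding (Base64 of SHA1 over the Base64-decoded salt followed by the UTF-16LE password) and a keyed HMACSHA256 variant intended to match the .NET 4 default, then reports which of the two reproduces a stored hash. The SHA1 layout is the documented legacy format; the HMACSHA256 key construction (salt repeated to a 64-byte key, constant HMACSHA256_KEY_LEN) is an assumption, and the salt, password and stored hash are constructed sample values rather than real database rows.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample values standing in for one aspnet_Membership row; not real data.
SAMPLE_SALT_B64 = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_PASSWORD = "P@ssw0rd!"


def encode_password_sha1(password: str, salt_b64: str) -> str:
    """Legacy SqlMembershipProvider encoding (hashAlgorithmType="SHA1"):
    Base64( SHA1( salt_bytes || UTF-16LE(password) ) )."""
    salt = base64.b64decode(salt_b64)
    data = salt + password.encode("utf-16-le")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Assumption: the provider fills a 64-byte HMAC key by repeating the salt.
HMACSHA256_KEY_LEN = 64


def encode_password_hmacsha256(password: str, salt_b64: str) -> str:
    """Keyed variant modelled on the .NET 4 default (HMACSHA256): same
    salt||password input, but keyed with a key derived from the salt."""
    salt = base64.b64decode(salt_b64)
    key = (salt * (HMACSHA256_KEY_LEN // len(salt) + 1))[:HMACSHA256_KEY_LEN]
    data = salt + password.encode("utf-16-le")
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


ENCODERS = {
    "SHA1": encode_password_sha1,
    "HMACSHA256": encode_password_hmacsha256,
}


def verify_password(password: str, salt_b64: str, stored_hash_b64: str,
                    algorithm: str) -> bool:
    """Re-encode the entered password with the named algorithm and compare
    in constant time against the Base64 hash read from the database."""
    candidate = ENCODERS[algorithm](password, salt_b64)
    return hmac.compare_digest(candidate, stored_hash_b64)


def which_algorithm(password: str, salt_b64: str,
                    stored_hash_b64: str) -> Optional[str]:
    """Diagnostic: which configured hashAlgorithmType reproduces this row?
    Returns the algorithm name, or None if neither matches."""
    for name in ENCODERS:
        if verify_password(password, salt_b64, stored_hash_b64, name):
            return name
    return None


# A stored hash as a .NET 2.0/3.5 app running with SHA1 would have written it.
SAMPLE_STORED_HASH = encode_password_sha1(SAMPLE_PASSWORD, SAMPLE_SALT_B64)

if __name__ == "__main__":
    print("stored hash  :", SAMPLE_STORED_HASH)
    print("as SHA1      :", verify_password(SAMPLE_PASSWORD, SAMPLE_SALT_B64,
                                            SAMPLE_STORED_HASH, "SHA1"))
    print("as HMACSHA256:", verify_password(SAMPLE_PASSWORD, SAMPLE_SALT_B64,
                                            SAMPLE_STORED_HASH, "HMACSHA256"))
    print("matching hashAlgorithmType:",
          which_algorithm(SAMPLE_PASSWORD, SAMPLE_SALT_B64, SAMPLE_STORED_HASH))
```

To run it against a real account, replace the sample salt and stored hash with the PasswordSalt and Password columns of that user's aspnet_Membership row and supply the known password; if only the SHA1 encoder reproduces the stored value, the new web.config needs `hashAlgorithmType="SHA1"` on the membership element, exactly as the answer says.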

First copy the production app to dev/test and run it there to see if it works as expected. If it does, proceed to upgrade the project to run under .NET 4.0, but do not modify any other code (i.e. don't try to make it work with SQLMembershipProvider), and retest the application. If that works, you know it's not an environment issue, and it's not a .NET breaking change issue, which would point to something in your code not working as you expect it should work. My guess is that the hashing algorithm you're using in the new application is different from the one being used in the old application. Were you salting the password in the old application? Are you using the same salt in the new application?

Tony