Help! ASP.NET 2.0 Membership ERROR: The password-answer supplied is wrong.

[Guest]

Can anyone please comment on this ASP.NET 2.0 Membership error & how to get
the following code to run?
ERROR:
The Membership database seems to be encrypting randomly & it's causing our
web app to keep throwing errors & keeping our users from logging in. (See
below for greater detail.)

How do we get this line to run?

//CANNOT RUN:
string genPassword = mu.ResetPassword("[REMOVEDasswordAnswer]");

In ASP.NET 2.0 Membership (aspnet_Membership table) can anyone tell me
whether the web.config machineKey tag (with validationKey & decryptionKey)
actually controls how the aspnet_Membership.passwordAnswer column is
encrypted?

NOTE: In our situation, ALL users have the same static value for
passwordQuestion & passwordAnswer because we only reset/generate passwords
programmatically. The passwordAnswer column gets encrypted and it USED TO
be
the same value for everyone:
/BDizKy0FRtHQJxjTO3SnI/H/4g=
.... but now, it generates completely different values for every user:
sUmS0wDxiGK52o8r37dZDxbeCjI=
OdLx8wXO/cgRfvqKHlXV+I12HAg=

THE ISSUE:
The other day, we started getting an error when the user clicks the Change
Password button which calls:
public void ChangePassword()
{
Password = RandomPassword.Generate(8);
MembershipUser mu = Membership.GetUser(this.UserName);

//CANNOT RUN:
string genPassword = mu.ResetPassword("[REMOVEDasswordAnswer]");

mu.ChangePasswordQuestionAndAnswer(genPassword,
"[REMOVEDasswordQuestion]", "[REMOVEDasswordAnswer]");
mu.ChangePassword(genPassword, Password);
}

ERROR:
"The password-answer supplied is wrong."
(This SEEMS to be an encryption issue, since all passwordAnswers are exactly
the same.)

Please help me better understand the process & how to control it.

Thoughts:
We do not yet have a machineKey tag in web.config, so it should default to
AutoGenerate, which may create different values on different machines,
right?
So, since I now want to control it (same encryption) across both Development
and Production machines, I want to add the keys I've generated.

But, with the machineKey tag, it still generates different keys for users...
Is this normal?
Is it perhaps using values from the userid, username, or Salt to create the
encrypted
passwordAnswer?

PROVIDER:
<add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlConn" applicationName="[REMOVED]"
passwordStrengthRegularExpression="[REMOVED]" minRequiredPasswordLength="8"
minRequiredNonalphanumericCharacters="1" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="true"
requiresUniqueEmail="false" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"/>

 

[Walter Wang [MSFT]]

Hi,

Your "passwordFormat" is set to "Hashed" instead of "Encrypted", which
means it's not using the MachineKey:

http://msdn2.microsoft.com/en-us/library/ms998288.aspx#paght000007_membershi
p

The "PasswordAnswer" field in table aspnet_MemberShip is also hashed or
encrypted according to the "passwordFormat" setting. The actual hash
algorithm to compute the PasswordAnswer is not documented, but it's
definitely related to the user name.

Does this issue also occur on a newly created test user account? or is it
only relate to previous user accounts? Have you changed the
"PasswordFormat" before?


Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Walter Wang [MSFT]]

Hi,

Please feel free to let me know if you have any questions. Thanks.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.