Restoring users from production server to my development PC

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for PostgreSQL
JORGEMAL
Posts: 171
Joined: Thu 03 Jul 2008 23:55

Post by JORGEMAL » Sat 05 Feb 2011 19:02

I have a web application running on a production server and I made a backup of the database, which includes the membership tables. After that, I restored it to the PC where the project is being developed. The "applicationname" field in the "aspnet_users" table on the production server is different from the one on my PC. I tried to type my credentials and I am not able to be validated, so I changed the "applicationname" to match that of the production server, and another message tells me that the provider cannot decode the password. The machineKey entries in the web.config file are the same on both machines (validationKey, decryptionKey, validation and decryption). What else should I consider in order to bring the users in the production server membership tables to my PC?

Best regards,
Jorge Maldonado

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Wed 09 Feb 2011 15:59

We will investigate the issue and notify you about the results.

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Thu 10 Feb 2011 09:56

Please give us the following information:
1) the version of ASP.NET you are using. Is it the same on your production and development workstations?
2) the version (x.xx.xxx) of your dotConnect for PostgreSQL. You can find it in the Tools > PostgreSQL > About menu of Visual Studio;
3) give us the exact text of the error and your call stack;
4) as I understood, all your passwords are stored in the database in the Encrypted format (neither Clear nor Hashed). Please specify:
4.a) your decryption and validation algorithms;
4.b) you have set explicitly the decryptionKey and validationKey values as hexadecimal strings of the appropriate lengths (the same in your production and development environments), haven't you?
http://www.asp.net/security/tutorials/f ... -topics-vb > Step 3 > Setting the Validation and Decryption Keys.

You can post here or contact us via our contact form.

JORGEMAL
Posts: 171
Joined: Thu 03 Jul 2008 23:55

Post by JORGEMAL » Mon 14 Feb 2011 17:59

Here is the information you requested:

1. ASP.NET 3.5 in both production server and development PC.
2. dotConnect for PostgreSQL 5.10.96.0
3. I do not get an exception if the "applicationname" field of table "aspnet_users" remains as it is in the production server (which actually is /) but I cannot validate my user credentials because I get a message saying that the username does not exist.
On the other hand, if I change the "applicationname" field of the "aspnet_users" table to the one that corresponds in my development PC I get the exception "Provider cannot decode password". Here is the exception information:

Server Error in '/Restaurant 01.00.01' Application.
--------------------------------------------------------------------------------
Provider can not decode password
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Configuration.Provider.ProviderException: Provider can not decode password

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[ProviderException: Provider can not decode password]
Devart.Common.Web.Providers.DbMembershipProvider.a(String A_0, MembershipPasswordFormat A_1) +172
Devart.Common.Web.Providers.DbMembershipProvider.a(String A_0, String A_1, MembershipPasswordFormat& A_2, String& A_3) +230
Devart.Common.Web.Providers.DbMembershipProvider.ValidateUser(String username, String password) +51
System.Web.UI.WebControls.Login.AuthenticateUsingMembershipProvider(AuthenticateEventArgs e) +60
System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +119
System.Web.UI.WebControls.Login.AttemptLogin() +115
System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +101
System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +37
System.Web.UI.WebControls.Button.OnCommand(CommandEventArgs e) +118
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +166
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618

4.
4.a) validation="SHA1" decryption="Auto"
4.b) Yes, I got the validationKey and decryptionKey from https://www.grc.com/passwords.htm (64 random hexadecimal characters). You can see a reference to this web site at the end of step 3. The keys are the same in both machines.

Regards,
Jorge Maldonado

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Tue 15 Feb 2011 18:43

I have tried the following scenario: one database (remote), and a test application (Membership.ValidateUser("testuser", "his!password");) was run from a couple of workstations; validation was successful in both cases. ASP.NET 3.5. dotConnect for PostgreSQL v 5.10.96.0.
1. Try setting the <machineKey> section locally (in web.config of your application).
2. Leave applicationname as "/".
3. How did you backup/restore your database? Can the problem be here?
4. Make sure that you are checking a valid user/password when validation fails.

At the moment I can reproduce:
1) the situation when validation fails only when applicationname is changed;
2) the "Provider can not decode password" error when decryptionKey is changed.

We are investigating the issue.

JORGEMAL
Posts: 171
Joined: Thu 03 Jul 2008 23:55

Post by JORGEMAL » Wed 16 Feb 2011 16:26

I want to make another comment on this issue and provide additional information.
Actually, I have a backup of my site's database that I got using pgAdmin III; it is compressed and with Win1252 encoding. The rest of the parameters are left unchanged. I created a new web site on my production server, restored the database to it and user validation worked fine. In this case I see that the applicationname in both sites is the same (/) and maybe this is the reason why it works correctly. If I add a new user account on my development PC, the applicationname assigned to it is different from those that already exist. The applicationname in the restored database is "/"; the applicationname of a new account is the name of the folder on my development PC.

The following are the answers to your 4 questions:
1. I am using the web.config file to set the machineKey values.
2. I am not changing the applicationname anymore.
3. I perform the backup in the production server as described at the beginning of this reply. I restore to my development PC using pgAdmin III and checking 2 options: "Clean before restore" and "Single transaction". I get a "Process returned exit code 0." at the end of the restore process.
4. I am sure I use a valid user account, in fact, it is my personal user account.

The login process is made using the "asp:login" control, I only added code to catch the specific error in case there is one. The ID of the control is ctrLogin and this is the code I added:

Protected Sub ctrLogin_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles ctrLogin.LoginError
    ' The username is ALWAYS converted to uppercase.
    ctrLogin.UserName = ctrLogin.UserName.ToUpper()

    ' Look up the account and the label that displays the error message.
    Dim userInfo As MembershipUser = Membership.GetUser(ctrLogin.UserName)
    Dim ctrLabel As Label = DirectCast(ctrLogin.FindControl("lblMensajeError"), Label)

    If userInfo Is Nothing Then
        ' GetUser found no row for this username under the provider's application name.
        ctrLabel.Text = "The user account does not exist in the database."
    Else
        If Not userInfo.IsApproved Then
            ctrLabel.Text = "The user account is not approved."
        ElseIf userInfo.IsLockedOut Then
            ctrLabel.Text = "The user account has been locked out."
        Else
            ctrLabel.Text = "Invalid user account."
        End If
    End If
End Sub

The condition that is met in the "if" statement is the first one so the message I get when I try to validate is "The user account does not exist in the database."

I hope this information is useful.
Regards,
Jorge Maldonado

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Fri 18 Feb 2011 14:30

Please refer to http://weblogs.asp.net/scottgu/archive/ ... iders.aspx.

So try adding an “applicationName” attribute to your membership provider declaration in web.config with the application name value that is the same as the value in the "applicationname" column of aspnet_users. Notify us about the results.
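
The configuration change suggested above, as an added example that is not part of the original thread or of Devart's documentation. The provider name, connection string name, type string and key values are placeholders (assumptions); only the applicationName value "/", validation="SHA1", decryption="Auto" and the Encrypted password format come from the thread.

```xml
<!-- Added illustration. ExampleMembershipProvider, ExampleConnection, the
     type string and both key values are placeholders, not thread values. -->
<configuration>
  <system.web>

    <!-- Encrypted passwords can only be decoded with the key material that
         encrypted them, so both machines carry the same explicit keys. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="SHA1"
                decryption="Auto" />

    <membership defaultProvider="ExampleMembershipProvider">
      <providers>
        <clear />
        <!-- Before: no applicationName attribute. As reported in the thread,
             the development site then used its own folder name, so accounts
             stored under "/" were reported as not existing.

        <add name="ExampleMembershipProvider"
             type="PLACEHOLDER_TYPE_FROM_YOUR_EXISTING_DECLARATION"
             connectionStringName="ExampleConnection"
             passwordFormat="Encrypted" />
        -->

        <!-- After: applicationName pinned to the value stored in the
             "applicationname" column of aspnet_users, so the restored
             rows are found without editing the table. -->
        <add name="ExampleMembershipProvider"
             type="PLACEHOLDER_TYPE_FROM_YOUR_EXISTING_DECLARATION"
             connectionStringName="ExampleConnection"
             passwordFormat="Encrypted"
             applicationName="/" />
      </providers>
    </membership>

  </system.web>
</configuration>
```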
