Help! ASP.NET 2.0 Membership ERROR: The password-answer supplied is wrong.

 
 
Guest
Posts: n/a
 
      03-05-2007
Can anyone please comment on this ASP.NET 2.0 Membership error & how to get
the following code to run?
ERROR:
>>> "The password-answer supplied is wrong."


The Membership database seems to be encrypting randomly & it's causing our
web app to keep throwing errors & keeping our users from logging in. (See
below for greater detail.)

How do we get this line to run?
>>> //CANNOT RUN:
>>> string genPassword = mu.ResetPassword("[REMOVEDasswordAnswer]");


In ASP.NET 2.0 Membership (aspnet_Membership table) can anyone tell me
whether the web.config machineKey tag (with validationKey & decryptionKey)
actually controls how the aspnet_Membership.passwordAnswer column is
encrypted?

NOTE: In our situation, ALL users have the same static value for
passwordQuestion & passwordAnswer because we only reset/generate passwords
programmatically. The passwordAnswer column gets encrypted and it USED TO
be the same value for everyone:
/BDizKy0FRtHQJxjTO3SnI/H/4g=
... but now, it generates completely different values for every user:
sUmS0wDxiGK52o8r37dZDxbeCjI=
OdLx8wXO/cgRfvqKHlXV+I12HAg=

THE ISSUE:
The other day, we started getting an error when the user clicks the Change
Password button which calls:
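public void ChangePassword()
{
    // New random password that the user will end up with
    Password = RandomPassword.Generate();
    MembershipUser mu = Membership.GetUser(this.UserName);

    //CANNOT RUN:
    // ResetPassword checks the supplied answer and returns a temporary password
    string genPassword = mu.ResetPassword("[REMOVEDasswordAnswer]");

    // Re-apply the static question/answer, then swap the temporary password for ours
    mu.ChangePasswordQuestionAndAnswer(genPassword,
        "[REMOVEDasswordQuestion]", "[REMOVEDasswordAnswer]");
    mu.ChangePassword(genPassword, Password);
}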

ERROR:
"The password-answer supplied is wrong."
(This SEEMS to be an encryption issue, since all passwordAnswers are exactly
the same.)

Please help me better understand the process & how to control it.

Thoughts:
We do not yet have a machineKey tag in web.config, so it should default to
AutoGenerate, which may create different values on different machines,
right?
So, since I now want to control it (same encryption) across both Development
and Production machines, I want to add the keys I've generated.

But, with the machineKey tag, it still generates different keys for users...
Is this normal?
Is it perhaps using values from the userid, username, or Salt to create the
encrypted passwordAnswer?

PROVIDER:
<add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlConn" applicationName="[REMOVED]"
passwordStrengthRegularExpression="[REMOVED]" minRequiredPasswordLength="8"
minRequiredNonalphanumericCharacters="1" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="true"
requiresUniqueEmail="false" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"/>


Walter Wang [MSFT]
Guest
Posts: n/a
 
      03-06-2007
Hi,

Your "passwordFormat" is set to "Hashed" instead of "Encrypted", which
means it's not using the MachineKey:

http://msdn2.microsoft.com/en-us/lib...0007_membership

The "PasswordAnswer" field in table aspnet_MemberShip is also hashed or
encrypted according to the "passwordFormat" setting. The actual hash
algorithm to compute the PasswordAnswer is not documented, but it's
definitely related to the user name.

Does this issue also occur on a newly created test user account? Or is it
only related to previous user accounts? Have you changed the
"PasswordFormat" before?


Sincerely,
Walter Wang ((E-Mail Removed), remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notifications.
If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
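
An illustration of the point in the reply above, added here and not code from the thread or from Microsoft: with passwordFormat="Hashed", the same answer yields a different stored value for each row when every row is hashed with its own salt, and no machineKey is involved. The formula (SHA1 over the salt bytes followed by the UTF-16 bytes of the trimmed, lower-cased answer) and the names HashAnswer and NewSalt are assumptions that model the provider, not its documented API; the answer string and salts are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordAnswerHashDemo
{
    // Assumed model of the "Hashed" format with the default SHA1:
    // Base64(SHA1(salt || UTF-16LE(trimmed, lower-cased answer))).
    static string HashAnswer(string answer, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] text = Encoding.Unicode.GetBytes(answer.Trim().ToLowerInvariant());
        byte[] all = new byte[salt.Length + text.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(text, 0, all, salt.Length, text.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }

    // Random 16-byte salt, standing in for one row's PasswordSalt column.
    static string NewSalt()
    {
        byte[] salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    static void Main()
    {
        const string answer = "SharedStaticAnswer"; // constructed sample value
        string saltA = NewSalt();                   // user A's salt
        string saltB = NewSalt();                   // user B's salt

        string storedA = HashAnswer(answer, saltA);
        string storedB = HashAnswer(answer, saltB);
        Console.WriteLine("user A stored value: " + storedA);
        Console.WriteLine("user B stored value: " + storedB);
        Console.WriteLine("same answer, same stored value: " + (storedA == storedB));

        // A check only succeeds when the hash is recomputed with that user's own salt.
        Console.WriteLine("A's answer with A's salt: "
            + (HashAnswer("sharedstaticanswer", saltA) == storedA));
        Console.WriteLine("A's answer with B's salt: "
            + (HashAnswer(answer, saltB) == storedA));
    }
}
```

Under this model, a stored PasswordAnswer copied between rows, or left in place while the row's salt changes, no longer matches what is recomputed from the supplied answer.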

Walter Wang [MSFT]
Guest
Posts: n/a
 
      03-08-2007
Hi,

Please feel free to let me know if you have any questions. Thanks.

Regards,
Walter Wang ((E-Mail Removed), remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
