psid
Member
2 Points
18 Posts
machineKey element configuration
Apr 12, 2012 06:45 AM|LINK
Hi, I did the following:
I changed <machineKey> from non-autogenerated to autogenerated, like this:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
Now, is there something I can do to enable already registered users to log in? Or what other implications does that change have for my web app?
(MembershipProvider uses PasswordFormat="encrypted".)
Any help much appreciated.
hans_v
All-Star
35986 Points
6550 Posts
Re: machineKey element configuration
Apr 12, 2012 08:19 AM|LINK
Authenticated users will need to log in again.
Be aware that when the application pool recycles, a new key is generated, forcing authenticated users to log in again.
Why?
psid
Member
2 Points
18 Posts
Re: machineKey element configuration
Apr 12, 2012 10:27 AM|LINK
Let's start from scratch. Is it a requirement for a web app to declare the <machineKey> element in its Web.config file?
I host my application with a machineKey element of the form:
<machineKey validationKey="0000..." decryptionKey="0000...." validation="SHA1" />
Is this something I have to do? Or can I simply omit this configuration totally, or let machineKey autogenerate?
I hope this is clear (but it is my first time facing this situation) - thanks
hans_v
All-Star
35986 Points
6550 Posts
Re: machineKey element configuration
Apr 12, 2012 10:34 AM|LINK
No, you don't have to, because if you don't specify a machine key, ASP.NET will generate one for you. But it will generate a new machine key each time the application pool recycles, and when that happens, it will cause users (when using forms authentication) that are authenticated to be redirected to the login page on their first request after the application pool recycles, and this could also result in the infamous "Validation of ViewState MAC ...." error, so I think it is good practice to always add a machine key, instead of ASP.NET generating one for you....
psid
Member
2 Points
18 Posts
Re: machineKey element configuration
Apr 12, 2012 01:19 PM|LINK
OK. Now what do you suggest I do in case I would like to keep the default settings of IIS? (Remember that I already provide a machineKey in Web.config, and there are some users registered.)
*Another view: if I have to provide the settings for machineKey, which is the best way to find those settings (I mean validationKey, decryptionKey, etc.)? Ask my hosting provider? Use a tool to generate those values? Copy-paste those values from my local machine? What else?
Thanks.
hans_v
All-Star
35986 Points
6550 Posts
Re: machineKey element configuration
Apr 12, 2012 01:40 PM|LINK
http://aspnetresources.com/tools/machineKey
psid
Member
2 Points
18 Posts
Re: machineKey element configuration
Apr 12, 2012 03:14 PM|LINK
Hello again. I decided to completely remove the <machineKey> element from my web app.
Now I get the following when I try to create a new user through CreateUserWizard:
"You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key."
What do I have to do next?
Steven Cheng...
Contributor
4199 Points
548 Posts
Microsoft
Moderator
Re: machineKey element configuration
Apr 13, 2012 03:31 AM|LINK
Hi psid,
The <machineKey> is used by many ASP.NET features like forms authentication, viewstate, membership, etc. If you use the default "auto-generated" setting, each time the application restarts, some of the state management related data of your ASP.NET application (like the page's viewstate) and the forms authentication ticket at the client side will become invalid.
#How To: Configure MachineKey in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff649308.aspx
#Explained: Forms Authentication in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff647070.aspx
It is surely a good idea to have a fixed machineKey for your ASP.NET web application so as to avoid the issues that might happen in the "auto-generated" case. For generating the machineKey, you can just create it yourself, just like you create the strong-name key files for signing your .NET assemblies.
Regarding the error you encountered, it explains that to use encrypted passwords, you have to supply a definite machineKey so that the runtime can generate a fixed key (for encrypting/decrypting the password) derived from the machineKey.
Feedback to us
Microsoft One Code Framework
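As an added example (not code from any poster in this thread), the PowerShell below creates the fixed key values locally from the operating system's random number generator and checks a parsed web.config for the conditions discussed above. The function names, the sample configuration and the "fewer than 8 distinct hex digits" placeholder heuristic are assumptions made for illustration.

```powershell
# Added example: hex key from the OS CSPRNG, generated locally so it never leaves the host.
function New-HexKey([int]$Bytes) {
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    -join ($buf | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    $v = New-HexKey 64   # 64 bytes = 128 hex chars for SHA1 (HMAC) validation
    $d = New-HexKey 32   # 32 bytes = 64 hex chars for AES decryption
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1" decryption="AES" />' -f $v, $d
}

# Flags the machineKey problems raised in the thread for a parsed web.config.
function Test-MachineKey([xml]$Config) {
    $web = '/configuration/system.web'
    $mk  = $Config.SelectSingleNode("$web/machineKey")
    $encrypted = @($Config.SelectNodes("$web/membership/providers/add") |
        Where-Object { $_.GetAttribute('passwordFormat') -eq 'Encrypted' }).Count -gt 0
    foreach ($name in 'validationKey', 'decryptionKey') {
        # A missing element or attribute means ASP.NET autogenerates the key.
        $key = if ($mk) { $mk.GetAttribute($name) } else { '' }
        if (-not $key -or $key -like 'AutoGenerate*') {
            "${name}: autogenerated, not a fixed value"
            if ($name -eq 'decryptionKey' -and $encrypted) {
                'decryptionKey: passwordFormat=Encrypted requires a non-autogenerated key'
            }
        } elseif ($key -notmatch '^[0-9A-Fa-f]+$') {
            "${name}: not a hex string"
        } elseif (@($key.ToCharArray() | Select-Object -Unique).Count -lt 8) {
            "${name}: looks like a placeholder (few distinct hex digits), generate a random one"
        }
    }
}

# Constructed sample (not from the thread): autogenerated keys with encrypted passwords.
$sample = [xml]@'
<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  <membership><providers>
    <add name="P" type="System.Web.Security.SqlMembershipProvider" passwordFormat="Encrypted" />
  </providers></membership>
</system.web></configuration>
'@
Test-MachineKey $sample   # emits one finding string per problem
New-MachineKeyElement     # emits a fresh element for a new deployment's web.config
```

Passwords already stored with passwordFormat="Encrypted" were encrypted under the decryptionKey in place when the accounts were created, so that same key has to stay in web.config for those users to keep logging in. A newly generated key is only suitable for a deployment with no existing encrypted passwords, and it should be treated as a secret: kept out of source control and identical on every server of a web farm.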