Passwords after upgrade

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.

This thread is closed to new posts.
1/10/2014 11:42:14 AM

Passwords after upgrade

What operating system? Microsoft Windows NT 6.1.7601 Service Pack 1

What database platform? Microsoft SQL Server

What version of mojoPortal? 2.4.0.0

What version of .NET? 4.0 Running in Full Trust

I have upgraded the portal from 2.3.7.0 to 2.4.0.0, and no user can log in now. When someone recovers a password and sets it to the same value, it updates mp_Users.pwd to a different value. For example:

was: 4E-FD-0C-DC-36-DA-BE-9E-A9-8C-F8-3C-8A-9F-3E-72

now: 84-35-13-1D-8C-C7-78-D6-0C-79-BF-B8-30-38-3D-93-AF-A3-41-19-DF-4B-2B-43-FF-FC-C5-5E-CA-6B-4E-92-AD-E4-1B-65-5D-39-82-A9-FC-B6-65-F5-7F-35-00-56-CE-E0-BF-E7-D6-67-0C-F4-7A-F9-4E-41-A6-17-44-8A

The machine code stays the same. We cannot afford to ask all users to reset their passwords. What should we do?

1/10/2014 12:09:25 PM

Re: Passwords after upgrade

Hi,

We changed to stronger password encryption in version 2.3.8.1, but it was designed so that it would not break existing user accounts: it will try the old encryption if login fails, and then, if the old encryption works, it will update the same password to stronger encryption.

Lots of people upgraded and I'm not aware of other people having any major problems with it, so I have no idea why it is not working for you unless your machinekey changed in web.config.

For new installations starting with version 2.4.0.0 we do automatically update the machinekey to a new generated one, but this should not happen for upgrades unless you added this to user.config:

<add key="TryEnsureCustomMachineKeyOnSetup" value="true" />

If that is in user.config and it detects the default machinekey, then the setup page will try to update the machinekey to a new one.

But we don't ship a user.config file, so it should not happen to upgrades of existing sites; it should only do that on new installations, when the MS Web Platform Installer creates a user.config file by copying user.config.sample as user.config.

If somehow that happened to your site (i.e. if that is in your user.config), then it means you were using the old default machinekey, which is not secure.

You could remove that setting from user.config and then restore the old default machinekey:

<machineKey validationKey="55BA53B475CCAE0992D6BF9FE463A5E97F00C6C16DA3D7DF9202E560078AB501643C15514785FEE30FEF26FC27F5CE594B42FFCA55452EF90E8A056B4DAE9F39" decryptionKey="939232D527AC4CD3E449441FE887DA110A16C1A36924C424CBAAE3F00282436C" validation="SHA1" decryption="AES" />

That would make old accounts able to log in, but it would break accounts that were already upgraded and it would not be secure. If a hacker knows your machinekey, they can hack your site and gain administrator access, so it is very important to use a unique custom machine key.

I don't really have any other ideas to help you. If you kept a backup of the site files and the database you could go back to your previous version by deleting the files and restoring the files and then restoring the database from backup.

Joe

1/10/2014 3:13:23 PM

Re: Passwords after upgrade

Thanks! I have changed key="CheckMD5PasswordHashAsFallback" to "true", and now it works.
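
The fallback described in the reply above and the CheckMD5PasswordHashAsFallback setting from the last post, modelled as an added C# example (not mojoPortal's code and not written by either poster). It assumes unsalted MD5 for the old format and SHA-512 for the new one, inferred from the setting name and the 16- and 64-byte values in the first post; the class, method and variable names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not mojoPortal source. Assumed: unsalted MD5 (old) and SHA-512 (new)
// over UTF-8 bytes, stored as BitConverter's dash-separated hex like the values in the thread.
static class PasswordMigrationDemo
{
    // Constructed stand-in for the mp_Users.pwd column: login name -> stored hash.
    static readonly Dictionary<string, string> users = new Dictionary<string, string>();

    static string Hash(HashAlgorithm alg, string password)
    {
        using (alg) return BitConverter.ToString(alg.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    // Compares two stored-format strings without exiting at the first differing character.
    static bool SameHash(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // md5Fallback stands in for the CheckMD5PasswordHashAsFallback setting.
    static bool Login(string name, string password, bool md5Fallback)
    {
        if (!users.TryGetValue(name, out string stored)) return false;
        string current = Hash(SHA512.Create(), password);
        if (SameHash(stored, current)) return true;
        // Legacy path: accept the old hash only when enabled, then upgrade the stored value.
        if (md5Fallback && SameHash(stored, Hash(MD5.Create(), password)))
        {
            users[name] = current;
            return true;
        }
        return false;
    }

    static void Main()
    {
        users["alice"] = Hash(MD5.Create(), "constructed-password"); // row from before the upgrade
        Console.WriteLine("fallback off: " + Login("alice", "constructed-password", false));
        Console.WriteLine("fallback on:  " + Login("alice", "constructed-password", true));
        Console.WriteLine("stored bytes now: " + (users["alice"].Length + 1) / 3);
    }
}
```

With the fallback off, the account from before the upgrade is rejected, which matches the symptom in the first post; with it on, the login succeeds and the stored value grows from 16 to 64 bytes.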
