encrypted or hashed password logon problems

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

This thread is closed to new posts. You must sign in to post in the forums.
1/13/2009 3:33:19 PM
Total Posts 7

encrypted or hashed password logon problems

Hello,

So now that I have release 2.2.7.9 working (on win2003, IIS6, mssql), there are a few things happening.

1. Whenever I try to use encrypted or hashed passwords I cannot log in anymore (get an error for hashed passwords, just gives me a logon failed message for encrypted). Changed the password format in mp_sites back to 0 and I was still unable to log on. Can you confirm that this feature is working in the latest version? (We currently cannot use the current version because we have not moved up to .NET 3 yet)

2. This is probably a configuration error somewhere but when I bring up our default site, I am prompted for a user/password first before I can even access the page. I log in with a privileged domain account and am able to access the site. However, in the IIS settings for the site, I have anonymous access enabled with an account that is also a dbo on the database...

1/14/2009 5:29:38 AM
Total Posts 18439

Re: encrypted or hashed password logon problems

Hi,

1. It's not a good idea to change password formats frequently. Yes, it works, but you should decide up front what you will use and then change it, but don't change it back and forth.

Clear Text and Encrypted passwords can be recovered using the password recovery from the profile page (assuming smtp is properly configured so it can send the password by email).

Hashed passwords cannot be decrypted, so password recovery is not possible. A password reset feature is needed for hashed passwords but is not currently implemented, unfortunately.

So when you change from clear text to encrypted, the existing password is encrypted; if you change back to clear text it would be decrypted. But once you have changed to hashed, decrypting is not possible, so if you change back to clear text a random password is generated and you would have to recover it or look it up directly in the db in mp_Users. If you change from hashed to encrypted, a random password will be generated, then encrypted and stored in the db. It can be recovered by the recovery email, but you can't look it up in the db because it's encrypted there.

Since you manually changed back to clear text in the db, then you need to manually put a clear text password on the user in mp_Users in order to login again.

Be aware (since I know your other post is about ldap) that when using ldap with version 2.2.7.9 you need to leave password format as clear text. We do not store the ldap password in the db at all, we only pass it to the ldap server for authentication, if it passes authentication we assign a login cookie and the user is logged in. There is a minor bug in 2.2.7.9 where if password format is set to encrypted or hashed and using ldap, then it gets encrypted or hashed before it is passed to the ldap server and therefore login fails at the ldap server.

2. Sounds like the IIS site is configured for Basic or Digest Authentication and it throws this popup before any mojoportal code is executed. For an internet site you should configure it for Integrated Windows and Anonymous and not use digest or basic. Basic particularly is very insecure and it's dangerous because you enter domain credentials and they are not encrypted across the wire from the client to the server. I would not use the anonymous user for the db connection. I would use a sql user and remove the anonymous user from the dbo group.

Hope it helps,

Joe

1/15/2009 9:46:22 AM
Total Posts 7

Re: encrypted or hashed password logon problems

Hello Joe,

Thanks for the comments but the issues still persist for me.

When I first installed mojoportal, I immediately switched over to using hashed passwords. However, I found that I was then unable to log in.

So I cleared out the database and re-ran the setup. I then changed the fresh install to use encrypted passwords. That still did not work. I was then able to find a forum post about a similar issue and looked at the mp_Users and mp_Sites tables. The password was not encrypted and when I switched the password format back to 0, I was still unable to log in.

I actually have not been using LDAP at all yet and my other question about it was, in a sense, misguided. I agree that when this becomes a public facing site, it should not have mixed authentication. So, not a big deal - was more for an ease in testing type of scenario!

I guess the above is possibly not such a big deal anymore as we are running the last .NET 2 version of mojoportal (and not even using the latest version)! When we do decide to pursue the use of mojoportal, we will most likely be using your latest version and will have made the switch to .NET 3.

For #2

This one is a bit strange for me because we are using Integrated Windows and Anonymous (and are not using digest or basic encryption). I've bumped down the anonymous user's rights in the db. Unfortunately, we do not allow for the use of sql accounts here...

1/15/2009 9:54:47 AM
Total Posts 18439

Re: encrypted or hashed password logon problems

I will see if I can replicate the problem.

I left out one step: after you changed it back to clear text in the db, it was still cached in sitesettings in memory, so it still thought it was configured as encrypted and therefore login failed. To clear the cache, you can touch Web.config by typing a space in it and saving. This will recycle the app and clear the cache.

Are you sure your web server is not behind some kind of proxy server that may be imposing the extra login dialog? It's also possible, if the web server is a member of a domain, that some settings are being pushed down by group policy.

Best,

Joe

1/16/2009 11:45:28 AM
Total Posts 7

Re: encrypted or hashed password logon problems

So, for issue #2, it did boil down to a wrong password! I apparently thought that account's password was one character different than what it actually was. Put that one down as a boneheaded user error! I think I will try the encryption option again later today to see if I can get it to work (now that I have some extra useful info from you). I'll let you know if it worked or not. Thanks for the help!

1/16/2009 1:21:51 PM
Total Posts 7

Re: encrypted or hashed password logon problems

Issue 1 still persists. I just retried it (only with encrypted passwords this time). After I switch it to encrypted, I save it and log out. Then I even went and updated the web.config files just in case the site had to clear its cache - still not working. In any case, the recovery back to clear text worked now. The updating of the web.config file did the trick! Thanks

1/16/2009 2:08:31 PM
Total Posts 18439

Re: encrypted or hashed password logon problems

I tested this today and it works fine for me. I changed to encrypted and looked in the db and it did change to encrypted, I changed it back and it decrypted them. There are only about 40-50 users in the db I tested and I was using MS SQL, so if you're using something else let me know.

It may be wise after making this change to do as you did and touch web.config to clear the cache, but after that it should work.

In any case, if you are going to use ldap as indicated in your other posts you should leave it as plain text.

Best,

Joe
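
The format transitions described in this thread (clear text and encrypted are reversible, hashed is one-way and forces a new random password) and the login failure caused by a stale cached format setting, as an added Python sketch that is not mojoPortal code. Assumptions: only `0` = clear text is confirmed by the thread, so the values 1 and 2 are assumed; the function names are hypothetical; an XOR keystream stands in for the site's real cipher and PBKDF2 for its hash.

```python
import hashlib
import hmac
import secrets

CLEAR, HASHED, ENCRYPTED = 0, 1, 2  # 0 = clear text per the thread; 1 and 2 are assumed

def _xor(data: bytes, key: bytes) -> bytes:
    # Toy reversible transform standing in for the real cipher. Not secure.
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def store(password: str, fmt: int, key: bytes) -> str:
    """Return the value that would sit in the password column for this format."""
    raw = password.encode()
    if fmt == CLEAR:
        return password
    if fmt == ENCRYPTED:
        return _xor(raw, key).hex()
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, 100_000)
    return salt.hex() + ":" + digest.hex()

def verify(attempt: str, stored: str, fmt: int, key: bytes) -> bool:
    """Check a login attempt against the stored value under the format in effect."""
    raw = attempt.encode()
    if fmt == HASHED:
        salt_hex, digest_hex = stored.split(":")
        calc = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), 100_000)
        return hmac.compare_digest(calc.hex(), digest_hex)
    if fmt == ENCRYPTED:
        return hmac.compare_digest(_xor(raw, key).hex().encode(), stored.encode())
    return hmac.compare_digest(raw, stored.encode())

def convert(stored: str, old: int, new: int, key: bytes):
    """Migrate one stored password. Returns (new_stored, issued_password_or_None)."""
    if old == new:
        return stored, None
    if old == HASHED:
        # One-way: nothing can be recovered, so a fresh random password is issued.
        issued = secrets.token_urlsafe(12)
        return store(issued, new, key), issued
    plain = stored if old == CLEAR else _xor(bytes.fromhex(stored), key).decode()
    return store(plain, new, key), None
```

Calling `verify` with a format that does not match how the column was written returns `False` even for the correct password, which is the situation a cached site setting produces until the application is recycled.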
