The "You must specify a non-autogenerated machine key" error
By default, the Asp.Net SqlMembership Provider uses one-way hashing to scramble passwords but gives you the option for encrypting or storing passwords in clear text as well. If you choose to go with an encrypted passwordFormat, you may receive the following error message when creating users:
You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key.
This exception is thrown by the SqlMembership provider when you attempt to store a password in an encrypted format but have not created a custom machineKey section in your web.config file.
What is a non-autogenerated Machine Key?
The machinekey is an element in your application's configuration that defines a unique validationKey/decryptionKey pair that is used for encrypting and decrypting passwords and password answers.
When you install the .Net Framework on a particular workstation or server, an "auto-generated" machine key with a unique validationKey/decryptionKey pair is created in a machine-wide configuration file.
While this "autogenerated" machine-key can be used to perform local, machine-level encryption, the designers of Asp.Net knew that a "non-portable" machine key would be inappropriate for web applications that would be moved from development machines to servers or across server farms.
Thus, the SqlMembershipProvider is letting you know that you need to create your own Machine Key that will be used when encrypting and decrypting passwords.
Here is a sample non-autogenerated machine key section:
<system.web> ... <machineKey validationKey= "5AD524EF7BEB32A479F8095F8BF7653680066ADE66B5C78F80C3DC1F90 AA3D766F2B69304BFF88DEABEDE1E66D463C81FDEE0FC1A391AD90A6FD1294E7D243B1" decryptionKey= "0D7AE7BC7581976D76AC1D68C71BCBA978895CB792DC4F7B9F0D67774378A351" validation="SHA1" decryption="AES"/> ... </system.web>
Notice that the machineKey section is added anywhere within the system.web element. Please refer to Microsoft's MSDN site for a full explanation of machineKeys and all of the options you have for controlling the way encryption will work in your web application.
Tip: You can configure the machineKey in your machine.config file to share it with all web applications running on your server.
Where do I get my own non-autogenerated machine key?
For your convenience, we have used the CryptoServiceProvider to generate a unique <machineKey> section for you. Just copy it out of the text box below and use it on your own site(s).
<% =Html.TextArea("non-autogenerated-machine-key-textbox", ViewData["machineKey"].ToString(), 8, 100, new { @class = "learn-markup", style="margin-left:40px;" })%><%=Html.ActionLink("Generate a new unique machine key","you-must-specify-a-non-autogenerated-machine-key") %>
Do I need a non-autogenerated machine key when using a Hashed passwordFormat?
Generally, you do not need to create a machine key section when using Hashed or Clear passwordFormats with the SqlMembership provider. When using the ActiveDirectory membership provider, it appears that you need to provide a non-autogenerated machine key.
Remember to back up and safeguard your machine key.
Once you start encrypting passwords with a particular machine key, that same machine key must be available to decrypt the data. You should back up the file containing your machine key (usually web.config) and also safeguard it from unauthorized access.