If you use Reset Password to change to the Encrypted PasswordFormat but
have not specified a machineKey in web.config, the SqlMembershipProvider will throw
the following exception:
You must specify a non-autogenerated machine key to store passwords in the
encrypted format. Either specify a different passwordFormat, or change the machineKey
configuration to use a non-autogenerated decryption key.
This exception is thrown by the SqlMembershipProvider when you attempt to store
a password in an encrypted format but have not created a custom machineKey section
in your web.config file. There are several reasons that a custom machineKey section
is required by the Membership Provider:
- The machineKey defines a validation method, validationKey and decryptionKey which
are used in the encryption/decryption algorithm.
- Normally, ASP.NET (and the .NET Framework) can autogenerate a machineKey. However,
an autogenerated key is not portable across machines. Since your web site may have to be moved
from your development machine to a server or even onto a server farm, the "keys"
for encrypting/decrypting passwords would not be available on those separate platforms
unless they were explicitly defined.
You could configure a machineKey along with its validationKey
and decryptionKey attributes in each server or workstation's machine.config
file, which would allow all web sites to use a common set of encryption keys and
eliminate the requirement for a custom section in web.config. A simpler
and more flexible approach, however, would be to add a machineKey
section to the web.config file of your web site. This way, whenever you copy your
web site to a remote server, the web.config file will have the required machineKey
section.
How to specify a non-autogenerated machine key
Microsoft's MSDN site provides a full explanation of machineKeys and all of the
options you have for controlling the way encryption will work in your web
application. For many web applications, it may be enough to just add a
<machineKey> section to web.config as illustrated here:
<system.web>
  ...
  <machineKey
    validationKey="A0C1DD02D82640507D007C93B1163B97A360F682C7F442592263E3077522FAD8412782D158FF7A3A684DC6F8DF7A9C230005A018A6C7BBC16602A46B6630C27C"
    decryptionKey="8FC27AD4C8400BBABB7DF6A2BA8562AC59D55D850B7FD4D316F518E0C1270AA6"
    validation="SHA1"
    decryption="AES"/>
  ...
</system.web>
Note that additional elements may also exist within the <system.web>
section of your application's web.config file.
Need a unique MachineKey?
For your convenience, we have used the CryptoServiceProvider to generate a unique
<machineKey> section for you. Just copy it out of the
text box below and use it on your own site(s).
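The following Python script is an added example, not part of the original page or of the Membership Manager product. It audits a web.config for the conditions described above (missing, autogenerated or copied sample keys) and builds a fresh <machineKey> element with the same key sizes as the sample. The function names are illustrative, and the accepted AES key lengths (32, 48 or 64 hex characters) are an assumption of the example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# The sample keys printed on this page: public, so they protect nothing if reused.
PUBLISHED_KEYS = {
    "A0C1DD02D82640507D007C93B1163B97A360F682C7F442592263E30775"
    "22FAD8412782D158FF7A3A684DC6F8DF7A9C230005A018A6C7BBC16602A46B6630C27C",
    "8FC27AD4C8400BBABB7DF6A2BA8562AC59D55D850B7FD4D316F518E0C1270AA6",
}
HEX = re.compile(r"[0-9A-Fa-f]+")
AES_KEY_HEX_LENGTHS = (32, 48, 64)  # assumption: 128/192/256-bit AES keys


def audit_machine_key(web_config_xml):
    """Return the problems found in <machineKey>; an empty list means none."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return ["no <machineKey> element: keys are autogenerated per machine"]
    problems = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")  # a missing attribute means autogenerated
        if "AutoGenerate" in value:
            problems.append(attr + " is autogenerated")
        elif not HEX.fullmatch(value):
            problems.append(attr + " is not a hex string")
        elif value.upper() in PUBLISHED_KEYS:
            problems.append(attr + " is a published sample key")
    dec = mk.get("decryptionKey", "")
    if (mk.get("decryption") == "AES" and HEX.fullmatch(dec)
            and len(dec) not in AES_KEY_HEX_LENGTHS):
        problems.append("decryptionKey length is invalid for AES")
    return problems


def new_machine_key():
    """Build a <machineKey> element from CSPRNG output, sized like the sample."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES"/>'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))


if __name__ == "__main__":
    # Constructed input: a minimal web.config wrapped around a freshly generated key.
    config = "<configuration><system.web>%s</system.web></configuration>"
    print(audit_machine_key(config % new_machine_key()))
```

Run the audit against the web.config you deploy; a machineKey copied from any public page, including this one, is reported the same way as a missing one.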
Other MachineKey related exceptions
If you do not have a MachineKey section in web.config, and attempt to Reset a Password,
you may receive a message that indicates that the current password is encrypted
but no MachineKey has been defined in web.config.
Similarly, if you attempt to Change Question and Answer for a member whose
password is encrypted but have removed the MachineKey from web.config, the Change
Question and Answer panel will display a message similar to that shown below.

Important
When using Encrypted passwords, be sure to make a backup copy of your original
machineKey data as it is the key to decrypting passwords.
Related Topics
The Membership Manager Control
Membership Manager Configuration
Asp.Net SqlMembershipProvider Settings
Index was outside the bounds of the array