Help! ASP.NET 2.0 Membership ERROR: The password-answer supplied is wrong.

Discussion in 'ASP .Net Security' started by Guest, Mar 5, 2007.

  1. Guest

    Guest Guest

    Can anyone please comment on this ASP.NET 2.0 Membership error & how to get
    the following code to run?
    ERROR:
    >>> "The password-answer supplied is wrong."


    The Membership database seems to be encrypting randomly & it's causing our
    web app to keep throwing errors & keeping our users from logging in. (See
    below for greater detail.)

    How do we get this line to run?
    >>> //CANNOT RUN:
    >>> string genPassword = mu.ResetPassword("[REMOVED:passwordAnswer]");


    In ASP.NET 2.0 Membership (aspnet_Membership table) can anyone tell me
    whether the web.config machineKey tag (with validationKey & decryptionKey)
    actually controls how the aspnet_Membership.passwordAnswer column is
    encrypted?

    NOTE: In our situation, ALL users have the same static value for
    passwordQuestion & passwordAnswer because we only reset/generate passwords
    programmatically. The passwordAnswer column gets encrypted and it USED TO
    be the same value for everyone:
    /BDizKy0FRtHQJxjTO3SnI/H/4g=
    .... but now, it generates completely different values for every user:
    sUmS0wDxiGK52o8r37dZDxbeCjI=
    OdLx8wXO/cgRfvqKHlXV+I12HAg=

    THE ISSUE:
    The other day, we started getting an error when the user clicks the Change
    Password button which calls:
    public void ChangePassword()
    {
        Password = RandomPassword.Generate(8);
        MembershipUser mu = Membership.GetUser(this.UserName);

        //CANNOT RUN:
        string genPassword = mu.ResetPassword("[REMOVED:passwordAnswer]");

        mu.ChangePasswordQuestionAndAnswer(genPassword,
            "[REMOVED:passwordQuestion]", "[REMOVED:passwordAnswer]");
        mu.ChangePassword(genPassword, Password);
    }

    ERROR:
    "The password-answer supplied is wrong."
    (This SEEMS to be an encryption issue, since all passwordAnswers are exactly
    the same.)

    Please help me better understand the process & how to control it.

    Thoughts:
    We do not yet have a machineKey tag in web.config, so it should default to
    AutoGenerate, which may create different values on different machines,
    right?
    So, since I now want to control it (same encryption) across both Development
    and Production machines, I want to add the keys I've generated.

    But, with the machineKey tag, it still generates different keys for users...
    Is this normal?
    Is it perhaps using values from the userid, username, or Salt to create the
    encrypted passwordAnswer?

    PROVIDER:
    <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
    connectionStringName="SqlConn" applicationName="[REMOVED]"
    passwordStrengthRegularExpression="[REMOVED]" minRequiredPasswordLength="8"
    minRequiredNonalphanumericCharacters="1" enablePasswordRetrieval="false"
    enablePasswordReset="true" requiresQuestionAndAnswer="true"
    requiresUniqueEmail="false" passwordFormat="Hashed"
    maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"/>
     
    Guest, Mar 5, 2007
    #1

  2. Hi,

    Your "passwordFormat" is set to "Hashed" instead of "Encrypted", which
    means it's not using the MachineKey:

    http://msdn2.microsoft.com/en-us/library/ms998288.aspx#paght000007_membership

    The "PasswordAnswer" field in table aspnet_MemberShip is also hashed or
    encrypted according to the "passwordFormat" setting. The actual hash
    algorithm to compute the PasswordAnswer is not documented, but it's
    definitely related to the user name.

    Does this issue also occur on a newly created test user account? Or is it
    only related to previous user accounts? Have you changed the
    "PasswordFormat" before?


    Sincerely,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

     
    Walter Wang [MSFT], Mar 6, 2007
    #2
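
Why one static answer can end up as a different stored value on every row, as an added example (not code from the thread or from Microsoft). It assumes a salted SHA-1 scheme, the row's base64 salt bytes followed by the UTF-16LE text, with the answer lowercased before hashing; the class name, helper names and sample answer are constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class AnswerHashDemo
{
    // Assumed scheme: base64( SHA-1( salt bytes || UTF-16LE text ) ).
    static string Encode(string text, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] input = Encoding.Unicode.GetBytes(text);
        byte[] all = new byte[salt.Length + input.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(input, 0, all, salt.Length, input.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }

    // A fresh random 16-byte salt per user row, stored as base64.
    static string NewSalt()
    {
        byte[] salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Verification recomputes the hash with the row's own salt, so a stored
    // value copied from another row (or written under another salt) fails.
    static bool Verify(string supplied, string rowSalt, string rowHash)
    {
        string normalized = supplied.ToLower(CultureInfo.InvariantCulture);
        return string.Equals(Encode(normalized, rowSalt), rowHash, StringComparison.Ordinal);
    }

    static void Main()
    {
        const string answer = "constructed-static-answer"; // constructed sample value
        string saltA = NewSalt(), saltB = NewSalt();
        string hashA = Encode(answer, saltA), hashB = Encode(answer, saltB);
        Console.WriteLine("user A stored value: " + hashA); // 28 base64 chars = 20-byte SHA-1
        Console.WriteLine("user B stored value: " + hashB);
        Console.WriteLine("same answer, same stored value? " + (hashA == hashB));
        Console.WriteLine("A checked against A's salt:     " + Verify(answer, saltA, hashA));
        Console.WriteLine("A's value checked with B's salt: " + Verify(answer, saltB, hashA));
    }
}
```

With a hashed format the stored value depends on the row's salt and not on machineKey, so comparing the passwordAnswer column across users says nothing about whether the answers match.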

  3. Hi,

    Please feel free to let me know if you have any questions. Thanks.

    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

     
    Walter Wang [MSFT], Mar 8, 2007
    #3
