tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
I can't login using my admin's username and password after upgrading to the v2.2.4.4. Is it a known issue?

I also tried to use the Lost Password function. It asked me the security question, but my answer was not accepted.

Fortunately, I am logged in in another browser, so I still can login to our forum there. I wanted to change the answer to security question, but I couldn't find this section in my forum profile. Can you help me with that?

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
7 years ago

I can't login using my admin's username and password after upgrading to the v2.2.4.4. Is it a known issue?

I also tried to use the Lost Password function. It asked me the security question, but my answer was not accepted.

Fortunately, I am logged in in another browser, so I still can login to our forum there. I wanted to change the answer to security question, but I couldn't find this section in my forum profile. Can you help me with that?

Originally Posted by: tecman 

From which version did you upgrade? Did you override your old web.config?

tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
I upgraded from the v 2.2.3.0. As always, I added my personal settings to the fresh web.config from the full install package manually to use the latest version of web.config.
tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
I've managed to reset my password using the browser in which I was logged in.

Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
7 years ago

I upgraded from the v 2.2.3.0. As always, I added my personal settings to the fresh web.config from the full install package manually to use the latest version of web.config.

Originally Posted by: tecman 

Why did you use the full package, there is an upgrade package? I assume you override your machine key. That would be the reason why you can't log in.

tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
Can you tell me more about this machine key?

As for the upgrade process I am using, I have been doing this from early times when I started to use YAF. Something went wrong with the upgrade first times, so I decided to do it manually using the full package. Add to this that I also fix some problems in original aspx files and do some personal settings in CSS every time before uploading the new version to the server.

Bump #2. Any chance to get answer to the following question?

Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
7 years ago

Can you tell me more about this machine key?

As for the upgrade process I am using, I have been doing this from early times when I started to use YAF. Something went wrong with the upgrade first times, so I decided to do it manually using the full package. Add to this that I also fix some problems in original aspx files and do some personal settings in CSS every time before uploading the new version to the server.

Bump #2. Any chance to get answer to the following question?

Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?

Originally Posted by: tecman 

The security question, answer, password and password salt are saved in the yaf_prov_Membership table, but all are stored encrypted via the machine key.

tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
You wrote that I could override the machine key. Can you tell me more about it? Does it mean that if I upgrade the way I described, all other users of my forum will also have login problems like me? Is there a related documentation I can read?

BTW, when I upgrade the way I do, I never change any specific setting in the forum .config files. I imply that this machine key is something related to the web-server (server name, OS version, something else) and not a thing coded in the .config files. With that said, I simply can't change this machine key with my actions!

As for the security question, ok, I understand that they are saved in a coded form in the db. However, if I have access to my account and can change almost anything in my profile, why can't I change the security question?? I would be glad if I could overwrite it with a new question/answer pair. Is it possible?

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
7 years ago

You wrote that I could override the machine key. Can you tell me more about it? Does it mean that if I upgrade the way I described, all other users of my forum will also have login problems like me? Is there a related documentation I can read?

BTW, when I upgrade the way I do, I never change any specific setting in the forum .config files. I imply that this machine key is something related to the web-server (server name, OS version, something else) and not a thing coded in the .config files. With that said, I simply can't change this machine key with my actions!

Originally Posted by: tecman 

The machine key is really important; it encrypts the password, the security question and answer and also the viewstate of the page. The Install Instructions of the forums contain how to set up a machine key for the site. Do you have the old web.config from before you upgraded, to check if the machine key was set in the web.config?

If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string.

As for the security question, ok, I understand that they are saved in a coded form in the db. However, if I have access to my account and can change almost anything in my profile, why can't I change the security question?? I would be glad if I could overwrite it with a new question/answer pair. Is it possible?

Originally Posted by: tecman 

The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API or you create a new user with the password and Security Question/Answer and you copy over the hashed entries from that user to your user account.

tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
Please, give me a link and/or tell me where I can find detailed information about the installation process and this machine key.

I compared the recommended.web.config from the v2.2.3 and 2.2.4.4 installation packages and found this node. As I see, I have never changed its validationKey and decryptionKey attributes. The whole node is even commented out!

If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string

Where can I find this membership connection string?

The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API

Why can't we do that in the interface??

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
7 years ago

Please, give me a link and/or tell me where I can find detailed information about the installation process and this machine key.

Originally Posted by: tecman 

In the documentation

https://github.com/YAFNET/YAFNET/wiki/Installation 

If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string

Originally Posted by: tecman 

Where can I find this membership connection string?

Sorry, I forgot to mention, it is also in the web.config.

The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API

Originally Posted by: tecman 

Why can't we do that in the interface??

Yes, that's a good question, I'll add it to my to-do list.

tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
Even after reading the installation instructions using the provided link, I confirm again that I never changed the machine key hard-coded in the web.config files I have.

Do you want to say that I could not log in because a security algorithm has changed since the v2.2.3?

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
7 years ago

Even after reading the installation instructions using the provided link, I confirm again that I never changed the machine key hard-coded in the web.config files I have.

Do you want to say that I could not log in because a security algorithm has changed since the v2.2.3?

Originally Posted by: tecman 

But did you change the membership connection string? You would only need to change it back, then you can log in again.

tecman
  • tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
7 years ago
Are we talking about the membership node from web.config?

In the v2.2.3 installation package it was

In the v2.2.4.4 it is

I guess, this is the diff that caused the problem?

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
7 years ago
Yes, looks like the problem.
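
The comparison this thread arrives at (the machine key and the membership node of the old and new web.config) can be run before an upgrade; the following is an added example, not part of the original posts and not YAF code. The two sample configs are constructed, and the provider name, type and attribute values in them are placeholders rather than YAF's real settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; names and values are placeholders, not YAF defaults.
OLD_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AAAA" decryptionKey="BBBB" validation="SHA1" />
  <membership defaultProvider="ExampleProvider" hashAlgorithmType="SHA1">
    <providers><add name="ExampleProvider" type="Example.Provider" passwordFormat="Hashed" /></providers>
  </membership>
</system.web></configuration>"""

NEW_CONFIG = """<configuration><system.web>
  <!-- <machineKey validationKey="AAAA" decryptionKey="BBBB" validation="SHA1" /> -->
  <membership defaultProvider="ExampleProvider" hashAlgorithmType="SHA256">
    <providers><add name="ExampleProvider" type="Example.Provider" passwordFormat="Hashed" /></providers>
  </membership>
</system.web></configuration>"""


def credential_settings(xml_text):
    """Flatten every attribute that affects stored credentials into {path: value}."""
    root = ET.fromstring(xml_text)  # comments are dropped: a commented-out node counts as absent
    web = root.find("system.web")
    settings = {}
    if web is None:
        return settings
    for tag in ("machineKey", "membership"):
        node = web.find(tag)
        if node is not None:
            for attr, value in node.attrib.items():
                settings[f"{tag}/@{attr}"] = value
    for add in web.findall("membership/providers/add"):
        name = add.get("name", "?")
        for attr, value in add.attrib.items():
            settings[f"membership/providers/{name}/@{attr}"] = value
    return settings


def credential_drift(old_xml, new_xml):
    """Return sorted (path, old, new) tuples for settings that differ; None means absent."""
    old, new = credential_settings(old_xml), credential_settings(new_xml)
    return [(k, old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]


if __name__ == "__main__":
    for path, before, after in credential_drift(OLD_CONFIG, NEW_CONFIG):
        if path.endswith("Key"):  # keys are secrets: report presence, never the value
            before, after = ("<set>" if v else "<absent>" for v in (before, after))
        print(f"{path}: {before} -> {after}")
```

Any reported difference means credentials stored under the old settings may no longer verify after the upgrade, so carry the old values into the new web.config or plan a password reset.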