
asifshiraz
  • asifshiraz
  • 52.4% (Neutral)
  • YAF Forumling Topic Starter
13 years ago
Hi,

I have just installed YAF 1.9.3 and ported my existing aspnet membership users into the yaf_prov_membership table.

The trouble I am having is that my existing usernames (which were stored as encrypted) are not being validated by yaf. Specifically, in class YafMembershipProvider.cs, Method EncodeString(...) seems to be failing at this line:

encodedPass = Convert.ToBase64String((new YafMembershipProvider()).EncryptPassword(buffer));

If I plug out yaf membership from web.config and put sqlmembership (which I previously had), then the same users are able to log in?

Is it that yaf by default uses a different encryption algorithm? I did not copy the "machinekey" settings over into my yaf web.config though.

Asif


jshepler
13 years ago
asifshiraz wrote:

Hi,

I have just installed YAF 1.9.3 and ported my existing aspnet membership users into the yaf_prov_membership table.

The trouble I am having is that my existing usernames (which were stored as encrypted) are not being validated by yaf. Specifically, in class YafMembershipProvider.cs, Method EncodeString(...) seems to be failing at this line:

encodedPass = Convert.ToBase64String((new YafMembershipProvider()).EncryptPassword(buffer));

If I plug out yaf membership from web.config and put sqlmembership (which I previously had), then the same users are able to log in?

Is it that yaf by default uses a different encryption algorithm? I did not copy the "machinekey" settings over into my yaf web.config though.

Asif

It probably has to do with the salt, but I don't really know - just a shot in the dark.

The yaf providers are for when you aren't using any other providers - like the sql provider for asp.net membership/roles/profiles. Yaf will work just fine with the sql providers, you don't need to move the membership users. The only thing yaf requires is to configure the tag's inherits attribute (in web.config) to be yaf's profile class (or any class derived from it).


not jsheLPer

test2005
13 years ago

jshelper is correct. You cannot encrypt a password using ASP membership, then use YAF membership to resolve the encryption.

You will need to reset your users' passwords to use the YAF membership class, email those passwords to the users explaining the reason behind the password change and telling them to reset it after login. I do this often; a mild irritation to existing users, but a necessary evil where encrypted passwords are concerned. Alternatively, you could ask your users to use the password recovery feature. Then only one change is required.

HTH

:)


.....the man in black fled across the desert..........and the gunslinger followed.....

Mek
  • Mek
  • 100% (Exalted)
  • YAF Developer
13 years ago
Quote:

jshelper is correct. You can not encrypt a password using ASP membership, then use YAF membership to resolve the encryption.

I respectfully disagree; there should be no problems there whatsoever. I have some further work to do on the Membership provider before final, so I'll test the encryption to ensure this works beforehand.

@asifshiraz:

Could you please post your web.config provider settings before you moved to the YAF Providers, and after you moved...



"It's a case of RTFM.. the only problem being we don't have a manual!"

When I post FP:Mek in a topic, I'm leaving my footprint there so I can track it once I get into coding/supporting. (Yes I stole this off Ederon 🙂 )

test2005
13 years ago
Don't want to step on toes, but if he's using a different provider, won't the salt encryption be different?

I've never been able to bounce between providers when the user passwords are stored encrypted for this reason, or so I thought!

School me Mek! :cheesy:

8)


.....the man in black fled across the desert..........and the gunslinger followed.....

Mek
  • Mek
  • 100% (Exalted)
  • YAF Developer
13 years ago
The encryption method is the same between providers, and the salts are stored in the table next to the password; shouldn't be an issue. Or am I being naive :-)

Edit: If it was some unknown provider you'd be right, but from what I've gathered it's the standard asp.net one.



"It's a case of RTFM.. the only problem being we don't have a manual!"

When I post FP:Mek in a topic, I'm leaving my footprint there so I can track it once I get into coding/supporting. (Yes I stole this off Ederon 🙂 )

jshepler
13 years ago
I would think it depends on the configuration settings. We won't know until he posts both configs, but he could have conflicting settings. For example, different algorithms (MD5 vs SHA1) or different password formats (Encrypted vs Hashed).


not jsheLPer

asifshiraz
  • asifshiraz
  • 52.4% (Neutral)
  • YAF Forumling Topic Starter
13 years ago
Hi,

Thanks for the information. I am attaching the file I am using. The changes I have made are:

1. Deployed totally new unzipped yaf application.

2. Changed db.config to point to my database.

3. Copied dev-recommended-web.config to root. Set trace to false.

4. Changed "applicationName" attribute of YafRoleProvider, YafMembershipProvider, YafProfileProvider to my own application name.

5. Added element

Doing the above does not let me login and gives a failed login response. Then I proceeded as follows:

6. Commented out the following:

7. Added the following:

This lets me log in. So what am I doing wrong here?

------------

On another note, I have one more question. I thought of using it without the yaf provider and continuing with the aspnet provider, since providers are supposed to be "pluggable". But I found that the system doesn't let me work that way, because I got other issues related to validating correct roles and forum memberships. Apparently, providers depend on each other at the stored procs level, where roles are obtained by assuming that correct records in membership tables are available, even though I would think that role and membership providers should interact only at the "code" level and not the database level, so they can be easily swapped with different ones? Is that really the "ideal" scenario of how providers should work, or is it just a matter of style that an application may require one membership provider to work with its corresponding role provider?

jshepler
13 years ago
asifshiraz wrote:

Hi,

Thanks for the information. I am attaching the file I am using. The changes I have made are:

1. Deployed totally new unzipped yaf application.

2. Changed db.config to point to my database.

3. Copied dev-recommended-web.config to root. Set trace to false.

4. Changed "applicationName" attribute of YafRoleProvider, YafMembershipProvider, YafProfileProvider to my own application name.

5. Added element

Doing the above does not let me login and gives a failed login response. Then I proceeded as follows:

6. Commented out the following:

7. Added the following:

enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="BrassTacks" description="Stores and retrieves membership data from the local Microsoft SQL Server database" />

This lets me log in. So what am I doing wrong here?

I believe the highlighted settings are the problem. You had the sql provider configured to use encryption - which is not the default. You did not configure the yaf provider the same, so it's using defaults (hashing instead of encryption).

You should probably copy the other attributes (enablePasswordReset, requiresQuestionAndAnswer, minRequiredPasswordLength, minRequiredNonalphanumericCharacters, requiresUniqueEmail) as well so the provider operates the same as what you had.

In fact, you could probably just take the sql provider configuration you had and just change the type to yaf's. I haven't verified that the yaf provider supports all the same attributes, but I would assume so.

asifshiraz wrote:

On Another note, I have one more question. I thought of using it without the yaf provider and continue with aspnet provider, since providers are supposed to be "pluggable". But I found that the system doesn't let me work that way, because I got other issues related to validating correct roles and forum memberships. Apparently, providers depend on each other at the stored procs level, where roles are obtained by assuming that correct records in membership tables are available, even though I would think that role and membership providers should interact only at the "code" level and not database level, so they can be easily swapped with different ones? Is that really the "ideal" scenario of how providers should work, or is it just a matter of style that an application may require one membership provider to work with its corresponding role provider?

I don't know how well a mixed provider environment would (should) work, but there is no need to use any of yaf's providers. You can use the built-in sql providers for all 3: membership, roles and profile. Yaf's forum permissions use its own groups table (yaf_Group) that is linked to roles. Like I mentioned earlier in this thread, if you choose to use the built-in sql provider for profile, you need to configure the tag's "inherits" attribute to yaf's UserProfile class (or a class derived from it).


not jsheLPer

asifshiraz
  • asifshiraz
  • 52.4% (Neutral)
  • YAF Forumling Topic Starter
13 years ago
You highlighted the setting for password format, but isn't it that we can dynamically change this value, and it should be read off from what is stored in the database record, instead of using the same one globally based on web.config? I thought the format setting here only governed new accounts.

Just to give you a little more insight, I'm also copying below the database data I am testing with:

username: yaftest

password: testing123

yaf_prov_application:

ApplicationID: d1683089-b399-4224-9adf-38f52835a509
ApplicationName: BrassTacks
ApplicationNameLwd: brasstacks
Description: NULL

yaf_prov_membership:

UserID: 6C498676-500D-466C-A77F-F42C4EAC24D3
ApplicationID: d1683089-b399-4224-9adf-38f52835a509
Username: yaftest
UsernameLwd: yaftest
Password: 3BFumVPyiGCljmoFZ+DtwPfEqHVixG1mL3ABich4wLbq7y4yunoJWA==
PasswordSalt: zt4rk6dCZzHkr7ZolukFfg==
PasswordFormat: 2
Email: asifshiraz@yahoo.com
EmailLwd: asifshiraz@yahoo.com
PasswordQuestion: NULL
PasswordAnswer: NULL
IsApproved: True
IsLockedOut: False
LastLogin: 2/26/2009 6:34:35 PM
LastActivity: 2/26/2009 6:34:35 PM
LastPasswordChange: 2/26/2009 6:34:35 PM
LastLockOut: 2/26/2009 6:34:35 PM
FailedPasswordAttempts: 0
FailedAnswerAttempts: 0
FailedPasswordWindow: 2/26/2009 6:34:35 PM
FailedAnswerWindow: 2/26/2009 6:34:35 PM
Joined: 2/26/2009 6:34:35 PM
Comment: NULL

aspnet_applications (two rows):

ApplicationName: /
LoweredApplicationName: /
ApplicationId: 88f873fe-6197-4c81-a5a7-8bbbce3765a4
Description: NULL

ApplicationName: BrassTacks
LoweredApplicationName: brasstacks
ApplicationId: d1683089-b399-4224-9adf-38f52835a509
Description: NULL

aspnet_membership:

ApplicationId: d1683089-b399-4224-9adf-38f52835a509
UserId: 6c498676-500d-466c-a77f-f42c4eac24d3
Password: 3BFumVPyiGCljmoFZ+DtwPfEqHVixG1mL3ABich4wLbq7y4yunoJWA==
PasswordFormat: 2
PasswordSalt: zt4rk6dCZzHkr7ZolukFfg==
MobilePIN: NULL
Email: asifshiraz@yahoo.com
LoweredEmail: asifshiraz@yahoo.com
PasswordQuestion: NULL
PasswordAnswer: NULL
IsApproved: True
IsLockedOut: False
CreateDate: 2/26/2009 6:34:30 PM
LastLoginDate: 2/26/2009 6:34:30 PM
LastPasswordChangedDate: 2/26/2009 6:34:30 PM
LastLockoutDate: 2/26/2009 6:34:30 PM
FailedPasswordAttemptCount: 0
FailedPasswordAttemptWindowStart: 2/26/2009 6:34:30 PM
FailedPasswordAnswerAttemptCount: 0
FailedPasswordAnswerAttemptWindowStart: 2/26/2009 6:34:30 PM
Comment: NULL

aspnet_users:

ApplicationId: d1683089-b399-4224-9adf-38f52835a509
UserId: 6c498676-500d-466c-a77f-f42c4eac24d3
UserName: yaftest
LoweredUserName: yaftest
MobileAlias: NULL
IsAnonymous: False
LastActivityDate: 2/26/2009 6:34:35 PM

asifshiraz
  • asifshiraz
  • 52.4% (Neutral)
  • YAF Forumling Topic Starter
13 years ago
Using the same settings as the asp provider and just changing the type to yaf didn't throw any exceptions, but didn't let me log in either. Same password error message.
jshepler
13 years ago
asifshiraz wrote:

You highlighted the setting for password format, but isn't it that we can dynamically change this value, and it should be read off from what is stored in the database record, instead of use the same one globally based on web.config? I thought format setting here only governed new accounts.

If by "dynamically change this value" you mean the password, then no - that's not what that setting means. You can always change the password. The difference between Encrypted and Hashed is basically with Encrypted, you could decrypt and return the cleartext password. Hashed is 1-way encoding that can't be decrypted and so the password cannot be retrieved. Common encryption algorithms are AES and 3DES (or triple DES). Common hashing algorithms are MD5 and SHA-1.

The default for membership provider is hashed using SHA-1. Since you had configured the sql provider to use encryption instead of hashing and left yaf to its default, it wouldn't have been able to correctly validate the password.

asifshiraz wrote:

Using the same settings as the asp provider and just changing the type to yaf didn't throw any exceptions, but didn't let me log in either. Same password error message.

Hmm, dunno. I would have thought it'd work. I haven't used the yaf providers to know if there are any limitations. Yaf works with the sql membership/role/profile providers so I've never had a need to use the yaf providers. Like I said before, yaf only provides its providers for when you don't have any others. Yaf doesn't require you to use its providers.


not jsheLPer
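The Hashed-versus-Encrypted distinction jshepler describes decides whether a password check is even possible without the original machineKey. As an added illustration that is not code from YAF or from anyone in this thread, the Python below re-implements the SqlMembershipProvider Hashed format (salt bytes followed by the password as UTF-16LE, digested with SHA1 by default, Base64 encoded) and applies it to the sample row asifshiraz posted: the row's PasswordFormat of 2 is the Encrypted member of the MembershipPasswordFormat enumeration (Clear = 0, Hashed = 1, Encrypted = 2), so a hash comparison against it can never succeed, whatever the salt. The function names are mine; the Password, PasswordSalt and PasswordFormat values are quoted from the thread, and THREAD_ROW is a constructed dictionary holding them.

```python
"""Offline re-implementation of the ASP.NET 2.0 SqlMembershipProvider *Hashed*
password format, used to show why a row stored as Encrypted (PasswordFormat 2)
cannot be validated by a provider that assumes the Hashed default.
Added example: not YAF code, not from the thread participants."""
import base64
import hashlib
import hmac
import os

# MembershipPasswordFormat values as stored in the PasswordFormat column.
PASSWORD_FORMATS = {0: "Clear", 1: "Hashed", 2: "Encrypted"}

# Constructed dictionary; the values themselves are quoted from the thread's
# yaf_prov_membership / aspnet_membership dump (format 2 = Encrypted).
THREAD_ROW = {
    "Username": "yaftest",
    "Password": "3BFumVPyiGCljmoFZ+DtwPfEqHVixG1mL3ABich4wLbq7y4yunoJWA==",
    "PasswordSalt": "zt4rk6dCZzHkr7ZolukFfg==",
    "PasswordFormat": 2,
}


def hash_password(password: str, salt_b64: str, algorithm: str = "sha1") -> str:
    """Return the Base64 digest the default (Hashed) provider stores.

    The provider digests the decoded salt bytes followed by the password as
    UTF-16LE (.NET Encoding.Unicode). 'algorithm' mirrors hashAlgorithmType
    (SHA1 by default; MD5 was the other common choice jshepler mentions)."""
    salt = base64.b64decode(salt_b64)
    data = salt + password.encode("utf-16-le")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def generate_salt() -> str:
    """16 random bytes, Base64 encoded, like the provider's GenerateSalt()."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def verify_hashed(password: str, salt_b64: str, stored_b64: str,
                  algorithm: str = "sha1") -> bool:
    """Constant-time comparison of a candidate against a Hashed row."""
    return hmac.compare_digest(hash_password(password, salt_b64, algorithm), stored_b64)


def check_row(row: dict, candidate: str) -> str:
    """Report what a Hashed-only validator can do with a membership row.

    Mirrors the failure in the thread: a validator that ignores the stored
    PasswordFormat and hashes anyway can only ever report 'mismatch' for an
    Encrypted row, so the format has to be inspected first."""
    fmt = PASSWORD_FORMATS.get(row["PasswordFormat"], "Unknown")
    if fmt == "Hashed":
        return "match" if verify_hashed(candidate, row["PasswordSalt"], row["Password"]) else "mismatch"
    if fmt == "Encrypted":
        return ("Encrypted: validation needs the machineKey decryptionKey that produced "
                "the ciphertext; a hash comparison cannot succeed")
    if fmt == "Clear":
        return "match" if hmac.compare_digest(row["Password"], candidate) else "mismatch"
    return "unknown PasswordFormat value %r" % row["PasswordFormat"]


if __name__ == "__main__":
    # The thread's row: hashing "testing123" with its salt yields a 28-character
    # SHA1 digest that can never equal the 56-character encrypted blob.
    print(hash_password("testing123", THREAD_ROW["PasswordSalt"]))
    print(check_row(THREAD_ROW, "testing123"))
    # A row written by a Hashed provider does verify.
    salt = generate_salt()
    digest = hash_password("testing123", salt)
    print(check_row({"Password": digest, "PasswordSalt": salt, "PasswordFormat": 1}, "testing123"))
```

The practical check before switching providers is therefore the PasswordFormat column, not the salt: rows carrying 2 can only be validated by a provider configured with passwordFormat="Encrypted" and the same machineKey decryptionKey, while rows carrying 1 validate with any provider that uses the same hashAlgorithmType.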

BoyIdentity
12 years ago