Apr 09

Resolved: You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key

Q) How to resolve the error message “You must specify a non-autogenerated machine key to store passwords in the encrypted format.” when using ASP.Net membership:

When using the ASP.Net membership provider you might encounter the error “You must specify a non-autogenerated machine key to store passwords in the encrypted format”, like this one:

System.Configuration.Provider.ProviderException was unhandled by user code
Message=”You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key.”
Source=”System.Web”
StackTrace:
at System.Web.Security.MembershipProvider.EncryptPassword(Byte[] password)
at System.Web.Security.MembershipProvider.EncodePassword(String pass, Int32 passwordFormat, String salt)
at System.Web.Security.SqlMembershipProvider.CreateUser(String username, String password, String email, String passwordQuestion, String passwordAnswer, Boolean isApproved, Object providerUserKey, MembershipCreateStatus& status)
at System.Web.Security.Membership.CreateUser(String username, String password, String email, String passwordQuestion, String passwordAnswer, Boolean isApproved, Object providerUserKey, MembershipCreateStatus& status)
at System.Web.Security.Membership.CreateUser(String username, String password, String email, String passwordQuestion, String passwordAnswer, Boolean isApproved, MembershipCreateStatus& status)

A) You need to set up an encryption/decryption key first

What is happening here is that you are probably using an automatically generated encryption/decryption key, or you haven’t set one up yet. For example, the following configuration uses an automatically generated key:

<machineKey validationKey="AutoGenerate, IsolateApps" decryptionKey="AutoGenerate, IsolateApps" validation="SHA1" />

What you need to do is use a tool to generate a new key set and use it in your application. As the error indicates, the use of the AutoGenerate keyword is causing this issue. By setting the key to a static value, the application is able to use it safely.

Microsoft’s ASP.Net membership provider requires these keys to encrypt and decrypt the information (aka passwords) it stores. We set them to fixed values so that the key is persistent throughout the server/application, or the farm if necessary (across reboots, recycles, etc.).

As you can imagine, encrypting sensitive information like passwords is very important. Hackers who are able to gain access to your database can extract those passwords and if they are not safely stored your users may be compromised.

There are several tools to create encryption/decryption keys. A simple search on Google could give you a number of options you should evaluate. One thing to keep in mind is that there are risks to this: the tool provider could store the keys it generates, or, if you are not using an HTTPS connection, a third party could intercept the communication and learn your encryption key. I think the best approach nowadays is to use IIS Manager to generate those keys. On IIS 7 you already have a feature to generate those keys:

Kx.CloudIngenium.com - Machine Key on IIS 7

They are stored in the web.config of your application, so you can extract the key from there and use it in your configuration files.
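If you would rather not trust an online generator, the keys can also be produced locally. The following is an added example, not code from the original post or from Microsoft: it checks a web.config for autogenerated keys and builds a replacement machineKey element from the operating system's random number generator. The function names, the key sizes (64 bytes for validation="SHA1", 32 bytes for decryption="AES") and the choice of AES are assumptions made for the example.

```python
import secrets
import xml.etree.ElementTree as ET

# Assumed sizes: 64-byte key for validation="SHA1", 32-byte key for decryption="AES".
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def is_autogenerated(value):
    """True when a key attribute is absent or starts with the AutoGenerate keyword."""
    return value is None or value.split(",")[0].strip().lower() == "autogenerate"


def audit_machine_key(web_config_xml):
    """Return the machineKey attributes in this file that are not static keys."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        # No element here: ASP.NET's default is AutoGenerate for both keys.
        return ["validationKey", "decryptionKey"]
    return [name for name in ("validationKey", "decryptionKey")
            if is_autogenerated(node.get(name))]


def new_machine_key():
    """Build a machineKey element whose keys come from the OS CSPRNG."""
    node = ET.Element("machineKey", {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "SHA1",
        "decryption": "AES",
    })
    return ET.tostring(node, encoding="unicode")


# Constructed sample: the autogenerated element from the post inside a minimal web.config.
SAMPLE = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate, IsolateApps"
              decryptionKey="AutoGenerate, IsolateApps" validation="SHA1" />
</system.web></configuration>"""

if __name__ == "__main__":
    print("autogenerated:", audit_machine_key(SAMPLE))
    print(new_machine_key())
```

The audit only sees the file it is given, so a machineKey inherited from machine.config or a parent web.config is not taken into account. Treat the generated element as a secret: anyone who obtains the decryptionKey can decrypt the stored passwords.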
