System.Web.Providers.DefaultMembershipProvider behavior differs from SqlMembershipProvider when dealing with password compatibility - by ChrisKinsman

Status: Fixed

This item has been fixed in the current or upcoming version of this product. A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 734341
Status: Closed
Type: Bug
Repros: 1
Opened: 3/29/2012 6:45:12 PM
Access Restriction: Public

Description

If you switch from the SqlMembershipProvider to the new DefaultMembershipProvider in ASP.NET MVC 4, aside from needing to clean up the schema and copy data to the new tables, authentication won't work. This is due to a change in behavior in how the HashAlgorithmType is chosen. SqlMembershipProvider checks some settings and reverts to SHA1 from the default HMACSHA256. DefaultMembershipProvider leaves out this check and so the authentication fails.

SqlMembershipProvider:

    // Resolves the hash algorithm name once and caches it in s_HashAlgorithm.
    private HashAlgorithm GetHashAlgorithm()
    {
        if (this.s_HashAlgorithm == null)
        {
            // Membership.HashAlgorithmType defaults to HMACSHA256 on .NET 4.
            string hashAlgorithmType = Membership.HashAlgorithmType;

            // Framework20 compatibility: unless web.config set hashAlgorithmType
            // explicitly (or it is MD5), ignore the HMACSHA256 default and use
            // SHA1, the algorithm the existing rows were hashed with.
            if (this._LegacyPasswordCompatibilityMode == MembershipPasswordCompatibilityMode.Framework20 && !Membership.IsHashAlgorithmFromMembershipConfig && hashAlgorithmType != "MD5")
            {
                hashAlgorithmType = "SHA1";
            }
            HashAlgorithm hashAlgorithm = HashAlgorithm.Create(hashAlgorithmType);
            if (hashAlgorithm == null)
            {
                // Unknown algorithm name in config.
                RuntimeConfig.GetAppConfig().Membership.ThrowHashAlgorithmException();
            }
            this.s_HashAlgorithm = hashAlgorithmType;
            return hashAlgorithm;
        }
        else
        {
            return HashAlgorithm.Create(this.s_HashAlgorithm);
        }
    }


DefaultMembershipProvider:

    // Same caching pattern, but the algorithm name is taken from
    // Membership.HashAlgorithmType unconditionally: there is no
    // _LegacyPasswordCompatibilityMode check, so an unconfigured site
    // always ends up with HMACSHA256.
    private HashAlgorithm GetHashAlgorithm()
    {
        if (this._HashAlgorithm == null)
        {
            string hashAlgorithmType = Membership.HashAlgorithmType;
            HashAlgorithm hashAlgorithm = HashAlgorithm.Create(hashAlgorithmType);
            if (hashAlgorithm != null)
            {
                this._HashAlgorithm = hashAlgorithmType;
                return hashAlgorithm;
            }
            else
            {
                // Note: this._HashAlgorithm is still null here, so the
                // error message never names the rejected algorithm
                // (hashAlgorithmType is the value that failed).
                object[] objArray = new object[1];
                objArray[0] = this._HashAlgorithm;
                throw new ConfigurationErrorsException(string.Format(CultureInfo.CurrentCulture, ProviderResources.Invalid_hash_algorithm, objArray));
            }
        }
        else
        {
            return HashAlgorithm.Create(this._HashAlgorithm);
        }
    }

Notice the second one doesn’t have the check that reverts to SHA1 if _LegacyPasswordCompat mode is set?  Looks like a bug to me…


The workaround is to specify hashAlgorithmType="SHA1" in the web.config to override the default HMACSHA256.
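The following is an added example, not code from the report or from either provider. It models the two GetHashAlgorithm decisions quoted above in Python, feeds the chosen algorithm into the hashed-password format, and shows that a row written under SqlMembershipProvider in Framework20 mode validates with the old provider but not with the MVC 4 DefaultMembershipProvider, and that the hashAlgorithmType="SHA1" override makes both providers agree. The web.config fragments, salt and password are constructed inputs. The password layout in encode_password (salt bytes followed by the UTF-16LE password for plain hashes, salt used as the HMAC key for keyed ones) is an assumption modelled on SqlMembershipProvider; the real provider also pads or truncates the salt to the HMAC key length, which is omitted here.

```python
"""Model of the two GetHashAlgorithm decisions and the password check they
govern.  encode_password's layout is an assumption (see the lead-in), not
the providers' actual code."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DEFAULT_HASH = "HMACSHA256"  # .NET 4 default for Membership.HashAlgorithmType


def membership_settings(web_config):
    """Return (hashAlgorithmType, IsHashAlgorithmFromMembershipConfig)
    for a web.config string, mirroring the two values the providers read."""
    root = ET.fromstring(web_config)
    node = root.find("system.web/membership")
    if node is not None and node.get("hashAlgorithmType"):
        return node.get("hashAlgorithmType"), True
    return DEFAULT_HASH, False


def sql_provider_algorithm(hash_type, from_config, compat_mode):
    """SqlMembershipProvider: in Framework20 compat mode fall back to SHA1
    unless the algorithm was configured explicitly or is MD5."""
    if compat_mode == "Framework20" and not from_config and hash_type != "MD5":
        return "SHA1"
    return hash_type


def mvc4_default_provider_algorithm(hash_type, from_config, compat_mode):
    """DefaultMembershipProvider as shipped with MVC 4: no legacy check at all."""
    return hash_type


def encode_password(password, salt_b64, algorithm):
    """Hashed-format password (assumed layout, see lead-in)."""
    salt = base64.b64decode(salt_b64)
    pw = password.encode("utf-16-le")
    if algorithm.upper().startswith("HMAC"):
        digest = hmac.new(salt, pw, algorithm[4:].lower()).digest()
    else:
        digest = hashlib.new(algorithm.lower(), salt + pw).digest()
    return base64.b64encode(digest).decode("ascii")


def validate(stored_hash, salt_b64, password, algorithm):
    """Core of ValidateUser: recompute with the selected algorithm, compare."""
    return hmac.compare_digest(stored_hash, encode_password(password, salt_b64, algorithm))


def migration_outcome(web_config, stored_hash, salt_b64, password, legacy_mode="Framework20"):
    """For each provider: the algorithm it selects under web_config and whether
    a row written while the old app ran in legacy_mode still validates."""
    hash_type, from_config = membership_settings(web_config)
    outcome = {}
    for name, choose in (("SqlMembershipProvider", sql_provider_algorithm),
                         ("DefaultMembershipProvider", mvc4_default_provider_algorithm)):
        alg = choose(hash_type, from_config, legacy_mode)
        outcome[name] = (alg, validate(stored_hash, salt_b64, password, alg))
    return outcome


# Constructed inputs: a membership row written by an app on SqlMembershipProvider
# with passwordCompatMode="Framework20" and no hashAlgorithmType override, i.e.
# SHA1.  Fixed salt so the result is reproducible.
SALT = base64.b64encode(bytes(range(16))).decode("ascii")
PASSWORD = "correct horse"
LEGACY_HASH = encode_password(PASSWORD, SALT, "SHA1")

CONFIG_NO_OVERRIDE = """<configuration><system.web>
  <membership defaultProvider="DefaultMembershipProvider" />
</system.web></configuration>"""

CONFIG_WORKAROUND = """<configuration><system.web>
  <membership defaultProvider="DefaultMembershipProvider" hashAlgorithmType="SHA1" />
</system.web></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("no override", CONFIG_NO_OVERRIDE),
                       ('hashAlgorithmType="SHA1"', CONFIG_WORKAROUND)):
        print(label, migration_outcome(cfg, LEGACY_HASH, SALT, PASSWORD))
```

With no override, SqlMembershipProvider picks SHA1 and the legacy row validates, while DefaultMembershipProvider picks HMACSHA256 and every login fails; with hashAlgorithmType="SHA1" on the membership element both providers pick SHA1. Note the override is global: it also pins the algorithm for any new accounts the Universal Providers create, so once the fix Microsoft describes in the comments (a passwordCompatMode setting on DefaultMembershipProvider) is available, that is the narrower switch to prefer.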
Posted by Microsoft on 10/26/2012 at 4:39 PM
This issue has been fixed in the latest release. We added support for passwordCompatMode for LegacyPasswordCompatibilityMode. Since Universal Provider is a new provider, the default value for DefaultMembershipProvider's passwordCompatMode is set to Framework40.
Posted by MS-Moderator10 [Feedback Moderator] on 3/30/2012 at 3:18 AM
Thanks for your feedback.

We are rerouting this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow-up with your issue.
Posted by MS-Moderator01 on 3/29/2012 at 7:53 PM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly (http://support.microsoft.com)