I've got a application I've recently ported From IIS6 (Windows 2003) (7 Classic Pipeline) to IIS7 (Windows 2008) Integrated Pipeline.
The problem I've noticed is password hashes built on the IIS6 system no longer match when we try to log in on the IIS7 system. However, when we re-generate the hash on the IIS7 system, it works fine.
I read somewhere that there are differences in the cryptographic systems between the two (2003/2008) and thier respective IIS versions, but I couldn't find any additional information.
I'm at a loss here, I need existing hashes to work on the new system and I can't seem to find an starting point.
If anyone knows of any resources that may help with this, or a setting or something, I'd be greatly appreciative.
Many Cryptography functions in .NET rely on the machineKey, that can be stored in web.config or machine.config. If you need multiple or other IIS servers to be able to encrypt/decrypt the same shared data, all the servers must be configured to use the same machineKey.
"If you use the membership feature, password hashes are stored in the membership database by default. The membership system also supports encrypted passwords. If you select encrypted password format, then the
<machineKey>settings are used when encrypting and decrypting the data."reference: http://msdn.microsoft.com/en-us/library/ff649308.aspx#paght000007_membership
If you have already specified the machineKey, there may be an issue with the default algoritm, which was a breaking change in .Net 4.0. The default is now SHA256; you may need to change this back to SHA1 on the machineKey validation attribute, and also specify the hashAlgorithmType on the membership section:
http://geekswithblogs.net/DavidHoerster/archive/2010/06/15/asp.net-membership-password-hash----.net-3.5-to-.net-4.aspx
https://stackoverflow.com/questions/3438197/hashing-no-longer-works-in-net-4-0-despite-msdn-workarounds
http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770148