I have created a Membership provider and changed my web.config to:
    <membership defaultProvider="MyMembershipProvider">
      <providers>
        <clear/>
        <add name="MyMembershipProvider"
             type="Khafan.Providers.SqlMembershipProvider"
             connectionStringName="KhafanConnectionString"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredNonalphanumericCharacters="0"
             minRequiredPasswordLength="4"
             passwordStrengthRegularExpression=""
             passwordFormat="Hashed"
             enablePasswordReset="true"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true" />
      </providers>
    </membership>
but now, whenever I try to browse to the security page of ASP.Net Configuration, it gives me the following error:
Hashed or Encrypted passwords are not supported with auto-generated keys
In my database I have used Identity for my PKs. I don't know whether that is the problem or not. But if it is, how can I solve it? I don't want to change Identity values.
Thanks.
This is because you are hashing passwords but haven't set specific keys in your web.config. There's a "key generator" snippet in this MSDN article; run it twice and shove them in your web.config as:
    <system.web>
      <machineKey
        validationKey="<blah>"
        decryptionKey="<blah>"
        validation="SHA1"
        decryption="AES"
      />
And that should sort you out. It's like this because otherwise you could take your membership database/app to another machine and none of your passwords would work, as the auto generated machine keys would be different :-)
Was a bit of a schlep to go hunting for the "key generator" snippet in the MSDN link Steven Robbins referred to in his answer, so I am adding it here for quick reference. So this is not a standalone answer. It is supplemental to the accepted answer.
FROM MSDN
The following code shows how to generate random key values. Compile the code to create a console application, and then pass the required key size as a command line argument expressed as the desired number of hexadecimal characters. Each byte is represented by two hexadecimal characters; therefore, to request a 32-byte key, pass 64 as a command line argument. If you do not specify an argument, the code returns a 128 hexadecimal character (64-byte) key.
    using System;
    using System.Text;
    using System.Security;
    using System.Security.Cryptography;

    class App {
      static void Main(string[] argv) {
        // Key length in hexadecimal characters (two per byte); default is 128.
        int len = 128;
        if (argv.Length > 0)
          len = int.Parse(argv[0]);

        // Fill the buffer from the cryptographic random number generator.
        byte[] buff = new byte[len/2];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(buff);

        // Hex-encode each byte as two uppercase characters.
        StringBuilder sb = new StringBuilder(len);
        for (int i=0; i<buff.Length; i++)
          sb.Append(string.Format("{0:X2}", buff[i]));
        Console.WriteLine(sb);
      }
    }
Also, <machineKey> goes inside of <system.web>, like this:
    <system.web>
      <machineKey
        validationKey=""
        decryptionKey=""
        validation="SHA1"
        decryption="AES"
      />
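A pre-deployment check for the condition the accepted answer describes, as an added example (not code from the original posts or from ASP.NET): it flags membership providers set to Hashed or Encrypted when web.config carries no explicit machineKey values. The function names and both sample configs are constructed for illustration, and it assumes the keys are set in the same web.config rather than inherited from a parent configuration.

```python
import re
import xml.etree.ElementTree as ET

HEX_BYTES = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def key_problem(value):
    """Return why a machineKey attribute is not an explicit key, or None if it is."""
    if not value:
        return "not set, so the auto-generated default applies"
    if "autogenerate" in value.lower():
        return "auto-generated"
    if not HEX_BYTES.match(value):
        return "not a whole number of hex-encoded bytes"
    return None

def audit(web_config_xml):
    """Return (provider, attribute, reason) for each hashing/encrypting provider
    whose web.config lacks an explicit machineKey value."""
    root = ET.fromstring(web_config_xml)
    sysweb = next(root.iter("system.web"), None)
    if sysweb is None:
        return []
    machine_key = sysweb.find("machineKey")
    findings = []
    for provider in sysweb.findall("membership/providers/add"):
        # Only providers that explicitly ask for Hashed or Encrypted are checked.
        if provider.get("passwordFormat") not in ("Hashed", "Encrypted"):
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr) if machine_key is not None else None
            reason = key_problem(value)
            if reason:
                findings.append((provider.get("name"), attr, reason))
    return findings

# Constructed sample modelled on the question's web.config: no <machineKey>.
QUESTION_CONFIG = """<configuration><system.web>
  <membership defaultProvider="MyMembershipProvider"><providers><clear/>
    <add name="MyMembershipProvider" passwordFormat="Hashed" />
  </providers></membership>
</system.web></configuration>"""

# Same sample with explicit keys. The values are constructed placeholders, not
# usable secrets; real keys come from a cryptographic RNG as in the answer.
MACHINE_KEY = '<machineKey validationKey="%s" decryptionKey="%s" />' % ("AB" * 64, "CD" * 32)
FIXED_CONFIG = QUESTION_CONFIG.replace("<membership", MACHINE_KEY + "<membership", 1)

if __name__ == "__main__":
    for finding in audit(QUESTION_CONFIG):
        print("FAIL %s: %s is %s" % finding)
    print("fixed config findings:", audit(FIXED_CONFIG))
```

Run it against each environment's deployed web.config; an empty result means every Hashed or Encrypted provider has explicit keys alongside it.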