ASP.NET Membership - login works locally, fails on Azure

Question

I'm working on an MVC3 site, and I've got a puzzling problem with ASP.NET Membership. I'm using System.Web.Providers 1.0.1 connected to a SQL Azure database.

As it is now, the same username/password that logs me in when running under the Compute Emulator fails when running under Azure proper. I can see that it's using the right database, as the Failed Password Attempts counter in the membership database is being updated.

Answer 1

I tracked it down, thanks to some info in this article by David Hoerster. The problem is that the default password hashing algorithm on Azure is different from the .NET 4.0 defaults. It is set to SHA1 on Azure, and HMACSHA256 is the new standard setting on 4.0.

This can be fixed by specifying the hash type explicitly in web.config. If you decide to use a method like HMACSHA256, make sure you also specify a machine key - otherwise you will run into similar problems as the autogenerated machine key will differ from server to server.

The configuration element you need to change is <machinekey> under <system.web>:

<machineKey decryptionKey="PUT_DECRYPTION_KEY_HERE"

            validationKey="PUT_VALIDATION_KEY_HERE"

            decryption="AES"

            validation="HMACSHA256" />

You can use this machine key generator to generate random keys in the proper format.