
  • Stephan Thierry 9 posts 30 karma points
    May 01, 2018 @ 19:15
    Stephan Thierry
    0

    The Change password function in Umbraco admin generates invalid password hashes

    I've recently upgraded from version v7.2.5 to v7.6 (created a new admin user) and then upgraded to v7.10.3.

    But now admins can't assign passwords to new users using the Umbraco admin interface. For example - for user id 2: http://mysite.dk/umbraco#/users/users/user/2?subview=users

    Using the "Change password" button and entering a new password for the user.

    If an admin uses the "Change password" feature, a 68 char HASH value is created and saved in the database (userPassword field) - but the user can't log in using the defined password. The only password that works is the single password generated when the solution was in v7.6.

    In effect that means that only 1 user can log in.

    I've tested copying the HASH value of the working user to the other users in the DB - they can now log in using the same password. Obviously this is not a solution.

    So the password validation is working, but validation and generation are out-of-sync.

    In the log it simply says "login failed", no additional explanation, since the validation method just sees the password as not matching.

    The UmbracoMembershipProvider is configured like so:

        <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
            <providers>
                <clear />
                <add name="UmbracoMembershipProvider"
                     type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco"
                     minRequiredNonalphanumericCharacters="0"
                     minRequiredPasswordLength="6"
                     useLegacyEncoding="false"
                     enablePasswordRetrieval="false"
                     enablePasswordReset="true"
                     requiresQuestionAndAnswer="false"
                     defaultMemberTypeAlias="Member"
                     passwordFormat="Hashed"
                     allowManuallyChangingPassword="true"
                     maxInvalidPasswordAttempts="25" />
                <add name="UsersMembershipProvider"
                     type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
                     minRequiredNonalphanumericCharacters="0"
                     minRequiredPasswordLength="6"
                     useLegacyEncoding="false"
                     enablePasswordRetrieval="false"
                     enablePasswordReset="true"
                     requiresQuestionAndAnswer="false"
                     defaultMemberTypeAlias="Member"
                     passwordFormat="Hashed"
                     allowManuallyChangingPassword="true"
                     maxInvalidPasswordAttempts="25" />
            </providers>
        </membership>
    

    The passwordConfig for all users is: {"hashAlgorithm":"HMACSHA256"}

    The site was installed on a staging server - and both website and database were moved to production in one go. There is no machineKey in the Web.config.

    What steps can I go through to solve this issue?

  • pranjal 75 posts 188 karma points
    May 02, 2018 @ 06:09
    pranjal
    0

    Firstly, set the machine key.

    After that, go to the Umbraco web.config file and find the setting "Allow manually changing password" & set it to true. Then you can change user passwords through your code also, and the change password method implicitly converts it to an HMACSHA256 hash; you don't have to worry about that.

  • Stephan Thierry 9 posts 30 karma points
    May 03, 2018 @ 08:44
    Stephan Thierry
    1

    If you notice in the membership-provider section in the post it states:

    allowManuallyChangingPassword="true"
    

    So that should be allowed. I found the old web.config containing a machineKey and input that:

    <machineKey validationKey="233FF9F3BF1A154D[-something-]8871BF1CF3F43D18EE6CCC9" decryptionKey="46817ACE1EC6095F34779D0F[-something-]99BAEA3CF55DC759FD1AC" validation="HMACSHA256" decryption="AES" />
    

    This seems to change nothing. Setting a password via the admin interface simply does not produce valid hashes.

    However, I have found that setting the user password (by copying the HASH in the DB) to the one working password allows the user to use that login and, once logged in, use the "Your profile - Change password" function, which seems to work - oddly enough.

  • Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib
    May 03, 2018 @ 09:25
    Dave Woestenborghs
    0

    Hi Stephan

    Have you read the upgrade instructions for v7.6: https://our.umbraco.org/documentation/Getting-Started/Setup/Upgrading/version-specific#version-760

    Especially the part about legacyEncoding.

  • Stephan Thierry 9 posts 30 karma points
    May 03, 2018 @ 09:54
    Stephan Thierry
    0

    Yes, sure.

    I'm not trying to re-use any of the passwords encoded before v7.6 - all users will get new passwords. That's why I want the admin interface to work.

    In the DB it's easy to see the difference - the old password hashes are 28 chars and the new ones are 68 chars long.

    So legacyEncoding is out of the picture.
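    The two lengths mentioned above line up with two well-known ASP.NET membership hash shapes: a base64-encoded SHA1 digest (20 bytes) is 28 characters, and a base64-encoded 16-byte salt (24 characters) followed by a base64-encoded HMACSHA256 digest (44 characters) is 68 characters. The following Python is an added illustration, not code from this thread or from Umbraco's MembershipProviderBase: it models both shapes, verifies a password against a stored 68-char value, and also models the symptom described in the thread (a hash produced with a key other than the stored salt, so it verifies for nobody). The UTF-16 text encoding, the use of the salt as HMAC key, and the `salt + hash` concatenation order are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed model of the hash shapes discussed in the thread.
# Assumptions (not verified against Umbraco's source): the password is encoded as
# UTF-16LE, the salt is 16 random bytes, the HMAC key is the salt, and the stored
# string is base64(salt) + base64(hmac).
SALT_BYTES = 16
SALT_B64_LEN = len(base64.b64encode(b"\0" * SALT_BYTES))  # 24 characters


def legacy_hash(password: str) -> str:
    """Unsalted SHA1, base64-encoded: the 28-char shape of the pre-7.6 hashes."""
    digest = hashlib.sha1(password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted HMACSHA256: base64(salt) + base64(HMAC(key=salt, msg=password)), 68 chars."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    mac = hmac.new(salt, password.encode("utf-16-le"), hashlib.sha256).digest()
    return base64.b64encode(salt).decode("ascii") + base64.b64encode(mac).decode("ascii")


def hash_password_mismatched(password: str, other_key: bytes, salt: Optional[bytes] = None) -> str:
    """Constructed model of the reported symptom: the stored salt is correct, but the
    HMAC was keyed with something else, so validation (which uses the stored salt)
    can never reproduce it. This is an illustration of 'generation and validation
    out of sync', not Umbraco's actual root cause."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    mac = hmac.new(other_key, password.encode("utf-16-le"), hashlib.sha256).digest()
    return base64.b64encode(salt).decode("ascii") + base64.b64encode(mac).decode("ascii")


def split_stored(stored: str) -> Tuple[bytes, bytes]:
    """Separate the base64 salt prefix from the base64 digest suffix."""
    return base64.b64decode(stored[:SALT_B64_LEN]), base64.b64decode(stored[SALT_B64_LEN:])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the HMAC with the stored salt and compare in constant time."""
    if len(stored) != 68:
        return False
    salt, expected = split_stored(stored)
    actual = hmac.new(salt, password.encode("utf-16-le"), hashlib.sha256).digest()
    return hmac.compare_digest(actual, expected)


def classify(stored: str) -> str:
    """Quick triage of a userPassword column value by its length."""
    if len(stored) == 28:
        return "legacy-sha1"
    if len(stored) == 68:
        return "salted-hmacsha256"
    return "unknown"


if __name__ == "__main__":
    good = hash_password("correct horse battery staple")
    bad = hash_password_mismatched("correct horse battery staple", other_key=b"not-the-salt")
    print(classify(legacy_hash("x")), classify(good))
    print("good verifies:", verify_password("correct horse battery staple", good))
    print("mismatched verifies:", verify_password("correct horse battery staple", bad))
```

    Because verification depends only on the stored `salt + hash` string and the password typed, copying one user's 68-char value onto another row makes that row accept the same password, which is exactly the behaviour observed in the thread; the model also shows why a value produced with a different key than the stored salt fails for every login attempt.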

  • Arjan H. 221 posts 457 karma points c-trib
    Sep 18, 2018 @ 16:03
    Arjan H.
    0

    I'm having the same issue with a fresh 7.12.2 installation.

    I've installed a machine key during the initial setup (web.config):

    <machineKey validationKey="[...]" decryptionKey="[...]" validation="HMACSHA256" decryption="AES" />
    

    And I'm using the following settings for the UsersMembershipProvider:

    <add name="UsersMembershipProvider" 
         type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
         minRequiredNonalphanumericCharacters="1"
         minRequiredPasswordLength="12"
         useLegacyEncoding="false"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         passwordFormat="Hashed"
         allowManuallyChangingPassword="true" />
    

    When I create a new user and manually set the password through the admin interface (Users section) the login doesn't work. But when I copy/paste an existing hashed password from the initial Administrator user straight in the database, or when I use the 'reset password' feature to set the password the login works just fine.

    @Stephan: Did you ever manage to fix this issue?

  • Stephan Thierry 9 posts 30 karma points
    Sep 21, 2018 @ 08:40
    Stephan Thierry
    0

    @Arjan H. No, the issue was never fixed - I even noticed that the problem is on other Umbraco sites also - other versions/other servers. The "workaround" is to use the built-in generate password function for new users. That works for some reason - and then let the user change the password through the "Your profile->Change password" feature.

    For existing users, there is no way to have a new password generated, so only the database copy-HASH method works.

    If I only know my own Admin password - I copy that in the DB to the user, log in as that user and use "Your profile->Change password". That way I don't hand over my Admin password.

    Working - but not ideal.

    If anyone has fixed a non-working "Admin->Users->Change password" - I would still like to know!

  • Arjan H. 221 posts 457 karma points c-trib
    Sep 21, 2018 @ 09:31
    Arjan H.
    0

    I've reported an issue:

    https://github.com/umbraco/Umbraco-CMS/issues/3015

    Maybe you can also reply to that issue to let them know it's not just versions 7.12.2 and 7.12.3?

  • Stephan Thierry 9 posts 30 karma points
    Sep 21, 2018 @ 09:45
    Stephan Thierry
    0

    @Arjan H.

    Done.

  • Arjan H. 221 posts 457 karma points c-trib
    Sep 21, 2018 @ 10:23
    Arjan H.
    0

    I managed to narrow it down to the 'allowManuallyChangingPassword' setting for the 'UsersMembershipProvider' in the web.config. When I leave that out the 'Change password' function works fine again. But you obviously should be able to use this setting, because it needs to be set to 'true' if you wish to change a user's password from code. So it's definitely a bug.

  • Satpal Gahir 18 posts 88 karma points
    Jun 17, 2019 @ 09:50
    Satpal Gahir
    0

    I can confirm that Arjan's solution works. On 7.13, when you try to change the password, it only presents you with "new password" and "repeat password".

    When you omit the allowManuallyChangingPassword setting, an "old password" field appears. You can then successfully change the password.
