The Change password function in Umbraco admin generates invalid password hashes
I've recently upgraded from version v7.2.5 to v7.6 (created a new admin user) and then upgraded to v7.10.3.
But now admins can't assign passwords to new users using the Umbraco admin interface. For example - for user id 2: http://mysite.dk/umbraco#/users/users/user/2?subview=users
Using the "Change password" button and entering a new password for the user.
If an admin uses the "Change password" feature a 68 char HASH value is created and saved in the database (userPassword field) - but the user can't login using the defined password. The only password that works is the single password generated when the solution was in v7.6.
In effect that means that only 1 user can login.
I've tested copying the HASH value of the working user to the other users in the DB - they can now login using the same password. Obviously this is not a solution.
So the password validation is working, but validation and generation are out of sync.
In the log it simply says "login failed", with no additional explanation, since the validation method just sees the password as not matching.
The UmbracoMembershipProvider is configured like so:
The passwordConfig for all users is:
{"hashAlgorithm":"HMACSHA256"}
The site was installed on a staging server - and both website and database were moved to production in one go. There is no machineKey in the Web.config.
What steps can I go through to solve this issue?
Firstly, set the machine key.
After that, go to the Umbraco web.config file, find the setting "Allow manually changing password" and set it to true. Then you can also change user passwords through your code, and the change password method implicitly converts it to an HMACSHA256 hash, so you don't have to worry about that.
If you notice in the membership-provider section in the post it states:
So that should be allowed. I found the old web.config containing a machineKey and input that:
This seems to change nothing. Setting a password via the admin-interface simply does not produce valid Hashes.
However I have found that setting the user password (by copying the HASH in the DB) to the one working password allows the user to use that login and once logged in use the "Your profile - Change password" function. Which seems to work - oddly enough.
Hi Stephan
Have you read the upgrade instructions for v7.6: https://our.umbraco.org/documentation/Getting-Started/Setup/Upgrading/version-specific#version-760
Especially the part about legacyEncoding
Yes, sure.
I'm not trying to re-use any of the passwords encoded before v7.6 - all users will get new passwords. That's why I want the admin interface to work.
In the DB it's easy to see the difference - the old password hashes are 28 chars and the new are 68 chars long.
So legacyEncoding is out of the picture.
I'm having the same issue with a fresh 7.12.2 installation.
I've installed a machine key during the initial setup (web.config):
And I'm using the following settings for the UsersMembershipProvider:
When I create a new user and manually set the password through the admin interface (Users section) the login doesn't work. But when I copy/paste an existing hashed password from the initial Administrator user straight in the database, or when I use the 'reset password' feature to set the password the login works just fine.
@Stephan: Did you ever manage to fix this issue?
@Arjan H. No, the issue was never fixed - I even noticed that the problem is on other Umbraco sites also - other versions/other servers. The "workaround" is to use the built-in generate password function for new users. That works for some reason - and then letting the user change the password through the "Your profile->Change password"-feature.
For existing users, there is no way to have a new password generated, so only the database copy-HASH-method works.
If I only know my own Admin password - I copy that in the DB to the user - login as that user "Your profile->Change password". That way I don't hand over my Admin password.
Working - but not ideal.
If anyone has fixed a non-working "Admin->Users->Change password" - I would still like to know!
I've reported an issue:
https://github.com/umbraco/Umbraco-CMS/issues/3015
Maybe you can also reply to that issue to let them know it's not just versions 7.12.2 and 7.12.3?
@Arjan H.
Done.
I managed to narrow it down to the 'allowManuallyChangingPassword' setting for the 'UsersMembershipProvider' in the web.config. When I leave that out the 'Change password' function works fine again. But you obviously should be able to use this setting, because it needs to be set to 'true' if you wish to change a user's password from code. So it's definitely a bug.
I can confirm that Arjan's solution works. On 7.13, when you try to change the password, it only presents you with new password, and repeat password.
When you omit the allowManuallyChangingPassword setting, an "old password" field appears. You can then successfully change the password.