tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-03T11:18:13Z
I can't login using my admin's username and password after upgrading to the v2.2.4.4. Is it a known issue?
I also tried to use the Lost Password function. It asked me the security question, but my answer was not accepted.
Fortunately, I am logged in in another browser, so I still can login to our forum there. I wanted to change the answer to security question, but I couldn't find this section in my forum profile. Can you help me with that?
Sponsor
tha_watcha
2017-11-03T15:28:57Z
Originally Posted by: tecman 

I can't login using my admin's username and password after upgrading to the v2.2.4.4. Is it a known issue?
I also tried to use the Lost Password function. It asked me the security question, but my answer was not accepted.
Fortunately, I am logged in in another browser, so I still can login to our forum there. I wanted to change the answer to security question, but I couldn't find this section in my forum profile. Can you help me with that?



From which version did you upgrade? Did you override your old web.config?


UserPostedImage
tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-03T15:46:34Z
I upgraded from the v 2.2.3.0. As always, I added my personal settings to the fresh web.config from the full install package manually to use the latest version of web.config.
tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-03T16:09:28Z
I've managed to reset my password using the browser in which I was logged in.

Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?
tha_watcha
2017-11-03T16:49:26Z
Originally Posted by: tecman 

I upgraded from the v 2.2.3.0. As always, I added my personal settings to the fresh web.config from the full install package manually to use the latest version of web.config.



Why did you use the full package, there is an upgrade package? I assume you override your machine key. That would be the reason why you cant login


UserPostedImage
tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-04T09:34:32Z
Can you tell me more about this machine key?

As for the upgrade process I am using, I have been doing this from early times when I started to use YAF. Something went wrong with the upgrade first times, so I decided to do it manually using the full package. Add to this that I also fix some problems in original aspx files and do some personal settings in CSS every time before uploading the new version to the server.

Bump #2. Any chance to get answer to the following question?

Quote:

Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?

tha_watcha
2017-11-04T13:53:46Z
Originally Posted by: tecman 

Can you tell me more about this machine key?

As for the upgrade process I am using, I have been doing this from early times when I started to use YAF. Something went wrong with the upgrade first times, so I decided to do it manually using the full package. Add to this that I also fix some problems in original aspx files and do some personal settings in CSS every time before uploading the new version to the server.

Bump #2. Any chance to get answer to the following question?

Quote:

Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?



the security question, answer, password and password salt are saved in the yaf_prov_Membership table but all are stored encrypted via the machine key.


UserPostedImage
tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-06T15:16:40Z
You wrote that I could override the machine key. Can you tell me more about it? Does it mean that if I upgrade the way I described, all other users of my forum will also have login problems like me? Is there a related documentation I can read?
BTW, when I upgrade the way I do, I never change any specific setting in the forum .config files. I imply that this machine key is something related to the web-server (server name, OS version, something else) and not a thing coded in the .config files. With that said, I simply can't change this machine key with my actions!

As for the security question, ok, I understand that they are saved in a coded form in the db. However, if I have access to my account and can change almost anything in my profile, why can't I change the security question?? I would be glad if I could overwrite it with a new question/answer pair. Is it possible?
tha_watcha
2017-11-07T08:28:01Z
Originally Posted by: tecman 

You wrote that I could override the machine key. Can you tell me more about it? Does it mean that if I upgrade the way I described, all other users of my forum will also have login problems like me? Is there a related documentation I can read?
BTW, when I upgrade the way I do, I never change any specific setting in the forum .config files. I imply that this machine key is something related to the web-server (server name, OS version, something else) and not a thing coded in the .config files. With that said, I simply can't change this machine key with my actions!



The machine key is really important it encrypts the password, the security question and answer and also the viewstate of the page. The Install Instructions of the forums contains how to set up a machine key for the site. Do you have the old web.config before you upgrade, to check if the machine key was set in the web.config?

If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string

Originally Posted by: tecman 


As for the security question, ok, I understand that they are saved in a coded form in the db. However, if I have access to my account and can change almost anything in my profile, why can't I change the security question?? I would be glad if I could overwrite it with a new question/answer pair. Is it possible?



The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API or you create a new user with the password and Security Question/Answer and you copy over the hashed entries from that user to your user account.


UserPostedImage
tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-07T16:28:22Z
Please, give me a link and/or tell me where I can find detailed information about the installation process and this machine key.

I compared the recommended.web.config from the v2.2.3 and 2.2.4.4 installation packages and found this <machineKey> node. As I see, I have never changed its validationKey and decryptionKey attributes. The whole node is even commented out!

Quote:

If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string



Where can I find this membership connection string?

Quote:

The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API



Why can't we do that in the interface??
tha_watcha
2017-11-07T16:46:37Z
Originally Posted by: tecman 

Please, give me a link and/or tell me where I can find detailed information about the installation process and this machine key.



In the documenation

https://github.com/YAFNET/YAFNET/wiki/Installation 

Originally Posted by: tecman 


Quote:

If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string



Where can I find this membership connection string?



Sorry i forgot to mention, it is also in the web.config

Originally Posted by: tecman 


Quote:

The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API



Why can't we do that in the interface??



Yes thats a good question, i add it to my to do list

UserPostedImage
tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-07T16:55:12Z
Even after reading the installation instructions using the provided link, I confirm again that I never changed the machine key hard-coded in the web.config files I have.

Do you want to say that I could not log in because a security algorithm has changed since the v2.2.3?
tha_watcha
2017-11-07T17:05:25Z
Originally Posted by: tecman 

Even after reading the installation instructions using the provided link, I confirm again that I never changed the machine key hard-coded in the web.config files I have.

Do you want to say that I could not log in because a security algorithm has changed since the v2.2.3?



But did you change the membership connection string? you would only need to change it back then you can log in again


UserPostedImage
tecman
  •  tecman
  • 100% (Exalted)
  • YAF All-the-Time Topic Starter
2017-11-07T17:12:50Z
Are we talking about the membership node from web.config?

In the v2.2.3 installation package it was

<membership defaultProvider="YafMembershipProvider" hashAlgorithmType="SHA1">

In the v2.2.4.4 it is

<membership defaultProvider="YafMembershipProvider" hashAlgorithmType="SHA256">

I guess, this is the diff that caused the problem?
tha_watcha
2017-11-07T17:25:16Z
Yes looks like the problem.
UserPostedImage

About Us

The YAF.NET is an open source .NET forum project. YAF.NET is supported by an team of international developers who are build community by building community software.

Powered by Resharper Donate with PayPal button

Project Twitter Updates

Copyright © YetAnotherForum.NET & Ingo Herbote. All rights reserved