topic SQL Server Identity Provider with Encrypted Passwords in ArcGIS Enterprise Questions

SQL Server Identity Provider with Encrypted Passwords

MatejVrtich1 — Wed, 18 Sep 2013 08:08:57 GMT

Hi,

We are migrating AGS security from 10 to 10.2 version.
In AGS 10, we are using SQL Server database with Encrypted passwords (not Hashed) as identity provider.
After setting this SQL Server database as identity provider in AGS 10.2, we are unable to validate passwords and create new users.

This is the User Store Configuration:
{
"type": "SQL_SERVER",
"properties": {
    "passwordFormat": "Encrypted",
    "applicationName": "esriags",
    "connectionString": "Data Source={HOSTNAME}\\SQLEXPRESS;Initial Catalog={DBNAME};Integrated Security=SSPI"
}
}

Creating new user throws this error message:
"You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key."

Is there any way how to set machineKey in AGS 10.2?

Thanks,
Matej

Re: SQL Server Identity Provider with Encrypted Passwords

DanielWalton — Thu, 07 Nov 2013 13:19:34 GMT

I have the exact same issue. I don't see any place where this can be configured. Have you figured it out yet?

Re: SQL Server Identity Provider with Encrypted Passwords

MatejVrtich1 — Wed, 20 Nov 2013 12:00:24 GMT

As we did not find any way how to use encrypted passwords, we ended with converting the database with passwords into hashed format.

Matej

Re: SQL Server Identity Provider with Encrypted Passwords

DanielWalton — Wed, 20 Nov 2013 12:03:57 GMT

I was afraid you'd say that. We have opened a ticket with ESRI since we really need to use encryped passwords so our applications and data can be accessed with a single login. But since AGS server no longer runs on IIS and ASP.NET, I have my doubts as to whether or not backend password decryption is possible anymore. Thanks for posting back!

Re: SQL Server Identity Provider with Encrypted Passwords

JasonReid — Mon, 25 Nov 2013 16:18:39 GMT

I am having this exact same issue. Trying to get a support ticket started and get confirmation from ESRI that 10.1 (and 10.2) don't support encrypted user stores. Or if it does where to set those values for a machine key because it is not obvious where to do that now in 10.1, and the new server architecture.

Re: SQL Server Identity Provider with Encrypted Passwords

RuchiraWelikala — Thu, 30 Oct 2014 21:01:17 GMT

Was anyone able to resolve this? I'm trying to change the "applicationName" property to the default asp.net applicationName of "/" that many of the users and roles in our database was made using. However, changing it in the store configuration JSON did not do anything. Any ideas?

Re: SQL Server Identity Provider with Encrypted Passwords

DanielWalton — Thu, 11 Dec 2014 19:01:11 GMT

We were able to get this working using the stock ESRI SQL Configuration by setting the MachineKey section settings in the server's machine.config files.

Re: SQL Server Identity Provider with Encrypted Passwords

Rainer_Herzog — Thu, 25 Jun 2015 13:29:16 GMT

Hi,

I have the exact same issue. I tried to workaround that issue with the settings in the server's machine.config as you mentioned. But unfortunately it doesn't work.

Could you please provide some more details?

Thanks

Re: SQL Server Identity Provider with Encrypted Passwords

DanielWalton — Fri, 26 Jun 2015 14:27:51 GMT

Here are the steps I had to take to get this working:

Copy the machineKey section from your old server's web.config to your new server's machine.config files (I did all 4 since I'm not sure what framework version or x86 or x64 are being used by Java).
Edit your security-config.json file with the following settings:

"userStoreConfig": {

"type": "SQL_SERVER",

"properties": {

"applicationName": "your-application-name",

"connectionString": "Data Source=your-server;Initial Catalog=your-db;User ID=your-username;Password=your-pw"

}

"roleStoreConfig": {

"type": "SQL_SERVER",

"properties": {

"applicationName": "your-application-name",

"connectionString": "Data Source=your-server;Initial Catalog=your-db;User ID=your-username;Password=your-pw"

}

3. Reboot the server.

4. Test the config settings.

Re: SQL Server Identity Provider with Encrypted Passwords

Rainer_Herzog — Mon, 29 Jun 2015 21:55:38 GMT

Thanks a lot for your quick reply and the full description of your settings. But unfortunately this does not solve my problem. As I did exact the same things you descripted I'm wondering what else could cause the difference.

Just to be sure: if you add new users to your user-store in your SQL Server / SQL Server Express-DB, the password there would get a passowrd with the format encrypted and not hashed (PasswordFormat = 2 in the table aspnet_Membership)?

If this is the case - congrats! 😉

Re: SQL Server Identity Provider with Encrypted Passwords

DanielWalton — Tue, 30 Jun 2015 03:24:46 GMT

No, I believe in order to achieve that you will have to implement a custom provider. In our case all we needed was to be able to validate existing users with encrypted passwords.

Re: SQL Server Identity Provider with Encrypted Passwords

Rainer_Herzog — Tue, 30 Jun 2015 06:59:35 GMT

ok, in this case it makes sence. Thanks a lot for your help!

Now I know I have to find another approach.