Select to view content in your preferred language

SQL Server Identity Provider with Encrypted Passwords

5058
11
09-18-2013 01:08 AM
MatejVrtich1
Occasional Contributor
Hi,

We are migrating AGS security from 10 to 10.2 version.
In AGS 10, we are using SQL Server database with Encrypted passwords (not Hashed) as identity provider.
After setting this SQL Server database as identity provider in AGS 10.2, we are unable to validate passwords and create new users.

This is the User Store Configuration:
{
  "type": "SQL_SERVER",
  "properties": {
    "passwordFormat": "Encrypted",
    "applicationName": "esriags",
    "connectionString": "Data Source={HOSTNAME}\\SQLEXPRESS;Initial Catalog={DBNAME};Integrated Security=SSPI"
  }
}

Creating new user throws this error message:
"You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key."

Is there any way how to set machineKey in AGS 10.2?

Thanks,
Matej
Tags (2)
0 Kudos
11 Replies
DanielWalton
Frequent Contributor
I have the exact same issue. I don't see any place where this can be configured. Have you figured it out yet?
0 Kudos
MatejVrtich1
Occasional Contributor
As we did not find any way how to use encrypted passwords, we ended with converting the database with passwords into hashed format.

Matej
0 Kudos
DanielWalton
Frequent Contributor
I was afraid you'd say that. We have opened a ticket with ESRI since we really need to use encryped passwords so our applications and data can be accessed with a single login. But since AGS server no longer runs on IIS and ASP.NET, I have my doubts as to whether or not backend password decryption is possible anymore. Thanks for posting back!
0 Kudos
JasonReid
Emerging Contributor
I am having this exact same issue. Trying to get a support ticket started and get confirmation from ESRI that 10.1 (and 10.2) don't support encrypted user stores. Or if it does where to set those values for a machine key because it is not obvious where to do that now in 10.1, and the new server architecture.
0 Kudos
RuchiraWelikala
Regular Contributor

Was anyone able to resolve this? I'm trying to change the "applicationName" property to the default asp.net applicationName of "/" that many of the users and roles in our database was made using. However, changing it in the store configuration JSON did not do anything. Any ideas?

0 Kudos
DanielWalton
Frequent Contributor

We were able to get this working using the stock ESRI SQL Configuration by setting the MachineKey section settings in the server's machine.config files.

0 Kudos
RainerHerzog1
Esri Contributor

Hi,

I have the exact same issue. I tried to workaround that issue with the settings in the server's machine.config as you mentioned. But unfortunately it doesn't work.

Could you please provide some more details?

Thanks

0 Kudos
DanielWalton
Frequent Contributor

Here are the steps I had to take to get this working:

  1. Copy the machineKey section from your old server's web.config to your new server's machine.config files (I did all 4 since I'm not sure what framework version or x86 or x64 are being used by Java).
  2. Edit your security-config.json file with the following settings:

"userStoreConfig": {

    "type": "SQL_SERVER",

    "properties": {

      "applicationName": "your-application-name",

      "connectionString": "Data Source=your-server;Initial Catalog=your-db;User ID=your-username;Password=your-pw"

    }

  },

  "roleStoreConfig": {

    "type": "SQL_SERVER",

    "properties": {

      "applicationName": "your-application-name",

      "connectionString": "Data Source=your-server;Initial Catalog=your-db;User ID=your-username;Password=your-pw"

    }

  }

3. Reboot the server.

4. Test the config settings.

0 Kudos
RainerHerzog1
Esri Contributor

Thanks a lot for your quick reply and the full description of your settings. But unfortunately this does not solve my problem. As I did exact the same things you descripted I'm wondering what else could cause the difference.

Just to be sure: if you add new users to your user-store in your SQL Server / SQL Server Express-DB, the password there would get a passowrd with the format encrypted and not hashed (PasswordFormat = 2 in the table aspnet_Membership)?

If this is the case - congrats! 😉

0 Kudos