I would like to know how I can verify a user's credential against an existing asp.net membership database. The short story is that we want to provide single sign on access.

So what I've done is to connect directly to the membership database and tried to run a sql query against the aspnet_Membership table:

// Requires: using System; using System.Configuration;
//           using System.Data.SqlClient; using System.Web.Security;
private bool CanLogin(string userName, string password)
{
  // Check the membership DB to see if the credential is correct
  try
    {
      // This is the value in question: it has to be produced the same way the
      // membership provider produced the stored aspnet_Membership.Password.
      string passwordHash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");

      // Parameterised so neither the user name nor the hash is spliced into the SQL text.
      const string sql =
        "select 1 from aspnet_Users a inner join aspnet_Membership b " +
        "on a.UserId = b.UserId and a.applicationid = b.applicationid " +
        "where a.username = @userName and b.password = @passwordHash";

      using (SqlConnection sqlConn = new SqlConnection(ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString))
      using (SqlCommand sqlCmd = new SqlCommand(sql, sqlConn))
      {
         sqlCmd.Parameters.AddWithValue("@userName", userName.ToLowerInvariant());
         sqlCmd.Parameters.AddWithValue("@passwordHash", passwordHash);
         sqlConn.Open();
         // ExecuteNonQuery returns -1 for a SELECT, so "count == 1" could never be true.
         // ExecuteScalar returns the first column of the first row, or null if no row matched.
         object result = sqlCmd.ExecuteScalar();
         return result != null;
       }
    }
    catch (Exception)
    {
        return false;
    }
 }

The problem is the password value: does anyone know how the password is hashed?

A: 

The problem is the password value: does anyone know how the password is hashed?

Yes - you do! Check your web.config file for something like this:

<membership defaultProvider="MembershipSqlProvider"
            userIsOnlineTimeWindow="15">
  <providers>
    <add name="MembershipSqlProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web,
               Version=1.2.3400.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a"
         PasswordFormat="Hashed" />
  </providers>
</membership>

The PasswordFormat is what you are looking for. It can have the following three values:

  • Clear
  • Encrypted
  • Hashed

And, Microsoft sets the default value to Hashed for PasswordFormat.

rlb.usa
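As an added example (not code from the question or this answer): with PasswordFormat="Hashed", SqlMembershipProvider stores base64(hash(salt || UTF-16LE(password))) in aspnet_Membership.Password, with the base64 salt in aspnet_Membership.PasswordSalt and the algorithm taken from the hashAlgorithmType attribute of the membership element (SHA1 by default). FormsAuthentication.HashPasswordForStoringInConfigFile produces an unsalted hex SHA1, so it can never match that column. The routine below reproduces the provider's comparison for the default SHA1 case, reads the user's row with a parameterised query, and applies the same IsApproved/IsLockedOut gate the provider applies. It assumes the standard aspnet_Users/aspnet_Membership schema and a connection string named "LocalSqlServer" (the name the question uses).

```csharp
// Added example: verify a credential against aspnet_Membership the way
// SqlMembershipProvider does for PasswordFormat="Hashed" (default SHA1).
// Assumptions: standard aspnet_* schema, connection string "LocalSqlServer".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class HashedMembershipCheck
{
    // Values stored in aspnet_Membership.PasswordFormat
    private const int PasswordFormatClear = 0;
    private const int PasswordFormatHashed = 1;
    private const int PasswordFormatEncrypted = 2;

    // base64( SHA1( saltBytes || UTF-16LE(password) ) ), where saltBytes is the
    // base64-decoded PasswordSalt column. This is the provider's non-keyed path.
    public static string HashPassword(string password, string base64Salt)
    {
        byte[] passwordBytes = Encoding.Unicode.GetBytes(password);
        byte[] saltBytes = Convert.FromBase64String(base64Salt);
        byte[] all = new byte[saltBytes.Length + passwordBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, all, 0, saltBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, all, saltBytes.Length, passwordBytes.Length);

        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(all));
        }
    }

    public static bool VerifyCredential(string userName, string password)
    {
        const string sql =
            "SELECT m.Password, m.PasswordFormat, m.PasswordSalt, m.IsApproved, m.IsLockedOut " +
            "FROM aspnet_Users u INNER JOIN aspnet_Membership m " +
            "ON u.UserId = m.UserId AND u.ApplicationId = m.ApplicationId " +
            "WHERE u.LoweredUserName = @userName";

        string connectionString =
            ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Parameterised: the user name never becomes part of the SQL text.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName.ToLowerInvariant();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    return false; // unknown user: same answer as a wrong password
                }

                string storedPassword = reader.GetString(0);
                int passwordFormat = reader.GetInt32(1);
                string salt = reader.GetString(2);
                bool isApproved = reader.GetBoolean(3);
                bool isLockedOut = reader.GetBoolean(4);

                // The provider also rejects unapproved and locked-out accounts;
                // Clear/Encrypted rows are outside what this routine handles.
                if (!isApproved || isLockedOut || passwordFormat != PasswordFormatHashed)
                {
                    return false;
                }

                return FixedTimeEquals(HashPassword(password, salt), storedPassword);
            }
        }
    }

    // Compare without leaking where the first mismatching character sits.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

If the database hosts more than one application, add a filter on ApplicationId (via aspnet_Applications.LoweredApplicationName) to the query; otherwise the same user name in two applications returns two rows. Note also what this bypasses: the provider's failed-attempt counter and automatic lockout, which only run when the provider itself validates the user.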
A: 

Why don't you check it automatically via System.Web.Security.Membership.ValidateUser()?

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>    
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear />
                <add name="MyMembershipProvider" type="MyApplication.MyMembershipProvider" connectionStringName="MyConnString" />
            </providers>
        </membership>
    </system.web>
</configuration>
abatishchev
Do you know what web.config settings are required? We cannot change the authentication mode to forms, as this will break the SharePoint site.
Ekk
@Ekk: I edited my answer
abatishchev
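As an added example (not the answer's own code): the membership section is independent of the authentication element, so Membership.ValidateUser() works without switching a Windows-authenticated SharePoint site to forms authentication. The block shows the default-provider call plus a second variant that constructs SqlMembershipProvider in code for a site whose web.config should not be touched. It assumes the provider and connection string names from the answer's config ("MyMembershipProvider", "MyConnString"); the NameValueCollection keys are the attributes SqlMembershipProvider.Initialize accepts from an add element, and applicationName must equal the one the existing applications were created under.

```csharp
// Added example: let the provider do the hash comparison instead of raw SQL.
// Assumptions: provider name "MyMembershipProvider" and connection string
// "MyConnString" (both from the answer's config); applicationName "/" as in
// the default provider configuration.
using System.Collections.Specialized;
using System.Web.Security;

public static class MembershipLogin
{
    // 1. Default provider declared in web.config. Only the <membership> section
    //    and its connection string are needed; <authentication mode="..."> is
    //    unrelated, so a Windows-authenticated site can still call this.
    public static bool CanLogin(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }

    // 2. Provider built in code. Initialize may be called only once per instance,
    //    so create it once and keep it (here in a static field).
    public static MembershipProvider CreateSqlProvider()
    {
        var config = new NameValueCollection
        {
            { "connectionStringName", "MyConnString" }, // must exist in <connectionStrings>
            { "applicationName", "/" },                 // must match the apps' applicationName
            { "passwordFormat", "Hashed" }
        };
        var provider = new SqlMembershipProvider();
        provider.Initialize("MyMembershipProvider", config);
        return provider;
    }

    private static readonly MembershipProvider Provider = CreateSqlProvider();

    public static bool CanLoginWithProvider(string userName, string password)
    {
        // ValidateUser applies the provider's own rules as well: IsApproved,
        // IsLockedOut, failed-attempt counting and lockout. A hand-written SQL
        // comparison silently skips all of them.
        return Provider.ValidateUser(userName, password);
    }
}
```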
+2  A: 

If you have two asp.net apps on the same IIS server, you can do SSO like this. I asked this question and answered it myself.

here

Once you have both apps pointing at your asp_membership database by placing the following in the system.web section of your web.config:

<authentication mode="Forms" />
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="membership"
              applicationName="/"
              />
  </providers>
</membership>
<roleManager enabled="true" />

Make sure both have the same applicationName property set.

I was using IIS 6, so I configured it to autogenerate a machine key for both applications. Because both of these applications live on the same machine, the key would be identical; this is the critical part to making the SSO work. After setting up IIS, the following was added to my web.config:

<machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />

That was all there was to it. Once that was done I could log into app1 and then browse to app2 and keep my security credentials.

jim
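Added note and example, not part of the answer: AutoGenerate yields the same key for both applications only because they run on the same machine and the element omits the IsolateApps modifier (the framework default "AutoGenerate,IsolateApps" derives a different key per application, which would break the shared cookie). Explicit keys make the sharing deliberate and also work when the two applications sit on different servers. The helper below generates a machineKey element with fresh random keys; it is constructed for this page and assumes validation="SHA1" as in the answer, with AES decryption (the 2.0 default). Put the identical element in both web.config files and keep it out of source control.

```csharp
// Added example: generate explicit machineKey values so both applications
// share the same forms-authentication keys by configuration, not by accident.
// Assumptions: validation="SHA1" (as in the answer), decryption="AES".
using System;
using System.Security.Cryptography;

public static class MachineKeyGenerator
{
    // Uppercase hex of cryptographically random bytes, the format machineKey expects.
    public static string RandomHex(int byteCount)
    {
        byte[] buffer = new byte[byteCount];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buffer);
        }
        return BitConverter.ToString(buffer).Replace("-", "");
    }

    // validationKey: 20..64 bytes (40..128 hex chars); 64 bytes = HMAC-SHA1 block size.
    // decryptionKey: 32 bytes (64 hex chars) selects AES-256.
    public static string MachineKeyElement()
    {
        return string.Format(
            "<machineKey validation=\"SHA1\" decryption=\"AES\" validationKey=\"{0}\" decryptionKey=\"{1}\" />",
            RandomHex(64), RandomHex(32));
    }

    // Sanity check before pasting into web.config.
    public static bool IsValidHexKey(string hex, int minBytes, int maxBytes)
    {
        if (hex.Length % 2 != 0) return false;
        int bytes = hex.Length / 2;
        if (bytes < minBytes || bytes > maxBytes) return false;
        foreach (char c in hex)
        {
            if (!Uri.IsHexDigit(c)) return false;
        }
        return true;
    }

    public static void Main()
    {
        Console.WriteLine(MachineKeyElement());
    }
}
```

Because both applications sign and encrypt the authentication ticket with these keys, anyone holding them can mint a valid ticket for either site; treat the element like a password, and give each pair of federated applications its own keys rather than reusing one set server-wide.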