Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

Is it possible to convert user list from hashed to encrypted password setup?
New Post
10/20/2009 7:07 AM
 

I'm posting this question to ask if there is anyone who can advise me on whether a site setup without machine keys and using hashed methods for membership management can be switched over to machine key / encryption method and if so what is the procedure?

I'm wondering how to approach this. Do I need to drop all the users? Is there some SQL script I can run to change the existing users (lots I'm afraid) from one method to another?

I've exhausted every possible search method I know to give me this answer and was hoping that perhaps someone with some hands-on knowledge regarding membership management could shed some light.

Thanks

Nina


Nina Meiers My Little Website
If it's on DNN, I fix, build, deploy, support, skin, host, design, consult, implement, integrate and done since 2003.
Who am I? Just a city chic, having a crack at organic berry farming.. and creating awesome websites.
 
New Post
10/20/2009 10:36 AM
 

Nina,

The quick answer is yes.  A little involved but doable.

Here is a link as a starting place.

http://www.qualitydata.com/products/aspnet-membership/help/configuration/asp-net-sql-membership-password-administration.aspx

After reading through this, feel free to post any questions, I'd be glad to help if I can.

Robert

New Post
10/20/2009 9:12 PM
 

Hi Robert - that is an incredibly clear and detailed website that has enlightened me enormously and thanks so much for posting it.

I was interested to see that I had recognised many of the smaller details based on my 15 hours or so I've spent trying to work out a Rubik's cube of choices in something that I simply can't quite work out.

I feel I'm nearly there but it's still out of my skill level because I am only able to make small changes in very simple sql terms.

I found that I had to change the ApplicationID membership provider to the dotnetnuke one - there was another one in there and my attempt to delete it helped bring up the places where it was sitting. So I did that in the two tables.

I then found that there are two password formats - 1 & 2, with 1 being in nearly all of them and a couple that were 2 based on me adding in a new user after I was unable to log in and had machine keys in the config file.  And changing the format from 1 to 2 stopped me being able to log in - I was unable to find any reference regarding the implications of changing this setting, nor was there anywhere that covered how this is handled.  I think that is a sticking point.

I also found that when creating a new user, and using the same password as before, the password and password salt were different to the ones that were in the hashed format and I think this is where the trouble lies. I am not sure how to create encrypted passwords, nor have the understanding or confidence to change everything en masse... we are talking about close on 80,000 users and I have been toying with the idea of rebuilding from scratch but I will lose all the forums and orders, even if I take out the other logistics.

I guess I'm just out of my depth and I didn't just decide to move from encrypted to hashed - it was something done a couple of years ago and we haven't used it for some time, but alas, I was not as aware of the implications as I am now.

Thanks for this information - I guess I'll be making a decision shortly on cutting my losses and just rebuilding from scratch in the next couple of hours.

Nina


Nina Meiers My Little Website
If it's on DNN, I fix, build, deploy, support, skin, host, design, consult, implement, integrate and done since 2003.
Who am I? Just a city chic, having a crack at organic berry farming.. and creating awesome websites.
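
Added example, not written by anyone in this thread and not DNN or ASP.NET code: a Python sketch of how a hashed (PasswordFormat 1) value is derived, assuming the ASP.NET SQL membership provider's default SHA1 scheme. It shows why the same password produces a different Password and PasswordSalt for each user, and how to find rows where only the PasswordFormat value was changed from 1 to 2. The row layout, user names, salts and the multiple-of-8 length test for encrypted values are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac

HASHED, ENCRYPTED = 1, 2      # PasswordFormat values mentioned in the post
SHA1_LEN = 20                 # bytes in a SHA1 digest

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def hash_password(password: str, salt_b64: str) -> str:
    """Format 1 value: Base64(SHA1(salt bytes + UTF-16LE password))."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return b64(digest)

def verify_hashed(row: dict, attempt: str) -> bool:
    """Recompute the hash with the row's own salt; compare in constant time."""
    return hmac.compare_digest(hash_password(attempt, row["PasswordSalt"]),
                               row["Password"])

def audit_row(row: dict) -> str:
    """Compare the PasswordFormat label with the shape of the stored value."""
    size = len(base64.b64decode(row["Password"]))
    if row["PasswordFormat"] == HASHED:
        return "hashed" if size == SHA1_LEN else "hashed-label-wrong-length"
    if row["PasswordFormat"] == ENCRYPTED:
        # Assumption: block-cipher output is a multiple of 8 bytes, which a
        # 20-byte digest never is, so such a row was only relabelled.
        return "encrypted-shape" if size % 8 == 0 else "hash-relabelled-as-encrypted"
    return "unknown-format"

# Constructed sample rows (not real data): alice and bob share one password.
SALT_A, SALT_B = b64(bytes(range(16))), b64(bytes(range(16, 32)))
ROWS = [
    {"User": "alice", "PasswordFormat": HASHED, "PasswordSalt": SALT_A,
     "Password": hash_password("Passw0rd!", SALT_A)},
    {"User": "bob", "PasswordFormat": HASHED, "PasswordSalt": SALT_B,
     "Password": hash_password("Passw0rd!", SALT_B)},
]
# carol: alice's row with only the PasswordFormat value edited from 1 to 2.
ROWS.append({**ROWS[0], "User": "carol", "PasswordFormat": ENCRYPTED})
# dave: placeholder 32-byte blob standing in for a genuinely encrypted value.
ROWS.append({"User": "dave", "PasswordFormat": ENCRYPTED, "PasswordSalt": SALT_B,
             "Password": b64(bytes(32))})

def audit(rows: list) -> dict:
    return {r["User"]: audit_row(r) for r in rows}
```

A row reported as `hash-relabelled-as-encrypted` still holds a one-way digest, so it can only be checked against a login attempt under format 1; setting its PasswordFormat back to 1 restores that.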
 
New Post
10/20/2009 10:03 PM
 

Nina,

My advice would be to not give up just yet!  Starting from scratch should be your last option.  I'm sure there are plenty of people here (including myself) who would be glad to lend a hand (brain) in solving your issue.  (Consider it payment for all you have contributed)

A couple of questions:

What version of DNN?

What version of SQL Server?

Can you set up a dev environment  with the data?

Would you be willing to supply the data (or part of it) for testing if needed? 

 

Remember,  if you have good backups of the DB & website you can try pretty much anything!

 

Robert

 

FYI:  I'm on US Eastern standard time so there may be some delay in responses. :)

 
New Post
10/21/2009 1:19 AM
 

Thanks Robert - Here is the scenario -

This site was completely built from new in October 2007, using a compiled version of DNN and it ran like a rocket.  Before any comments are made about the fact this might be the issue, I can assure you it is not as I have swapped several sites in and out of this build.  It works flawlessly but the sites have not had much involvement in reference to membership management.

This build was 4.8.3 and everything seemed to work ok until I upgraded Catalook store because I wanted to use one of its new features of all downloads being visible on one page. I had never had issues before. I also installed a couple of other modules but not related or problematic at this point. After that, the site stopped me from being able to use the settings on some pages and the link click behaviour was not working as expected, step 2 of the cart process was not working, although if I got past that, it would work, but would require login to view the cart.. so it all got a bit messy.

Once you got through the order process  you couldn't see the downloads page, nor could I review orders and in many instances, I had so many errors that came back with a list of errors in the site log that blew the site out to over 2gb in the database.

I initially thought it was because browsers have been updated and before we've had a few issues cross browser with javascript and ajax.  So I turned off all ajax and I put default skins on thinking perhaps it was to do with solpart actions where we have also had quirky behaviour from time to time.

I had previously moved from sql 2k5 to sql2k8 without issue and that is the current sql version it is on and was upgraded on that version of sql.

I have an exact dev environment for this where I did all my testing and it's still running.

I brought it back to hashed for now and used the other membership provider in the connection string and left the password format to 1 and people can now log in and downloads work (but I'm going to double check that now just in case) - but here is the small dilemma that keeps it from working - After reading the really good information, and also learning some of the connection strings back to front - here is what I have surmised -

No one really uses the hashed methodology in DNN - so perhaps there are elements that are not tested so thoroughly - for example even when the config file is set to 'reset' passwords, the page coming up says - password retrieval is not allowed - but I haven't selected that - I want 'reset password' and that doesn't work, so all the time even though it's still configured to use hashed, it's not working.

Interestingly - when logged in as host/admin to reset the password - it will do so for unauthorised users, minus the verification code, so, when you go to log in again, if you are not authorised, it doesn't send you the code, so when you go to log in, with your new password, it asks for the authentication code which you can't get because you can't get the password reset.. .. sort of like that 'hole in my bucket dear liza' song.

So, now that I am logged in as host /admin - can click the 'reset password' and it does reset which I will do manually for people who cannot remember their password - but we get hundreds of these and I'll handle it while problems are getting fixed.

Now, the issue with the hashed concept while good offers a bit of a scary option - firstly I don't believe, but I could be wrong, that the question and answer function worked correctly in DNN for some time and if not used, allows anyone to reset your password without asking any questions - it just resets and sends you a new one and although that might sound like more of a nuisance - it can actually do this to the host account, and of course what you think happens with the host account - you get a bunch of stars and you can't log in.

So let's just say this has been fixed in DNN - which I can't confirm at the moment, what happens to the people who registered on the website without it previously when it wasn't working??? I thought I could get around that - but I have nowhere to put in their 'answer' to a question for a reset that doesn't work anyway. This really is frustrating for users from my perspective, and with my website I use a store to handle the free downloads and that pushes things a bit but it's the only way I can really manage products at that level since I haven't seen a downloader solution that I really like that shows off the skins or gives other features that the store module does.

Annnyway- you get the picture more now I guess - I've mucked around with the config file to the point where I've exhausted what skills I have, and have managed to get it working and although not resolved, will buy me the time I need to get this fixed. I can actually live with hashed if it works correctly - but now, I can see that perhaps there is a bug in DNN that does not actually set the right information in the 'send password' option and if that was fixed, then I guess it would work.  But I have yet to test sending a password and requesting a question and answer to people who are in the list and have no q&a already filled.  Also it does not ask you for it by default when you log in, but

I do have good backups of websites and am experienced in the 'snapshot' scenario and on a site this size and this busy would never consider doing any upgrade without backing up.

I did use a fairly slow procedure to switch over to the pure dnn build, and then chose the old fashioned - one version at a time approach to upgrading - but this time used the install method rather than upgrade, having experienced some issues with files missing in some of the upgrade builds when upgrading from much earlier versions of dnn - so that's what I used.

Long winded again I know - and I'm learning about things I didn't really want to and sometimes to be honest it's very discouraging because I am not a developer or sql expert so knowing how to explain the problem or the words to use to find an answer simply elude me.

Thanks for looking at this and your kind comments. I hope this gives you a better picture of the scenario that has evolved .. I should have backed up before updating  Catalook so I have no one to blame but me in reality.

Nina


Nina Meiers My Little Website
If it's on DNN, I fix, build, deploy, support, skin, host, design, consult, implement, integrate and done since 2003.
Who am I? Just a city chic, having a crack at organic berry farming.. and creating awesome websites.