2013-02-22

SharePoint 2010 upgrade to 2013 FBA MachineKey validation attribute invalid

Issue:
You've upgraded a Forms Based Authentication SharePoint 2010 web application to SP2013, and implemented FBA on the SharePoint 2013 Web Application.
After creating the AspNetSQL membership database you add the membership provider with passwordFormat="Encrypted". None of the passwords work. Testing the AspNetDB from a standalone .NET site gives the following:


Cause:
  • SP 2013 uses .NET 4.0, which out of the gate defaults to HMACSHA256 (a Hash-based Message Authentication Code using the SHA256 hash function) for the web.config machineKey validation attribute.
  • SP 2010 uses .NET 2.0, which defaults to SHA1.
  • The IIS 7.5 IIS Manager doesn't even seem to support .NET 4.0 properly.

Fix:
  • Don't use Encrypted or Hashed passwords... I know, I know, that's not a fix, it's a lazy workaround.
  • Use the SP 2010 web.config machineKeys, or ...
  • Generate a new machineKey using SHA1: go to http://www.developmentnow.com/articles/machinekey_generator.aspx, generate the key, and replace the existing ones in all the SP web.config files or in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, and in the SecurityTokenServiceApplication web.config.
  • Regenerate passwords for all users.
If the machineKey changes, you may need to reprovision the Security Token Service Application.
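As an added example (not from the original post), the following PowerShell generates a machineKey element with validation="SHA1" locally, rather than fetching key material from a web page, and writes the same element into every web.config that has to agree: the FBA web applications and the SecurityTokenServiceApplication web.config. The paths in $WebConfigPaths are placeholders, not the post's values; replace them with your farm's actual files. It backs up each file before editing it.

```powershell
# Added example: generate a SHA1/AES machineKey and apply it to a set of web.config files.
# Assumption: run as an administrator on a farm server; $WebConfigPaths below are placeholders.

function New-HexKey {
    param([int]$ByteLength)
    # Cryptographically random bytes, rendered as upper-case hex as machineKey expects
    $bytes = New-Object byte[] $ByteLength
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# SHA1 validation accepts a 40..128 byte key; AES-256 decryption needs a 32 byte key.
$validationKey = New-HexKey -ByteLength 64
$decryptionKey = New-HexKey -ByteLength 32

$machineKeyXml = "<machineKey validationKey=`"$validationKey`" decryptionKey=`"$decryptionKey`" validation=`"SHA1`" decryption=`"AES`" />"
Write-Output "Generated element (keep it out of logs and tickets):"
Write-Output $machineKeyXml

# Every web.config that shares the FBA membership database must carry the identical element.
$WebConfigPaths = @(
    'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',                                                        # placeholder path
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\WebServices\SecurityToken\web.config'     # placeholder path
)

foreach ($path in $WebConfigPaths) {
    if (-not (Test-Path $path)) { Write-Warning "Not found: $path"; continue }

    # Keep a timestamped backup so the previous keys can be restored if needed
    Copy-Item -Path $path -Destination "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"

    [xml]$config = Get-Content -Path $path
    $systemWeb = $config.configuration.'system.web'
    if ($null -eq $systemWeb) { Write-Warning "No <system.web> section in $path"; continue }

    # Replace any existing machineKey (for example the .NET 4.0 HMACSHA256 default) with the new one
    $existing = $systemWeb.machineKey
    if ($null -ne $existing) { $systemWeb.RemoveChild($existing) | Out-Null }
    $newNode = $config.ImportNode(([xml]$machineKeyXml).DocumentElement, $true)
    $systemWeb.AppendChild($newNode) | Out-Null

    $config.Save($path)
    Write-Output "Updated machineKey in $path"
}
```

Run it once and copy the resulting element to every other server in the farm; if any web.config ends up with a different key, passwords encrypted under one key will fail to decrypt on the other, which is the same symptom the post describes. Passwords already stored under the old key still need to be regenerated, as the fix list says.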