Rebuilding or migrating your BugNET system after you lose your machine key
Nov
24
Written by:
11/24/2008 7:13 PM
All the hashing and encryption in ASP.NET 2.0 is done through the machine key. Thats why its uniquie to
each clean installation.
(Here is much more information http://msdn.microsoft.com/en-us/library/ms998288.aspx)
This article will explain which areas of BugNET are affected by lost machine keys, and how to rebuild a
BugNET system without it. In the end you should have a fully fledgedsystem under control of "admin" and
will then need to reset the users passwords to allow them to login.
I present two techniques, one will require some minor code to be written, and the other some SQL scripting.
I have used the SQL technique on a hosted box with success.
(un)Luckily *only* the passwords use the machine key. The attachments are not encrypted, nor are any of the settings in web.config encrypted using DPAPI.
So basically everything is fine, except nobody will login. (Yes thats you "admin")
The easy way (A bit of code required)
-
You can use this website (Generate MachineKey by Scott Forsyth) to generate a new machine key and copy over into your web.config file.
-
Open up VS2005 and create a ASP.net webpage with the following code behind a button or something:
MembershipUser mem = Membership.GetUser(“admin”);
mem.ChangePassword(mem.ResetPassword(), “password”);
-
Compile and deployin BugNET.
-
Run the page (ie using browser) and your admin user is accessable, you just need to change everybody elses password.
Why does this work?
BugNET has the setting “requiresQuestionAndAnswer” in web.config turned false. This means you are not prompted for your secret Question and Answer authentication before password change. By default BugNET does not query the (old machine key) encrypted Answer fields and .NET has no problem in setting the password.
The default Membership provider “AspNetSqlMembershipProvider” is set like this:
requiresQuestionAndAnswer="false"
Pure SQL route
(This is useful if you are in a hosted environment but is a major )
However there is still some tidying up to do with the admin user.
Here is a script I wrote to clean up users, just needs the new admin GUID and the old admin GUID to work.
Warning: I may have missed a few tables on a heavily populated BugNET database.
-- BugNET Admin Cleanup Script
Declare @TargetUser as varchar(40)
Declare @DeadUser1 as varchar(40)
-- TargetUser is the new Admin GUID
Set @TargetUser = '{C339CD01-F20B-495B-BD66-376236D3A1AC}'
-- This is the old Admin GUID
set @DeadUser1 = '{FC356008-386C-4F9F-AE24-29429B797B2C}'
-- Change the bugnet calls and history
print 'Merging bug''s reporteruserid'
update bug set reporteruserid=@TargetUser where (ReporterUserId = @DeadUser1)
-- Assigned to change
print 'Merging bug''s AssignedToUserId'
update bug set AssignedToUserId=@TargetUser where (AssignedToUserId = @DeadUser1)
-- LastUpdateUserId
print 'Merging bug''s LastUpdateUserId'
update bug set LastUpdateUserId=@TargetUser where (LastUpdateUserId = @DeadUser1)
-- Now for the other tables
-- UploadedUserID
print 'Merging BugAttachment''s UploadedUserID'
update BugAttachment set UploadedUserID= @TargetUser where (UploadedUserID = @DeadUser1)
print 'Merging ProjectMailbox' update ProjectMailBox set AssigntoUserID= @TargetUser where (AssigntoUserID = @DeadUser1)
-- CreatedUserID
print 'Merging BugComment''s CreatedUserID'
update BugComment set CreatedUserID= @TargetUser where (CreatedUserID = @DeadUser1)
-- CreatedUserID
print 'Merging BugHistory''s CreatedUserID'
update BugHistory set CreatedUserID= @TargetUser where (CreatedUserID = @DeadUser1)
-- CreatedUserID
print 'Merging BugNotification''s CreatedUserID'
update BugNotification set CreatedUserID= @TargetUser where (CreatedUserID = @DeadUser1)
print 'Deleting BugTimeEntry'
update BugTimeEntry set CreatedUserID= @TargetUser where (CreatedUserID = @DeadUser1)