Profile encryption

Hi

Could somebody explain how the default encryption for the UserObject profile works? We have added users and organizations using the Customers and Orders Manage UI tool. When the password and password answer fields are encrypted, how is this done? Does it use a one-way hash?

The problem I am having is that the user is able to log in, but there is always a failure when it tries to reset the password. I have made sure that the user has the right to reset the password themselves (rather than the UI tool only), but we are getting an error every time the password reset is attempted.

Any help would be appreciated.

Regards

Paul

By PaulTew at 2008-1-7
# 1

Yes, passwords are a one-way hash and credit cards are two-way. You can set any value of the profile definition for encryption using Commerce Server Manager and navigating to the global resource for profiles.

You will also need to set the encryption keys for the site as well as the web service. Under the root folder of Commerce Server 2007 there is a folder called tools, where you should find the encryption tool for profiles.

This is also very well documented in the help files.

How Does the Profiles System Encrypt Data

How to Configure Encryption Keys for Profiles System Data

Good luck,

-Max

MaxAkbar at 2007-10-2 > top of Msdn Tech,Commerce Server,Commerce Server 2007...
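As an added illustration of the one-way scheme Max describes (this is not Commerce Server's or the UPM provider's own code, and the trim-and-lowercase normalisation of the answer is an assumption): the password and the password answer are kept only as salted digests, login and reset each re-derive and compare, and an answer digest written to the profile store with a different normalisation than the provider uses reproduces the "login works, reset fails" symptom.

```python
import hashlib
import hmac
import os
import secrets
ITERATIONS = 100_000

def hash_secret(secret, salt=None):
    """One-way: keep only salt + PBKDF2 digest; the secret itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_secret(secret, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def normalize_answer(answer):
    """Assumed provider rule: trim and fold case before hashing the answer."""
    return answer.strip().lower()

def create_user(password, answer, normalize=True):
    """Constructed profile record; normalize=False mimics a tool that hashed the raw answer."""
    stored = normalize_answer(answer) if normalize else answer
    return {"password": hash_secret(password), "answer": hash_secret(stored)}

def login(user, password):
    return verify_secret(password, *user["password"])

def reset_password(user, answer):
    """Same shape as MembershipUser.ResetPassword: check the hashed answer,
    then replace the password digest with one for a fresh random password."""
    if not verify_secret(normalize_answer(answer), *user["answer"]):
        raise ValueError("Invalid password answer was supplied.")
    new_password = secrets.token_urlsafe(12)
    user["password"] = hash_secret(new_password)
    return new_password

def demo():
    """Login works for both records; reset only where the answer was hashed normalised."""
    good = create_user("P@ssw0rd!", "Fluffy ", normalize=True)
    bad = create_user("P@ssw0rd!", "Fluffy ", normalize=False)
    result = {"login_good": login(good, "P@ssw0rd!"), "login_bad": login(bad, "P@ssw0rd!")}
    result["reset_good"] = login(good, reset_password(good, "fluffy"))
    try:
        reset_password(bad, "fluffy")
        result["reset_bad"] = True
    except ValueError:
        result["reset_bad"] = False
    return result
```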
# 2

Hi Max

Thanks for the links. Unfortunately this didn't solve the problem. I've made sure the passwords etc. have been reset so they use the new encryption keys.

The problem we have is while the login section works, the password reset does not.

Regards

Paul

PaulTew at 2007-10-2
# 3
Are you using the Starter Site or your own code? If so, can you give some details as to what is not working? Are you getting an error? If so, please provide the error message and a step-by-step repro.

Thanks,
-Max

MaxAkbar at 2007-10-2
# 4

Hi Max

Yes the code is my own, but I used the password reset from the starter site. The error I'm getting is as follows:

Code Snippet

An exception occurred in the UPM Membership Provider: System.Web.Security.MembershipPasswordException: Invalid password answer was supplied.
at Microsoft.CommerceServer.Runtime.Profiles.UpmMembershipUser.ResetPassword(String passwordAnswer)
at System.Web.Security.MembershipUser.ResetPassword(String passwordAnswer, Boolean useAnswer, Boolean throwOnError)
at System.Web.UI.WebControls.PasswordRecovery.AttemptSendPasswordQuestionView()
at System.Web.UI.WebControls.PasswordRecovery.AttemptSendPassword()
at System.Web.UI.WebControls.PasswordRecovery.OnBubbleEvent(Object source, EventArgs e)
at System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args)
at System.Web.UI.WebControls.Button.OnCommand(CommandEventArgs e)
at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.forgotpassword_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
at System.Web.HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
at System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)

Password reset page:

Code Snippet

<asp:PasswordRecovery ID="PasswordRecovery1" runat="server" MembershipProvider="UpmProvider" UserNameInstructionText="Enter your Email Address to receive your new password." UserNameLabelText="Email Address" UserNameRequiredErrorMessage="Email address is required.">
<MailDefinition From="[Email Address]" Priority="High" Subject="New Password" />
<UserNameTemplate>
<h2>Forgot your password?</h2>
<table border="0" cellspacing="0">
<tr>
<td colspan="2">Enter your email address to receive your new password</td>
</tr>
<tr>
<td>Email Address:</td>
<td><asp:TextBox ID="UserName" runat="server"></asp:TextBox><asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName" ValidationGroup="UsernameGroup">*</asp:RequiredFieldValidator></td>
</tr>
<tr>
<td class="error" colspan="2"><asp:Literal ID="FailureText" runat="server"></asp:Literal></td>
</tr>
<tr>
<td> </td>
<td><asp:Button ID="SubmitButton" runat="server" CommandName="Submit" Text="Submit" ValidationGroup="UsernameGroup" /> <asp:Button ID="CancelButton" runat="server" Text="Cancel" OnClick="CancelButton_Click" CausesValidation="False" /></td>
</tr>
</table>
</UserNameTemplate>
<QuestionTemplate>
<h2>Identity Confirmation</h2>
<table border="0" cellspacing="0">
<tr>
<td colspan="2">Answer the following question to receive your password.</td>
</tr>
<tr>
<td><asp:Label ID="QuestionLabel" runat="server" AssociatedControlID="Question" >Question:</asp:Label></td>
<td><asp:Literal ID="Question" runat="server"></asp:Literal></td>
</tr>
<tr>
<td><asp:Label ID="AnswerLabel" runat="server" AssociatedControlID="Answer">Answer:</asp:Label></td>
<td><asp:TextBox ID="Answer" runat="server"></asp:TextBox><asp:RequiredFieldValidator ID="AnswerRequired" runat="server" ControlToValidate="Answer" ValidationGroup="QuestionGroup">*</asp:RequiredFieldValidator></td>
</tr>
<tr>
<td class="error" colspan="2"><asp:Literal ID="FailureText" runat="server"></asp:Literal></td>
</tr>
<tr>
<td> </td>
<td><asp:Button ID="SubmitButton" runat="server" CommandName="Submit" Text="Submit" ValidationGroup="QuestionGroup" /> <asp:Button ID="CancelButton" runat="server" Text="Cancel" OnClick="CancelButton_Click" CausesValidation="false" /></td>
</tr>
</table>
</QuestionTemplate>
<SuccessTemplate>
<table border="0" cellspacing="0">
<tr>
<td>Your new password has been emailed to <asp:Label ID="EmailLabel" runat="server" /></td>
</tr>
<tr>
<td>Click <asp:HyperLink ID="lnkLogin" runat="server" NavigateUrl="~/Login.aspx">here</asp:HyperLink> to login.</td>
</tr>
</table>
</SuccessTemplate>
</asp:PasswordRecovery>

web.config:

Code Snippet
<profiles>
<userProfile profileDefinition="UserObject" userIdProperty="GeneralInfo.user_id" organizationIdProperty="AccountInfo.org_id" catalogSetIdProperty="AccountInfo.user_catalog_set" userIdSource = "ASP.NET" userIdKey = "GeneralInfo.email_address" userIdTarget = "GeneralInfo.user_id" />
<organizationProfile profileDefinition="Organization" organizationIdProperty="GeneralInfo.org_id" catalogSetIdProperty="GeneralInfo.org_catalog_set" />
<encryption>
<keys keyIndex="1">
<add type="publicKey" value="registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Commerce Server 2007 Keys\Default,PublicKey" />
<add type="privateKey1" value="registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Commerce Server 2007 Keys\Default,PrivateKey" />
</keys>
</encryption>
</profiles>
<membership defaultProvider="UpmProvider" userIsOnlineTimeWindow="60">
<providers>
<clear/>
<add name="UpmProvider"
type="Microsoft.CommerceServer.Runtime.Profiles.UpmMembershipProvider"
enablePasswordReset="true"
enablePasswordRetrieval="false"
profileDefinitionName="UserObject"
logonNameProperty="GeneralInfo.email_address"
passwordFormat="Hashed"
requiresApproval="false"
requiresQuestionAndAnswer="true"
writeExceptionsToEventLog="true"
/>
</providers>
</membership>
<system.net>
<mailSettings>
<smtp deliveryMethod="Network" from="[email address]">
<network host="[host]" userName="[username]" password="[password]" />
</smtp>
</mailSettings>
</system.net>

I have also tried setting the userIdProperty of the User profile to "GeneralInfo.email_address" as well.

Any help would be appreciated.

Paul

PaulTew at 2007-10-2