How to fix this error: Key not valid for use in specified state after move to another server

Question

I have an asp.net application, using aspnetsqlMembership provider for encrypt/descrypt user profile data. Now, we decided to move our application to a new server, but I am getting this error on the new server when I am trying to create a new user (encrypting):

Key not valid for use in specified state

What I already tried: 1. I Imported the certificate from the old server and it seems to be good/ 2. I Checked the security permissions of the certificate, and they are the same as those on the old server 3. Also the machine key definitions on the IIs seems to be the same. 4. Tried to change sqlmembership format from encrypted to hashed, but the exception still throwed.

I spent al lot of time on trying to solve this problem. Will be happy if anybody here can help me. Thanks, Hana.

Answer 1

The encryption of the passwords for the SqlMEmbershipProvider has nothing to do with a certificate.

Encrypted and Hashed passwords are encrypted or hashed by default based on information supplied in the machineKey element in your configuration. Note that if you specify a value of 3DES for the validation attribute, or if no value is specified, hashed passwords will be hashed using the SHA1 algorithm.

A custom hash algorithm can be defined using the hashAlgorithmType attribute of the membership Element (ASP.NET Settings Schema) configuration element. If you choose encryption, default password encryption uses AES. You can change the encryption algorithm by setting the decryption attribute of the machineKey configuration element. If you are encrypting passwords, you must provide an explicit value for the decryptionKey attribute in the machineKey element. The default value of AutoGenerate for the decryptionKey attribute is not supported when using encrypted passwords with ASP.NET Membership.

Microsoft Docs: SqlMembershipProvider.PasswordFormat Property

Have a look at your web.config file. Is there a section? Are there any values in there?

Make sure the new server has exactly the save values!

If there is no section or no values...

You must have access to the old server once again!

After a bit of digging in the current 4.5 framework, turns out that the auto generated keys are stored in HttpApplication.s_autogenKeys byte array. The validation key is the first 64 bytes, followed by 24 bytes of the decryption key.

@Mr-Curious has written a nice answer on how to resolve the values (keys) for the machineKey section if they are not existent (AutoGenerated).