Error: Hashed or Encrypted passwords are not supported with auto-generated keys

Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
Version Affected:
  • 8.0-19.07

    Description:  

    When using a SQL Data Store with the Password Format set to Hashed or Encrypted, the following error is seen:

    [Screenshot: mceclip0.png]

    Additionally the realm logs will contain the following error:

    Hashed or Encrypted passwords are not supported with auto-generated keys

     

    Cause:  

    By default, IdP realms are configured to AutoGenerate Validation and Decryption Keys.

    [Screenshot: mceclip1.png]

    This means that IIS automatically generates new encryption keys each time the worker process starts. That is unworkable when the keys are used to encrypt or hash passwords in the data store, because the same password will never evaluate the same way twice. It also means that multiple realms using the same data store will have different decryption keys. Such a configuration is therefore prevented.

     

    Resolution:  

    Set static keys in the Post Auth tab | Machine Key section, by clicking on "Generate New Keys".
    Then save the realm.

    If multiple realms are using the same data store, copy the Validation Key and Decryption Key values to those realms.
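
One way to check a set of realms for both conditions described above (auto-generated keys, and static keys that differ between realms sharing a data store). This is an added example, not SecureAuth code. It assumes the Machine Key settings are stored in the standard ASP.NET `<machineKey>` element of each realm's web.config; the realm names and key values are constructed.

```python
import xml.etree.ElementTree as ET

ASPNET_DEFAULT = "AutoGenerate,IsolateApps"  # ASP.NET default when the attribute is absent

def make_cfg(vk=None, dk=None):
    """Build a constructed web.config for one realm (sample data, not a real appliance file)."""
    pairs = (("validationKey", vk), ("decryptionKey", dk))
    attrs = "".join(f' {n}="{v}"' for n, v in pairs if v)
    return f"<configuration><system.web><machineKey{attrs} /></system.web></configuration>"

# Constructed keys; real values come from "Generate New Keys" and should never be logged.
KEY_1 = ("AB" * 64, "CD" * 32)
KEY_2 = ("12" * 64, "34" * 32)

SAMPLE_REALMS = {  # hypothetical realms that all point at the same SQL data store
    "RealmA": make_cfg(*KEY_1),
    "RealmB": make_cfg(),        # nothing set: falls back to auto-generated keys
    "RealmC": make_cfg(*KEY_2),  # static, but not the keys RealmA uses
}

def machine_key_state(web_config_xml):
    """Return (is_static, validation_key, decryption_key) for one realm's config."""
    node = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    vk = node.get("validationKey", ASPNET_DEFAULT) if node is not None else ASPNET_DEFAULT
    dk = node.get("decryptionKey", ASPNET_DEFAULT) if node is not None else ASPNET_DEFAULT
    is_static = not any(k.strip().upper().startswith("AUTOGENERATE") for k in (vk, dk))
    return is_static, vk.upper(), dk.upper()

def audit_shared_store(realms):
    """List problems that break Hashed/Encrypted passwords in a shared data store."""
    findings, static = [], {}
    for name in sorted(realms):
        is_static, vk, dk = machine_key_state(realms[name])
        if is_static:
            static.setdefault((vk, dk), []).append(name)  # group realms by key pair
        else:
            findings.append(f"{name}: auto-generated machine key")
    if len(static) > 1:  # more than one distinct static key pair in use
        groups = " vs ".join(",".join(names) for names in static.values())
        findings.append(f"static keys differ: {groups}")
    return findings

if __name__ == "__main__":
    for line in audit_shared_store(SAMPLE_REALMS):
        print(line)
```

The findings name only the realms, never the key values, so the output is safe to paste into a ticket.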

     

      

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
