SHA512 Forms Authentication in SharePoint 2010

I was recently working through an issue in which I needed to setup the SQL Membership provider to use SHA512 as the hashing algorithm, instead of the default SHA1.  For a normal ASP.Net application, you would set the hashAlgorithmType in the web.config for the application.  For SharePoint 2010, you need to set the attribute on the web.config for the Security Token Service.  By default, this config file is located in the following directory:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken

If you make the change in the Web Application, instead of the Security Token Service, you’ll get the following entry in the ULS logs when you try to logon :

05/17/2011 17:43:19.96 w3wp.exe (0x189C)
SharePoint Foundation
Claims Authentication
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext

Some items to be aware of if you’re making this type of change :

  • There is only one Security Token Service per farm.  This would mean that you can only have one hashAlgorithmType setting per farm.  If you need to have multiple web apps with multiple hash algorithms, you’ll end up building a custom membership provider.
  • Depending on your membership provider, if you try to logon too many times, you’ll get a locked out account. Now you’re troubleshooting your provider configuration along with a locked out account.

If you’re looking for some walkthroughs on setting up forms authentication in SharePoint 2010, Mirjam van Olst has some very good blogs on setting up both SQL and LDAP providers :