This articles details breaking changes and workarounds for customers upgrading from older versions of InstantKB to the InstantKB 2016-1 release.
InstantKB 2015-2 to 2016-1
If your upgrading from InstantKB 2015-X to InstantKB 2016 or InstantKB 2016-1 you will need to ensure the InstantASP_CryptographyMethod within the InstantKB 2016 web.config is set to use AES encryption as shown below. This was the default encryption used for sensitive data such as user passwords stored within your InstantKB 2015 database.
<add key="InstantASP_CryptographyMethod" value="AES"/>
If your upgrading from InstantKB 2015-2 to InstantKB 2016-1 and continue to use AES encryption you don't need to add the pepper as discussed below. The pepper discussed below only applies to customers upgrading from InstantKB 2016 to InstantKB 2016-1.
InstantKB 2016 to 2016-1
With InstantKB 2016 we switched to using a one way SHA512 salted hash for user passwords. With InstantKB 2016-1 for an additional layer of security we also introduced a new global pepper that is combined with each unique user salt before generating password hashes.
If your upgrading from InstantKB 2016 to InstantKB 2016-1 you will need to ensure the new InstantASP_CryptographyHashPepper application setting within the web.config is removed or set to 0 to the pepper is not applied to passwords previously hashed in InstantKB 2016. For example...
<add key="InstantASP_CryptographyHashPepper" value="0"/>
Making these changes will ensure you can continue to login after upgrading from either InstantKB 2015-X or InstantKB 2016 to the newer InstantKB 2016-1 release.
As always if we can assist with any additional questions or upgrade concerns please don't hesitate to submit a support request.