CHAPTER 27 Using ASP.NET Membership

WARNING
Make sure that you change the value of the decryptionKey attribute before using the web configuration file in Listing 27.19. You can generate a new decryptionKey with the GenerateKeys.aspx page described in the "Using Forms Authentication Across Applications" section, earlier in this chapter.

Modifying User Password Requirements

By default, passwords are required to contain at least 7 characters and 1 nonalphanumeric character (a character that is not a letter or a number, such as *, _, or !). You can set three Membership provider attributes that determine password policy:

- minRequiredPasswordLength—The minimum required password length. (The default value is 7.)
- minRequiredNonalphanumericCharacters—The minimum number of nonalphanumeric characters. (The default value is 1.)
- passwordStrengthRegularExpression—The regular expression pattern that a valid password must match. (The default value is an empty string.)

The minRequiredNonalphanumericCharacters attribute confuses everyone. Website users are not familiar with the requirement that they must enter a nonalphanumeric character. The web configuration file in Listing 27.20 illustrates how you can disable this requirement when using the SqlMembershipProvider.

LISTING 27.20 Web.Config

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyProvider">
      <providers>
        <add
          name="MyProvider"
          type="System.Web.Security.SqlMembershipProvider"
          minRequiredNonalphanumericCharacters="0"
          connectionStringName="LocalSqlServer"/>
      </providers>
    </membership>
  </system.web>
</configuration>

Locking Out Bad Users

By default, if you enter a bad password more than five times within 10 minutes, your account is automatically locked out. In other words, it is disabled.
Also, if you enter the wrong answer for the password answer more than five times in a 10-minute interval, your account is locked out. You get five attempts at your password and five attempts at your password answer. (These two things are tracked independently.)

Two configuration settings control when an account gets locked out:

- maxInvalidPasswordAttempts—The maximum number of bad passwords or bad password answers that you are allowed to enter. (The default value is 5.)
- passwordAttemptWindow—The time interval in minutes in which entering bad passwords or bad password answers results in being locked out.

For example, the web configuration file in Listing 27.21 modifies the default settings to enable you to enter a maximum of three bad passwords or bad password answers in 1 hour.

LISTING 27.21 Web.Config

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyProvider">
      <providers>
        <add
          name="MyProvider"
          type="System.Web.Security.SqlMembershipProvider"
          maxInvalidPasswordAttempts="3"
          passwordAttemptWindow="60"
          connectionStringName="LocalSqlServer"/>
      </providers>
    </membership>
  </system.web>
</configuration>

After a user has been locked out, you must call the MembershipUser.UnlockUser() method to reenable the user account. The page in Listing 27.22 enables you to enter a username and remove a lock (see Figure 27.6).

FIGURE 27.6 Removing a user lock.
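To make the password-policy attributes of Listing 27.20 and the lockout attributes of Listing 27.21 concrete, here is an added Python model of their behaviour (example code, not from the book or from ASP.NET itself). Time is passed in as minutes rather than read from a clock, and the rule that a failure after the window has expired starts a fresh window is an assumption, not something the page states.

```python
import re

# Added example, not from the book: models the password-policy and lockout attributes
# described above. Defaults match the page (7 chars, 1 nonalphanumeric, 5 tries/10 min).
class PasswordPolicy:
    def __init__(self, min_length=7, min_non_alnum=1, strength_regex=""):
        self.min_length = min_length
        self.min_non_alnum = min_non_alnum
        # .NET and Python regex dialects differ slightly; simple patterns port as-is
        self.strength_regex = re.compile(strength_regex) if strength_regex else None

    def violations(self, password):
        """Return the list of policy rules the password fails (empty = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append("too short")
        # Nonalphanumeric as the page defines it: not a letter and not a digit
        if sum(1 for ch in password if not ch.isalnum()) < self.min_non_alnum:
            problems.append("not enough nonalphanumeric characters")
        if self.strength_regex and not self.strength_regex.search(password):
            problems.append("does not match passwordStrengthRegularExpression")
        return problems

class LockoutTracker:
    """Models maxInvalidPasswordAttempts / passwordAttemptWindow for one user.
    Password and password-answer failures are counted separately (as the page
    states). Assumption: a failure after the window expires starts a new window."""
    def __init__(self, max_attempts=5, window_minutes=10):
        self.max_attempts = max_attempts
        self.window_minutes = window_minutes
        self.locked = False
        self._counters = {"password": (0, None), "answer": (0, None)}

    def record_failure(self, kind, now_minutes):
        """Record one bad password or answer at time now_minutes; True if now locked out."""
        count, window_start = self._counters[kind]
        if window_start is None or now_minutes - window_start > self.window_minutes:
            count, window_start = 0, now_minutes
        count += 1
        self._counters[kind] = (count, window_start)
        if count >= self.max_attempts:
            self.locked = True
        return self.locked

    def unlock(self):
        """Mirrors MembershipUser.UnlockUser(): clear the lock and the counters."""
        self.locked = False
        self._counters = {"password": (0, None), "answer": (0, None)}
```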
LISTING 27.22 RemoveLock.aspx

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

  protected void btnRemove_Click(object sender, EventArgs e)
  {
    // GetUser() returns null when no account with that name exists
    MembershipUser userToUnlock = Membership.GetUser(txtUserName.Text);
    if (userToUnlock == null)
    {
      lblMessage.Text = "User not found!";
    }
    else
    {
      // Clear the lockout so the account can sign in again
      userToUnlock.UnlockUser();
      lblMessage.Text = "Lock removed!";
    }
  }

</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
  <title>Remove Lock</title>
</head>
<body>
  <form id="form1" runat="server">
  <div>

  <asp:Label
    id="lblUserName"
    Text="User Name:"
    AssociatedControlID="txtUserName"
    Runat="server" />
  <asp:TextBox
    id="txtUserName"
    Runat="server" />
  <asp:Button
    id="btnRemove"
    Text="Remove Lock"
    Runat="server" OnClick="btnRemove_Click" />
  <br />
  <asp:Label
    id="lblMessage"
    EnableViewState="false"
    Runat="server" />

  </div>
  </form>
</body>
</html>

Configuring the SQLMembershipProvider

The SqlMembershipProvider is the default Membership provider. Unless otherwise configured, it stores membership information in the local ASPNETDB.mdf Microsoft SQL Server Express database located in your application's App_Data folder. This database is created for you automatically the first time that you use Membership.

If you want to store membership information in some other Microsoft SQL Server database, you need to perform the following two tasks:

- Add the necessary database objects to the Microsoft SQL Server database.
- Configure your application to use the new database.

To complete the first task, you can use the aspnet_regsql command-line tool. This tool is located in the following folder:

\Windows\Microsoft.NET\Framework\v4.0.30319

FIGURE 27.7 Using the ASP.NET SQL Setup Wizard.
NOTE
If you open the Visual Studio Command Prompt, you don't need to navigate to the Microsoft.NET folder before using the aspnet_regsql tool because that tool is already in the path.

If you execute the aspnet_regsql tool without supplying any parameters, the ASP.NET SQL Server Setup Wizard appears (see Figure 27.7). You can use this wizard to select a database and install the Membership objects automatically.

If you prefer, rather than use the aspnet_regsql tool, you can execute the following two SQL batch files to install Membership:

\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallCommon.sql
\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallMembership.sql

If you don't want to install .NET Framework on your database server, you can execute these SQL batch files.

After you have configured your database to support ASP.NET Membership, you must configure your application to connect to your database when using Membership. The web configuration file in Listing 27.23 connects to a database named MyDatabase located on a server named MyServer.

LISTING 27.23 Web.Config

<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add
      name="MyConnection"
      connectionString="Data Source=MyServer;Integrated Security=True;Initial Catalog=MyDatabase"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembershipProvider" >
      <providers>
        <add
          name="MyMembershipProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="MyConnection" />
      </providers>
    </membership>
  </system.web>
</configuration>

In Listing 27.23, a new default Membership provider named MyMembershipProvider is configured. The new Membership provider uses a connection string name that has the value MyConnection. The MyConnection connection string is defined in the connectionStrings element near the top of the configuration file.
This connection string represents a connection to a database named MyDatabase located on a server named MyServer.

Configuring the ActiveDirectoryMembershipProvider

The other Membership provider included in ASP.NET Framework is the ActiveDirectoryMembershipProvider. You can use this provider to store user information in Active Directory or AD LDS (Active Directory Lightweight Directory Services).

AD LDS is a lightweight version of Active Directory. You can download AD LDS from the Microsoft website (www.microsoft.com/adam). AD LDS is compatible with both Windows Vista and Windows 7.

If you want to use ASP.NET Membership with AD LDS, you need to complete the following two steps:

1. Create an AD LDS instance and create the required classes.
2. Configure your application to use the ActiveDirectoryMembershipProvider and connect to the ADAM instance.

FIGURE 27.8 Creating a new AD LDS instance.

The following sections examine each of these steps in turn.

Configuring AD LDS

First, you need to set up a new instance of AD LDS. After downloading and installing AD LDS, follow these steps:

1. Launch the Active Directory Lightweight Directory Services Setup Wizard by selecting Active Directory Lightweight Directory Services Setup Wizard from Control Panel, Administrative Tools (see Figure 27.8).
2. In the Setup Options step, select the option to create a unique instance.
3. In the Instance Name step, enter the name WebUsersInstance.
4. In the Ports step, use the default LDAP and SSL port numbers (389 and 636).
5. In the Application Directory Partition step, create a new directory application partition named O=WebUsersDirectory.
6. In the File Locations step, use the default data file locations.
7. In the Service Account Selection step, select Network Service Account.
8. In the AD LDS Administrators step, select Currently Logged on User for the administrator account.
9. In the Importing LDIF Files step, select MS-AZMan.ldf, MS-InetOrgPerson.ldf, MS-User.ldf, MS-UserProxy.ldf.

After you complete the preceding steps, a new AD LDS instance named WebUsersInstance is created.

FIGURE 27.9 Using ADLDS ADSI Edit.

WARNING
If you are using Windows XP, and you don't have an SSL certificate installed, you need to perform an additional configuration step. Otherwise, you receive an error when you attempt to reset a user password. By default, you are not allowed to perform password operations over a non-secured connection to an AD LDS instance. You can disable this requirement by using the dsmgmt.exe tool included with AD LDS. Open the AD LDS Tools Command Prompt and type the following series of commands:

1. Type dsmgmt.
2. Type ds behavior.
3. Type connections.
4. Type connect to server localhost:389.
5. Type quit.
6. Type allow passwd op on unsecured connection.
7. Type quit.

If you don't use an SSL connection, passwords are transmitted in plain text. Don't do this in the case of a production application.

The next step is to configure an AD LDS administrator account. Follow these steps:

1. Open the AD LDS ADSI Edit application from the Control Panel, Administrative Tools (see Figure 27.9).
2. Open the Connection Settings dialog box by selecting Action, Connect To.
3. In the Connection Settings dialog box, select the option to connect to a node by using a distinguished name, and enter the name O=WebUsersDirectory. In the Computer group, choose Select or Type a Domain or Server and enter localhost in the field. Click OK.
4. Expand the new connection and select the O=WebUsersDirectory node.
5. Select Action, New, Object.
6. In the Create Object dialog box, select the organizationalUnit class and name the new class WebUsers.
7. Select the OU=WebUsers node and select Action, New, Object.
8. In the Create Object dialog box, select the user class and name the new class ADLDSAdministrator.
9. Select CN=ADLDSAdministrator and select Action, Reset Password and enter the password secret.
10. Select the CN=Roles node and double-click the CN=Administrators node.
11. Double-click the Member attribute and add the distinguished name for the ADLDSAdministrator ADAM account (CN=ADLDSAdministrator,OU=WebUsers,O=WebUsersDirectory).

After you complete this series of steps, an ADLDSAdministrator account is configured. You need to use this account when connecting to the ADLDS instance from the ActiveDirectoryMembershipProvider.

Configuring the ActiveDirectoryMembershipProvider

The next step is to configure your application to use the ActiveDirectoryMembershipProvider. You can use the web configuration file in Listing 27.24.

LISTING 27.24 Web.Config

<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add
      name="ADLDSConnection"
      connectionString="LDAP://localhost:389/OU=WebUsers,O=WebUsersDirectory"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembershipProvider">
      <providers>
        <add
          name="MyMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider"
          connectionStringName="ADLDSConnection"
          connectionProtection="None"
          connectionUsername="CN=ADLDSAdministrator,OU=WebUsers,O=WebUsersDirectory"
          connectionPassword="secret"
          enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>

The web configuration file in Listing 27.24 configures a new default Membership provider named MyMembershipProvider. This provider is an instance of the ActiveDirectoryMembershipProvider.

Several of the attributes used with the ActiveDirectoryMembershipProvider require additional explanation. The connectionStringName attribute points to the connection string defined in the connectionStrings section.
This connection string connects to a local ADAM instance that listens on port 389.

The connectionProtection attribute is set to the value None. If you don't modify this attribute, you are required to use an SSL connection. If you do use an SSL connection, you need to change the port used in the connection string (typically port 636).

The connectionUsername and connectionPassword attributes use the ADLDSAdministrator account that you configured in the previous section. When you don't use an SSL connection, you must provide both a connectionUsername and connectionPassword attribute.

Finally, notice that the provider declaration includes an enableSearchMethods attribute. If you want to configure users by using the Web Site Administration Tool, you must include this attribute.

The ActiveDirectoryMembershipProvider class supports several attributes specific to working with Active Directory:

- connectionStringName—Enables you to specify the name of the connection to the Active Directory Server in the connectionStrings section.
- connectionUsername—Enables you to specify the Active Directory account used to connect to Active Directory.
- connectionPassword—Enables you to specify the Active Directory password used to connect to Active Directory.
- connectionProtection—Enables you to specify whether or not the connection is encrypted. Possible values are None and Secure.
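Because the settings discussed in this chapter (a disabled nonalphanumeric requirement, a connectionProtection of None, a clear-text connectionPassword) all live in Web.config, a quick audit of that file catches them before deployment. The following Python script is an added example, not code from the book or from ASP.NET; the embedded Web.config is constructed for the example and its password value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Added example, not from the book: flags Membership provider settings weaker than the
# defaults described above. The sample Web.config is constructed; the password is a placeholder.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembershipProvider">
      <providers>
        <add name="MyMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             connectionStringName="ADLDSConnection"
             connectionProtection="None"
             connectionUsername="CN=ADLDSAdministrator,OU=WebUsers,O=WebUsersDirectory"
             connectionPassword="PLACEHOLDER"
             minRequiredNonalphanumericCharacters="0"
             maxInvalidPasswordAttempts="3"
             passwordAttemptWindow="60" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

def audit_membership(config_xml):
    """Return (provider name, finding) pairs for each weak or risky provider setting."""
    findings = []
    root = ET.fromstring(config_xml)
    # Every <add> whose type is a Membership provider, wherever it sits in the file
    for add in root.iter("add"):
        a = add.attrib
        if "MembershipProvider" not in a.get("type", ""):
            continue
        name = a.get("name", "?")
        # Page defaults: 7 characters, 1 nonalphanumeric character, 5 attempts per window
        if int(a.get("minRequiredPasswordLength", 7)) < 7:
            findings.append((name, "minRequiredPasswordLength below the default of 7"))
        if int(a.get("minRequiredNonalphanumericCharacters", 1)) < 1:
            findings.append((name, "nonalphanumeric character requirement disabled"))
        if int(a.get("maxInvalidPasswordAttempts", 5)) > 5:
            findings.append((name, "maxInvalidPasswordAttempts above the default of 5"))
        if a["type"].endswith("ActiveDirectoryMembershipProvider"):
            # Default is Secure (SSL); None sends bind credentials and password operations in the clear
            if a.get("connectionProtection", "Secure") == "None":
                findings.append((name, "connectionProtection=None: LDAP traffic is unencrypted"))
            if "connectionPassword" in a:
                findings.append((name, "connectionPassword stored in clear text in Web.config"))
    return findings
```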