We have a couple of ASP.NET WebForms applications that use the ADAM Membership provider, one of which includes the ChangePassword control. The control has started to fail every password change:
Password incorrect or New Password invalid.
New Password length minimum: 6.
Non-alphanumeric characters required: 0.
We can still successfully reset passwords on the ADAM instance, and the logins still authenticate in the applications. There are no exceptions thrown, and no errors in EventViewer.
Here is the provider section of the Web.config:
<membership defaultProvider="ADAMMembershipProvider">
<providers>
<clear/>
<add name="ADAMMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="MembershipConnectionString"
connectionProtection="None"
connectionUsername="[the username]"
connectionPassword="[the password]"
enableSearchMethods="true"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
maxInvalidPasswordAttempts="3"
passwordAttemptWindow="5"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"/>
</providers>
</membership>
The problem is that ADAM does not allow passwords to be changed over insecure connections by default. There are couple ways around this problem:
Setting your connectionProtection property to "Secure" and having the necessary SSL certificates in place.
or
Using dsmgmt and changing the "Ds Behavior" to "Allow passed op on unsecured connection".
Related
I have an app that I'm trying to implement the following, but can't seem to figure out how:
User signs up, but the system creates its own temporary password for them
Admin approves user and as part of that approval, the user gets sent a temporary username/password.
The problem is that I can't set the MembershipProvider to enable password retrieval as that seems to disable certficate authentication. I do have passwordReset enabled, but when I try to use it in step 2 (trying to create a new password so I can have it in plaintext to email it to the user), it throws an error:
General Error: System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentNullException: Value cannot be null.
Parameter name: passwordAnswer
Is there any way around this?
Here's a code snippet of the relevant code:
MembershipUser mu = Membership.GetUser(Session["UserId"], false);
string password = mu.ResetPassword();
The password is null because nothing got entered. In your code, just use an if:
if (passwordAnswer==null){
//do stuff here
}
While you can write anything there, I recommend, maybe:
if (passwordAnswer==null){
passwordAnswer=" ";//just a space
}
If you want it to be a generated password, research on generating random alphanumeric strings.
I was able to circumvent this issue by adding requiresQuestionAndAnswer="false" to the membership provider in my web.config:
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
requiresUniqueEmail="true"
connectionStringName="DB"
applicationName="Acme"
maxInvalidPasswordAttempts="3"
requiresQuestionAndAnswer="false"
enablePasswordReset="true"
minRequiredPasswordLength="15"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="3"
passwordFormat="Hashed" />
</providers>
</membership>
I want use custom membership and custom role providers. I have this classes:
public class CustomRoleProvider : RoleProvider
{
//override methods
}
public class CustomMembershipProvider : MembershipProvider
{
//override methods
}
I want set web.config, Is correct this code?
<membership defaultProvider="CustomMembershipProvider">
<providers>
<clear />
<add name="CustomMembershipProvider" type="Login1.Code.CustomMembershipProvider, Login1, Version=1.0.0.0, Culture=neutral" connectionStringName="LoginDB1Entities" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="CustomRoleProvider">
<providers>
<clear />
<add name="CustomRoleProvider" type="Login1.Code.CustomRoleProvider" connectionStringName="LoginDB1Entities" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" writeExceptionsToEventLog="false" />
</providers>
</roleManager>
Because when I go to the ASP.NET Configuration, and Security tab, but get this message:
There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.
The following message may help in diagnosing the problem: The method or operation is not implemented.
Issue here seems to be originating from your connectionStringName property.
make sure you define/add the connection string in your Web.config's <connectionStrings> section
<connectionStrings>
<add name="LoginDB1Entities" ... />
</connectionStrings>
Also, if you ahve added already as above, then make sure you are using the correct settings.
First check where exactly your database is? Find out which instance of the SQL Server is the database of your application using. Modify the connection string to point to that instance.
The method or operation is not implemented
This is the message get if you throw NotImplementedException without any arguments.
The most obvious reason is that one of your custom providers has not implemented one of the expected methods. If you can get a stack trace, you'll see which one.
UPDATE in response to comment:
my custom membership is working in site
The membership and role providers contain methods for two purposes:
Methods needed at runtime for authentication (MembershipProvider) and authorization (RoleProvider). For example, at runtime a RoleProvider only uses the methods IsUserInRole and GetRolesForUser.
Methods needed to manage users (MembershipProvider), and roles / role membership (RoleProvider). These methods are needed if you want to manage your provider's data store using the ASP.NET Configuration and Security tab.
It's perfectly valid to create a provider that only provides the runtime functionality - a so-called "readonly" provider, in which case you'll have to provide some other outside mechanism for managing the provider's data store. For example, WindowsTokenRoleProvider is a readonly provider. But if you do this, you won't be able to manage your provider store using the ASP.NET Configuration and Security tab.
It appears you have failed to implement one or more of the management methods, and instead are throwing NotImplementedException.
Incidentally, NotImplementedException is not the best exception to throw for unsupported methods in a readonly provider. It should only normally used to indicate a method has not yet been implemented in a version under development.
If you don't ever intend to implement the method, it's better to throw NotSupportedException - or in the case of a provider, perhaps a ProviderException.
I am working on an ASP.NET 4.0 C# project. The CreateUserWizard is working fine, but the login controls I built are always showing this message:
Your login attempt was not successful. Please try again.
This started happening after I changed the membership and connection string settings in machine.config to experiment, which I changed to default later i.e.:
Here's the connection string settings:
<connectionStrings>
<add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient"/>
</connectionStrings>
And here is the membership section:
<membership>
<providers>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
</providers>
</membership>
Also, I have changed my default database to store my websites data to login controls default data i.e. ASPNEDB.mdf by writing two lines in every code behind of page
SqlConnection con = new SqlConnection("data source=.\\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true");
SqlCommand cmd = new SqlCommand();
Even when I finish CreateUserWizard1 successfully and redirect to my homepage.aspx, where I have used default label of asp.net LoginName, the label is showing blank.
And if I manually put Label1 and type Label1.Text = HttpContext.Current.User.Identity.Name;, its still not working.
Will you please help me. I have to show this project to my college and not only that but my team will fail due to my EXPERIMENT.
There are several potential issues here:
You changed the machinekey in the web.config. If so, change it back. If you can't change it back then delete all the users in your table and recreate them. You're using a one way hash algorithm that requires the machinekey to hash the entered password for comparison.
You made changes to the connection string. Are you sure the database even has those user records in it? Next, did you happen to delete / recreate the database? If so those users are gone. See #1.
More to the point it's obvious you haven't put everything back like it was.
So, why are you getting login failed? Potential options are:
The database being accessed isn't the one you think it is.
The user truly doesn't exist in the database its looking at.
The user does exist but the password you are providing isn't the correct one.
The user exists and the password is correct, but the machinekey has changed and therefore the system can't hash it correctly.
Basically it's probably time to start over by clearing out your database and adding users into it again.
So we have been using the same login gode to connect to various domains in asp.net, with and without MVC. The code works.
We have a new server, first one to run server 2008 r2, set up with a directory structure similar to one of the ones that has been working.
Using forms authentication, I set up in the web.config
<add name="ADConnectionString" connectionString="LDAP://10.1.XXX.XXX"/>
and
<!--<authentication mode="Windows" />-->
<membership defaultProvider="MyADMembershipProvider" >
<providers >
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="XXXX\Brown.Eric"
connectionPassword="XXXX"
connectionProtection="None"
/>
</providers>
</membership>
It connects to build the membership provider just fine, but when I tryto use the exact same username and password to login on the forms login page (the stock asp.net stuff) it fails to login.
same user, same password that's being used to connect with the membership provider.
If I change the password in the web.config, I get an error that it's incorrect, so I know that the membership provider is getting connected with those credentials.
What I can't figure out is why can't I use the same credentials to login?
I've checked:
The user is not locked.
the user is not set to change password on next logon.
The user is not expired.
Any help or hints are apprecaited.
Thanks,
Cal-
Figured it out, had indavertantly removed the use SAM Account setting from the above
config, and it was wanting me to use userPrincipalName instead.
Switched it back to sam and all worked as expected.
Cal-
I'm having some trouble with the ASP.NET 2.0 Login Control.
I've setup a database with the aspI.net regsql tool.
I've checked the application name. It is set to "/".
The application can access the SQL Server. In fact, when I go to retrieve the password, it will even send me the password. Despite this, the login control continues to reject logins.
I added this to the web.config:
<membership defaultProvider="AspNetSqlProvider">
<providers>
<clear/>
<add name="AspNetSqlProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
And I added the following to my connection strings:
<remove name="LocalSqlServer" />
<add name="LocalSqlServer" connectionString="Data Source=IDC-4\EXCALIBUR;Initial Catalog=allied_nr;Integrated Security=True;Asynchronous Processing=True"/>
(Note the "remove name" is to get rid of the default connection string in the App_Data directory.)
Why won't the login control authenticate users?
It sounds like you are storing your passwords in plain text, but the default password storage format of SqlMembershipProvider is "Hashed." You would never be able to retrieve a user's password from the database if it is stored as hashed.
A great set of articles about the Memebership Provider was written on the 4 Guys From Rolla site. Check it out, as I think it will help!
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
From Part 4 of the series:
"In the Membership system, there are multiple scenarios by which a user's credentials can be invalid:
The username supplied might not exist in the membership directory
The username may exist, but the supplied password might be incorrect
The username and password may be correct, but:
The user may not yet be approved
The user may be locked out; this can happen if the user attempts to login with an invalid password for a specified number of tries (five, by default)
Unfortunately, the ValidateUser(userName, password) method just returns False if the credentials are invalid, and does not include information as to why, exactly, the credentials are invalid"