The About screen provides an overview of the current AspNetSqlMembershipProvider
settings as well as a summary of limitations imposed as a result of those settings.
If you have not created a membership provider settings section in the web.config
for your application, then the default membership provider settings which are defined
in machine.config, and also most restrictive, will be in use.
The Membership Provider Configuration section provides a summary
of the effective configuration settings which affect your web application.
As illustrated,
The provider is "SQL membership provider", which corresponds to the description
of the default provider AspNetSqlMembershipProvider.
EnablePasswordReset is true by default, which enables
the Membership.Provider.ResetPassword method. Note that ResetPassword requires
a passwordAnswer by default.
The EnablePasswordRetrieval setting is false, by default,
and cannot be set to true if the passwordFormat is Hashed.
MaxInvalidPasswordAttempts defaults to five (5) which means that
five unsuccessful login attempts will cause the account to be disabled for a period
defined by the PasswordAttemptWindow (see below.)
MinRequiredNonAlphaNumericCharacters causes the provider to reject
passwords that do not contain a certain number of non-alpha characters (numbers,
symbols, etc.) By default, passwords must contain at least one non-alpha character.
Note: If you use the Asp.Net CreateUserWizard to allow for self-service account
creation, please be aware that it displays an error message "please use a different
password" which does not really inform the user that alpha-numeric characters
are required. This message can be adjusted within the control, itself.
MinRequiredPasswordLength causes the provider to reject passwords
that are not of at least a particular length. By default, passwords must be at least
seven (7) characters in length.
PasswordAttemptWindow is the number of minutes which must pass
before a user attempts to log in again after being locked out for too many invalid
password attempts. The default is ten (10) minutes. Here again, the Membership
Manager control is very handy since it allows a Customer Service Representative
to manually unlock a member's password without having to wait the ten minutes.
The default passwordFormat is Hashed (1) which is the
most secure but prevents password retrieval. Other passwordFormats are Clear
(0) and Encrypted (2).
PasswordStrengthRegularExpression is a string that can contain
a regularExpression which defines a required pattern for new passwords.
You might use this, for example to require that the third and eighth characters
are a particular character such as "xx-xxxx-xx". By default, PasswordStrengthRegularExpression
is blank, which means that any pattern may be used.
The requiresQuestionAndAnswer setting is true, by default, which
means that provider methods for resetting or retrieving passwords require that a
non-blank and valid passwordAnswer is provided. Note that the Membership
Manager Control can get around this limitation if the passwordFormat
of a specific membership record is clear. In this particular case, the
password can be retrieved directly from the underlying database instead of through
the provider methods.
RequiresUniqueEmail is false by default and is used to
specify whether the AspNetSqlMembershipProvider will allow more
than one membership account to utilize the same Email address. The username
rather than the e-mail address is considered the primary key for the membership
system.
RoleManager Enabled is actually not a setting for the AspNetSqlMembershipProvider,
rather it is a setting for the roleManager section which defines
how role management is implemented. The AspNetSqlRoleProvider is
the default role provider but, by default, it is disabled. The Membership
Manager Control is initially configured for use only by members of the Administrator
role and if role managment is disabled, the control simply won't work. This is done
intentionally to require that you either implement roles or that you consciously
clear the control's membershiprole property (perhaps you are implementing
the control in a related but secure web site.)
Finally, it is not possible to change the passwordFormat to Encrypted
unless a MachineKey section is defined in web.config. The machineKey
section is separate from the membership section but is also specified
in the application's web.config file under system.web.
Membership Manager Capabilities
While the Membership Manager Control can provide much of the functionality of
AspNetSqlMembershipProvider in a convenient control panel, it is not
intended to circumvent the Microsoft's security model. Apart from a few calls directly
into the AspNet membership and user tables to retrieve data which is already available,
the control is completely dependent on the underlying AspNetSqlMembershipProvider
for most of its own functionality.
Several value-added capabilities, such as the ability for an administrator to reset
a member's password to a known value, are delivered through a combination of calls
to existing provider methods but still require that provider settings allow use
of the methods.
As illustrated, the capabilities section summarizes the limitations of the Membership
Manager Control based on the settings in web.config. Even with the default (most
restrictive) settings, the control may still be used to look up, unlock and add
comments for members. To administratively reset passwords, however, a provider
section must be defined in web.config with less restrictive settings.