ASP.NET 2.0 Membership and Roles Tutorial Series

Scott Mitchell has continued the great ASP.NET 2.0 Membership, Roles and Profile Tutorial series he started a few months back, and has now posted parts 3 and 4 on it.  You can read the series here:

Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 1)

Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 2)

Examining ASP.NET 2.0's Membership, Roles and Profile (Part 3)

Examining ASP.NET 2.0's Membership, Roles and Profile (Part 4)


In part 4 he discusses the Membership API's support for locking out users, as well as temporarily disabling accounts after too many failed login attempts.  Specifically, you can configure ASP.NET to automatically disable an account after a specified number of failed login attempts (to avoid password dictionary remote hack attempts).  You can then use the "UnlockUser()" method on the MembershipUser class to re-enable an account.  I've seen several questions recently from people wondering how to-do this -- so it is great to see him cover it here.


One other question I see asked a lot on the forums is how someone can build their own custom admin pages for managing Membership and Roles information for their site.  Peter Kellner wrote two great articles for MSDN that walkthrough how to build something like this (even using a GridView + ObjectDataSource to bind against the users in the database).  You can check them out here:


Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 1: Security and Configuration Overview

Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 2: Implementation


For more information on ASP.NET 2.0 Security Topics, please checkout (and potentially bookmark) this blog post of mine here.  I'm trying to link off to good security resources + samples I find on the web with it, and make it a one-stop place people can go to find good security related information.


Hope this helps,





  • Hello Scott!

    It was interesting to study all your video examples and examples from Mitchell and Kellner about implementation security controls into applications.

    Is any example or video about "How to create your own membership provider?". I wish to do new one different form: SqlMembershipProvider or ActiveDirectoryMembershipProvider.

    Sincerely, LukCAD

  • Regarding admin screens, the download available at Part 4 of my article series includes some fairly basic Admin screens for viewing the users in the system along with their Lock Out / Inactive / administrative role status, with the ability to easily toggle the inactive / locked out / administrative role status.

  • Scott, you have saved my life! I have a looming deadline and didn't have time to spend weeks developing a user account manager - this should do the trick if I can work out some kinks with my hosting service.

    There wouldn't happen to be an email verification component for membership, is there?

  • Hi Scott,

    I have implemented the Membership and Roles services in my new application, do you have any tutorials on hand that can give me hints on how to build an admin section so administrators can easily administers users(delete users, lockout user, edit user roles, etc)

  • Hi Scott,

    I have read the article "Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 2: Implementation" talking about how to implement admin pages for the ASP.NET 2.0 membership enabled website.

    Yet in addition to this I would like to add a search button which filters the username like this:

    protected void SearchButton_Click(object sender, EventArgs e)


    ObjectDataSourceMembershipUser.FilterExpression = "UserName LIKE '%" + SearchTextBox.Text + "%'";


    But I got the error: The data source 'ObjectDataSourceMembershipUser' only supports filtering when the SelectMethod returns a DataSet or a DataTable.

    May you kindly show me how to get around this?


  • why i can not find any video to study. would you like to tell me where i can download from. thanx

  • Hi Charles,

    What you should use instead is the Membership.FindUsersByName("string") method. This will do a filter in the database and be much more efficient.

    Hope this helps,


  • Hi Scott, I'd really appreciate your help, I've read through Scott Mitchell series and your article on "How to add a Login, Roles and Profile system to an ASP.NET 2.0 app in only 24 lines of code", and they really explained a lot to me, but I'm sitting with what seems to be a rather uncommon issue.

    I have a website that uses forms authentication and I've added properties in the web.config to store the users name and business name when they register - that's working perfectly.

    I now have a windows form application that needs to validate the user, and that sends the username and password to a webservice where I call Membership.ValidateUser(username, password) to validate the credentials, and that also works perfectly. (I've specified the membership and profile providers in the web.config and also the same profile properties as I specified on the websites web.config).

    My problem is how can I access the users profile properties from the webservice, I can't seem to  even access the ProfileCommon Class, and when I try access the ProfileBase classes property values they are just empty strings.

    Thanks, I really appreciate it.

  • Hi Andy,

    I think from a web-service you might need to access the Profile object in a late-bound way (so via the late-bound proeperty accessors on the ProfileBase class).

    To get a specific instance of the ProfileBase for a specific user, you can write code like so:

    ProfileBase settings = ProfileBase.Create(userName);

    string business = (string) settings["business"];

    Hope this helps,


  • membership.deleteuser() fails because of FK constraint violations. How can this be, given that its a MS product? I am getting the same error on 2 sql server 2005 instances where I have installed the membership, profiles and roles objects.

  • Hi Robert,

    It is pretty odd that you are seeing a FK constraint violation. If you want to send me an email describing it more (, I can help investigate.



  • Hi,

    How would you handle this scenario with 2.0 membership? I have an application where users can register for the site and then save items. This works fine, though I now need to have an admin side to the system, for the owners to manage the items available. What happens if an admin and a user choose the same username, is there a best practice way to handle this scenario?

  • Hi Kieran,

    If you use the same membership database, then the Membership API will automatically prevent you from re-using the same user-name.

    Hope this helps,


  • Hi Kieran,

    You can't have two users with the same username I''m afraid. One approach you could use, though, is to use Roles to differentiate the users (as opposed to hard-coding a name).

    This tutorial talks about how to use Roles with ASP.NET:

    Hope this helps,


  • Hi Scoot,

    Were you able to provide a solution for Robert’s FK constraint issue? Membership.DeleteUser(newUser.UserName, true); Fails because of FK constraint "FK_aspnet_Me__UserI__15502E78" violations. I see that this constraint references the aspnet_Applications table and the aspnet_Membership table FK references both the aspnet_User and aspnet_Applications tables. At the point where I’m trying to delete the user only these three tables have user data. I assume that the Membership.DeleteUser() method has the logic to handle the FK constraints. Do I need to set something to allow it to handle cascading deletes?

    Thanks for the help.


  • Hello Scott! Your articles are very helpful; however, I still don't know how to add user name and password to aspnet_user table. can any one in this forum point me to the link for this issue? Additionally, I still can not configure my sql server 2005 developer version with 2.
    Thanks for any tip.

  • Hi Peter,

    This post describes how to configure your SQL Server 2005 developer version with the ASP.NET 2.0 tables:

    Hope this helps,


  • Laura was touching the subject earlier. What if you would like the users to verify their e-mail before you let them in. Any advice on how to achieve that?

    /hansi, Sweden

  • Hi Hansi,

    One approach you could use would be to set the IsApproved property on the MembershipUser object to false on a user when you create them in the Membership database. You could then send them an email and have them click a link in it to return to the site. On that page you could then set the IsApproved property to true - which will unlock the user account and enable logins.

    Hope this helps,


  • Could some one direct me to an example that uses "ActiveDirectoryMembershipProvider" in windows authentication ?

Comments have been disabled for this content.