ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources

I usually try to spend at least an hour or two each night hanging out on the ASP.NET Forums answering questions.  The last week or so I’ve been spending a lot of time in the Security Forum answering a lot of “how to” questions about some of the new features in ASP.NET 2.0 (in particular the new ASP.NET 2.0 Membership, Role Management and Login Controls) and pointing people at resources and samples around the web about them.  What I thought I’d try to do with this post is consolidate a lot of pointers to different ASP.NET 2.0 security resources in one place.

 

Getting Started with ASP.NET 2.0 Membership, Roles and Forms Authentication Video

 

If you haven’t watched this great online video yet you absolutely should.  It walks through how to add Forms Authentication (using the <asp:login> control) with a secure Membership credential store + role-based security to a site, then implement pages that enable Registration (using the <asp:createuserwizard> control) + Change Password (using the <asp:changepassword> control) + Reset Password (using the <asp:recoverypassword> control), and then authorize page access and hide menu navigation links using the role groupings of the authenticated user.  The video shows how to do all of this from scratch in only 17 minutes.  You can watch it here.  You can also find other great ASP.NET “how to” videos here.

 

ASP.NET 2.0 Membership and Role Management Overview Articles

 

Here are a few good tutorial articles that provide a good conceptual overview of how the new membership and role management system works. 

 

Scott Mitchell’s: Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 1)

Scott Mitchell’s: Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 2)

Scott Mitchell's: Examining ASP.NET 2.0's Membership, Roles and Profile (Part 3)

Scott Mitchell's: Examining ASP.NET 2.0's Membership, Roles and Profile (Part 4)

Scott Mitchell's: Examining ASP.NET 2.0's Membership, Roles and Profile (Part 5) 

 

MSDN: Explained: Forms Authentication in ASP.NET 2.0

MSDN: Explained: Windows Authentication in ASP.NET 2.0

 

Scott Allen’s: Membership Providers (Part 1)

Scott Allen’s: Role Providers (Part 2)

 

ASP.NET 2.0 Security, Membership and Role Management Book

 

Stefan Schackow is the ASP.NET Team technical expert and feature-owner for a lot of the core sub-systems in ASP.NET, and he owned the security, membership and role management features for ASP.NET 2.0.  He has recently published an awesome book on ASP.NET Security, Membership and Roles that you can buy for $26 on Amazon here. 

 

 

You can read two big recommendations of it from ASP.NET MVPs here: Dave Sussman and Christoph Wille.  I highly recommend getting a copy.

 

Setting up Membership + Roles on a SQL 2000 or SQL 2005 Server

 

By default ASP.NET 2.0 auto-creates and uses a SQL Express database to store Membership, Roles and Profile data.  If you want to instead use a SQL 2000 or SQL 2005 database, you can easily learn how to configure it using this blog post of mine.

 

Don't forget to always set the "applicationName" attribute when configuring ASP.NET Membership, Roles, Profile and other providers.

 

One thing people commonly forget to do when registering membership and other providers is to configure the "applicationName" attribute on the provider declaration.  If it is left out, the provider defaults to the application's virtual path, so logins can stop working when you copy an application to another machine or virtual directory.  This blog post covers this scenario in more detail and how to fix it.

 

Custom Membership and Roles Providers

 

ASP.NET 2.0 ships with built-in SQL Server, SQL Express and Active Directory Membership and Role Providers.  The source code for these built-in providers can now be downloaded from here.

 

The nice thing about the system is that it is entirely extensible, which means you can create and configure your own custom credential/role stores into the system as well (either using the source code from the built-in providers, or just by extending the provider contract). 

 

The ASP.NET Provider Toolkit Site provides tons of content on how to create and build your own providers (including Membership and Role Providers).  It also has a link to a fully functional Membership and Role Provider that works with Access databases.  This article also discusses how to build your own Membership Provider, and can be a useful guide to integrating the membership APIs with your own existing database.

 

Here is a list of other free custom Membership and Roles providers (with complete source code) that I know of on the web:

You can download and configure your application to use any of the above providers.  The beauty of the system is that the Membership, Roles APIs + Login Controls don't change at all. 

 

Storing Custom Properties about a User during Registration

 

One very common question I see asked a lot is how to store custom properties about a new user as they register on the system (for example: zip code, gender, etc.).  The good news is that it is easy to do this with the new ASP.NET Profile System and the built-in <asp:createuserwizard> control. 

 

I have a sample here that shows how to build a registration system for a site with Membership, Login, Registration, Password Recovery, Change Password, Custom Properties and Roles support – all in 24 lines of code.  If you want, you can combine this with the new SQLTableProvider for the Profile system for greater control over your profile database schema.  You can learn about that in my blog post here.

 

Remote Server Administration Tool Management of Membership/Roles

 

The built-in Web Administration Tool with Visual Web Developer and VS 2005 makes it easy to manage the users and roles for a local ASP.NET application. One common question I get asked is how to manage these users/roles against a remote server (for example, an application running at a remote hoster).  This blog post of mine points to two different solutions you can use to enable this.

 

How to Share Forms-Authentication Between ASP.NET V1.1 and ASP.NET V2.0 Apps

 

One common question I’ve seen is whether it is possible to share membership and forms-authentication across multiple applications.  The good news is that this is definitely possible.  Even better, it is possible to do this across V1.1 and V2.0 applications.  This blog post of mine discusses how to do this.

 

How to encrypt connection strings and web.config file settings

 

ASP.NET 2.0 now allows you to encrypt all configuration settings within the web.config file.  This article walks through how to do this easily to secure private data and configuration.

 

Forms Authentication Timeout Change

 

One change between ASP.NET V1.1 and V2.0 was the default timeout value of the forms-auth cookies that are issued.  By default, ASP.NET 2.0 times out authentication cookies after 30 minutes of inactivity by the browser user (requiring the user to log in again on the next visit to the site).  You can learn more about this, and how to change the timeout to your preferred duration, in my blog post here.
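The three configuration points above (a missing "applicationName" on a provider, connection strings left in clear text in web.config, and the forms-auth cookie timeout) are all things you can check mechanically before deploying. The following C# program is an added example written for this post, not code from the original article or from the ASP.NET team: it loads a web.config (a constructed sample is embedded inline) with System.Xml and reports each of those findings. The class and method names are hypothetical; the configuration element and attribute names (applicationName, forms timeout, requireSSL, configProtectionProvider) are the real ASP.NET 2.0 ones.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Hypothetical web.config review helper (added example; not an ASP.NET or Microsoft tool).
public static class WebConfigReview
{
    // Constructed sample config that shows the three problems discussed in the post.
    public const string SampleConfig = @"<?xml version=""1.0""?>
<configuration>
  <connectionStrings>
    <add name=""MembershipDb""
         connectionString=""Server=dbhost;Database=aspnetdb;User Id=webuser;Password=PLACEHOLDER"" />
  </connectionStrings>
  <system.web>
    <authentication mode=""Forms"">
      <forms loginUrl=""Login.aspx"" />
    </authentication>
    <membership defaultProvider=""SqlMembership"">
      <providers>
        <clear />
        <add name=""SqlMembership"" type=""System.Web.Security.SqlMembershipProvider""
             connectionStringName=""MembershipDb"" />
      </providers>
    </membership>
    <roleManager enabled=""true"" defaultProvider=""SqlRoles"">
      <providers>
        <clear />
        <add name=""SqlRoles"" type=""System.Web.Security.SqlRoleProvider""
             connectionStringName=""MembershipDb"" applicationName=""/MyApp"" />
      </providers>
    </roleManager>
  </system.web>
</configuration>";

    public static List<string> Review(string configXml)
    {
        List<string> findings = new List<string>();
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(configXml);

        // 1. applicationName: every membership/roleManager/profile provider should set it,
        //    and they should all agree, or users and roles end up keyed to different apps.
        Dictionary<string, bool> distinctAppNames =
            new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        foreach (string section in new string[] { "membership", "roleManager", "profile" })
        {
            foreach (XmlElement add in doc.SelectNodes("/configuration/system.web/" + section + "/providers/add"))
            {
                string appName = add.GetAttribute("applicationName");   // "" when the attribute is absent
                if (appName.Length == 0)
                    findings.Add(section + " provider '" + add.GetAttribute("name") +
                        "' has no applicationName; it defaults to the site's virtual path and changes when the app is moved");
                else
                    distinctAppNames[appName] = true;
            }
        }
        if (distinctAppNames.Count > 1)
            findings.Add("providers use different applicationName values: " +
                string.Join(", ", new List<string>(distinctAppNames.Keys).ToArray()));

        // 2. Forms authentication cookie settings (timeout defaults to 30 minutes in ASP.NET 2.0).
        XmlElement forms = doc.SelectSingleNode(
            "/configuration/system.web/authentication[@mode='Forms']/forms") as XmlElement;
        if (forms != null)
        {
            if (forms.GetAttribute("timeout").Length == 0)
                findings.Add("forms timeout not set; the cookie expires after the default 30 minutes of inactivity");
            if (!string.Equals(forms.GetAttribute("requireSSL"), "true", StringComparison.OrdinalIgnoreCase))
                findings.Add("forms requireSSL is not true; the authentication cookie may be sent over plain HTTP");
        }

        // 3. connectionStrings in the clear: an encrypted section carries a configProtectionProvider
        //    attribute (aspnet_regiis -pe "connectionStrings" adds it when it encrypts the section).
        XmlElement connStrings = doc.SelectSingleNode("/configuration/connectionStrings") as XmlElement;
        if (connStrings != null && connStrings.GetAttribute("configProtectionProvider").Length == 0)
            findings.Add("connectionStrings section is stored in clear text; encrypt it with aspnet_regiis -pe");

        return findings;
    }

    public static void Main()
    {
        foreach (string finding in Review(SampleConfig))
            Console.WriteLine("- " + finding);
    }
}
```

Run against the embedded sample, Review() reports the membership provider without an applicationName, the missing forms timeout, the missing requireSSL, and the unencrypted connectionStrings section; the role provider passes because it declares applicationName. Pointing it at a real web.config (File.ReadAllText) is the intended use, and the checks are deliberately read-only so the script can be run as part of a deployment review without touching the file.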

 

Great ASP.NET Security Blog

 

Dominick maintains a great Security blog at: http://www.leastprivilege.com that I'd recommend subscribing to.  He continually posts good information on building more secure apps and on how to take advantage of ASP.NET features.

 

Building Secure ASP.NET Applications Guide

 

The Microsoft PAG (Prescriptive Architecture Guidance) Team has published a great book online about ASP.NET Security Best Practices.  It is focused on ASP.NET V1.0 – but the core concepts still apply. You can read it here.  You can also then find some good tutorial scenarios here.

 

Security Guidelines/Recommendations

ASP.NET 2.0 Security How-To Listing

 

MSDN has a priceless set of ASP.NET Security How-To Articles now published.  Below is a listing with links to some of them:

 

ASP.NET 2.0

· How To: Configure the Machine Key in ASP.NET 2.0
· How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
· How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
· How To: Create a Service Account for an ASP.NET 2.0 Application
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
· How To: Instrument ASP.NET 2.0 Applications for Security
· How To: Improve Security When Hosting Multiple Applications in ASP.NET 2.0
· How To: Perform a Security Deployment Review for ASP.NET 2.0
· How To: Prevent Cross-Site Scripting in ASP.NET
· How To: Protect Forms Authentication in ASP.NET 2.0
· How To: Protect From Injection Attacks in ASP.NET
· How To: Protect From SQL Injection in ASP.NET
· How To: Use ADAM for Roles in ASP.NET 2.0
· How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
· How To: Use Code Access Security in ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
· How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
· How To: Use Health Monitoring in ASP.NET 2.0
· How To: Use Impersonation and Delegation in ASP.NET 2.0
· How To: Use Medium Trust in ASP.NET 2.0
· How To: Use Membership in ASP.NET 2.0
· How To: Use the Network Service Account to Access Resources in ASP.NET
· How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
· How To: Use Regular Expressions to Constrain Input in ASP.NET
· How To: Use Role Manager in ASP.NET 2.0
· How To: Use Windows Authentication in ASP.NET 2.0

Authentication and Authorization

· How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
· How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
· How To: Create GenericPrincipal Objects with Forms Authentication
· How To: Protect Forms Authentication in ASP.NET 2.0
· How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory
· How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
· How To: Use Forms Authentication with SQL Server 2000
· How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
· How To: Use Windows Authentication in ASP.NET 2.0

Code Access Security

· How To: Create a Custom Encryption Permission
· How To: Use Code Access Security in ASP.NET 2.0
· How To: Use Code Access Security Policy to Constrain an Assembly

Code Review

· How To: Perform a Security Code Review for Managed Code (Baseline Activity)

Communications Security

· How To: Call a Web Service Using Client Certificates from ASP.NET
· How To: Call a Web Service Using SSL
· How To: Set Up SSL on a Web Server
· How To: Set Up Client Certificates
· How To: Use IPSec for Filtering Ports and Authentication
· How To: Use IPSec to Provide Secure Communication Between Two Servers
· How To: Use SSL to Secure Communication with SQL Server 2000

Configuration

· How To: Create a Custom Account To Run ASP.NET
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA

Cryptography

· How To: Create a DPAPI Library
· How To: Create an Encryption Library
· How To: Store an Encrypted Connection String in the Registry
· How To: Use DPAPI (Machine Store) from ASP.NET
· How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services

Deployment Review

· How To: Perform a Security Deployment Review for ASP.NET 2.0

Impersonation and Delegation

· How To: Implement Kerberos Delegation for Windows 2000
· How To: Use Impersonation and Delegation in ASP.NET 2.0

Input and Data Validation

· How To: Prevent Cross-Site Scripting in ASP.NET
· How To: Protect From Injection Attacks in ASP.NET
· How To: Protect From SQL Injection in ASP.NET
· How To: Use Regular Expressions to Constrain Input in ASP.NET

Patching and Updating

· How To: Implement Patch Management

SQL Server 2000

· How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
· How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
· How To: Protect From SQL Injection in ASP.NET
· How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
· How To: Use SSL to Secure Communication with SQL Server 2000

Threat Modeling

· How To: Create a Threat Model for a Web Application at Design Time

 

Hope this helps,

 

Scott

84 Comments

  • Yet another excellent post. Lots of valuable info to go through.

  • Scott, your continued and dedicated presence at the ASP.NET Forums has made a huge positive impact there. Thanks!! And thank you for your frequent and highly informative blog posts as well. They are really helping a lot of people come up to speed on ASP.NET 2.0.

  • I am speech-less,

    You are the man.


  • Hi Scott, you have an excellent blog. It is very useful for me. I hope you continue with this work.



    The best wishes for you from Peru :D



    Sorry for my poor English.

  • Thanks for your fabulous contributions!

  • Someone on some other site said they think Microsoft has an entire department named "Scott Gu". I concur!

  • If possible kindly post such detailed blogs on Profiles also. A detailed blog on "TableProfileProvider" is most welcomed.

  • Our application doesn't fall neatly into the Membership/Roles model because Roles and the Rights assigned to them are user configurable. We looked into extending the Membership model all the way to Membership/Roles/Rights, but we couldn't find enough information. Any pointers.



    For example, instead of User.IsInRole("Managers"), we want User.CanDo("EditUsers"), where "EditUsers" can be defined on any one of the Roles that the User is assigned to.



    Thanks!

  • Sweet, Thanks!

  • Hi Scott,

    Fantastic set of resources, thank you very much!

    I’ve already written a couple of custom Membership and Role providers to provide facades for older databases in newer web apps, and found the process pretty painless and sensible. What I'm looking for is guidance on what's sort of the inverse of this process - how best to write new database-driven apps that sit as "team players" in the provider-model world... I haven’t read through all of these resources yet, so there might be a pointer to my questions somewhere in there, but here's what's been going through my head recently:



    Suppose I want my customers to be able to build web apps with my "Product X". Maybe Product X is even an instance of a Provider itself; let us call it CustomComplexBusinessLogicProvider or something. I want my customers to be able to use whatever Membership, Role or any other providers they like, so the product can be as flexible in deployment as possible. Some customers might want to use their existing Active Directory so they don't have to manage multiple user sets, others might want a standalone web app that could just use the SqlMembershipProvider.



    In an old fashioned monolithic app I’d have a "Users" table in my database, and lots of other tables would have foreign keys for users - any complex app is going to have lots of relationships between users of the system and other entities. But in the provider world, my users and roles live in systems that are unknown to me. I can no longer perform joins across my users and roles tables with the rest of my domain-specific tables.



    Do I have a "stub" Users table in my database to act as a bridge, to provide foreign keys to other tables? Does MembershipUser.ProviderUserKey offer a means of establishing identity across providers? This property is typed object - it might be a GUID in one provider and an int in another. I guess a stub table could be like

    CREATE TABLE Users ( Id INT IDENTITY(1,1) PRIMARY KEY, ProviderKey CHAR(30) )

    Or perhaps the MembershipUser.UserName property would be better as the bridge.



    The temptation would creep in to store more and more redundant user details in this table, so that you could produce queries directly in SQL that included user details that are actually stored in the MembershipProvider (SELECT Users.Username, Users.Email, Jobs.Description, [...] FROM Jobs INNER JOIN Users [...] WHERE Jobs.userID=[...]) You'd then need to have a strategy for keeping your Users table in sync with the MembershipProvider.



    So, I was wondering whether there are any best practices guidelines out there that answer these sorts of questions - or whether they are even the right questions anyway... In short, what do you watch out for when writing your own CustomComplexBusinessLogicProvider in such a way that your customers can use it with their own choice of other providers?



    Tom

  • Excellent resources, what I want exactly.Thank you very much.

  • I was wondering if any additional Login Controls existed. I am trying to construct an admin tool similar to the one that comes with VS. I am able to use the existing CreateUser tool, but now need a Modify User and Remove User function. Anywhere I could get pre-build versions of these?

    Thanks

  • Excellent work. Very nice info in one article!

  • Thanks for a great post, theres a lot of goodies in those links!



    PS Does anyone know if there is a way to programmatically control the "Remember me next time" expiry time for the ASP.NET login control? It seems to forget a login after a few minutes, yet cookies are allowed. Thanks!

  • Scott u r simply out-class :)

    Keep up the good work buddy ;)

  • Hi NZ web guy,



    Can you send me an email with more details on the issue you are having? I can then add more people to the thread and we can figure out what is happening.



    Thx!



    - Scott (scottgu@microsoft.com)

  • THANKS, THANKS, THANKS!!!!

  • hi scott, you're the best ASP.NET blogger. keep it up. Congratulations from Philippines!

  • Hi I can see that this is a useful addition but it doesn't seem to cover a lot of the things which I need. The sql provider controls access to a web app, adding roles allows me to say a member of role A can access one set of web pages but not others e.g. admin, user type A, user type B. I need to be able to configure access rights to potentially hundreds of 'web parts' (we're actually using components similar to web parts) in a web application and also the database will be behind a firewall (for internet users, domain users will access iis within firewall) which also seems to be an issue? Would I be best to hand code web page based security instead?

  • Hi Phil,

    Webparts have roles attributes that you can use to declaratively control permissions on them. I'd recommend looking at that as one way to lock down capabilities using the built-in role infrastructure.

    Note that you can also build your own providers for membership/roles -- so you can optionally encapsulate any capabilities you want into them.

    Hope this helps,

    Scott

  • Hi Mesfin,

    Are you building your own custom provider? Or are you trying to use the built-in one with ASP.NET?

    Note that the "type" attribute specifies the class name of the provider you want to use.

    Hope this helps,

    Scott

  • Scott, for an internal applications environment such as Intranets, etc. can I still take advantage of Forms Authentication and the membership and role providers using AD authentication? I mean, can I drag on for example a login control and hook it up to AD instead of that DB .NET manages in order to take advantage and force the users to log in via their AD credentials?

  • Hi Dave,

    Typically with Intranets you often configure an ASP.NET app to use “Windows Authentication” instead of Forms Authentication – which will automatically login browsers using the built-in Windows authentication protocols when connecting to a site. This avoids them having to enter their credentials at all.

    However, if you’d prefer to have them login explicitly (using the built-in login controls) you can configure ASP.NET to use the ADMembershipProvider. This will allow you to use Forms Auth and have the Login controls and Membership APIs go against the AD store for credential validation. You can read more about this here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000026.asp

    Note that one common option (for both Windows and Forms auth with AD) is to use AD for the username/password credential management, but have the roles and profile information stored in an app-specific database. This is fully supported – just configure Roles and Profiles to go against SQL providers, and have the membership provider go against AD.

    Hope this helps,

    Scott

  • Configuring Role permissions: Am I right in thinking that asp.net 2.0 membership and roles does not support role/permissions and that AzMan (referred to above) is limited to windows authentication? I require a solution whereby permissions for a particular role can be configured using forms authentication. The application then queries whether a user's role assignment has a particular permission, not whether it is a member of a role. Can I still use these new tools to achieve this?

  • Hi Robert,

    The SQLRoleProvider doesn't support sub-permissions -- instead it provides a straight user/role mapping.

    I believe it is possible to use AZMan with non-windows users, although I'm not 100% sure. This article covers using the AZMan API to perform sub-permission checks programmatically: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000019.asp

    Hope this helps,

    Scott

  • Scott, We are building an application that needs the "CanDo" style of permission checking as you describe. That is, the application needs to perform logic at the point of inquiry so that this CanDo check is just-in-time determining what the user can do. I guess the best bet for this is just to roll a custom interface for this, perhaps as simple as : enum Actions{ someAction, anotherAction } And then on the user class have CanDo(Actions action) { ...... }

  • Hi Josh,

    Yep -- you could do something like this. If your application runs on the Intranet and uses Windows authentication, you can use AzMan to store and manage all of these "CanDo" permissions for you.

    This article describes how to do this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000019.asp

    Hope this helps,

    Scott
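Robert's and Josh's questions above both come down to the same thing: the SQL role provider gives you a user-to-role mapping, and a "CanDo" permission check has to be layered on top of it by the application. The following C# class is an added example written for this discussion, not code from the post, from ASP.NET, or from either commenter. It keeps a deny-by-default table of which roles grant which actions, answers CanDo() by consulting IPrincipal.IsInRole (so it works unchanged with the ASP.NET role manager, forms or Windows authentication), and runs offline using GenericPrincipal. The enum values, role names and class names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Actions the application wants to authorize (hypothetical names).
public enum AppAction { ViewUsers, EditUsers, DeleteUsers, ViewReports }

// Hypothetical permission layer: role membership comes from IPrincipal.IsInRole
// (the ASP.NET role manager in a web app); the role-to-action grants are the
// application's own data.
public static class Permissions
{
    // Role name -> actions that role grants. Anything not listed here is denied.
    private static readonly Dictionary<string, List<AppAction>> roleGrants =
        new Dictionary<string, List<AppAction>>(StringComparer.OrdinalIgnoreCase);

    static Permissions()
    {
        // In a real app this table would be loaded from a database so customers can
        // edit it; it is hard-coded here (constructed sample data) so the example runs offline.
        Grant("Administrators", AppAction.ViewUsers, AppAction.EditUsers, AppAction.DeleteUsers, AppAction.ViewReports);
        Grant("Managers", AppAction.ViewUsers, AppAction.EditUsers, AppAction.ViewReports);
        Grant("Auditors", AppAction.ViewUsers, AppAction.ViewReports);
    }

    private static void Grant(string role, params AppAction[] actions)
    {
        roleGrants[role] = new List<AppAction>(actions);
    }

    // True if any role the user holds grants the action; unauthenticated users get nothing.
    public static bool CanDo(IPrincipal user, AppAction action)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (KeyValuePair<string, List<AppAction>> grant in roleGrants)
        {
            // Check the cheap in-memory list first, then the (possibly remote) role lookup.
            if (grant.Value.Contains(action) && user.IsInRole(grant.Key))
                return true;
        }
        return false;
    }

    // Guard for business-layer methods: throw instead of silently continuing.
    public static void Demand(IPrincipal user, AppAction action)
    {
        if (!CanDo(user, action))
        {
            string who = (user != null && user.Identity != null && user.Identity.IsAuthenticated)
                ? user.Identity.Name : "anonymous";
            throw new UnauthorizedAccessException(who + " may not " + action);
        }
    }

    // Offline demonstration with GenericPrincipal; in ASP.NET pass HttpContext.Current.User.
    public static void Main()
    {
        IPrincipal manager = new GenericPrincipal(new GenericIdentity("alice"), new string[] { "Managers" });
        IPrincipal auditor = new GenericPrincipal(new GenericIdentity("bob"), new string[] { "Auditors" });
        // An empty name makes GenericIdentity.IsAuthenticated false.
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Console.WriteLine("manager  EditUsers:   " + CanDo(manager, AppAction.EditUsers));
        Console.WriteLine("manager  DeleteUsers: " + CanDo(manager, AppAction.DeleteUsers));
        Console.WriteLine("auditor  EditUsers:   " + CanDo(auditor, AppAction.EditUsers));
        Console.WriteLine("anon     ViewReports: " + CanDo(anonymous, AppAction.ViewReports));

        try { Demand(auditor, AppAction.EditUsers); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("denied: " + ex.Message); }
    }
}
```

Because the check only depends on IPrincipal, the same class serves forms authentication against SQL, forms authentication against AD, or Windows authentication; only the source of the roles changes. The deny-by-default table is the important design choice: a role that is not in the table, or an action that no role lists, is refused rather than allowed.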

  • Hi Scott, I think this blog of yours on the new features of ASP.NET 2.0 is great - lots of useful links and information. Is it possible for a web user who has been successfully authenticated with forms authentication to be authorised to use a SQL Server 2000 role depending on a particular ASP.NET 2.0 role that they have been authorised to use? I understand that that I can assign a SQL Server 2000 role to the ASPNET or NETWORK SERVICE account but this will grant access to anonymous web users to the database role. I can ensure that I only call stored procedures which access sensitive data in web pages that are in restricted by ASP.NET roles. However, it would be nice to also restrict stored procedures via the ASP.NET 2.0 Forms Authentication roles. If this is not possible have you got any bright ideas how I could restrict access to stored procedures to anonymous web users. Many thanks, Mark

  • Hi Mark,

    Unfortunately there isn't a super easy way to do this (specifically map the ASP.NET role to a SQL Server role). One way I could see you doing this might be to have multiple SQL accounts that you use to connect from ASP.NET to the database with. You could then choose which connectionstring to use on a request based on what role the user is in ASP.NET.

    Alternatively, you'd probably want to just do the authorization check within your middle-tier layer using the ASP.NET role.

    Hope this helps,

    Scott

  • >>Note that one common option (for both Windows and Forms auth with AD) is to use AD for the username/password credential management, but have the roles and profile information stored in an app-specific database.



    perfect, thanks!

  • Hi,

    I am having problems getting the Remember Me button working on my login form. I have searched all over the web and the only solution i could find was setting the forms timeout in the web.config. Unfortunately this did not solve the problem. Any ideas?

    Thanks,
    Darren

  • Hello and thanks for the content. This is comprehensive and useful. Just a quick question: Is there a way i can 'impersonate' any user in the Active Directory, just like how a help desk admin would want to do when someone calls up to troubleshoot? Am not sure if the MSDN link provided here helps in this context. Pls note that in this situation, the helpdesk person cannot ask the user for his password, but should be able to authenticate as the user and perform the necessary operations.
    Kindly let me know.

  • Hi Darren,

    The default cookie timeout policy for authentication changed with ASP.NET 2.0 -- and might be what you are running into with the "Remember Me" functionality. Here is an article I wrote about this and how to change the value: http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx

    Hope this helps,

    Scott

  • Hi Ganesh,

    This article talks about how to use the impersonation features in Windows with ASP.NET 2.0: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000023.asp

    Hope this helps,

    Scott

  • Thanks Scott. I had been to this URL before and let me try to explain my problem better. The URL seems to talk about running the ASP.NET process in the context of a particular user. Pls correct me if am wrong here.
    My requirement is a touch different; where, am not really worried abt the context in which the process runs; but am more concerned abt the 'context' of the logged ON user, particularly when i have performed a forms authentication, typically when an administrator is troubleshooting a user's problem in a website, on his behalf. What we finally figured out was: There is a way to 'reset' the forms authentication cookie to that of another user and that too without the need for the password, like this:
    // targetUserName is assumed to hold the account the administrator wants to shadow
    // (hypothetical variable); the ticket is non-persistent and valid for 30 minutes
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(targetUserName, false, 30);
    string encryptedTicket = FormsAuthentication.Encrypt(ticket);
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    Response.Cookies.Add(authCookie);

    I hope this makes sense. Either we don't understand this URL right or we found a strange way to get the job done :-) comments please !!

    thanks,
    ganesh

  • ASP.NET 2.0 Security (Guidlines) Guidelines

  • Hi Gabriel,

    From the thread you pointed me at, it looks like you now have the issue resolved. Let me know if you still have problems with it.

    Thanks,

    Scott

  • Hi,

    Thanks for the great post.

    I have a situation wherein I need to authenticate the user based on three parameters such as username, password, companyname instead of just username and password. In my database there are several company names and the user name is unique only across the company and not across the application.

    There are several such instances wherein I need to create more parameters in the method definition than that are available in the membership provider class. Since the class is abstract I have to implement the methods with the same signature and this is not going to fulfill my requirements.

    How can I achieve this?

    Thanks in advance

    Sitaram

  • I didn't see any links in your post to any resources on adding Mixed Authentication (Forms and Windows) to an ASP.NET 2.0 application. Is there support in ASP.NET 2.0 for doing this? Do you know of any articles on how to do this?

  • Hi Chris,

    Unfortunately there isn't a built-in mixed mode authentication switch in ASP.NET 2.0.

    A user left this comment on my blog, though, on a way you could implement it: http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx#457103

    Hope this helps,

    Scott

  • Scott,

    Can these frameworks be used to "limit" the data that is seen by a user? As an example, allow a division office user to see all policies but only allow an insured to see their own policy?

    Thanks.

  • Hi Steve,

    Yep -- you could certainly use the roles and security features in ASP.NET to limit the views people have on data. This tutorial discusses how to use Role-Based capabilities: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

    Hope this helps,

    Scott

  • Scott,

    I'm looking for a solution to the question Ganesh posted earlier: How do you use the ASP.NET 2 Membership API to programmatically log in as a selected user -without- knowing their password?

    Like Ganesh, I have a "help desk" application that needs to enable the support team to login as a user to "shadow" them, allowing them to see the application as the user sees it. Is there a way to do this?

    Thanks~

  • Hi Todd,

    To programmatically log in a user, just write the below code:

    FormsAuthentication.SetAuthCookie("someusername", false);

    This will issue an authentication ticket for the username "someusername" or whatever you provide. You don't actually need to provide the user password for this to work. The browser will then be logged in as that user for the lifetime of the browser session.

    Hope this helps,

    Scott
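SetAuthCookie issues a ticket for whatever name it is handed, so the "shadow a user" feature Ganesh and Todd describe needs its own guard rails: who may invoke it, which accounts may be targeted, and a record of every use. The following C# helper is an added example written for this thread, not code from the post or from ASP.NET; it wraps the call Scott shows with those checks. The HelpDesk and Administrators role names, the ShadowLogin class and the Trace-based audit sink are assumptions; Membership.GetUser, Roles.IsUserInRole and FormsAuthentication.SetAuthCookie are the real ASP.NET 2.0 APIs.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical guarded "shadow login" helper for a help-desk page (added example).
public static class ShadowLogin
{
    private const string HelpDeskRole = "HelpDesk";         // assumed role allowed to shadow users
    private const string ProtectedRole = "Administrators";   // assumed role that may never be shadowed

    // Signs the current browser in as targetUserName without a password, but only when:
    //  - the caller is an authenticated member of the help-desk role,
    //  - the target is an existing, approved, non-locked account that is not an administrator,
    //  - and the action has been written to the audit log first.
    // Returns true when the ticket was issued, false when any check fails.
    public static bool Start(HttpContext context, string targetUserName)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (string.IsNullOrEmpty(targetUserName)) return false;

        IPrincipal caller = context.User;
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            return false;                                   // anonymous callers never get here
        if (!caller.IsInRole(HelpDeskRole))
            return false;                                   // only the help desk may shadow
        if (string.Equals(caller.Identity.Name, targetUserName, StringComparison.OrdinalIgnoreCase))
            return false;                                   // nothing to shadow

        // userIsOnline=false: look the account up without touching its last-activity stamp.
        MembershipUser target = Membership.GetUser(targetUserName, false);
        if (target == null || !target.IsApproved || target.IsLockedOut)
            return false;                                   // no tickets for unknown, disabled or locked accounts
        if (Roles.IsUserInRole(target.UserName, ProtectedRole))
            return false;                                   // help desk must not escalate into admin accounts

        Audit(caller.Identity.Name, target.UserName, context.Request.UserHostAddress);

        // createPersistentCookie=false: a session cookie that still obeys <forms timeout="...">.
        // target.UserName (not the raw input) is used so the ticket carries the canonical name.
        FormsAuthentication.SetAuthCookie(target.UserName, false);
        return true;
    }

    // Trace stands in for whatever log store the application uses (assumed).
    private static void Audit(string operatorName, string targetName, string clientAddress)
    {
        System.Diagnostics.Trace.WriteLine(string.Format(
            "SHADOW-LOGIN {0:u} operator={1} target={2} from={3}",
            DateTime.UtcNow, operatorName, targetName, clientAddress));
    }
}
```

A help-desk page would call ShadowLogin.Start(Context, selectedUserName) and redirect on true. Two details matter for later investigation: the audit line is written before the cookie is issued, so a failure after logging leaves a record rather than a silent gap, and the operator's own identity is captured from the authenticated principal rather than from a form field.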

  • Hi Scott (and readers),

    I'm looking for a way to programmatically lock a user account.

    I can see the UnlockUser() to make it active again - but how can I lock it in the first place in code? If for example a user is going on holiday etc and a company wishes to temporarily disable that account. It's a common request in the apps I build (which i used to handle with an active/inactive field in classic asp).

    Is the solution target the IsApproved field (which I already have coded to be solely for accounts that are awaiting approval)?

    Thanks for any tips.

    Sam

  • Hi Sam,

    I just checked with the team and got back an answer from them. What you want to do is actually set the "IsApproved" property on the MembershipUser to true or false. When it is false, then the user exists but can't log in. This is similar to your active/inactive logic.

    Once you set this property on the MembershipUser object, you'll also want to call Membership.UpdateUser() and pass in this object to update the database.

    Hope this helps,

    Scott
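
Putting the two steps of the reply into one helper, as an added example rather than code from the post. It also shows the difference from IsLockedOut, which the provider sets on its own after repeated failed passwords and which UnlockUser() clears; the class name and the use of the Comment field to record why an account was disabled are my assumptions.

```csharp
// Added example: enable/disable a Membership account without deleting it.
using System;
using System.Web.Security;

public static class AccountStatus
{
    // Disable (or re-enable) a user. The account stays in the store, and the
    // provider rejects ValidateUser for it while IsApproved is false.
    public static void SetEnabled(string userName, bool enabled, string reason)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null)
            throw new ArgumentException("Unknown user: " + userName);

        user.IsApproved = enabled;              // false => exists but cannot log in
        // Optional: keep the reason so "disabled" and "awaiting approval" can be told apart.
        user.Comment = enabled ? null : "Disabled " + DateTime.UtcNow.ToString("u") + ": " + reason;
        Membership.UpdateUser(user);            // persist the change through the provider
    }

    // IsLockedOut is a separate flag set by the provider after too many failed
    // password attempts; only UnlockUser() clears it, and IsApproved does not touch it.
    public static bool ClearLockout(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        return user != null && user.IsLockedOut && user.UnlockUser();
    }

    public static string Describe(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null) return "missing";
        if (user.IsLockedOut) return "locked out (failed logins)";
        return user.IsApproved ? "active" : "disabled";
    }
}
```

Note that disabling an account does not end any session that already holds a forms ticket; the ticket stays valid until it expires, so a page that must react immediately has to re-check IsApproved itself.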

  • Scott,

    I have a project that is web based with security. I want to use that same security database ( and application Name) for a Windows form project.
    I have seen one article that uses a web service. Is there a better way

  • Hi Mark,

    Unfortunately the best way to handle this is still to expose web-services. In the next release of the framework (next year) we are planning to do this for you automatically - but until then you'll need to build your own.

    Sorry,

    Scott

  • Hi Mark,

    The ProfileCommon class is automatically generated by ASP.NET at compile-time - which is why you aren't seeing that depending on how you are using it.

    What you could do, however, is use this tool: http://www.gotdotnet.com/workspaces/workspace.aspx?id=406eefba-2dd9-4d80-a48c-b4f135df4127 which will automatically generate a Profile wrapper for you based on your web.config file that you could use.

    Hope this helps,

    Scott

  • This is great! I will always be coming here.
    Keep up the good work

  • Hi, How can I set security for a page like in web.config but programmatically?

    Thanks

  • Hi Gerardo,

    Here is a cool tip/trick you can use to programmatically authorize users: http://weblogs.asp.net/scottgu/archive/2006/10/04/Tip_2F00_Trick_3A00_-Adding-Authorization-Rules-to-Business-and-Data-Layers-using-PrincipalPermissionAttributes.aspx

    Hope this helps,

    Scott

  • Does anyone know how I can install SQLMembershipProvider without using the Membership Database ASPNETDB??
    I already have a SQL 2005 database with user accounts and login, password, etc.
    I just want to use custom membership in my own database without using the SQL pre-defined one.
    Thanks

  • Hi Joao,

    I'd recommend looking at this post: http://weblogs.asp.net/scottgu/archive/2006/10/13/Tip_2F00_Trick_3A00_-Source_2F00_Documentation-for-Simple-ASP.NET-2.0-SQL-Providers-Published.aspx

    It demonstrates some simple Membership providers that work against SQL. You could adapt these to go against your own schema within the database.

    Hope this helps,

    Scott

  • Hello,
    I'm developing a webportal for our intranet at work. I've setup integrated windows authentication which is working fine. I also have roles enabled and have applied the correct role privileges to the relevant webpages. My question now is how can I tie domain users to the roles? Ideally I'd like to setup an admin page that shows a list of users from the domain and then I can add them to different roles, such as 'admin' 'user' etc which will then provide them access to the relevant webpages.

    Much Thanks,
    Daniel

  • Hi Daniel,

    I actually have a good tutorial that shows how to do this here: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

    Hope this helps!

    Scott

  • Hi Richard,

    Good question! Can you send me an email directly on it? I can then loop in a few folks from my team who might have an answer.

    Thanks,

    Scott

  • What is the standard for checking authorization? Set it up in web.config or through code?

  • Hi John,

    Often people do authorization via web.config files, and then do additional checks via code.

    Hope this helps,

    Scott
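
The replies above (limiting what a user may see by role, PrincipalPermissionAttributes on the business layer, web.config rules plus checks in code) fit together in one added example of mine, not code from the post. The per-URL gate stays in web.config; the business class below adds the two kinds of check code can do that web.config cannot: a declarative role demand on a method, and a row-level check so a division office user sees every policy while an insured sees only their own. The class names, the role name "DivisionOffice" and the sample rows are constructed.

```csharp
// Added example: declarative and row-level authorization in a business class.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class Policy
{
    public int Id;
    public string OwnerUserName;
    public decimal Premium;

    public Policy(int id, string owner, decimal premium)
    {
        Id = id; OwnerUserName = owner; Premium = premium;
    }
}

public static class PolicyService
{
    // Constructed sample rows standing in for the policy table.
    private static readonly List<Policy> Policies = new List<Policy>();

    static PolicyService()
    {
        Policies.Add(new Policy(1, "alice", 120m));
        Policies.Add(new Policy(2, "bob", 95m));
    }

    // Declarative check: the runtime demands the role from Thread.CurrentPrincipal
    // on every call, whichever page or web service made it.
    [PrincipalPermission(SecurityAction.Demand, Role = "DivisionOffice")]
    public static IList<Policy> GetAllPolicies()
    {
        return Policies.AsReadOnly();
    }

    // Imperative row-level check: <authorization> in web.config keys on URL and
    // cannot express "only this row", so this has to live in code.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public static Policy GetPolicy(int id)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        Policy found = null;
        foreach (Policy p in Policies)
        {
            if (p.Id == id) { found = p; break; }
        }
        if (found == null) return null;

        bool isOffice = caller.IsInRole("DivisionOffice");
        bool isOwner = string.Equals(caller.Identity.Name, found.OwnerUserName,
                                     StringComparison.OrdinalIgnoreCase);
        if (!isOffice && !isOwner)
            throw new SecurityException("Caller may not view policy " + id);
        return found;
    }
}
```

A failed demand surfaces as a SecurityException, so the page calling these methods should catch it and render an access-denied view rather than a stack trace.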

  • Hi Scott,

    I just wanted to let you know that I have implemented a Membership/Role provider for use with NHibernate. You may want to take a look at it and consider including it in your list of custom providers with source code.

    Cheers,

    Leo

  • Hi Scott,
    fantastic....
    absolutely fantastic job.
    Thank you very much for that....

    I need some help :)
    In one of my applications I need to use forms authentication. For this I have to use both AD and DB, in the sense that I have to validate if the user exists in AD and if not found I have to go on to search in the DB.
    I have already done this in VS 1.1 but I could not figure out how we do this in VS 2.0 using Login controls.

    Help me on this :)

  • This is a great tutorial/walk-through. I am learning much.

    The only shortcoming is it assumes one CAN use the website administration tool as it seems a key thing to have. I cannot because I'm using a hosting service and I develop remotely from the server.

    So how do I manage my users and roles without that tool? The walkthrough needs a remote developer section for this, IMO.

    I am in a bind regarding anonymous user Profiles. All the articles I've come across regarding migrating anonymous user profile properties to registered user properties make use of the ProfileCommon class and Profile.GetProfile method in the Profile_MigrateAnonymous event handler in the Global.asax.cs file. However that does not work when your web site is of the Web application type instead of the 2005 built-in website type. How would you migrate an anonymous user's properties to a registered user's when the compiler gives you an error "ProfileCommon cannot be found. Are you missing a using reference?"??
    Thanks

  • Hi Scott,

    None of my comments were published on the blog. What is it that I'm doing wrong?

    Thanks,
    Dako

  • Hi Wil,

    Sorry for the delay in getting back to you. Here is a pointer to a set of web admin pages you can integrate into your site to enable remote administration: http://weblogs.asp.net/scottgu/archive/2006/07/18/Remote-Membership_2F00_Roles-Management-of-ASP.NET-2.0-Applications.aspx

    Hope this helps,

    Scott

  • Hi Dako,

    Sorry for the delay in getting back to you - was traveling this past week and so have been away from my blog for a few days. I just published your questions and am in the process of responding to them here: http://weblogs.asp.net/scottgu/archive/2005/10/18/427754.aspx

    Thanks,

    Scott

  • Hi Palak,

    With a Web Application Project you need to create the profile object explicitly. This add-in will help you with it: http://www.gotdotnet.com/workspaces/workspace.aspx?id=406eefba-2dd9-4d80-a48c-b4f135df4127

    Thanks,

    Scott

  • Hi Scott,
    I'm totally new to AzMan and I am sorry if this problem was raised earlier in your blog. I have been following the article "How To: Use Authorization Manager (AzMan) with ASP.NET 2.0" which was published on MSDN (you also rec'd it). I am running Virtual PC and logging in as a local user for the VPC. And for "Role Assignment" I assigned the logged-in user as per the example.
    My problem is whenever I access a secure page it prompts the popup for user name and password.
    Do you have any idea why?

  • Hi Parasa,

    Unfortunately I'm not too familiar with AzMan myself. :-(

    Sorry!

    Scott

  • Hi, I have finally gotten a custom Principal to be set in the HttpContext.Current.User, however, I am using the LoginControl and I want to handle the "LoggedIn" event and based on the User's Role redirect them to the appropriate Page based on this.

    However, the FormsAuthentication is NOT setting the Ticket in the AuthCookie before this event fires. This is causing the code that sets my custom Principal to not execute. So, when it hits the "LoggedIn" event, the Current.User.Identity is just a "GenericIdentity" unauthenticated and with no information.

    Why is FormsAuthentication NOT populating the Ticket before calling "LoggedIn"? I have decompiled the LoginControl and everything "looks" like it should be working correctly.

    Help!

  • Hi tmccurdy,

    The authentication principal won't get set until the next request to the web-server. But you can use the "UserName" property on the Usercontrol within the LoggedIn event to identify the user.

    You can then use the Role APIs and pass the user name to retrieve their role information.

    Hope this helps,

    Scott
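
A LoggedIn handler written the way the reply describes, as an added example of mine rather than code from the post: it reads the name from the Login control's UserName property, asks the Role API for that user's roles, and redirects. The landing-page routing, the control ID and the role names are assumptions.

```csharp
// Added example: role-based redirect from the Login control's LoggedIn event.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    // Assumed markup: <asp:Login ID="LoginCtl" runat="server" OnLoggedIn="LoginCtl_LoggedIn" />
    protected void LoginCtl_LoggedIn(object sender, EventArgs e)
    {
        // Context.User is still the pre-login principal here: the ticket the control
        // just issued is only read on the next request, so do not rely on User.IsInRole.
        Login login = (Login)sender;
        string userName = login.UserName;

        string target = PickLandingPage(Roles.GetRolesForUser(userName));

        // Ending the response here pre-empts the control's own DestinationPageUrl redirect.
        Response.Redirect(target);
    }

    // Kept free of page state so the routing can be unit-tested on its own.
    public static string PickLandingPage(string[] roles)
    {
        bool admin = false, office = false;
        foreach (string r in roles)
        {
            if (r == "Admin") admin = true;
            else if (r == "DivisionOffice") office = true;
        }
        if (admin) return "~/Admin/Default.aspx";
        if (office) return "~/Office/Default.aspx";
        return "~/Members/Default.aspx";
    }
}
```

Redirecting by role is a convenience, not an authorization check: each target folder still needs its own <authorization> rule in web.config, otherwise a user who types the URL directly gets in regardless of role.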

  • Hi ScottGu,

    I want to create an Access database (mdb file) for Role and Membership like the SQL database which is created by default using aspnet_regsql.

    Please help me create an Access database to store Role and Membership.

    Regards

    Mukesh Vadodariya

  • Hi Mukesh,

    You can download the Access providers here: http://msdn.microsoft.com/vstudio/eula.aspx?id=96713a8e-b8d4-4d6e-bb8f-027e6c8e15d8

    This will enable Role and Membership for Access.

    Hope this helps,

    Scott

  • Hello Scott / tmccurdy,

    I am using a .net 2.0 login control and am trying to set a custom principal object on the current thread after executing custom code that authenticates users. The msdn article listed above for forms authentication (MSDN: Explained: Forms Authentication in ASP.NET 2.0) mentions that to do the above, we need to handle the PostAuthenticate event which gets fired after the cookie is set. Any help in how to accomplish this will be greatly appreciated.

    Thanks!
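
The PostAuthenticateRequest approach this comment (and tmccurdy's earlier one) asks about, as an added example of mine rather than code from the post or the MSDN article. By that stage the FormsAuthenticationModule has already decrypted the cookie and put a GenericPrincipal with a FormsIdentity into Context.User, so the handler in Global.asax can swap in its own principal. The AppPrincipal class name is an assumption; the roles are loaded from the Role provider but a custom store could be queried in its place.

```csharp
// Added example: replace the forms principal with a custom one after authentication.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Custom principal carrying the roles loaded once per request (assumed class).
public class AppPrincipal : IPrincipal
{
    private readonly IIdentity _identity;
    private readonly string[] _roles;

    public AppPrincipal(IIdentity identity, string[] roles)
    {
        _identity = identity;
        _roles = roles ?? new string[0];
    }

    public IIdentity Identity { get { return _identity; } }

    public bool IsInRole(string role)
    {
        return Array.IndexOf(_roles, role) >= 0;
    }
}

public class Global : HttpApplication
{
    // Fires after FormsAuthenticationModule has set Context.User from the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated) return;

        // Only touch Forms-authenticated requests; leave Windows auth etc. alone.
        FormsIdentity formsId = current.Identity as FormsIdentity;
        if (formsId == null) return;

        string[] roles = Roles.GetRolesForUser(formsId.Name);
        AppPrincipal principal = new AppPrincipal(formsId, roles);

        // Both must be set: User.IsInRole reads Context.User, PrincipalPermission
        // demands read Thread.CurrentPrincipal.
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

If roleManager is enabled in web.config, the RoleManagerModule also installs a RolePrincipal during this same event; the Global.asax handler is wired up after the modules, so the custom principal above ends up being the one the page sees.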

  • Hi Scott,

    We have an existing ASP.NET 1.1 application. The client requires that application provide additional functionalities. The existing functionality has to be enhanced and different new functionality is to be added.
    Please advise :
    1. Should the new functionality be added in ASP.NET 2.0 ? If so, should we migrate existing code to 2.0 ?

    2. If application is moved to 2.0, should user management (UM) functionality of 2.0 be used (Currently the application has its own user schema, role based authorization, etc). What will be the disadvantage of not using 2.0 user management functionality/classes ?

    3. If application is moved to 2.0, should Datagrid paging be replaced with Gridview paging (with or without ASP.NET AJAX) ?

    4. What does .net 3/3.5 offer to ASP.NET applications ? (I understand that workflow and WS can be used in ASP.NET applications) What else (eg new ASP.NET controls) for ASP.NET ?

    Thank You.

  • Hi Scott,

    This question may have an obvious answer...

    Is the Website Administration Tool intended to be used as a solution for website administrators to manage the website that was created for them?

    I have not read anything yet recommending this as common practice.

    Thoughts?

  • Hi,

    I am looking for a code sample for the following scenario: multiple .net 2.0 web applications on the same domain and one login application. I understand that I can use the same provider in all of my applications, but how can I have one login page for all of them without combining the application under one folder? How does the redirection from/to the login page work?

    Thanks!

  • Hi Julia,

    I haven't implemented a single-sign on solution myself before, but I found a few articles that might be useful for you:

    http://msdn.microsoft.com/en-us/library/ms972971.aspx

    http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx

    http://codebetter.com/blogs/sahil.malik/archive/2006/04/27/143591.aspx

    Hope this helps,

    Scott

  • What if your users are in more than one container (Not just in Users container) on the same domain? Should you setup like you were using multiple domains?

    Thanks,
    Steve

  • How do you handle multiple containers or OUs? What if you have accounts in the Users container and then accounts in other OUs, how do you handle that? What would the connection string look like? If it can't be handled are you forced to create all OUs in the same tree (recursive check)?

    Thanks,
    Steve

    In my site, I want to use e-mail address for user ID ... And also preserve the E-mail address in the E-mail field and pass it to membership provider so that user can request new password.

    I'm using the standard CreateUser Wizard ... Is there an event or property that I can modify ... so that when I

    -- hide the userID label and text box ... (make it invisible) ...

    I can wire something up to make the e-mail address the text property of UserID ( so that it will pass the must enter edit requirement ) .. and also allow me to validate the e-mail address with regular expression

    etc, etc, etc ...

    Let me know if I need to explain more ...

    Steve

  • Hi Steve,

    Unfortunately I'm not 100% sure on the multiple OU question. Can you email me (scottgu@microsoft.com) and I can loop someone in who might know.

    Thanks,

    Scott

  • Hi Steve,

    There are a few events you might be able to sync to help with this.

    There is an OnActiveStepChanged event that fires each time the step changes and would allow you to handle this.

    The easiest approach, though, might be to just use the generic control and define your own textboxes for each of the gathering stages within that. You could then manually write this code to create the user and log them in:

    Membership.CreateUser(txtUserName.Text, txtPassword.Text);   // creates the account through the configured provider

    FormsAuthentication.SetAuthCookie(txtUserName.Text, false);  // issues a session (non-persistent) forms ticket

    Hope this helps,

    Scott
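
Steve's scenario, carried through the two calls in the reply, as an added example of mine rather than code from the post: the e-mail address is validated, used as both the user name and the Email field so password recovery can find the account, and the user is signed in only when CreateUser reports success. The class name and the messages are assumptions.

```csharp
// Added example: register with an e-mail address as the user name, then sign in.
using System;
using System.Text.RegularExpressions;
using System.Web.Security;

public static class EmailRegistration
{
    // Shape check only; proof that the address is real comes from the recovery mail.
    private static readonly Regex EmailShape =
        new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$", RegexOptions.Compiled);

    public static bool LooksLikeEmail(string s)
    {
        return !string.IsNullOrEmpty(s) && s.Length <= 256 && EmailShape.IsMatch(s);
    }

    // Returns null on success, otherwise a message that is safe to show the user.
    public static string Register(string email, string password, bool signInAfterCreate)
    {
        if (!LooksLikeEmail(email)) return "Please enter a valid e-mail address.";

        MembershipCreateStatus status;
        // Same value for username and Email so RecoverPassword can look the account up.
        // Question/answer are null: set requiresQuestionAndAnswer="false" on the provider,
        // or pass real values here, otherwise the status comes back InvalidQuestion.
        Membership.CreateUser(email, password, email, null, null, true, out status);

        switch (status)
        {
            case MembershipCreateStatus.Success:
                if (signInAfterCreate) FormsAuthentication.SetAuthCookie(email, false);
                return null;
            case MembershipCreateStatus.DuplicateUserName:
            case MembershipCreateStatus.DuplicateEmail:
                // One wording for both so the form does not reveal which addresses are registered.
                return "That e-mail address cannot be used.";
            case MembershipCreateStatus.InvalidPassword:
                return "The password does not meet the site's requirements.";
            default:
                return "Registration failed: " + status;
        }
    }
}
```

Because CreateUser reports problems through the status value rather than by throwing, the caller must check it before calling SetAuthCookie; issuing a ticket for a name that was never created would sign the browser in as a non-existent user.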

Comments have been disabled for this content.