Password reset configuration with ActiveDirectoryMembershipProvider

Charlotte

Hi,

I have an ASP.NET 2.0 web application, which is configured to use
Forms-based authentication and the ActiveDirectoryMembershipProvider for the
membership.
The users are stored in ADAM.
Everything was working properly until I wanted to add the password reset
functionality.
I extended the user schema to add the attributes necessary, and my
web.config is:
<connectionStrings>
  <add name="myADAMConnectionString"
       connectionString="LDAP://localhost:61000/OU=Users,OU=Matrix5,O=Extranet"/>
</connectionStrings>
<system.web>
  <membership defaultProvider="MyCustomProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear/>
      <add
        name="MyCustomProvider"
        type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        connectionStringName="myADAMConnectionString"
        attributeMapUsername="userPrincipalName"
        attributeMapEmail="mail"
        connectionUsername="CN=MembershipProvider,OU=Users,OU=Matrix5,O=Extranet"
        connectionPassword="DataJungle!"
        connectionProtection="None"
        enableSearchMethods="true"
        requiresQuestionAndAnswer="true"
        attributeMapPasswordQuestion="blPasswordQuestion"
        attributeMapPasswordAnswer="blPasswordAnswer"
        attributeMapFailedPasswordAnswerCount="blFailedPasswordAnswerCount"
        attributeMapFailedPasswordAnswerTime="blFailedPasswordAnswerTime"
        attributeMapFailedPassswordAnswerLockoutTime="blFailedPassswordAnswerLockoutTime"
        maxInvalidPasswordAttemps="5"
        passwordAttemptWindow="10"
        passwordAnswerAttemptLockoutDuration="30"
        requiresUniqueEmail="true"
        enablePasswordReset="true"
      />
    </providers>
  </membership>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" protection="All" timeout="30"
           name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true"
           defaultUrl="matrix.aspx" cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false"/>
  </authentication>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
  <trust level="Full"/>
</system.web>

When I log into the application, I get a configuration error:
Description: An error occurred during the processing of a configuration
file required to service this request. Please review the specific error
details below and modify your configuration file appropriately.

Parser Error Message: Attribute schema mappings for bad password answer
tracking must be specified to enable password reset functionality.

Source Error:

Line 58: <add
Line 59: name="MyCustomProvider"
Line 60: type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Line 61: connectionStringName="myADAMConnectionString"
Line 62: attributeMapUsername="userPrincipalName"

Source File: D:\Charlotte\web.config Line: 60

I don't understand why this doesn't work, as I can verify in ADAM-adsiedit
that the user I'm logging in as has the attributes blPasswordQuestion
(Unicode String), blPasswordAnswer (Unicode String),
blFailedPasswordAnswerCount (Integer), blFailedPasswordAnswerTime (Large
Integer/Interval), blFailedPassswordAnswerLockoutTime (Large
Integer/Interval).

Can you please help me figure out what is wrong with my configuration?

Thanks
Charlotte
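The web.config side can be checked mechanically before the directory side is examined. The script below is an added example, not code from the thread: it compares every attribute name on an ActiveDirectoryMembershipProvider element against the attribute set in the provider's documentation, suggests the nearest documented name for anything unrecognised (a mapping written under a name the provider does not know is simply not read as that mapping, so the script also treats it as unset when enablePasswordReset="true"), and flags two settings a reviewer would raise on the posted element: connectionProtection="None" and a connectionPassword stored in cleartext. The sample element is the one posted above with the password replaced by a placeholder; the corrected variant renames only the two attributes the check reports.

```python
"""Lint an ActiveDirectoryMembershipProvider <add> entry in web.config.

Added example, not code from the thread. It reports attribute names that are
not in the provider's documented attribute set (with a nearest-match hint),
missing bad-password-answer mappings when enablePasswordReset="true", and two
settings a reviewer would flag: connectionProtection="None" and a cleartext
connectionPassword.
"""
import difflib
import xml.etree.ElementTree as ET

# Configuration attributes documented for ActiveDirectoryMembershipProvider (System.Web 2.0).
KNOWN_ATTRIBUTES = {
    "name", "type", "connectionStringName", "connectionUsername",
    "connectionPassword", "connectionProtection", "enableSearchMethods",
    "applicationName", "description", "requiresUniqueEmail",
    "clientSearchTimeout", "serverSearchTimeout", "enablePasswordReset",
    "requiresQuestionAndAnswer", "minRequiredPasswordLength",
    "minRequiredNonalphanumericCharacters", "passwordStrengthRegularExpression",
    "maxInvalidPasswordAttempts", "passwordAttemptWindow",
    "passwordAnswerAttemptLockoutDuration", "attributeMapUsername",
    "attributeMapEmail", "attributeMapPasswordQuestion",
    "attributeMapPasswordAnswer", "attributeMapFailedPasswordAnswerCount",
    "attributeMapFailedPasswordAnswerTime",
    "attributeMapFailedPasswordAnswerLockoutTime",
}

# All three must be mapped before the provider will enable password reset.
RESET_TRACKING_MAPPINGS = (
    "attributeMapFailedPasswordAnswerCount",
    "attributeMapFailedPasswordAnswerTime",
    "attributeMapFailedPasswordAnswerLockoutTime",
)


def lint_provider(config_xml):
    """Return a list of findings for every AD membership provider in the XML."""
    findings = []
    for add in ET.fromstring(config_xml).iter("add"):
        if "ActiveDirectoryMembershipProvider" not in add.get("type", ""):
            continue
        attrs = add.attrib
        for name in sorted(attrs):
            if name in KNOWN_ATTRIBUTES:
                continue
            hint = difflib.get_close_matches(name, KNOWN_ATTRIBUTES, n=1, cutoff=0.8)
            suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
            findings.append(f"unknown attribute '{name}'{suggestion}")
        if attrs.get("enablePasswordReset", "false").lower() == "true":
            for required in RESET_TRACKING_MAPPINGS:
                if required not in attrs:
                    findings.append(f"enablePasswordReset=true but '{required}' is not set")
        if attrs.get("connectionProtection", "Secure") == "None":
            findings.append("connectionProtection=None: LDAP bind and traffic are unprotected")
        if attrs.get("connectionPassword"):
            findings.append("connectionPassword is stored in cleartext in web.config")
    return findings


# Constructed sample: the provider element from the thread, wrapped so it parses
# as a document; the password is a placeholder.
SAMPLE_WEB_CONFIG = """<configuration><system.web><membership defaultProvider="MyCustomProvider">
<providers><clear/>
<add name="MyCustomProvider"
  type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
  connectionStringName="myADAMConnectionString"
  attributeMapUsername="userPrincipalName" attributeMapEmail="mail"
  connectionUsername="CN=MembershipProvider,OU=Users,OU=Matrix5,O=Extranet"
  connectionPassword="PLACEHOLDER" connectionProtection="None"
  enableSearchMethods="true" requiresQuestionAndAnswer="true"
  attributeMapPasswordQuestion="blPasswordQuestion"
  attributeMapPasswordAnswer="blPasswordAnswer"
  attributeMapFailedPasswordAnswerCount="blFailedPasswordAnswerCount"
  attributeMapFailedPasswordAnswerTime="blFailedPasswordAnswerTime"
  attributeMapFailedPassswordAnswerLockoutTime="blFailedPassswordAnswerLockoutTime"
  maxInvalidPasswordAttemps="5" passwordAttemptWindow="10"
  passwordAnswerAttemptLockoutDuration="30" requiresUniqueEmail="true"
  enablePasswordReset="true"/>
</providers></membership></system.web></configuration>"""

# The same element with only the two attribute names corrected.
FIXED_WEB_CONFIG = SAMPLE_WEB_CONFIG.replace(
    'attributeMapFailedPassswordAnswerLockoutTime=', 'attributeMapFailedPasswordAnswerLockoutTime='
).replace('maxInvalidPasswordAttemps=', 'maxInvalidPasswordAttempts=')

if __name__ == "__main__":
    for label, xml in (("as posted", SAMPLE_WEB_CONFIG), ("corrected", FIXED_WEB_CONFIG)):
        print(f"--- {label}")
        for finding in lint_provider(xml):
            print(" ", finding)
```

On the posted element the linter reports the two unrecognised names with their nearest documented spellings, the missing lockout-time mapping that follows from the first of them, and the two weak settings; on the corrected element only the two weak settings remain. The attribute names are exactly the set the provider documents, so a match with a lower difflib cutoff would catch more distant typos at the cost of noisier hints.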

Steven Cheng

Hi Charlotte,

Regarding the AD membership reset password problem, I've checked the
configuration fragment; it seems you've added all the necessary
configurations based on some existing references about password management
for the AD membership provider:

http://msdn2.microsoft.com/en-us/library/ms998360.aspx

http://blogs.msdn.com/dansellers/archive/2005/11/09/491152.aspx

Also, I found that someone else met a similar issue that was caused by
a typing error in the configuration file (some attribute value spelled
incorrectly):

#ActiveDirectoryMembershipProvider throws config error, but config appears
to be correct
http://forums.asp.net/p/1064878/1539598.aspx#1539598

I think you may also want to check your configuration file to see whether
there are such mistakes that may cause this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



This posting is provided "AS IS" with no warranties, and confers no rights.

Charlotte

Hi Steven,

Thanks for your answer.
I checked the spelling of attributes in my web.config and didn't find any
mistake.

Do you have any other suggestions on how to find out what could cause this
issue? Or how to verify that my ADAM was configured properly for the
attributes?

Thanks
Charlotte

Charlotte

Hi Steven,

I also tried the same application but using Active Directory instead of
ADAM, and I get the same error message:
"Attribute schema mappings for bad password answer tracking must be
specified to enable password reset functionality."

Here are the steps I did to create the attributes in AD:
1. In the Active Directory Schema snap-in, create a new attribute
(right-click on Attributes > Create Attribute)
- Common Name: bl-passwordQuestion
- LDAP Display Name: bl-passwordQuestion
- Unique X500 Object ID:
1.2.840.113556.1.8000.2554.51199.4894.55101.18729.39169.15277508.2995713.2.1
- Description: ActiveDirectoryMembershipProvider - password question
- Syntax: Unicode String
- Minimum: 1
- Maximum: 256
2. Repeat for all other 4 attributes, incrementing the OID each time
3. Create a new class
- Common Name: bl-membershipProviderClass
- LDAP Display Name: same
- Unique X500 Object ID:
1.2.840.113556.1.8000.2554.51199.4894.55101.18729.39169.15277508.2995713.1.1
- Description: Class for the attributes with
ActiveDirectoryMembershipProvider attributes.
- Parent Class:
- Class Type: Auxiliary
- Click Next
- In the Optional attributes, add the 5 attributes created above
- Click Finish
4. Add the auxiliary class to the user class
- Right-click on the user class, select properties
- In the tab Relationship, add the auxiliary class created
- Click OK
5. Update the schema cache
- Right-click on Active Directory Schema and select Reload the Schema

Any idea?

Thanks
Charlotte
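The schema-side steps above can be verified from an export rather than by eye. The script below is an added example, not code from the thread: it reads an ldifde-style LDIF export of the schema container and, for each web.config mapping, checks that an attribute with that lDAPDisplayName exists, that its attributeSyntax is the one the provider expects (Unicode String for question and answer, Integer for the count, Large Integer for the two times, which are the types listed in the first post), and that the user class reaches it through an auxiliary class's mayContain, as in step 4. The LDIF sample is constructed and reduced to the fields the check reads; the names of the four attributes after bl-passwordQuestion are an assumption that follows the first one's pattern, and two defects are planted so the run produces findings.

```python
"""Cross-check provider attribute mappings against an AD/ADAM schema export.

Added example, not code from the thread: parses an ldifde-style export of the schema
container (constructed sample below) and reports mapped attributes that are missing,
carry a syntax other than the one the provider expects, or are not reachable from the
user class through an auxiliary class.
"""
from collections import defaultdict

# attributeSyntax OID the provider expects for each mapping, and its display name.
EXPECTED_SYNTAX = {
    "attributeMapPasswordQuestion": "2.5.5.12",
    "attributeMapPasswordAnswer": "2.5.5.12",
    "attributeMapFailedPasswordAnswerCount": "2.5.5.9",
    "attributeMapFailedPasswordAnswerTime": "2.5.5.16",
    "attributeMapFailedPasswordAnswerLockoutTime": "2.5.5.16",
}
SYNTAX_NAME = {"2.5.5.12": "Unicode String", "2.5.5.9": "Integer", "2.5.5.16": "Large Integer"}

def parse_ldif(text):
    """Minimal LDIF reader (comments and folded lines, no base64): one dict per entry."""
    entries, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                   # blank line ends the entry
            if current is not None:
                entries.append(current)
            current, last = None, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]      # folded continuation line
            continue
        key, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        last = key.strip()
        current[last].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries

def check_schema(ldif_text, mappings):
    """Findings for each mapping (attributeMap* config name -> lDAPDisplayName)."""
    by_name = {e["lDAPDisplayName"][0]: e for e in parse_ldif(ldif_text) if "lDAPDisplayName" in e}
    findings = []
    # 1. The attribute is defined and carries the syntax the provider expects.
    for cfg, ldap_name in mappings.items():
        entry = by_name.get(ldap_name)
        if entry is None or "attributeSyntax" not in entry:
            findings.append(f"{cfg}: no attribute with lDAPDisplayName '{ldap_name}' in the schema")
            continue
        oid, actual = EXPECTED_SYNTAX[cfg], entry["attributeSyntax"][0]
        if actual != oid:
            findings.append(f"{cfg}: '{ldap_name}' has attributeSyntax {actual}, expected {SYNTAX_NAME[oid]} ({oid})")
    # 2. user reaches the attribute via mayContain of one of its auxiliary classes (the route
    #    the snap-in steps use; mustContain and user's own mayContain are not considered).
    reachable = set()
    for aux_name in by_name.get("user", {}).get("auxiliaryClass", []):
        reachable.update(by_name.get(aux_name, {}).get("mayContain", []))
    for cfg, ldap_name in mappings.items():
        if ldap_name in by_name and ldap_name not in reachable:
            findings.append(f"{cfg}: '{ldap_name}' is not a mayContain of any auxiliaryClass of 'user'")
    return findings

# Constructed export, reduced to the fields the check reads. Planted defects: the
# ...AnswerTime attribute was created as Integer, and ...LockoutTime was never added to the class.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=bl-passwordQuestion,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: bl-passwordQuestion
attributeSyntax: 2.5.5.12

dn: CN=bl-passwordAnswer,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: bl-passwordAnswer
attributeSyntax: 2.5.5.12

dn: CN=bl-failedPasswordAnswerCount,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: bl-failedPasswordAnswerCount
attributeSyntax: 2.5.5.9

dn: CN=bl-failedPasswordAnswerTime,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: bl-failedPasswordAnswerTime
attributeSyntax: 2.5.5.9

dn: CN=bl-failedPasswordAnswerLockoutTime,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: bl-failedPasswordAnswerLockoutTime
attributeSyntax: 2.5.5.16

dn: CN=bl-membershipProviderClass,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: bl-membershipProviderClass
mayContain: bl-passwordQuestion
mayContain: bl-passwordAnswer
mayContain: bl-failedPasswordAnswerCount
mayContain: bl-failedPasswordAnswerTime

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: user
auxiliaryClass: bl-membershipProviderClass
"""

# web.config mapping values for the attributes above: attributeMapXyz -> bl-xyz.
MAPPINGS = {cfg: "bl-" + cfg[12].lower() + cfg[13:] for cfg in EXPECTED_SYNTAX}
```

Run against a real export (for instance one written by ldifde with the schema container as the root), the same function flags a mapping whose value differs from the attribute's lDAPDisplayName, which is the first thing to compare when the provider insists a mapping is absent although the attributes are visible in ADSI Edit.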

Steven Cheng

Hi Charlotte,

Thanks for your reply.

For AD server-side configuration, I haven't done much research on that,
though it may also be the potential cause.
Since the configuration schema is the same as suggested, I think the
problem is an environment-specific one whose root cause may be hard to locate
from appearance. I suggest you also try posting in some AD-specific groups
to confirm whether there are any problems on the AD side.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.