RE: Password reset configuration with ActiveDirectoryMembershipPro
- From: stcheng@xxxxxxxxxxxxxxxxxxxx ("Steven Cheng")
- Date: Fri, 22 Feb 2008 10:47:56 GMT
Hi Charlotte,
Thanks for your reply.
For AD server-side configuration, I haven't done much research on that
though it may also be the potential cause.
Since the configuration schema is the same as suggested, I think the
problem is an environment-specific one that may be hard to locate the root
cause of from appearance. I suggest you also try posting in some AD-specific
groups to confirm whether there are any problems on the AD part.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: Charlotte <charlotte.vilarem@xxxxxxxxxxxxxxxxx>
Subject: RE: Password reset configuration with ActiveDirectoryMembershipPro
Date: Wed, 20 Feb 2008 10:40:01 -0800
Hi Steven,
I also tried the same application but using Active Directory instead of
ADAM, and I get the same error message:
"Attribute schema mappings for bad password answer tracking must be
specified to enable password reset functionality."
Here are the steps I did to create the attributes in AD:
1. In the Active Directory Schema snap-in, create a new attribute
(right-click on Attributes > Create Attribute)
- Common Name: bl-passwordQuestion
- LDAP Display Name: bl-passwordQuestion
- Unique X500 Object ID:
1.2.840.113556.1.8000.2554.51199.4894.55101.18729.39169.15277508.2995713.2.1
- Description: ActiveDirectoryMembershipProvider - password question
- Syntax: Unicode String
- Minimum: 1
- Maximum: 256
2. Repeat for all other 4 attributes, incrementing the OID each time
3. Create a new class
- Common Name: bl-membershipProviderClass
- LDAP Display Name: same
- Unique X500 Object ID:
1.2.840.113556.1.8000.2554.51199.4894.55101.18729.39169.15277508.2995713.1.1
- Description: Class for the attributes with
ActiveDirectoryMembershipProvider attributes.
- Parent Class:
- Class Type: Auxiliary
- Click Next
- In the Optional attributes, add the 5 attributes created above
- Click Finish
4. Add the auxiliary class to the user class
- Right-click on the user class, select properties
- In the tab Relationship, add the auxiliary class created
- Click OK
5. Update the schema cache
- Right-click on Active Directory Schema and select Reload the Schema
Any idea?
Thanks
Charlotte
"Charlotte" wrote:
Hi Steven,
Thanks for your answer.
I checked the spelling of attributes in my web.config and didn't find
any mistake.
Do you have any other suggestions on how to find out what could cause
this issue? Or how to verify that my ADAM was configured properly for the
attributes?
Thanks
Charlotte
"Steven Cheng" wrote:
Hi Charlotte,
Regarding the AD membership reset password problem, I've checked
the configuration fragment, it seems you've added all the necessary
configurations based on some existing reference about password
management for AD membership provider:
http://msdn2.microsoft.com/en-us/library/ms998360.aspx
http://blogs.msdn.com/dansellers/archive/2005/11/09/491152.aspx
Also, I found that someone else met a similar issue that was caused
by some typing error in the configuration file (some attribute value
spelled incorrectly):
#ActiveDirectoryMembershipProvider throws config error, but config
appears to be correct
http://forums.asp.net/p/1064878/1539598.aspx#1539598
I think you may also have a check in your configuration file to see
whether there are such mistakes that may cause this.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach
the most efficient resolution. The offering is not appropriate for
situations that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are
best handled working with a dedicated Microsoft Support Engineer by
contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
From: Charlotte <charlotte.vilarem@xxxxxxxxxxxxxxxxx>
Subject: Password reset configuration with
ActiveDirectoryMembershipProvide
Date: Tue, 19 Feb 2008 09:27:01 -0800
Hi,
I have an ASP.NET 2.0 web application, which is configured to use
Forms-based authentication and the ActiveDirectoryMembershipProvider for
the membership.
The users are stored in ADAM.
Everything was working properly until I wanted to add the password reset
functionality.
I extended the user schema to add the attributes necessary, and my
web.config is:
<connectionStrings>
  <add name="myADAMConnectionString"
    connectionString="LDAP://localhost:61000/OU=Users,OU=Matrix5,O=Extranet"/>
</connectionStrings>
<system.web>
  <membership defaultProvider="MyCustomProvider"
    userIsOnlineTimeWindow="15">
    <providers>
      <clear/>
      <add
        name="MyCustomProvider"
        type="System.Web.Security.ActiveDirectoryMembershipProvider,
          System.Web, Version=2.0.0.0, Culture=neutral,
          PublicKeyToken=b03f5f7f11d50a3a"
        connectionStringName="myADAMConnectionString"
        attributeMapUsername="userPrincipalName"
        attributeMapEmail="mail"
        connectionUsername="CN=MembershipProvider,OU=Users,OU=Matrix5,O=Extranet"
        connectionPassword="DataJungle!"
        connectionProtection="None"
        enableSearchMethods="true"
        requiresQuestionAndAnswer="true"
        attributeMapPasswordQuestion="blPasswordQuestion"
        attributeMapPasswordAnswer="blPasswordAnswer"
        attributeMapFailedPasswordAnswerCount="blFailedPasswordAnswerCount"
        attributeMapFailedPasswordAnswerTime="blFailedPasswordAnswerTime"
        attributeMapFailedPassswordAnswerLockoutTime="blFailedPassswordAnswerLockoutTime"
        maxInvalidPasswordAttemps="5"
        passwordAttemptWindow="10"
        passwordAnswerAttemptLockoutDuration="30"
        requiresUniqueEmail="true"
        enablePasswordReset="true"
      />
    </providers>
  </membership>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" protection="All" timeout="30"
      name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true"
      defaultUrl="matrix.aspx" cookieless="UseDeviceProfile"
      enableCrossAppRedirects="false"/>
  </authentication>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
  <trust level="Full"/>
</system.web>
When I log into the application, I get a configuration error:
Description: An error occurred during the processing of a configuration
file required to service this request. Please review the specific error
details below and modify your configuration file appropriately.
Parser Error Message: Attribute schema mappings for bad password answer
tracking must be specified to enable password reset functionality.
Source Error:
Line 58: <add
Line 59: name="MyCustomProvider"
Line 60: type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Line 61: connectionStringName="myADAMConnectionString"
Line 62: attributeMapUsername="userPrincipalName"
Source File: D:\Charlotte\web.config Line: 60
I don't understand why this doesn't work, as I can verify in ADAM-adsiedit
that the user I'm logging in as has the attributes blPasswordQuestion
(Unicode String), blPasswordAnswer (Unicode String),
blFailedPasswordAnswerCount (Integer), blFailedPasswordAnswerTime (Large
Integer/Interval), blFailedPassswordAnswerLockoutTime (Large
Integer/Interval).
Can you please help me figure out what is wrong with my configuration?
Thanks
Charlotte
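
A lint pass over a provider element like the one posted in this thread, as an added example that is not part of the original posts or of ASP.NET: it compares each attribute name with the names the ActiveDirectoryMembershipProvider documents (only a subset is listed), reports near-misses, and checks that the three bad-password-answer tracking mappings are present when password reset is enabled. The function name `lint_provider` is hypothetical, and the sample is constructed by abridging the posted element with its attribute names as posted and the password replaced.

```python
import difflib
import xml.etree.ElementTree as ET

# The three mappings the "bad password answer tracking" error refers to.
TRACKING = (
    "attributeMapFailedPasswordAnswerCount",
    "attributeMapFailedPasswordAnswerTime",
    "attributeMapFailedPasswordAnswerLockoutTime",
)
# Subset of the provider's documented attribute names (enough for this config).
KNOWN = sorted(set(TRACKING) | {
    "name", "type", "connectionStringName", "connectionUsername",
    "connectionPassword", "connectionProtection", "enableSearchMethods",
    "enablePasswordReset", "requiresQuestionAndAnswer", "requiresUniqueEmail",
    "attributeMapUsername", "attributeMapEmail", "attributeMapPasswordQuestion",
    "attributeMapPasswordAnswer", "maxInvalidPasswordAttempts",
    "passwordAttemptWindow", "passwordAnswerAttemptLockoutDuration",
})

# Constructed sample: provider element abridged from the post, password replaced.
SAMPLE = """<providers><add name="MyCustomProvider"
  connectionProtection="None" connectionPassword="placeholder"
  requiresQuestionAndAnswer="true" enablePasswordReset="true"
  attributeMapPasswordQuestion="blPasswordQuestion"
  attributeMapPasswordAnswer="blPasswordAnswer"
  attributeMapFailedPasswordAnswerCount="blFailedPasswordAnswerCount"
  attributeMapFailedPasswordAnswerTime="blFailedPasswordAnswerTime"
  attributeMapFailedPassswordAnswerLockoutTime="blFailedPassswordAnswerLockoutTime"
  maxInvalidPasswordAttemps="5"/></providers>"""

def lint_provider(xml_text):
    """Return findings for every provider <add> element in xml_text."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        attrs = add.attrib
        for key in attrs:
            if key not in KNOWN:
                near = difflib.get_close_matches(key, KNOWN, n=1, cutoff=0.8)
                hint = f" (did you mean {near[0]}?)" if near else ""
                findings.append(f"unknown attribute {key}{hint}")
        if attrs.get("enablePasswordReset", "").lower() == "true":
            for key in TRACKING:
                if key not in attrs:
                    findings.append(f"password reset enabled but {key} is missing")
        if "connectionPassword" in attrs and attrs.get("connectionProtection") == "None":
            findings.append("connectionPassword used with connectionProtection=None")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_provider(SAMPLE)))
```

Run against a full web.config, extend `KNOWN` with the remaining documented attributes first so that valid settings are not reported as unknown.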