Question and Answer Password Security Option: Active Directory Membership Provider

Both the Active Directory and the SQL Server Membership Providers support the “Enable Password Reset” and “Requires Question and Answer” security options. Enabling them is not difficult, but it does take a few steps to get working.

 

There are four main steps required:

  • Enable Password Question and Password Reset
  • Map the Password Question and Answer attributes
  • Modify the schema
  • Configure a non-autogenerated machine key

Enable Password Question and Password Reset:

When the two attributes below are set to true in web.config, the user must supply a password question and an answer at the time the account is created, and the provider will refuse to reset the password unless the caller supplies that same answer again. Two cautions about the sample: connectionProtection="None" sends the connection account's credentials to the directory in clear text and is only acceptable against a lab ADAM instance (use "Secure", which requires SSL or signing and sealing, anywhere real), and the connectionPassword sits in clear text in web.config, so protect that section (aspnet_regiis -pe "system.web/membership") and give the connection account only the rights the provider needs.

<membership defaultProvider="ADAMProvider">
  <providers>
    <add
      connectionStringName="ADCnString"
      connectionUsername="CN=ADAdmin,OU=Users,O=ADAuth"
      connectionPassword="Pass@word1"
      connectionProtection="None"
      requiresQuestionAndAnswer="true"
      enablePasswordReset="true" ...

Mapping Password Question and Answer Attributes:

Both the password question and the answer are stored by the provider: in SQL Server for the SQL provider, or in Active Directory or Active Directory Application Mode (ADAM) for the Active Directory provider. The directory has no built-in attributes for them, however, so with the Active Directory provider you must first extend the schema of Active Directory or ADAM with two string attributes, and then map the provider's question and answer to those attributes in web.config as shown below:

<membership defaultProvider="ADAMProvider">
  <providers>
    <add
      connectionStringName="ADCnString"
      connectionUsername="CN=ADAdmin,OU=Users,O=ADAuth"
      connectionPassword="Pass@word1"
      connectionProtection="None"
      requiresQuestionAndAnswer="true"
      enablePasswordReset="true"
      attributeMapPasswordQuestion="PwdQuestion"
      attributeMapPasswordAnswer="PwdAnswer" ...

 

Example Schema Modification:

Creating the PwdQuestion and PwdAnswer attributes defined above is not difficult with ADSI Edit connected to the ADAM schema partition, but it takes a while to work out which values the attribute schema wizard requires. Below are values you can use in Active Directory or ADAM. Note that the attribute IDs shown are under Microsoft's OID arc (1.2.840.113556); for a production directory, allocate OIDs from your own organization's arc so they cannot collide with attributes Microsoft ships later. Once both attributes exist, add them to the mayContain list of the user class (or of an auxiliary class attached to it), reload the schema cache, and grant the provider's connection account write access to them; without the mayContain change, user objects cannot hold the values at all.

cn: PwdQuestion
oMSyntax: 64 (Unicode string)
lDAPDisplayName: PwdQuestion
isSingleValued: TRUE
attributeSyntax: 2.5.5.12 (Active Directory syntax for a Unicode string)
attributeID: 1.2.840.113556.1.6.1.1.6221 (a unique object identifier, OID)

cn: PwdAnswer
oMSyntax: 64 (Unicode string)
lDAPDisplayName: PwdAnswer
isSingleValued: TRUE
attributeSyntax: 2.5.5.12
attributeID: 1.2.840.113556.1.6.1.1.6222

The following MSDN pages define these attribute values:

oMSyntax:
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/choosing_a_syntax.asp

attributeSyntax:
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/mapping_active_directory_syntax_to_adsi_syntax.asp

attributeID:
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/object_identifiers.asp
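The same schema change scripted with ADSI from PowerShell, as an added example that is not part of the original post. It assumes an ADAM / AD LDS (or AD) instance listening on localhost:389, a caller with schema-admin rights, a User class present in that schema (in AD LDS that means MS-User.ldf was imported), and it reuses the post's example OIDs as placeholders; the function name New-UnicodeSchemaAttribute is mine. Besides creating the two attributes, it does the two things the ADSI Edit wizard leaves to you: appending them to the user class's mayContain and reloading the schema cache.

```powershell
# Added example, not from the original post. Creates the PwdQuestion / PwdAnswer
# attributes, exposes them on the User class and reloads the schema cache.
# Assumptions: directory on localhost:389, schema-admin rights, User class exists,
# OIDs are placeholders (allocate from your own arc for a real deployment).

$server = "localhost:389"

$rootDse  = [ADSI]"LDAP://$server/RootDSE"
$schemaNC = $rootDse.Get("schemaNamingContext")   # AD LDS: CN=Schema,CN=Configuration,CN={guid}
$schema   = [ADSI]"LDAP://$server/$schemaNC"

function New-UnicodeSchemaAttribute {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Oid
    )
    # attributeSyntax 2.5.5.12 + oMSyntax 64 is the Unicode-string pairing used in the post.
    $attr = $schema.Create("attributeSchema", "CN=$Name")
    $attr.Put("lDAPDisplayName", $Name)
    $attr.Put("attributeID",     $Oid)
    $attr.Put("attributeSyntax", "2.5.5.12")
    $attr.Put("oMSyntax",        64)
    $attr.Put("isSingleValued",  $true)
    $attr.SetInfo()
    return $attr
}

$null = New-UnicodeSchemaAttribute -Name "PwdQuestion" -Oid "1.2.840.113556.1.6.1.1.6221"
$null = New-UnicodeSchemaAttribute -Name "PwdAnswer"   -Oid "1.2.840.113556.1.6.1.1.6222"

# Reload the schema cache so the new attributes can be referenced right away.
$rootDse.Put("schemaUpdateNow", 1)
$rootDse.SetInfo()

# Creating the attributes is not enough: user objects may only carry attributes
# their class allows. Append both to mayContain of User (ADS_PROPERTY_APPEND = 3).
$userClass = [ADSI]"LDAP://$server/CN=User,$schemaNC"
$userClass.PutEx(3, "mayContain", @("PwdQuestion", "PwdAnswer"))
$userClass.SetInfo()

$rootDse.Put("schemaUpdateNow", 1)
$rootDse.SetInfo()

# Verify by reading the definitions back from the schema partition.
foreach ($n in "PwdQuestion", "PwdAnswer") {
    $a = [ADSI]"LDAP://$server/CN=$n,$schemaNC"
    "{0}: attributeID={1} attributeSyntax={2} oMSyntax={3} isSingleValued={4}" -f `
        $n, $a.Get("attributeID"), $a.Get("attributeSyntax"), $a.Get("oMSyntax"), $a.Get("isSingleValued")
}
```

Run it once against the instance that holds the schema (for a real Active Directory forest that is the schema master, and the account must be in Schema Admins). The provider's connection account still needs write permission on the two new attributes of user objects; that is an ACL change on the users container, not a schema change.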

Configure non-autogenerated Machine Key:

Once everything above is configured you will still receive the following error: “You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key”.

The reason is that the provider stores the answer in encrypted form in the directory. If it were stored in clear text, anyone with read rights to the attribute could answer the question, reset the password and take over the account. The encryption uses the key in <machineKey />, and because an autogenerated key is specific to the machine that generated it (a second web server in the farm could never decrypt the stored answers), the provider requires you to specify the decryption key explicitly.

You therefore need a <machineKey> with an explicit decryptionKey. Set it in machine.config if it should cover every application on the server, or in the application's web.config if it should apply only to your ASP.NET 2.0 application, as shown below:

Sample key (for illustration of the format only; generate your own rather than reusing this one):

<system.web>
  <machineKey
    validationKey="21F0F891A36D12A278DB4FD8699C164EDBDA1FF9713A546C133CBE26DB026C5A5A10C884EF312DE5123959C8D96638423F8A6A3AE77F39E2B7A2596749B8C275"
    decryptionKey="D868653A8B663BD752B01277E0465C0788D5BB9A5A9A405E"
    validation="SHA1"/> ...

More information on the machine key in ASP.NET 2.0 can be found at the following URL:

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp

There are also sites that will generate a machine key for you, such as:

https://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.aspx

Bear in mind that a key produced by a web site has been seen by that site, and this key is what protects every stored password answer. Generate it locally with a cryptographic random number generator instead, and once it is in web.config protect the section with aspnet_regiis -pe "system.web/machineKey" so the key is not readable by anyone who can open the file.
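Generating the key locally, as an added example that is not part of the original post. It uses the .NET CSPRNG, produces a 64-byte validationKey (the same size as the post's sample, which suits the SHA1 HMAC validation setting) and a 32-byte decryptionKey, and sets decryption="AES" explicitly so the 32-byte key selects AES-256 rather than leaving the algorithm choice to "Auto". The function names New-HexKey and New-MachineKeyElement and the "/YourApp" path in the aspnet_regiis comment are mine.

```powershell
# Added example, not from the original post: build a non-autogenerated
# <machineKey> element from locally generated random bytes.

function New-HexKey {
    param([Parameter(Mandatory=$true)][int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # CSPRNG
    $rng.GetBytes($bytes)
    # Upper-case hex without separators, the format machineKey expects.
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "")
}

function New-MachineKeyElement {
    $validationKey = New-HexKey -ByteLength 64   # 128 hex chars, HMAC-SHA1 validation
    $decryptionKey = New-HexKey -ByteLength 32   # 64 hex chars, AES-256 with decryption="AES"
    return @"
<machineKey
    validationKey="$validationKey"
    decryptionKey="$decryptionKey"
    validation="SHA1"
    decryption="AES" />
"@
}

$element = New-MachineKeyElement
$element

# Sanity check on the output before it goes anywhere near web.config:
# hex characters only, at the intended lengths.
if ($element -notmatch 'validationKey="[0-9A-F]{128}"') { throw "unexpected validationKey format" }
if ($element -notmatch 'decryptionKey="[0-9A-F]{64}"')  { throw "unexpected decryptionKey format" }

# After pasting the element into <system.web>, encrypt that section so the key
# is not stored in clear text (run from the .NET 2.0 Framework directory;
# "/YourApp" is a placeholder for the IIS application path):
#   aspnet_regiis -pe "system.web/machineKey" -app "/YourApp"
```

Every server in a web farm that shares the directory must carry the same decryptionKey, otherwise answers encrypted on one machine cannot be verified on another; copy the generated element to each server (or to machine.config on each) rather than generating a fresh one per box.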

 

You are now ready to use the Password Question and Password Reset security options with ADAM. As a final check, create a user through the provider and read the PwdAnswer attribute back with ADSI Edit: it should not contain the answer the user typed in clear text.

In an upcoming blog post I will discuss how to enable other advanced password features, such as password lockout after a number of invalid password attempts.