ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration Property


Get the length of time for which a user account is locked out after the user makes too many bad password-answer attempts.

 property int PasswordAnswerAttemptLockoutDuration { int get(); };
public int PasswordAnswerAttemptLockoutDuration { get; }
member this.PasswordAnswerAttemptLockoutDuration : int
Public ReadOnly Property PasswordAnswerAttemptLockoutDuration As Integer

Property Value

The time, in minutes, that a user is locked out after providing too many incorrect password answers.



The following code example shows a Web.config entry that configures an ActiveDirectoryMembershipProvider instance to lock out users who make three failed attempts to enter the password answer in a 10-minute time window. If the user is locked out, no further attempts to answer the password question may be made for 15 minutes.

    <add name="ADService" connectionString="LDAP://ldapServer/" />  
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">  
        <add name="AspNetActiveDirectoryMembershipProvider"   
          System.Web, Version=2.0.3600, Culture=neutral,   
          passwordAnswerAttemptLockoutDuration="15" />  


When the EnablePasswordReset property is true, the user must answer the password question to reset his or her password. If the user fails to supply the correct answer a consecutive number of times equal to the MaxInvalidPasswordAttempts property value within the observation time period specified by the PasswordAttemptWindow property, the user is locked out of further attempts for the number of minutes contained in the PasswordAnswerAttemptLockoutDuration property.


This property does not set the duration a user is locked out after failing to enter a valid password. The Active Directory server handles failed logon attempts and is not affected by the value of this property. We recommend that the PasswordAnswerAttemptLockoutDuration property be set to the same value as the account lockout duration specified for too many failed logon attempts in the Active Directory configuration. This will present consistent auto-lockout behavior for users regardless of whether they were locked out due to failed logon attempts or to bad password answers.

The PasswordAnswerAttemptLockoutDuration property is set in your application's configuration file using the passwordAnswerAttemptLockoutDuration attribute of the membership Element (ASP.NET Settings Schema) element. If the property is not set in the application's configuration file, the PasswordAnswerAttemptLockoutDuration property is set to the default value of 30 minutes.

Applies to

See also