Develop Reference

MVC3 Intranet Membership

I am building a MVC3 Intranet application using the default MembershipProvider, ProfileProvider, and RoleProvider connected to a SQL Server dB. If I use Forms authentication, the roles provider populates properly. When I switch to Windows authentication, the roles provider no longer populates. This is tested by putting a breakpoint in the code and looking at "Roles.GetRolesForUser()". What I suspect is happening is that the userid that is being passed to the database is 'DOMAIN\USERID' (this is what is in User.Identity.Name), whereas what is in the database is just the userid.
Since everything is default, there is not much code to post.
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers>
<clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<profile>
<providers>
<clear />
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>
<properties></properties>
</profile>
<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider" cacheRolesInCookie="true">
<providers>
<clear />
<add connectionStringName="ApplicationServices" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
My first thought, is can we just remove the domain before the identity is passed to the membership provider, but User.Identity.Name is get only.
What would be the best route at correcting this, without having to change my entire database to have domain\userid instead of just userid? Can this be done without having to write a custom membership/profile/role provider?

If you just want to use Windows Authentication, then you don't want to be use the SqlRoleProvider, but instead want to use the WindowsTokenRoleProvider, which will return their AD roles. (There is no reason to use a membership provider because when using Windows Authentication you can't get to the site without being authenticated already)
If you want to use Windows Authentication, but use SqlRoles then you probably want to do something like this:
http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx

The user name or password provided is incorrect. in MVC 3 Internet Application

I have a "Internet Application" - "A default ASP.NET MVC 3 project with an account controller that uses forms authentication." called MyMv3App. I run the site in IIS Express using Ctrl + F5 and then I go to localhost:10382/Account/Register and I create a user "test1". Once the user is created I'm redirected to the Home page. I log off. Then I go to localhost:10382/Account/LogOn and type the username and password for the user "test1" and click on "Log On" button and the user is logged in. Cool, everything OK so far!
Next I add a new C# "Class Library" project and I name it MyCustomMembershipProvider. Then I download the ProviderToolkitSamples.msi from here http://weblogs.asp.net/scottgu/archive/2006/04/13/442772.aspx, run the msi installer, and go to the folder C:\Program Files (x86)\ASP.NET Provider Toolkit SQL Samples where all the files get installed. I then add these files to my C# Class Library project MyCustomMembershipProvider I just created, SQLMembershipProvider.cs, SecUtil.cs, SqlConnectionHelper.cs and SR.cs. (I need all these files or the C# Class Library project MyCustomMembershipProvider won't compile). Then I add a reference to System.configuration, System.Web and System.Web.ApplicationServices to the C# Class Library project MyCustomMembershipProvider. Then I build the project and then I go to MyMvc3App and
I add a reference to the MyCustomMembershipProvider project.
Note: Forgot to mention that I changed the namespace for all four files in the project
MyCustomMembershipProvider to "namespace MyCustomMembershipProvider" and also I renamed the class name to MyCustomMembershipProvider. And also in SQLMembershipProvider.cs line 110 I changed it from name = "SqlMembershipProvider"; to name = "MyCustomMembershipProvider";
Next I change the web.config file membership section from this:
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
to this:
<membership defaultProvider="MyCustomMembershipProvider">
<providers>
<clear/>
<add name="MyCustomMembershipProvider" type="MyCustomMembershipProvider.MyCustomMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
The entire web.config looks like this now:
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=152368
-->
<configuration>
<connectionStrings>
<add name="ApplicationServices"
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
providerName="System.Data.SqlClient" />
</connectionStrings>
<appSettings>
<add key="webpages:Version" value="1.0.0.0"/>
<add key="ClientValidationEnabled" value="true"/>
<add key="UnobtrusiveJavaScriptEnabled" value="true"/>
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership defaultProvider="MyCustomMembershipProvider">
<providers>
<clear/>
<add name="MyCustomMembershipProvider" type="MyCustomMembershipProvider.MyCustomMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>
</profile>
<roleManager enabled="false">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages"/>
</namespaces>
</pages>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>
Now I do the exact same thing I did in the first paragraph; I go to localhost:10382/Account/Register and I create a user, this time I call the user
"test2". Once the user is created I'm redirected to the Home page. I log off. Then I go to
localhost:10382/Account/LogOn to log in again and type the username and password for the user "test2" and click on "Log On" button and I get the error message:
Login was unsuccessful. Please correct the errors and try again.
The user name or password provided is incorrect.
Why? What did I miss? I haven't touched anything besides the namespace and that name variable in SQLMembershipProvider.cs in line 110.
I tried to understand why so I googled and found that adding the machineKey element might work. So I went to this site http://www.developmentnow.com/articles/machinekey_generator.aspx and generated a ASP.NET 2.0 machineKey and copy pasted it into web.config's system.web element:
<machineKey
validationKey="A5E72C3BF96D34B9401278890361AA0949EAE806B124573AC3C1A8D77936B4E42BB1374D1DA443706C4E575B7F1234CB48F4CF52444CB4B1F343994752416569"
decryptionKey="47869B2D1F1D3EBC92FCC4C2D7B0EFB707535925E116AEF85F470E138A6C8CB5"
validation="SHA1" decryption="AES"
/>
I once again did the exact same thing as before; I go to localhost:10382/Account/Register and I create a user, I'm calling the user "test3" this time. Once the user is created I'm redirected to the Home page. I log off. Then I go to localhost:10382/Account/LogOn and type the username and password for the user "test3" and click on "Log On" button and BAM! the user is once again logged in!?
Why did I have to manually configure a machineKey with a generated validationKey and decryptionKey in web.config for the MyCustomMembershipProvider to be able to work with the login page? As far as I have seen there is not a single article / page / blog that talks about adding a machineKey element to your web.config for your custom membership provider to be able to work!
UPDATE 1: Adding hashAlgorithmType="SHA1" works as well:
<membership defaultProvider="MyCustomMembershipProvider" hashAlgorithmType="SHA1">
Funny thing though is that MSDN says SHA1 is the default!?
hashAlgorithmType
Optional String attribute.
Specifies the name of the encryption algorithm that is used to hash password values.
The value of this attribute corresponds to the name attribute of a nameEntry element in the cryptoNameMapping configuration section. For information about specifying a custom hash algorithm, see Mapping Algorithm Names to Cryptography Classes.
The default is SHA1.
UPDATE 2:
After reading up on Microsoft latest technologies I decided to share some of the findings I discovered regarding their latest Mebership provider; SimpleMembership. I'm at the stage in my personal project where I've decided to drop the CustomMembershipProvider from the ASP.NET 2.0 days I built and use SimpleMembership provider instead. Why? Well you have all the info you'll ever want to know in the following blogpost by Jon Galloway. I'm also adding some more links to resources worth checking out. According to Microsoft SimpleMembership is the successor to ASP.NET 2.0 Membership.
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
http://mvccentral.net/Story/Details/tools/kahanu/securityguard-nuget-package-for-asp-net-membership
http://blog.longle.net/2012/09/25/seeding-users-and-roles-with-mvc4-simplemembershipprovider-simpleroleprovider-ef5-codefirst-and-custom-user-properties/
http://blog.osbornm.com/archive/2010/07/21/using-simplemembership-with-asp.net-webpages.aspx
http://blogs.msdn.com/b/rickandy/archive/2012/08/15/initializesimplemembership-attribute-and-simplemembership-exceptions.aspx

Using System.Web.Providers with Sql Compact

Following the article shanselman i'm trying to use "System.Web.Providers" so you can use memberships, rules and profiles with Sql Server Compact.
I installed via Nuget, created a Users.sdf database and copied to the App_Data folder.
My Web.config was as follows:
<profile defaultProvider="DefaultProfileProvider">
<providers>
<clear />
<add
name="DefaultProfileProvider"
type="System.Web.Providers.DefaultProfileProvider"
connectionStringName="DefaultConnection"
applicationName="/" />
</providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<clear />
<add connectionStringName="DefaultConnection" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider" />
</providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
<providers>
<clear />
<add connectionStringName="DefaultConnection" applicationName="/"
name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider" />
</providers>
</roleManager>
<sessionState mode="Custom" customProvider="DefaultSessionProvider">
<providers>
<add
name="DefaultSessionProvider"
type="System.Web.Providers.DefaultSessionStateProvider"
connectionStringName="DefaultConnection"
applicationName="/" />
</providers>
</sessionState>
<connectionStrings>
<add name="Sql_CE" connectionString="Data Source=|DataDirectory|\Users.sdf;"
providerName="System.Data.SqlServerCe.4.0"/>
</connectionStrings>
I can not use "aspnet_regsql" because it generates the tables to a SQL Server based
The following error occurs when trying to access the "Web Site Administration Tool" on page security
There is a problem with your selected
data store. This can be caused by an
invalid server name or credentials, or
by insufficient permission. It can
also be caused by the role manager
feature not being enabled. Click the
button below to be redirected to a
page where you can choose a new data
store.
The following message may help in
diagnosing the problem: The
pre-application start initialization
method Start on type
WebMatrix.WebData.PreApplicationStartCode
threw an exception with the following
error message: This method cannot be
called during the application's
pre-start initialization stage.

First rename your connection string to DefaultConnection and remove the \ in front of Users.sdf like so:
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=|DataDirectory|Users.sdf;"
providerName="System.Data.SqlServerCe.4.0"/>
</connectionStrings>
You say that you
created a Users.sdf database
how? The Providers framework and SqlCe should do this for you. Try deleting the Users.sdf from the App_Data folder and try accessing the "Web Site Administration Tool" again. The provider engine should recreate it for you.

Asp.net Web Site Administration Tool with SqlCeMembership

I am developing an application in MVC 3.
I installed this provider via Nuget .
Basically, it allows to use any part of memberships, rules and profiles with a .sdf (compact) database.
I need the "Web Site Administration Tool" use this provider. But I can not use it.
Already checked the web.config and everything is ok.
When I open the "Web Site Administration Tool" on the Security I click test (any provider) and the error happens.
The following images.
Error when clicking test
"Could not establish a connection to the database.
If you have not yet created the SQL Server database, exit the Web Site Administration tool, use the aspnet_regsql command-line utility to create and configure the database, and then return to this tool to set the provider."
Here part of my web.config
<authentication mode="Forms" />
<membership>
<providers>
<add
connectionStringName="SqlCeServices"
applicationName="/"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"
passwordFormat="Hashed"
writeExceptionsToEventLog="false"
name="SqlCeMembershipProvider"
type="ErikEJ.SqlCeMembershipProvider, ErikEJ.SqlCeMembership" />
</providers>
</membership>
<profile enabled="false">
<providers>
<clear />
<add
name="SqlCeProfileProvider"
type="ErikEJ.SqlCeProfileProvider"
connectionStringName="SqlCeServices"
applicationName="/" />
</providers>
</profile>
<roleManager>
<providers>
<add
connectionStringName="SqlCeServices"
applicationName="/"
writeExceptionsToEventLog="false"
name="SqlCeRoleProvider"
type="ErikEJ.SqlCeRoleProvider, ErikEJ.SqlCeMembership" />
</providers>
</roleManager>
<connectionStrings>
<add name="SqlCeServices" connectionString="data source=|DataDirectory|\SqlCeAspnetdb.sdf" />
</connectionStrings>

I did alittle research and found this forum post:
http://social.msdn.microsoft.com/Forums/is/sqlce/thread/8024acc3-8418-4891-875b-8626ce9ba376.
It seems that ASPNETDB.MDF doesnt support SQL Server Compact due to the reasons specified. Can you not use SQL Server Express?

How do I remove the session cookie in ASP.NET 2010?

I have an ASP.NET 2010 web app that uses the default membership controls. When I log in, the Login control on the Master reveals a Log out control. When I click that, it does redirect me to Default page, but I notice that if I naviagte back to an authenticated page, it lets me in. So I added the following code when the log out link is clicked to ensure the cookie is killed,
FormsAuthentication.SignOut()
Session.Abandon()
But I can still navigate to the authenticated page. It only stops me if I actually close the browser and reopen it.
Here is my web.config....
<authentication mode="Forms">
<forms
name=".ASPXAUTH"
loginUrl="~/Account/Login.aspx"
protection="All"
timeout="2880"
slidingExpiration="true"
defaultUrl="~/Authenticated/User/UserHome.aspx"
/>
</authentication>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
passwordFormat="Hashed"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="ApplicationServices"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
applicationName="/"/>
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
</providers>
</profile>
<roleManager enabled="true">
<providers>
<clear />
<add connectionStringName="ApplicationServices" applicationName="/"
name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>

Try this:
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-1)
FormsAuthentication.SignOut()
Session.Abandon()
// Now, forward to a safe unauthenticated page if SignOut() doesn't already do this.
Response.Redirect("/default.aspx")
This attempts to set the ASP.NET_SessionID cookie to expire immediately. The browser should remove it from its collection. I've not run this up in VS2010, so please take my typing with a grain of salt.
Let me know if this works for you.