I'm looking at locking out users after incorrect password attempts (maxInvalidPasswordAttempts & passwordAttemptWindow from Membership) I believe that the UmbracoMembershipProvider and the UsersMembershipProvider do not provide this facility. I have tried adding those values to them with no effect.
I have looked over this forum for information about this and noted several forum posts, but I am now more confused than when I started.
Is, from what I have read is it correct, I will need to install the default ASP.NET Membership provider and use that, negating the ability to use the members section of the Umbraco Admin? Also meaning I would have to create standard custom screens to create/update users, reset users etc...?
You say about changing the UmbracoSettings.config, which I have open now, but I cannot see any attribute that would be required for this to work?
I have logged in and created a member, but now when I click on their ID in the members list I get "No user with name 'dg-2102' exists". Is this part of the problem of a setting missing from the UmbracoSettings.config?
With your help I have solved it. I installed the ASP.NET membership (aspnet_regsql) into the same database that my Umbraco installation is running from. I changed the default provider for Umbraco to a new one pointing at the the new membership installation.
I changed the defaultBackOfficeProvider back to the Umbraco setting:
<providers>
<users>
<!-- if you wish to use your own membershipprovider for authenticating to the umbraco back office -->
<!-- specify it here (remember to add it to the web.config as well) -->
<DefaultBackofficeProvider>UsersMembershipProvider</DefaultBackofficeProvider>
<!--<DefaultBackofficeProvider>AlabamaCustomMembershipProvider</DefaultBackofficeProvider>-->
</users>
</providers>
I then deleted the version number from the web.config file (umbracoConfigurationStatus) and ran through the installation prcedure again (/default/install.aspx).
This is now working with the maxInvalidPasswordAttempts and a lockout. If anyone is interested I also have created a custom section with various membership functions (unlock user etc...) for the application.
Thanks again, much deserved karma coming your way.
For your information, I think it was possible to do this using the default UmbracoMembershipProvider, by adding some extra properties to your MemberType and linking them to the umbraco membership provider settings in the web.config file.
In your case, I think you just need to add a property "umbracoLockPropertyTypeAlias" to your MemberType.
I used this to solve a similar problem, and if it works for you, it is much more easy than writing extra code and changing providers in your web.config. Plus, in this case, the Umbraco member management section keeps working like a charm and the extra properties appear on your member details (you can lock-unlock users from there) :-)
@Michael: Great answer as well... and sticks with umbraco standards..
@Darryl: Michaels answer is awesome.. I was under the impression you wanted to use a seperate provider, but it now appears you only wanted to expose some additional properties.. I recommend Michaels solution.
It does look awesome. The site is now working as per the provider I had previously installed. I will definately look at Michael's solution in the future.
Membership & Umbraco
Hi guys,
I'm looking at locking out users after incorrect password attempts (maxInvalidPasswordAttempts & passwordAttemptWindow from Membership) I believe that the UmbracoMembershipProvider and the UsersMembershipProvider do not provide this facility. I have tried adding those values to them with no effect.
I have looked over this forum for information about this and noted several forum posts, but I am now more confused than when I started.
Is, from what I have read is it correct, I will need to install the default ASP.NET Membership provider and use that, negating the ability to use the members section of the Umbraco Admin? Also meaning I would have to create standard custom screens to create/update users, reset users etc...?
A bit of guidance would be much appreciated.
Thanks.
You can build your own membership provider and have it handled within the cms using umbracos ui (no custom form).
You need to point to your custom provider in the web.config and umbracoSettings.config.
Hi Daniel,
Thanks for your response. I have installed the ASP.NET membership database and changed the web.config:
<membership defaultProvider="AlabamaCustomMembershipProvider" userIsOnlineTimeWindow="15"> <providers> <clear /> <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Another Type" passwordFormat="Hashed" /> <add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" passwordFormat="Hashed" /> <add name="AlabamaCustomMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="AlabamaConnString" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="3" passwordAttemptWindow="5"/> </providers> </membership>You say about changing the UmbracoSettings.config, which I have open now, but I cannot see any attribute that would be required for this to work?
I have logged in and created a member, but now when I click on their ID in the members list I get "No user with name 'dg-2102' exists". Is this part of the problem of a setting missing from the UmbracoSettings.config?
Thanks again.
Search in the umbracoSettings.config for DefaultBackofficeProvider
The reason you don't see the user is because of this setting not be set to your provider.
Let me know if all works out.
Hi Daniel,
I found that property, but when I updated it to reflect the new provider I could not log-in using my Umbraco admin password!
Thanks.
Darryl.. my bad.. I go the UserProvider and MemberProvider mixed up... Change the setting back in the umbracoSettings.config.
Add the roleprovider in the web.config, like below:
<roleManager enabled="true" defaultProvider="AlabamaCustomRoleProvider"> <providers> <clear /> <add name="UmbracoRoleProvider" type="umbraco.providers.members.UmbracoRoleProvider" /> <add name="AlabamaCustomRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionString="AlabamaConnString"/> </providers> </roleManager>Hi Daniel,
After making these changes, do I need to run through set-up again? as once I do this I cannot login using the admin password.
Cheers.
You will be able to login the backoffice. just change the DefaultBackofficeProvider back to UsersMembershipProvider
Hi Daniel,
Thanks for your help with this.
With your help I have solved it. I installed the ASP.NET membership (aspnet_regsql) into the same database that my Umbraco installation is running from. I changed the default provider for Umbraco to a new one pointing at the the new membership installation.
I changed the roleManager to:
<siteMap defaultProvider="UmbracoSiteMapProvider" enabled="true"> <providers> <clear /> <add name="UmbracoSiteMapProvider" type="umbraco.presentation.nodeFactory.UmbracoSiteMapProvider" defaultDescriptionAlias="description" securityTrimmingEnabled="true" /> </providers> </siteMap>I changed the defaultBackOfficeProvider back to the Umbraco setting:
<providers> <users> <!-- if you wish to use your own membershipprovider for authenticating to the umbraco back office --> <!-- specify it here (remember to add it to the web.config as well) --> <DefaultBackofficeProvider>UsersMembershipProvider</DefaultBackofficeProvider> <!--<DefaultBackofficeProvider>AlabamaCustomMembershipProvider</DefaultBackofficeProvider>--> </users> </providers>I then deleted the version number from the web.config file (umbracoConfigurationStatus) and ran through the installation prcedure again (/default/install.aspx).
This is now working with the maxInvalidPasswordAttempts and a lockout. If anyone is interested I also have created a custom section with various membership functions (unlock user etc...) for the application.
Thanks again, much deserved karma coming your way.
Hi Darryl,
For your information, I think it was possible to do this using the default UmbracoMembershipProvider, by adding some extra properties to your MemberType and linking them to the umbraco membership provider settings in the web.config file.
See this wiki post for more information: our.umbraco.org/.../umbracomembershipprovider-properties
In your case, I think you just need to add a property "umbracoLockPropertyTypeAlias" to your MemberType.
I used this to solve a similar problem, and if it works for you, it is much more easy than writing extra code and changing providers in your web.config. Plus, in this case, the Umbraco member management section keeps working like a charm and the extra properties appear on your member details (you can lock-unlock users from there) :-)
Cheers,
Michael.
@Michael: Great answer as well... and sticks with umbraco standards..
@Darryl: Michaels answer is awesome.. I was under the impression you wanted to use a seperate provider, but it now appears you only wanted to expose some additional properties.. I recommend Michaels solution.
It does look awesome. The site is now working as per the provider I had previously installed. I will definately look at Michael's solution in the future.
Is this possible to do the same for backoffice , lockign the user if they attempt 3 wrong passwords
is working on a reply...