Membership
Membership is a system feature included in ASP.NET which provides secure credential storage for application users. It also provides an API which simplifies the task of validating user credentials with Forms Authentication. A membership provider abstracts the underlying store used to maintain user credentials. ASP.NET ships with two membership providers:
1. Active Directory Membership Provider
2. SQL Membership Provider
Additionally, we can develop our own membership provider by implementing the MembershipProvider abstract class.
Apart from the Active Directory Membership Provider and the SQL Membership Provider, ASP.NET has a simpler membership system, Simple Membership, where we create the database tables which handle user authentication locally with a user name and password and externally with third-party services like Facebook and Twitter.
ASP.NET Membership and Roles Configuration
For configuring ASP.NET Membership, we first need to define where to store user profiles. When we are using Simple Membership, users are stored in the UserProfile or webpages_Membership table, or in the webpages_OAuthMembership table for externally authenticated users. Roles are stored in the webpages_Roles table.
If users will be stored in Active Directory then we need the Active Directory Membership Provider, and if users will be stored in SQL Server then we need the SQL Membership Provider or Simple Membership. If users will be stored in a different system then we need to create a custom membership provider that implements the MembershipProvider class.
Additionally, for using either of the membership providers, we need to remove the configuration for Simple Membership. This is required because membership providers based on Active Directory or SQL Server are different from Simple Membership and the application can use only one.
Active Directory Membership Provider Configuration
For using Active Directory, the configuration needs an LDAP (Lightweight Directory Access Protocol) connection and a user account with the necessary permissions for managing users in the Active Directory. The code in Figure 1 below shows the default configuration for the Active Directory Membership Provider in the Web.config file of the application.
Figure 1. Default Configuration for ActiveDirectoryMembershipProvider
The LDAP connection string for the Active Directory user store has the following format:
LDAP://Server/Userdn
Where:
• Server is the IP address or name of the server which is hosting the directory.
• Userdn is the distinguished name (DN) of the Active Directory user store. It consists of CN=Users, which is the user store container name, followed by the partition, which is derived from the fully qualified domain name.
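The Web.config fragment below is an added example of the configuration described above; it is not the page's Figure 1. The server name dc01.example.local, the domain partition DC=example,DC=local and the service account EXAMPLE\svc-membership are constructed placeholders.

```xml
<!-- Added example (not the page's Figure 1): ActiveDirectoryMembershipProvider in Web.config.
     Server, domain components and the service account are constructed placeholders. -->
<configuration>
  <connectionStrings>
    <!-- LDAP://Server/Userdn: the CN=Users container followed by the domain partition -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.example.local/CN=Users,DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" />
    </authentication>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <!-- clear inherited providers so only this one is active -->
        <clear />
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="EXAMPLE\svc-membership"
             connectionPassword="REPLACE_WITH_SECRET"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The service account only needs the rights the provider actually uses against the Users container, and the section holding connectionPassword should be protected with ASP.NET protected configuration (aspnet_regiis -pef) rather than left in clear text.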
SQL Membership Provider Configuration
Before using the SQL Membership Provider, we need to configure the SQL Server database which will store the accounts of the users. For creating the supporting database, tables and stored procedures, use the following steps:
1. Open the Developer Command Prompt of Visual Studio 2012. Based on the operating system, use the following instructions:
• For Windows 7, go to Start => All Programs => Microsoft Visual Studio 2012 => Visual Studio Tools => Developer Command Prompt for VS 2012.
• In Windows 8, press Windows Key + F (or just press the Windows Key) to open the search box. Type Developer Command Prompt and select "Apps".
2. Run the command below:
aspnet_regsql.exe -E -S localhost -A m
Where:
• -E indicates authentication using the Windows credentials of the currently logged-in user.
• -S indicates the name of the server where the database is installed.
• -A m indicates adding membership support. It creates the tables and stored procedures required for the membership provider.
In the Web.config file, we need to add the configuration given in Figure 2. Please note that we need a connection string for the target database where the tables and stored procedures are created.
Figure 2. SQL Membership Provider Configuration in Web.config file
The properties for configuring SQL Membership are as follows:
• applicationName: It specifies the unique identifier of the application.
• enablePasswordRetrieval: It specifies whether passwords can be retrieved by users or not.
• enablePasswordReset: It specifies whether users can reset their password or not.
• requiresQuestionAndAnswer: It specifies whether the provider is configured to require the user to answer a password question for password reset and retrieval or not.
• requiresUniqueEmail: It specifies whether user email addresses must be unique or not.
• passwordFormat: It can be Hashed, Encrypted or Clear. Clear passwords are stored in plain text. This improves the performance of password storage and retrieval, but it is less secure as passwords are easy to read if the data source is compromised. Encrypted passwords are encrypted when stored and decrypted at the time of password comparison or password retrieval. This requires additional processing for password storage and retrieval, but it is very secure as the passwords can't be determined if the data source is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value from the database for verification. Hashed passwords can't be retrieved.
We can add additional properties for strengthening passwords such as MaxInvalidPasswordAttempts, MinRequiredNonAlphanumericCharacters, MinRequiredPasswordLength and PasswordAttemptWindow.
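The Web.config fragment below is an added example, not the page's Figure 2: it registers the SqlMembershipProvider twice, once with the weak settings the property list warns about and once with the hardened settings, so the two can be compared attribute by attribute. The connection string, the provider names and the application name are constructed placeholders.

```xml
<!-- Added example (not the page's Figure 2): weak and hardened SqlMembershipProvider
     side by side. Connection string, provider and application names are placeholders. -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Data Source=localhost;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings>
    <!-- Simple Membership must be switched off before a provider-based membership is used -->
    <add key="enableSimpleMembership" value="false" />
  </appSettings>
  <system.web>
    <!-- hashAlgorithmType overrides the SHA1 default used for passwordFormat="Hashed" -->
    <membership defaultProvider="HardenedSqlProvider" hashAlgorithmType="SHA256">
      <providers>
        <clear />
        <!-- WEAK: clear-text storage, retrievable passwords, no lockout, no complexity rule -->
        <add name="WeakSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/MyApp"
             passwordFormat="Clear"
             enablePasswordRetrieval="true"
             requiresQuestionAndAnswer="false"
             maxInvalidPasswordAttempts="2147483647"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0" />
        <!-- HARDENED: salted one-way hash (retrieval is impossible and must stay false),
             reset with question/answer, lockout after 5 failures within 10 minutes -->
        <add name="HardenedSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/MyApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Combining passwordFormat="Hashed" with enablePasswordRetrieval="true" is rejected by the provider at startup, and passwordFormat="Encrypted" is only as strong as the machineKey that encrypts it, so that key must be explicitly configured and kept out of the database host.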