ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources

84 Comments

• Yet another excellent post. Lot's of valuable info to go through.
  

• Scott, your continued and dedicated presence at the ASP.NET Forums has made a huge positive impact there. Thanks!! And thank you for your frequent and highly informative blog posts as well. They are really helping a lot of people come up to speed on ASP.NET 2.0.
  

• I am speech-less,
  
  You are the man.
  
  
  

• Hi Scott, you have an excellent blog. It is very useful for me.I hop you continue with this work..
  
  
  
  The best wishes for you from Peru :D
  
  
  
  Sorry for my poor english.
  

• Thanks for your fabulous contributions!
  

• Someone on some other site said they think Microsoft has an entire department named "Scott Gu". I concur!
  

• If possible kindly post such detailed blogs on Profiles also. A detailed blog on " TableProfileProvider " is most welcomed.
  

• Our application doesn't fall neatly into the Membership/Roles model because Roles and the Rights assigned to them are user configurable. We looked into extending the Membership model all the way to Membership/Roles/Rights, but we couldn't find enough information. Any pointers.
  
  
  
  For example, instead of User.IsInRole("Managers"), we want User.CanDo("EditUsers"), where "EditUsers" can be defined on any one of the Roles that the User is assigned to.
  
  
  
  Thanks!
  

• Sweet, Thanks!
  
  

• Hi Scott,
  
  Fantastic set of resources, thank you very much!
  
  I’ve already written a couple of custom Membership and Role providers to provide facades for older databases in newer web apps, and found the process pretty painless and sensible. What I'm looking for is guidance on what's sort of the inverse of this process - how best to write new database-driven apps that sit as "team players" in the provider-model world... I haven’t read through all of these resources yet, so there might be a pointer to my questions somewhere in there, but here's what's been going through my head recently:
  
  
  
  Suppose I want my customers to be able to build web apps with my "Product X". Maybe Product X is even an instance of a Provider itself; let us call it CustomComplexBusinessLogicProvider or something. I want my customers to be able to use whatever Membership, Role or any other providers they like, so the product can be as flexible in deployment as possible. Some customers might want to use their existing Active Directory so they don't have to manage multiple user sets, others might want a standalone web app that could just use the SqlMembershipProvider.
  
  
  
  In an old fashioned monolithic app I’d have a "Users" table in my database, and lots of other tables would have foreign keys for users - any complex app is going to have lots of relationships between users of the system and other entities. But in the provider world, my users and roles live in systems that are unknown to me. I can no longer perform joins across my users and roles tables with the rest of my domain-specific tables.
  
  
  
  Do I have a "stub" Users table in my database to act as a bridge, to provide foreign keys to other tables? Does MembershipUser.ProviderUserKey offer a means of establishing identity across providers? This property is typed object - it might be a GUID in one provider and an int in another. I guess a stub table could be like
  
  CREATE TABLE Users ( Id INT IDENTITY(1,1) PRIMARY KEY, ProviderKey CHAR(30) )
  
  Or perhaps the MembershipUser.UserName property would be better as the bridge.
  
  
  
  The temptation would creep in to store more and more redundant user details in this table, so that you could produce queries directly in SQL that included user details that are actually stored in the MembershipProvider (SELECT Users.Username, Users.Email, Jobs.Description, [...] FROM Jobs INNER JOIN Users [...] WHERE Jobs.userID=[...]) You'd then need to have a strategy for keeping your Users table in sync with the MembershipProvider.
  
  
  
  So, I was wondering whether there are any best practices guidelines out there that answer these sorts of questions - or whether they are even the right questions anyway... In short, what do you watch out for when writing your own CustomComplexBusinessLogicProvider in such a way that your customers can use it with their own choice of other providers?
  
  
  
  Tom
  

• Excellent resources, what I want exactly.Thank you very much.
  

• I was wondering if any additional Login Controls existed. I am trying to construct an admin tool similar to the one that comes with VS. I am able to use the existing CreateUser tool, but now need a Modify User and Remove User function. Anywhere I could get pre-build versions of these?
  
  Thanks
  

• Excellent work. Very nice info in one article!
  

• Thanks for a great post, theres a lot of goodies in those links!
  
  
  
  PS Does anyone know if there is a way to programmatically control the "Remember me next time" expiry time for the ASP.NET login control? It seems to forget a login after a few minutes, yet cookies are allowed. Thanks!
  

• Scott u r simply out-class :)
  
  Keep up the good work buddy ;)
  

• Hi NZ web guy,
  
  
  
  Can you send me an email with more details on the issue you are having? I can then add more people to the thread and we can figure out what is happening.
  
  
  
  Thx!
  
  
  
  - Scott (scottgu@microsoft.com)
  

• THANKS, THANKS, THANKS!!!!
  

• hi scott, you're the best ASP.NET blogger. keep it up. Congratualtions from Philippines!
  
  

• Hi I can see that this is a useful addition but it doesnt seem to cover a lot of the things which I need. The sql provider controls access to a web app, adding roles allows me to say a member of role A can access one set of web pages but not others e.g. admin, user type A, user type B. I need to be able to configure access rights to potentially hundreds of 'web parts' (we're actually using components similar to web parts) in a web application and also the database will be behind a firewall (for internet users, domain users will access iis within firewall) which also seems to be an issue? Would I be best to hand code web page based security instead?
  

• Hi Phil,
  
  Webparts have roles attributes that you can use to declaratively control permissions on them. I'd recommend looking at that as one way to lock down capabilities using the built-in role infrastructure.
  
  Note that you can also build your own providers for membership/roles -- so you can optionally encapsulate any capabilities you want into them.
  
  Hope this helps,
  
  Scott
  

• Hi Mesfin,
  
  Are you building your own custom provider? Or are you trying to use the built-in one with ASP.NET?
  
  Note that the "type" attribute specifies the class name of the provider you want to use.
  
  Hope this helps,
  
  Scott
  

• Scott, for an internal applications environment such as Intranets, etc.  can I still take advantage of Forms Authentification and the membership and role providers using AD authentification?  I mean, can I drag on for example a login control and hook it up to AD instead of that DB .NET manages in order to take advantage and force the users to log in via their AD credentials?
  

• Hi Dave,
  
  Typically with Intranets you often configure an ASP.NET app to use “Windows Authentication” instead of Forms Authentication – which will automatically login browsers using the built-in Windows authentication protocols when connecting to a site. This avoids them having to enter their credentials at all.
  
  However, if you’d prefer to have them login explicitly (using the built-in login controls) you can configure ASP.NET to use the ADMembershipProvider. This will allow you to use Forms Auth and have the Login controls and Membership APIs go against the AD store for credential validation. You can read more about this here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000026.asp
  
  Note that one common option (for both Windows and Forms auth with AD) is to use AD for the username/password credential management, but have the roles and profile information stored in an app-specific database. This is fully supported – just configure Roles and Profiles to go against SQL providers, and have the membership provider go against AD.
  
  Hope this helps,
  
  Scott
  

• Configuring Role permissions: Am I right in thinking that asp.net 2.0 membership and roles does not support role/permissions and that AzMan (referred to above) is limited to windows authentication? I require a solution whereby permissions for a particular role can be configured using forms authentication. The application then queries whether a user's role assignment has a particular permission, not whether it is a member of a role. Can I still use these new tools to achieve this?
  

• Hi Robert,
  
  The SQLRoleProvider doesn't support sub-permissions -- instead it provides a straight user/role mapping.
  
  I believe it is possible to use AZMan with non-windows users, although I'm not 100% sure. This article covers using the AZMan API to perform sub-permission checks programmatically: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000019.asp
  
  Hope this helps,
  
  Scott
  

• Scott, We are building an application that needs the "CanDo" style of permission checking as you describe. That is, the appliaction needs to perform logic at the point of inquiry so that this CanDo check is just-in-time determining what the user can do. I guess the best bet for this is just to roll a custom interface for this, perhaps as simple as : enum Actions{  someAction,  anotherAction } And then on the user class have CanDo(Actions action) { ...... }
  

• Hi Josh,
  
  Yep -- you could do something like this. If your application runs on the Intranet and uses Windows authentication, you can use AzMan to store and manage all of these "CanDo" permissions for you.
  
  This article describes how to-do this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000019.asp
  
  Hope this helps,
  
  Scott
  

• Hi Scott, I think this blog of yours on the new features of ASP.NET 2.0 is great - lots of useful links and information. Is it possible for a web user who has been successfully authenticated with forms authentication to be authorised to use a SQL Server 2000 role depending on a particular ASP.NET 2.0 role that they have been authorised to use? I understand that that I can assign a SQL Server 2000 role to the ASPNET or NETWORK SERVICE account but this will grant access to anonymous web users to the database role. I can ensure that I only call stored procedures which access sensitive data in web pages that are in restricted by ASP.NET roles. However, it would be nice to also restrict stored procedures via the ASP.NET 2.0 Forms Authentication roles. If this is not possible have you got any bright ideas how I could restrict access to stored procedures to anonymous web users. Many thanks, Mark
  

• Hi Mark,
  
  Unfortunately there isn't a super easy way to-do this (specifically map the ASP.NET role to a SQL Server role). One way I could see you doing this might be to have multiple SQL accounts that you use to connect from ASP.NET to the database with. You could then choose which connectionstring to use on a request based on what role the user is in ASP.NET.
  
  Alternatively, you'd probably want to just to the authorization check within your middle-tier layer using the ASP.NET role.
  
  Hope this helps,
  
  Scott
  

• >>Note that one common option (for both Windows and Forms auth with AD) is to use AD for the username/password credential management, but have the roles and profile information stored in an app-specific database.
  
  
  
  perfect, thanks!
  

• Hi,
  
  I am having problems getting the Remember Me button working on my login form. I have searched all over the web and the only solution i could find was setting the forms timeout in the web.config. Unfortunately this did not solve the problem. Any ideas?
  
  Thanks,
  Darren
  

• Hello and thanks for the content. This is comprehensive and useful. Just a quick question: Is there a way i can 'impersonate' any user in the Active Directory, just like how a help desk admin would want to do when someone calls up to troubleshoot? Am not sure if the MSDN link provided here helps in this context. Pls note that in this situation, the helpdesk person cannot ask the user for his password, but should be able to authenticate as the user and perform the necessary operations.
  Kindly let me know.
  

• Hi Darren,
  
  The default cookie timeout policy for authentication changed with ASP.NET 2.0 -- and might be what you are running into with the "Remember Me" functionality. Here is an article I wrote about this and how to change the value: http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx
  
  Hope this helps,
  
  Scott
  

• Hi Ganesh,
  
  This article talks about how to use the impersonation features in Windows with ASP.NET 2.0: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000023.asp
  
  Hope this helps,
  
  Scott
  

• Thanks Scott. I had been to this URL before and let me try to explain my problem better. The URL seems to talk about running the ASP.NET process in the context of a particular user. Pls correct me if am wrong here.
  My requirement is a touch different; where, am not really worried abt the context in which the process runs; but am more concerned abt the 'context' of the logged ON user, particularly when i have performed a forms authentication, typically when an administrator is troubleshooting a user's problem in a website, on his behalf. What we finally figured out was: There is a way to 'reset' the forms authentication cookie to that of another user and that too without the need for the password, like this:
  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket();
  
  string encryptedTicket = FormsAuthentication.Encrypt(ticket);
  
  HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
  
  Response.Cookies.Add(authCookie);
  
  I hope this makes sense. Either we dont understand this URL right or we found a strange way to get the job done :-) comments please !!
  
  thanks,
  ganesh
  

• ASP.NET 2.0 Security (Guidlines) Guidelines
  

• Hi Gabriel,
  
  From the thread you pointed me at, it looks like you now have the issue resolved. Let me know if you still have problems with it.
  
  Thanks,
  
  Scott
  

• Hi,
  
  Thanks fo rthe great post.
  
  I have a situation wherein I need to authenticate the user based on three parameters such as username, password, companyname instead of just username and password. In my database there are several company names and the user name is unique only across the company and not across the application.
  
  There are several such instances wherein I need to create more parameters in the method definition than that are available in the membership provider class. Since the class is abstract I have to implement the methods with the same signature and this is not going to fulfill my requirements.
  
  How can I achieve this?
  
  Thanks in advance
  
  Sitaram
  

• I didn't see any links in your post to any resources on adding Mixed Authentication (Forms and Windows) to an ASP.NET 2.0 application. Is there support in ASP.NET 2.0 for doing this? Do you know of any articles on how to do this?
  

• Hi Chris,
  
  Unfortunately there isn't a built-in mixed mode authentication switch in ASP.NET 2.0.
  
  A user left this comment on my blog, though, on a way you could implement it: http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx#457103
  
  Hope this helps,
  
  Scott
  

• Scott,
  
  Can these frameworks be used to "limit" the data that is seen by a user? As an example, allow a division office user to see all policies but only allow an insured to see their own policy?
  
  Thanks.
  

• Hi Steve,
  
  Yep -- you could ceretainly use the roles and security features in ASP.NET to limit the views people have on data. This tutorial discusses how to use Role-Based capabilities: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx
  
  Hope this helps,
  
  Scott
  

• Scott,
  
  I'm looking for a solution to the question Ganesh posted earlier: How do you use the ASP.NET 2 Membership API to programatically log in as a selected user -without- knowing their password?
  
  Like Ganesh, I have a "help desk" application that needs to enable the support team to login as a user to "shadow" them, allowing them to see the application as the user sees it. Is there a way to do this?
  
  Thanks~
  

• Hi Todd,
  
  To programmatically log in a user, just write the below code:
  
  FormsAuthentication.SetAuthCookie("someusername", false)
  
  This will issue an authentication ticket for the username "someusername" or whatever you provide. You don't actually need to provide the user password for this to work. The browser will then be logged in as that user for the lifetime of the browser session.
  
  Hope this helps,
  
  Scott
  

• Hi Scott (and readers),
  
  Im looking for a way to programmatically lock a user account.
  
  I can see the UnlockUser() to make it active again - but how can I lock it in the first place in code? If for example a user is going on holiday etc and a company wishes to temporarily disable that account. It's a common request in the apps I build (which i used to handle with an active/inactive field in classic asp).
  
  Is the solution target the IsApproved field (which I already have coded to be solely for accounts that are awaiting approval)?
  
  Thanks for any tips.
  
  Sam
  

• Hi Sam,
  
  I just checked with the team and got back an answer from them. What you want to-do is actually set the "IsApproved" property on the MembershipUser to true or false. When it is false, then the user exists but can't login. This is similar to your active/inactive logic
  
  Once you set this property on the MembershipUser object, you'll also want to call Membership.UpdateUser() and pass in this object to update the database.
  
  Hope this helps,
  
  Scott
  

• Scott,
  
  I have a project that is web based with security. I want to use that same security database ( and application Name) for a Windows form project.
  I have seen one article that uses a web service. Is there a better way
  

• Hi Mark,
  
  Unfortunately the best way to handle this is still to expose web-services. In the next release of the the framework (next year) we are planning to-do this for you automatically - but until then you'll need to build your own.
  
  Sorry,
  
  Scott
  

• Hi Mark,
  
  The ProfileCommon class is automatically generated by ASP.NET at compile-time - which is why you aren't seeing that depending on how you are using it.
  
  What you could do, however, is use this tool: http://www.gotdotnet.com/workspaces/workspace.aspx?id=406eefba-2dd9-4d80-a48c-b4f135df4127 which will automatically generate a Profile wrapper for you based on your web.config file that you could use.
  
  Hope this helps,
  
  Scott
  

• This is great! will always be comming here.
  Keep up the good work
  

• Hi, How can I set security for a page like in web.config but in a programmatically way.
  
  Tnks
  

• Hi Gerardo,
  
  Here is a cool tip/trick you can use to programmatically authorize users: http://weblogs.asp.net/scottgu/archive/2006/10/04/Tip_2F00_Trick_3A00_-Adding-Authorization-Rules-to-Business-and-Data-Layers-using-PrincipalPermissionAttributes.aspx
  
  Hope this helps,
  
  Scott
  

• Does anyone know how can i install SQLMembershipProvider without using Membership Database ASPNETDB??
  I've already have a sql2005 database with users account's and login, password, etc.
  I just want to use custom membership in my own database without using sql pre-defined one.
  Thanks
  

• Hi Joao,
  
  I'd recommend looking at this post: http://weblogs.asp.net/scottgu/archive/2006/10/13/Tip_2F00_Trick_3A00_-Source_2F00_Documentation-for-Simple-ASP.NET-2.0-SQL-Providers-Published.aspx
  
  It demonstrates some simple Membership providers that work against SQL. You could adapt these to go against your own schema within the database.
  
  Hope this helps,
  
  Scott
  

• Hello,
  I'm developing a webportal for our intranet at work. I've setup integrated windows authentication which is working fine. I also have roles enabled and have applied the correct role privileges to the relevant webpages. My question now is how can I tie domain users to the roles? Ideally I'd like to setup an admin page that shows a list of users from the domain and then I can add them to different roles, such as 'admin' 'user' etc which will then provide them access to the relevant webpages.
  
  Much Thanks,
  Daniel
  

• Hi Daniel,
  
  I actually have a good tutorial that shows how to-do this here: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx
  
  Hope this helps!
  
  Scott
  

• Hi Richard,
  
  Good question! Can you send me an email directly on it? I can then loop in a few folks from my team who might have an answer.
  
  Thanks,
  
  Scott
  

• What is the standard for checking authorization? Set it up in web.config or through code?
  

• Hi John,
  
  Often people do authorization via web.config files, and then do additional checks via code.
  
  Hope this helps,
  
  Scott
  

• Hi Scott,
  
  I just wanted to let you know that I have implemented a Membership/Role provider for use with NHibernate. You may want to take a look at it and consider including it in your list of custom providers with source code.
  
  Cheers,
  
  Leo
  

• hi scott
  fantastic....
  absolutley fantastic job.
  Thank u very much for that....
  
  
  
  I need some help :)
  In one of my application I need to uses forms authentication. For this i have to use both AD and DB in the sense I have to Validate if the user exsists in AD and if not found i have to go on search in the DB.
  I have and all ready done this in vs 1.1 but i could not figure out how do we do this in vs 2.0 using Login controls.
  
  Help me on this :)
  

• This is a great tutorial/walk-through. I am learning much.
  
  The only shortcoming is it assumes one CAN use the website administration tool as it seems a key thing to have. I cannot because I'm using a hosting service and I develop remotely from the server.
  
  So how do I manage my users and roles without that tool? The walkthrough needs a remote developer section for this, IMO.
  

• I am in a bind regarding anonymous user Profiles. All the articles I've come across regarding migrating an anonymous user profile properties to registered user properties make use of the ProfileCommon class and Profile.GetProfile method in the Profile_MigrateAnonymous event handler in Global.asax.cs file. However that does not work when your web site is of the Web application type instead of the 2005 in built website type. How would you migrate an anonymous user's properties to a registered user's when the compiler gives you an error "ProfileCommon cannot be found. Are you missing a using reference?"??
  Thanks
  

• Hi Scott,
  
  None of my comments where published on the blog. What is it that I'm doing wrong?
  
  Thanks,
  Dako
  

• Hi Wil,
  
  Sorry for the delay in getting back to you. Here is a pointer to a set of web admin pages you can integrate into your site to enable remote administration: http://weblogs.asp.net/scottgu/archive/2006/07/18/Remote-Membership_2F00_Roles-Management-of-ASP.NET-2.0-Applications.aspx
  
  Hope this helps,
  
  Scott
  

• Hi Dako,
  
  Sorry for the delay in getting back to you - was traveling this past week and so have been away from my blog for a few days. I just published your questions and am in the process of responding to them here: http://weblogs.asp.net/scottgu/archive/2005/10/18/427754.aspx
  
  Thanks,
  
  Scott
  

• Hi Palak,
  
  With a Web Application Project you need to create the profile object explictly. This add-in will help you with it: http://www.gotdotnet.com/workspaces/workspace.aspx?id=406eefba-2dd9-4d80-a48c-b4f135df4127
  
  Thanks,
  
  Scott
  

• Hi Scott,
  I totaly new to AzMan and i am sorry if this problem raised in earlier in your Blog. I hv been followed the articale "How To: Use Authorization Manager (AzMan) with ASP.NET 2.0" which publish @ MSDN (You also rec'd it). I am runnig vertual PC and loging as local user for the VPC. And for "Role Assignment" i assigned the Logged user as per example.
  my problem is when ever i access secure page it promting the popup for user name and password.
  do u have any idea why is it?
  

• Hi Parasa,
  
  Unfortunately I'm not too familiar with AzMan myself. :-(
  
  Sorry!
  
  Scott
  

• Hi, I have finally gotten a custom Principal to be set in the HttpContext.Current.User, however, I am using the LoginControl and I want to handle the "LoggedIn" event and based on the User's Role redirect them to the appropriate Page based on this.
  
  However, the FormsAuthentication is NOT setting the Ticket in the AuthCookie before this event fires. This is causing the code that sets my custom Principal to not execute. So, when it hits the "LoggedIn" event, the Current.User.Identity is just a "GenericIdentity" unauthenticated and with no information.
  
  Why is FormsAuthentication NOT populating the Ticket before calling "LoggedIn"? I have decompiled the LoginControl and everything "looks" like it should be working correctly.
  
  Help!
  

• Hi tmccurdy,
  
  The authentication principal won't get set until the next request to the web-server. But you can use the "UserName" property on the Usercontrol within the LoggedIn event to identify the user.
  
  You can the use the Role APIs and pass the user name to retrieve their role information.
  
  Hope this helps,
  
  Scott
  

• Hi ScottGu,
  
  I want create Access Database(mdb file) for Role and Membership like Sql Database which Created by default using aspnet_regsql
  
  Please help me for create Acess Databse for to store Role and Membership.
  
  Regards
  
  Mukesh Vadodariya
  
  

• Hi Mukesh,
  
  You can download the Access providers here: http://msdn.microsoft.com/vstudio/eula.aspx?id=96713a8e-b8d4-4d6e-bb8f-027e6c8e15d8
  
  This will enable Role and Membership for Access.
  
  Hope this helps,
  
  Scott
  

• Hello Scott / tmccurdy,
  
  I am using a .net 2.0 login control and am trying to set a custom principal object on the current thread after executing custom code that authenticates users. The msdn article listed above for forms authetication (MSDN: Explained: Forms Authentication in ASP.NET 2.0) mentions that to do the above, we need to handle the PostAuthenticate event which gets fired after the cookie is set. Any help in how to accomplish this will be greatly appreciated.
  
  Thanks!
  

• Hello Scott / tmccurdy,
  
  I am using a .net 2.0 login control and am trying to set a custom principal object on the current thread after executing custom code that authenticates users. The msdn article listed above for forms authetication (MSDN: Explained: Forms Authentication in ASP.NET 2.0) mentions that to do the above, we need to handle the PostAuthenticate event which gets fired after the cookie is set. Any help in how to accomplish this will be greatly appreciated.
  
  Thanks!
  

• Hi Scott,
  
  We have an existing ASP.NET 1.1 application. The client requires that application provide additional functionalities. The existing functionality has to be enhanced and different new functionality is to be added.
  Please advise :
  1. Should the new functionality be added in ASP.NET 2.0 ? If so, should we migrate existing code to 2.0 ?
  
  2. If application is moved to 2.0, should user management (UM) functionality of 2.0 be used (Currently the application has its own user schema, role based authorization, etc). What will be the disadvantage of not using 2.0 user management functionality/classes ?
  
  3. If application is moved to 2.0, should Datagrid paging be replaced with Gridview paging (with or without ASP.NET AJAX) ?
  
  4. What does .net 3/3.5 offer to ASP.NET applications ? (I understand that workflow and WS can be used in ASP.NET applications) What else (eg new ASP.NET controls) for ASP.NET ?
  
  Thank You.
  

• Hi Scott,
  
  This question may have an obvious answer...
  
  Is the Website Administration Tool intended to be used as a solution for website administrators to manage the website that was created for them?
  
  I have not read anything yet recommending this as common practice.
  
  Thoughts?
  

• Hi,
  
  I am looking for a code sample for the following scenario: multiple .net 2.0 web applications on the same domain and one login application. I understand that I can use the same provider in all of my applications, but how can I have one login page for all of them without combining the application under one folder? How does the redirection from/to the login page work?
  
  Thanks!
  

• Hi Julia,
  
  I haven't implemented a single-sign on solution myself before, but I found a few articles that might be useful for you:
  
  http://msdn.microsoft.com/en-us/library/ms972971.aspx
  
  http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx
  
  http://codebetter.com/blogs/sahil.malik/archive/2006/04/27/143591.aspx
  
  Hope this helps,
  
  Scott
  

• What if your users are in more than one container (Not just in Users container) on the same domain? Should you setup like you were using multiple domains?
  
  
  
  
  
  
  Thanks,
  Steve
  

• How do you handle multiple containers or OUs? What if you have accounts in the Users container and then accounts in other OUs, how do you handle that? What would the connection string look like? If it can't be handled are you forced to create all OUs in the same tree (recursive check)?
  
  
  
  
  Thanks,
  Steve
  

• In my site, I want to use e-mail address for user ID ... And also preserve the E-mail address in the E-mail field and pass it to membership orovider so that user can request new password.
  
  I'm using the standard CreateUser Wizard ... Is there an event or property that I can modify ... so that when I
  
  -- hide the userID label and text box ... (make it invisible) ...
  
  I can wire something up to make the e-mail address the text property of UserID ( so that it will pass the must enter edit requirement ) .. and also allow me to validate the e-mail address with regular expression
  
  etc, etc, etc ...
  
  Let me know if I need to explain more ...
  
  Steve
  

• Hi Steve,
  
  Unfortunately I'm not 100% sure on the multiple OU question. Can you email me (scottgu@microsoft.com) and I can loop someone in who might know.
  
  Thanks,
  
  Scott
  

• Hi Steve,
  
  There are a few events you might be able to sync to help with this.
  
  There is an OnActiveStepChanged event that fires each time the step changes and would allow you to handle this.
  
  The easiest approach, though, might be to just use the generic control, though, and define your own textboxes for each of the gathering stages within that. You could then manually write this code to create the user and log them in:
  
  Membership.CreateUser(txtUserName.Text, txtPassword.Text)
  
  FormsAuthentication.SetAuthCookie(txtUserName.Text, false)
  
  Hope this helps,
  
  Scott