Security Question/Answer reset

Dec 5, 2011 at 5:54 PM

First - THANK YOU for the awesome code.  Much smoother than the CKS.  Once I figured out that email and a self-signed SSL don't work well (I ended up using SELFSSL.EXE to create a cert that could be imported into the SharePoint store) all is running smoothly.

Question: I configured a security question/answer in the MembershipProvider, and it's working well, but there's no place for the end-user to be able to reset their Q/A once logged in!  Am I missing something?

Also, the Password Reset web part has lots of options, are they documented anywhere?  None of them seem to allow for the Q/A reset either :(

Coordinator
Dec 6, 2011 at 2:08 AM

Unfortunately there's no way of changing the security question/answer with the FBA Pack once they've been created.  The FBA Pack uses the ASP.Net Membership Controls - and surprisingly they do not provide that functionality.  Feel free to add this as a feature request in the Issue Tracker (but it will probably be pretty low on the priority list).

As for the options, apart from the standard web part options available for all SharePoint web parts, all of the options are for customizing the appearance of the control - essentially setting the text the control displays as well as the button styles. It's really just a web interface to the asp.net control, which is documented here:

http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.passwordrecovery.aspx

You can also specify the html template to use for the control, if you REALLY want to customize the layout.  I've got some documentation on doing that here:

http://sharepoint2010fba.codeplex.com/wikipage?title=Customizing%20the%20Web%20Part%20Layout

Jan 5, 2012 at 6:06 PM

Yes, first of all many thanks Chris for this awesome work!! It makes lives easier for us!!

I have the same query, members should change their security question (and pwd, for this we can use the change pwd control and direct the users to that page), however for the security question change, we don't have a choice. I looked at your code and saw the ASP.Net Membership controls you have used, I was thinking to use a copy of the control but modify it to the effect that it shows just the security questions, but we cannot as many of the other fields are required, as you also mentioned in your post.

Unfortunately - the only option is to create another webpart, with just the Question and Answer boxes. If anyone has found a solution or written something to that effect please share.

FastFrgz - were you able to find a solution?
We need to have this as the user can only recover their pwd if they know security question/answer.
Sachin

Coordinator
Jan 5, 2012 at 9:01 PM

If you want to add it as new fields to the change password web part, you should be able to by adding the fields to the template and then adding the logic to the code. If you just want a separate web part for changing the question and answer, then probably a brand new custom web part would be best. As far as I know there are no web parts available, so unfortunately I don't think there's any way around coding something. If you need this coded up, I'd be glad to help. Check out the purchases page on the Visigo web site, and feel free to call to discuss what you'd like:

http://www.visigo.com/purchase.html

Coordinator
Jan 5, 2012 at 9:05 PM

I forgot to mention, your other option is simply turning off the question/answer feature on the membership provider.  But I assume if you're going through this, you feel like you need the extra security.

Jan 5, 2012 at 9:58 PM

Thanks Chris. Yes I guess I will need to add a new webpart (or as you suggested, adding it to the Change pwd page is a good idea too!), both of these would require custom code, so I was thinking not to mess with the existing one, but add another webpart.

Turning the question/answer feature off was something that I did not think about, glad that you pointed it out. However, I feel it should be there, how else would the users who forgot their pwd be able to get back into the system without human intervention (like sending emails to an admin)?

Thoughts?

I have over 650 users, so was thinking to allow them to set the questions later on after we create the users.

Coordinator
Jan 5, 2012 at 10:03 PM

If you turn off the question answer, then the recover password web part only asks for their email/username.  The password will be reset and emailed using the email address associated to the user.

As for setting the questions later on, I believe if question/answer is turned on, then a question and answer is required by the membership provider when creating the user. So I don't think that's an option. You'd have to at least provide a default question and answer, such as "Type Password"/"Password".

Jan 5, 2012 at 11:02 PM

For Part 1 - Yes, that's an option, since the pwd is sent to the user's email address no one else can get it, so the security question can be turned off.

For Part 2 - The idea of setting it later on was this - We keep the security question ON and create the users in the backend through SQL scripts etc. with dummy question, answer and pwd fields and then ask users to change it later on after they have logged in. (The current client might not allow each user to come and create their own accounts as there are multiple SharePoint user group scenarios and they have to be pre-configured in bulk, rather than piecemeal.) Yes, you have provided an option to review requests, but someone will have to do the task of reviewing each request and then adding to appropriate groups, and the user database is huge for this.

But I do see some point if users can request their own account (if they agree!!), it will do away with all this trouble. Else I will have to go for a webpart.. :-)

You have raised some good points to consider, final implementation will depend on what they agree for in the end.

Thanks again,
Sachin

Jan 6, 2012 at 3:43 PM

Hey Chris - I was testing the Membership request webpart as per yesterday's discussion, but it is not creating any users nor do they go into the review list. The page just refreshes or sometimes just sits there. Everything else in the FBA pack is working just fine, but not this webpart.

Please answer when you can, I haven't modified anything as yet, just testing as it came.

Also, there is no pwd field here - how does the pwd get created?

Thanks,
Sachin

Coordinator
Jan 6, 2012 at 4:50 PM

Usually if it refreshes and doesn't do anything it's because one of the validations is failing - invalid captcha, missing username, email address.... However there should be an indication on the screen of what failed (although the default notification for many of the fields is a red *, which could potentially be easy to miss).  If that's not it, I'd check the SharePoint log file to see if anything was written there (although you will usually see "Unknown Error Occured" if something gets written to the log).

As for the no password field, by default the user is emailed their password.  That could be one reason the web part is failing, if the SharePoint email settings aren't configured correctly. There is an "Auto Generate Password" option on the web part that you can turn off if you'd like the user to enter their own password. You will still need to have the email server configured as an email still gets sent.

Jan 6, 2012 at 5:12 PM

Wow! thanks.

I guess this is the case, my email settings are not configured properly.
So, you are saying that even if the user enters their own password, it will fail to create the user because the email will not go out? Bottom line, unless email is configured this will not work?

Also, when I configure the webpart and uncheck "Auto generate password" it keeps getting checked again? I can't uncheck it.

Thanks.

Coordinator
Jan 6, 2012 at 5:25 PM

Correct, email is required.

The reason auto generate password is checked is because you have review membership requests turned on. The user essentially gets generated when the membership request is approved, and for security reasons I didn't want to store the password until that point. So right now if you want the user to enter a password you'll have to turn off the Review Membership Request functionality. Otherwise, you'll have to stick with the password being auto generated for them and they would have to change their password after logging in for the first time.

Jan 6, 2012 at 5:44 PM

Spot on, thank you! I was able to uncheck it after turning off membership review.

Question: as you have rightly mentioned users would have to change their pwd after logging in for the first time, does the FBA Pack take care of it on its own and force users to change pwd? Or do we have to code it? I was thinking that we had to take care of it, but if it is taken care of by the FBA pack, nothing like it :-)

Coordinator
Jan 6, 2012 at 5:53 PM

I'm afraid that's not included with the FBA pack. It would have to be custom code.  I've customized another client's login page to check if the password has been changed and redirect to the change password page if it has not.

Jan 6, 2012 at 6:33 PM
Edited Jan 6, 2012 at 6:47 PM

Ok. Thank you Chris, appreciate all your help! Might have to take the same route. So this is what I am thinking finally.

1 - users create themselves through membership
2 - Security question turned on
3 - Will have to decide about password
 a) if user gives pwd, no need for customizing login page
 b) if we use automatic pwd generation, then ask them to change

Feb 10, 2012 at 7:46 PM
Edited Feb 10, 2012 at 7:50 PM

Hey ccoulson - I am back again..:-)

I want to turn off the security question/answer on both the new user screen and membership request page, can I do it from the pack or will I have to make changes to the source?

I guess for the Membership request we can make changes to the webpart, I am not sure what to do about the New User page

-Thanks

Coordinator
Feb 10, 2012 at 8:34 PM

The display of the security question/answer is controlled by the settings on your membership provider. So to turn the fields off you just have to edit your membership provider entry in your web.config.

Feb 10, 2012 at 9:22 PM

Thanks I will try that and let you know how it goes!!

Feb 13, 2012 at 9:40 PM

Thank you sir, it worked like a charm! Setting requiresQuestionAndAnswer="False" did the trick...!

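The web.config change described in the two posts above, as an added example that is not part of the FBA Pack: a PowerShell snippet that finds the membership provider entry and sets `requiresQuestionAndAnswer`. The web.config path and provider name are placeholders (assumptions); the same provider entry is normally also registered in the SecurityTokenServiceApplication and Central Admin web.configs, and the same edit applies there.

```powershell
# Added example (not FBA Pack code): turn the membership provider's security
# question/answer requirement off (or back on) in a SharePoint web application's
# web.config. $WebConfigPath and $ProviderName below are assumed placeholders.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    [string]$ProviderName  = 'FBAMembershipProvider',
    [bool]  $RequireQA     = $false
)

[xml]$cfg = Get-Content -Path $WebConfigPath
$prov = $cfg.SelectNodes('/configuration/system.web/membership/providers/add') |
    Where-Object { $_.GetAttribute('name') -eq $ProviderName } |
    Select-Object -First 1
if (-not $prov) { throw "Provider '$ProviderName' not found in $WebConfigPath" }

# Keep a copy first: a malformed web.config takes the whole web application offline.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force

$value = $RequireQA.ToString().ToLower()   # "true" / "false"
$prov.SetAttribute('requiresQuestionAndAnswer', $value)

# With Q/A off, a password reset is gated only by access to the user's mailbox,
# so the provider should reset passwords (never hand the stored one back).
if ($prov.GetAttribute('enablePasswordRetrieval') -eq 'true') {
    Write-Warning 'enablePasswordRetrieval="true": stored passwords are recoverable; prefer enablePasswordReset="true"'
}
if ($prov.GetAttribute('enablePasswordReset') -ne 'true') {
    Write-Warning 'enablePasswordReset is not "true": the Password Recovery web part cannot reset passwords'
}

$cfg.Save($WebConfigPath)
Write-Host "requiresQuestionAndAnswer set to $value on provider '$ProviderName' (backup: $WebConfigPath.bak)"
```

Run it once per web.config that carries the provider; an `iisreset` afterwards is not required, since IIS recycles the application when web.config changes.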
Mar 8, 2012 at 7:17 PM

Hello ccoulson, so I am back :-), have a question.

The forgot pwd webpart is not able to send mail and shows an error: "There was an error sending the email, please check with your administrator"
I know from our last discussion that email should be configured properly on the server, and it is! I am getting regular SharePoint alerts as a test.

Also, I added a user today, using user management, and that did not send a mail either. Can you guide as to what could be the issue?

Thanks,
Sachin

Coordinator
Mar 8, 2012 at 8:28 PM

One common issue is that the mail server isn't set up for relaying from your SharePoint server. So emails to local email addresses will work fine, but emails to external domains will give you an error.

If that's not the issue:

Does the email for the request membership web part work?

Check the log file - what does it show for the actual error?

Mar 8, 2012 at 9:52 PM

Ok so I tried a few things again without doing any changes:

- Forgot pwd webpart - it sends a mail for both internal and external email IDs, so this is good news, don't know why it did not send the first time!!
- Creating a user from the User Management screen, it creates the user, but only sends email for an external email ID, it did not send email to an internal ID
- Membership Request WebPart: No users are created, no mails go out, I guess I am giving the right image captcha, still no go. In fact I have never been able to create a user from the Membership Request webpart. Since I have not set it to manage requests there is no item in the list as well.

The server is set to relay as "Only the list below" and the current server is listed there (127.0.0.1). "Allow computers which successfully authenticate to relay regardless of the list above" is also checked.

Thanks for your time!

Coordinator
Mar 8, 2012 at 11:28 PM

When the emails don't get sent, do you get a message on the web part (Error sending email, or unexpected/unknown error)? If so, check the SharePoint logs to find the actual error message being logged.

If there are no errors, and the user simply isn't receiving the emails, turn on the logging on your smtp server and see what's happening.

Coordinator
Mar 8, 2012 at 11:31 PM

One other thing - is any of this happening on SSL pages? If so, there will probably be issues accessing the email templates unless the root certificate is configured as trusted in SharePoint (Central Admin).

Mar 12, 2012 at 8:34 PM

Hey ccoulson - sorry for the late reply, could not get time to try out these things.

We do have SSL pages, extended site, and we will use FBA there, however as of now I was trying out these on the http site.
I am not getting any errors either on the webpart or in the logs. I enabled the SMTP logging (C:\Windows\system32\LogFiles\SMTPSVC1) but it does not seem to log anything. One forum suggested this for SMTP logging, but not sure if I need to do that (I can't).
http://social.technet.microsoft.com/Forums/nl/exchange2010/thread/d120d49d-1a6f-460b-9942-6323aecf0e23

ULS logs do not show anything either. I will further troubleshoot :-( please let me know if any suggestions..
Question: For the membership request webpart, I am using the webpart from the gallery and have not created a separate page for it as of now, will that cause any issue? I don't believe so.. your thoughts!

Coordinator
Mar 12, 2012 at 10:41 PM

I'm surprised there's nothing in the ULS logs.

For the SMTP log, you would have to turn on SMTP logging - I don't believe it usually is turned on by default. I think you need to follow the instructions you linked to if you're using the Exchange smtp server. If you're just using the standard Windows smtp server (you configure it via the IIS 6 interface), you can just open the properties for it and turn on logging.  If it's not logging anything, it could be that the smtp server isn't being contacted - maybe due to misconfiguration in SharePoint. You can log in to the smtp server via telnet and manually send a message - instructions are here: http://support.microsoft.com/kb/323350. That should definitely be logged if logging is turned on.

Mar 13, 2012 at 7:02 PM

Thanks for the info. Yes I did enable SMTP server logging via the IIS 6 manager interface, but still no logs, however there are some very interesting developments :-)

- I put the membership request webpart on a page and it works, creates the user and also sends e-mail! As mentioned, earlier I was just running the webpart from the gallery.
The changepassword and forgot pwd webparts are working as expected and mails also go out, so all suddenly looks good. I will have to do some more testing and will get back in case anything comes up. Thanks again!

Mar 13, 2012 at 7:08 PM

Just something crazy happened! After retrieving the forgotten pwd from the forgot password page, it says "Your password has been sent to you" and it does, but the problem is if you refresh the page, it keeps resetting the pwd and sending mails :-)

Coordinator
Mar 13, 2012 at 7:24 PM

Thanks - I've created a work item for this:

http://sharepoint2010fba.codeplex.com/workitem/794

Mar 14, 2012 at 6:52 PM

Thanks, just a question:

I am modifying the webparts to have image buttons, I could see that there is an option to set an image for a button and I changed it on a page I created, however how do I do that for a page under the layouts folder, like _layouts/fba/ChangePassword, as the SiteActions->ChangePwd goes to this page (when I edit the page in notepad, I see a reference to the webpart)
* While I was writing this I guess I figured, if I can copy the same properties it will work, just that it has to be hard coded.

Also, can I remove the cancel button using webpart properties or any other way? (I tried by removing the text and image for it, but the button still showed, although very tiny). I am not sure if we need a cancel button.

Let me know your thoughts.

Mar 14, 2012 at 7:03 PM

Ah! just to add, the Cancel button has an issue too, if the user clicks on cancel, it throws a required field validation error, unless we put some chars there, it does not cancel or redirect... so I was thinking not to have cancel at all... but I guess that would require code modification

Coordinator
Mar 15, 2012 at 1:35 AM

I've added a bug to the issue list for the Cancel button.

http://sharepoint2010fba.codeplex.com/workitem/796

Additionally, you can completely customize the layouts of the web parts using templates. See here:

http://sharepoint2010fba.codeplex.com/wikipage?title=Customizing%20the%20Web%20Part%20Layout

Mar 15, 2012 at 6:36 PM

Thanks ccoulson! Will see how this goes

Mar 15, 2012 at 8:13 PM

ccoulson - first of all a big thank you, if you had not pointed towards changing the webpart layout by modifying the control files, I would have been changing and redeploying the webparts :-).

Question: As mentioned before the SiteActions->ChangePassword.aspx goes to _layouts/fba/ChangePassword.aspx but this page is not reflecting the template change and I don't see a direct way to modify this page as it is in layouts. I am planning to copy the properties of this webpart from one page and then add those properties on the changepassword.aspx page for the <FBA:ChangePasswordWebPart........ what do you propose?

Thanks.

Mar 15, 2012 at 8:24 PM
Edited Mar 15, 2012 at 8:27 PM

Also I don't see how to set the "Change Password" image button here as the properties from my other page do not show that even though I have set a button there and it works fine (example on this page: /Pages/ChangePassword.aspx I have set all the properties but when I open it in designer to copy the properties, the image link is not there, surprised, surprised!)

Mar 15, 2012 at 8:51 PM

Ok good news, I was able to copy the properties from another page, paste them in and modify the _layouts/fba/ChangePassword.aspx, voila!

Mar 20, 2012 at 8:54 PM

Hey ccoulson - so I am back again... and have a question.

The forgot pwd page sends an email on the FBA site when I am logged in as a user, however I have made that page accessible anonymously as users will ONLY use this page if they cannot log in, as they would have forgotten their pwd.

I am able to access the page without logging in, however the forgot pwd functionality does not work and shows this error when an email is provided and submit is clicked: "There was an error sending the email, please check with your administrator". As mentioned this works fine when I am logged in, however in the real world scenario users will only use this page when they cannot log into the site, i.e. anonymously.

Please let me know if you have a suggestion!

Thanks,
Sachin

Coordinator
Mar 21, 2012 at 12:24 AM

I'm guessing this is an issue with the templates being available anonymously.  Try accessing the email templates directly as an anonymous user.  It should work as long as anonymous access is turned on in the web application settings.

Mar 21, 2012 at 5:46 PM

ccoulson - I thought to copy the xslt email template to a place (maybe an anonymous library) and then link it to that, however the email templates are not set by property.

I am not sure if I understand. Are you suggesting to make the web application accessible anonymously? The web has NT as well as FBA authentication and I have enabled anonymous access, just to make the forgot pwd page accessible anonymously, I created a library and provided anonymous access to that lib ONLY. How can the users access the email template under layouts anonymously? If I make the whole web application anonymous, won't it defeat the purpose?

Maybe I am missing something, please throw some light.

Thanks,
Sachin

Coordinator
Mar 21, 2012 at 6:32 PM

As long as you have anonymous access turned on for the web application, you should be able to access the templates anonymously from the layouts folder they are installed to. You shouldn't have to turn on anonymous access for the whole site collection or do anything else. That's the default method of accessing the email templates, and I've used it in every implementation I've done.

If you want to put them in an anonymous library, that should work as well (though I haven't tried it).  The web site url is added to their location setting in the FBA Site Configuration page, so just enter the path from the root of the site.

Mar 21, 2012 at 7:13 PM

Thanks for the quick reply, I need to get this done today :-).

You are right and I tested it exactly as you proposed, tried to access the email template and it opened the xslt in the browser without having to log in.
Even if I access the HTTP site without logging in (AD) it sends the email, but if I access it as the HTTPS site it fails. The email IDs are the same in both cases.

There is nothing in the logs, do you have some more ideas as to what could be failing?

Thanks,
Sachin

Mar 21, 2012 at 7:17 PM

Because really where we need this to work is for FBA users, who cannot log in..

Coordinator
Mar 21, 2012 at 8:00 PM

I'm surprised there's nothing in the logs. You mentioned you're accessing via https.  For that to work, SharePoint needs trust setup for the root certificate of the certificate you are using. Central Admin -> Security -> Manage Trust

Mar 21, 2012 at 8:03 PM

Ok ccoulson, I think I might have stumbled upon something here...

In the event viewer log it says "An operation failed because the following certificate has validation errors:\n\"    While I am not sure it is related to this issue, I see an entry as soon as I try to send an email from the HTTPS site. And yes, my site SSL certificate is not a valid one as of now, it is self created. Could that be the issue and will it resolve itself as soon as a proper certificate is in place? I guess so, what do you think?

One thing that confuses me is that in the error log the user name under which this error comes up is NT AUTHORITY\IUSR, is this how anonymous works?

Thanks,
Sachin

Mar 21, 2012 at 8:07 PM

I read your post after posting mine, what you suggest sounds good! Let me try that and add my certificate as trusted under CA and will see how it goes, be back shortly..

Mar 21, 2012 at 8:30 PM

Ok so this is interesting...

I have a self-signed certificate that I created in IIS, and then attached this certificate to the HTTPS site from within IIS.
Question: Is this the correct way of doing it?

In order to add the same certificate under CA - Manage Trust, I have to import it right? When I import it on the desktop, it asks for a pwd which I give.
Now when I give this certificate path in CA - Manage Trust, it throws an error that certificates with pwd are not supported.
Am I doing something wrong here?

Thanks,
Sachin

Coordinator
Mar 21, 2012 at 8:34 PM

That is the correct way of doing things.

The certificates I generate I do not password protect, so I haven't gotten this error. Try generating a certificate without a password.  Also, you do not add the same certificate to Manage Trust. You add the ROOT certificate (essentially the certificate for the certificate generator) - you can view and export this from the certificate properties - I think the section is called certificate path.

Mar 21, 2012 at 8:59 PM

Yes I had created the certificate without pwd, but while importing the certificate it prompts for pwd.

I see what you mean and tried something else. Instead of importing the certificate I went to Details and there was an option to Copy to File, which downloaded a certificate-like thing without asking for pwd and I think this is the ROOT cert, which talks about issuing authority and certificate hash etc. (there is no option under Certificate Path to import).

Then I successfully added this to CA - Manage Trust and this looks like the ROOT certificate, but still when I go to the forgot pwd page, same error and the event viewer says the same thing, certificate is invalid, did an IIS reset, no go...

Coordinator
Mar 21, 2012 at 9:05 PM

Yes, you do use the Copy To File under Details. But right beside the details tab there should be a "Certification Path" tab, with your certificate, and then one or more on top of it.  The top one is the root certificate. Click View Certificate on that one, and then click the Details tab and Copy to File.

Mar 21, 2012 at 9:14 PM

Hmnnn.. I see that now.... In one of the certificates (Forefront Identity Manager) it is there, but in my certificate the Certification Path tab does not have a treeview-like top node, just only one entry and selecting it does not enable View Certificate... Why would it not be there?

When I created the certificate, I just created it normally, like "Create a Self Signed Certificate" and if I create a new one now, it is also the same, no root node under the Certification Path

Coordinator
Mar 21, 2012 at 9:27 PM

Unfortunately I think that the certificates I created were created using Windows certificate services, so there was a root certificate.  I assume there is a way to get it working with the IIS self signed certificate, but I'm not sure.
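The Manage Trust step discussed in the posts above, as an added example that is not FBA Pack code: a PowerShell script (SharePoint snap-in) that loads an exported `.cer`, picks the trust anchor and registers it with `New-SPTrustedRootAuthority`. It also covers the IIS self-signed case left open above: such a certificate shows no parent in the Certification Path tab because it is its own issuer, so the certificate itself is the root to register. The `.cer` path and the `-Name` value are placeholders (assumptions); the file must be the public certificate exported via Details > Copy to File, which is why it carries no password.

```powershell
# Added example (not FBA Pack code): register the trust anchor of the SSL site's
# certificate with SharePoint, the scripted equivalent of Central Admin ->
# Security -> Manage Trust. Assumed placeholders: the .cer path and the -Name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-TrustAnchor {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    if ($cert.HasPrivateKey) {
        # A .pfx carries the private key and needs a password; Manage Trust only
        # wants the public certificate, so export a .cer instead.
        throw 'File contains a private key (.pfx); export the public certificate (.cer) instead'
    }
    # IIS "Create Self-Signed Certificate" produces a cert whose Issuer equals its
    # Subject: there is no separate root, the certificate is its own anchor.
    if ($cert.Subject -eq $cert.Issuer) { return $cert }

    # CA-issued cert: build the chain and take the topmost element (the root).
    # If the root is not in the machine store the chain stops short; then export
    # the root from the Certification Path tab as described above and pass that.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $chain.Reset()
    return $root
}

$anchor = Get-TrustAnchor -CerPath 'C:\temp\fba-site.cer'   # placeholder path
$existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $anchor.Thumbprint }
if ($existing) {
    Write-Host "Already trusted as '$($existing.Name)' (thumbprint $($anchor.Thumbprint))"
} else {
    New-SPTrustedRootAuthority -Name 'FBA site root (placeholder)' -Certificate $anchor
    Write-Host "Registered '$($anchor.Subject)' as a trusted root; run iisreset so the web parts pick it up"
}
```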

Mar 21, 2012 at 9:36 PM

Sure,  Thanks for all the help! 

I will dig into it more, but I guess once we have a proper certificate from an issuing authority, as we will get, I think this issue will be resolved on its own as it is just the improper certificate causing this.

Thanks again,
Sachin

Coordinator
Mar 21, 2012 at 9:37 PM

Yeah, it should work just like http, once you have the proper certificates setup.