Reset password on login page before user authenticates

I've installed the FBA Pack and have my FBA set up as per the instructions provided and all installed fine but I would like to user the reset password feature on my custom login page so that users that forget their passwords can reset it then login using the temporary password provided. I put the page I created with the reset password web part on the same folder as my custom login page (_layouts) but when ever I click the link to reset my password the login page just refreshs and the user is not redirected to my reset password page. Is there a way to use the reset password web part before the user authenticates? Do I need to put my page somewhere other than _layouts? Thanks in advance for any help you can give to solve this.


I've actually done exactly what you describe, and I remember I had problems with the security on the application page, but for the life of me I can't remember what I did to correct it.  My only suggestion is to start with a blank, or "Hello World" application page, and make sure you can acces that correctly from the link, and then proceed to add in the Password Recovery web part.

Another alternative is to create a standard SharePoint page and give it anonymous access and add the web part to it.

Thanks for your reply. I created an application page with some basic content in the _layouts folder following the instructions on this post - and was able to access the page anonymously from a link on my custom login page but as soon as I add the password recovery web part the same behaviour as before happens (clicking the link to application page does nothing but redirect me back to the login page). I noticed in another discussion thread on here (topic: Membership Request Page on May 9th) another user was having the same issues and you mentioned that anonymous access needs to be turned on for the web app then set for Lists and Libraries. Is this the only way to access the password recovery web part anonymously? What if business rules dictate I can't activate any anonymous settings due to the sensitive nature of the content on my SharePoint environment? Thanks again for all your help....looks like a great tool and hope I will be able to use it in my environment.  

I looked some more into how I managed to get it working.  It turns out the problem is because the web parts inherit from Microsoft.SharePoint.WebPartPages.WebPart. I can't get even the simplest of web parts to display on an anonymous application page if they inherit from that (nor can I get any of the Microsoft web parts to display if they inherit from that as well).

Changing the web part to inherit from System.Web.UI.WebControls.WebParts.WebPart solves the problem.  I'll make the change in the next release. In the meantime the only way will be to use a standard SharePoint page and turn on anonymous access.  You can limit the anonymous access to that page only by putting it in it's own library and then only giving that library anonymous access. (Or you can grab the source and change the web part to inherit from System.Web.UI.WebControls.WebParts.WebPart)

Issue here:



Also, for other people trying to get anonymous application pages working, here's what I had to do:

Inherit from UnsecuredLayoutsPageBase

Override AllowAnonymousAccess and AllowNullWeb to return true

Set the master page to "~/_layouts/simple.master"

--- ASPX ---

<%@ Assembly Name="$SharePoint.Project.AssemblyFullName$" %>
<%@ Import Namespace="Microsoft.SharePoint.ApplicationPages" %>
<%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="Utilities" Namespace="Microsoft.SharePoint.Utilities" Assembly="Microsoft.SharePoint, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<%@ Import Namespace="Microsoft.SharePoint" %>
<%@ Assembly Name="Microsoft.Web.CommandUI, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register TagPrefix="FBA" Namespace="Visigo.Sharepoint.FormsBasedAuthentication"
    Assembly="Visigo.Sharepoint.FormsBasedAuthentication, Version=, Culture=neutral, PublicKeyToken=9dba9f460226d31d" %>
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="ApplicationPage1.aspx.cs" Inherits="SharePointProject1.Layouts.SharePointProject1.ApplicationPage1" MasterPageFile="~/_layouts/simple.master" %>

<asp:Content ID="PageHead" ContentPlaceHolderID="PlaceHolderAdditionalPageHead" runat="server">


<asp:Content ID="Main" ContentPlaceHolderID="PlaceHolderMain" runat="server">
<FBA:PasswordRecoveryWebPart runat="server"  />

<asp:Content ID="PageTitle" ContentPlaceHolderID="PlaceHolderPageTitle" runat="server">
Application Page

<asp:Content ID="PageTitleInTitleArea" ContentPlaceHolderID="PlaceHolderPageTitleInTitleArea" runat="server" >
My Application Page

using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

namespace SharePointProject1.Layouts.SharePointProject1
    public partial class ApplicationPage1 : UnsecuredLayoutsPageBase
        protected void Page_Load(object sender, EventArgs e)

        //override the allow anonymous property to true
        protected override bool AllowAnonymousAccess
                return true;
        protected override bool AllowNullWeb
                return true;

The web parts have been updated to work with anonymous application pages in release 1.0.3.

I will reveal my ignorance here, and hope that, with your help, I can eliminate this lack of knowledge...

I've added the various web-parts you provide in a library of pages in my SP 2010 site. I have provided anonymous access to this library, and the pages (mostly) work fine (except that when accessing the Change Password web-part anonymously, only the title of the web part appears, but I'm not asking about that.)

Above, you mention web parts in application pages...

All the rest of our project is implemented in application pages (stored in a subfolder of the _layouts folder with our own .css and .master files in subfolders of that), except for a couple InfoPath forms. The pages I created which currently contain your webparts are (according to my understanding) site pages.

How does one insert a web part into an application page? This is how I really want to implement the web parts.

Also, related, I currently have my custom login page residing in the same subfolder within the _layouts folder as the rest of our .aspx pages, and have changed the path to the custom login page for the associated web app in Central Admin. This login.aspx page can be accessed anonymously without doing what you have described above, but none of the other application pages can be. Is this page made anonymous by SharePoint just because it is specified as the custom login page? And so I WILL have to do what you describe above for other application pages to be accessed anonymously?

I hope I've clearly communicated my situation.

Well, not only did I reveal my ignorance, but also my poor reading ability :-)

I see in your example that you show how to embed a webpart in an application page - using

<%@ Register TagPrefix="FBA" Namespace="Visigo.Sharepoint.FormsBasedAuthentication"
    Assembly="Visigo.Sharepoint.FormsBasedAuthentication, Version=, Culture=neutral, PublicKeyToken=9dba9f460226d31d" %>


<FBA:PasswordRecoveryWebPart runat="server"  />

I'll give that a try and see what I get.

Yeah, if you copy all the code from my previous post it should work as an application page.  The main thing you need to get it to work is inherit from UnsecuredLayoutsPageBase (The login page already does) and set AllowAnonymousAccess and AllowNulllWeb.

As for the Change Password page - it grabs the user ID, so it does need to be logged in to function (which is why you're only seeing the title).

Good luck!

I keep getting a 302 and a challenge to authenticate when trying to use the Password Recovery control in a SharePoint Application Page:  UnsecuredLayoutsPageBase

I can get to to page fine anonymously, it just seems like the postback to itself gets a 302 and then throws it over to the Authenticate.aspx.  This is what Fiddler is telling me.

I've copied exactly what you had above.  It works fine if I authenticate first and then navigate to this page, so I know functionally, all is well.  It's just that anonymous access on postback.

I have AllowAnonymousAccess and AllowNullWeb both set to true in the code behind.

Are you using the code earlier in this post? What version of the FBA Pack are you using? I'm pretty sure I tested this in the latest version 1.2.0, so it should work with that version.  If you can't get it to work with 1.2.0 - try it with version 1.0.3 - it was tested and definitely works with that version.

I downloaded and installed from this site about 3 weeks ago, so I'm sure I'm using your latest (1.2).  Yes, I'm using the code from your previous post.

1.2 was only released about 3 weeks ago (Nov 21) - so i'd probably download and redeploy 1.2 over what you have. I believe I introduced a bug in 1.1, which caused it to not work anonymously (and you'd get the problems you described).

Okay, I'll try that.  Do I need to undeploy/redeploy or will the deploy script included do the proper upgrades, etc?

Just run the deploy script for the new version and it will undeploy the existing version and deploy the new version.

I redeployed everything and same issue.  :(

Try 1.0.3 - that definitely works with the code above - if not, i'd say there's something else going on in your environment.  Also, have you tried the 1.2.0 web parts on a standard anonymous access page? I know I tested that in 1.2.0.

I tried 1.0.3.  Same issue.  it must be on my side.  I'll keep trying to figure it out.  Thanks for your help.

So I'm trying it now within an anonymous sharepoint page and I'm getting this error in the logs.  I can send emails fine using the other FBA Pack web parts and this is a valid email address.

#160009: The e-mail address '' is unknown. c4eff796-afed-4994-83c5-9a7f998609f7

One more detail, I'm running SharePoint 2010 Foundation with SP1 for all of this, if that is relevant.

SP1 should be fine. If this is the password recovery web part, then the error in the logs is because it can't find a user with that email address in the FBA database.  Check the user management page and make sure that the user exists.