Security Question/Answer reset

sharepoint2010
codeplex

#1

First - THANK YOU for the awesome code.  Much smoother than the CKS.  Once I figured out that email and a self-signed SSL don't work well (I ended up using SELFSSL.EXE to create a cert that could be imported into the SharePoint store) all is running smooth.

Question: I configured a security question/answer in the MembershipProvider, and it's working well, but there's no place for the end-user to be able to reset their Q/A once logged in!  Am I missing something?

Also, the Password Reset web part has lots of options, are they documented anywhere?  None of them seem to allow for the Q/A reset either :(


#2

Unfortunately there's no way of changing the security question/answer with the FBA Pack once they've been created.  The FBA Pack uses the ASP.Net Membership Controls - and surprisingly they do not provide that functionality.  Feel free to add this as a feature request in the Issue Tracker (but it will probably be pretty low on the priority list).

As for the options, apart from the standard web part options available for all SharePoint web parts, all of the options are for customizing the appearance of the control - essentially setting the text the control displays as well as the button styles. It's really just a web interface to the asp.net control, which is documented here:

http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.passwordrecovery.aspx

You can also specify the html template to use for the control, if you REALLY want to customize the layout.  I've got some documentation on doing that here:

http://sharepoint2010fba.codeplex.com/wikipage?title=Customizing%20the%20Web%20Part%20Layout


#3

Yes, first of all, many thanks Chris for this awesome work!! It makes lives easier for us!!

I have the same query, members should change their Security question (and pwd, for this we can use the change pwd control and direct the users to that page), however for the security question change, we don't have a choice. I looked at your code and saw the ASP.NET Membership controls you have used, I was thinking to use a copy of the control but modify it to the effect that it shows just the Security questions, but we cannot as many of the other fields are required, as you also mentioned in your post.

Unfortunately, the only option is to create another webpart, with just the Question and Answers boxes. If anyone has found a solution or written something to that effect please share.

FastFrgz - were you able to find a solution?
We need to have this as the user can only recover their pwd if they know security question/answer.
Sachin

 


#4

If you want to add it as new fields to the change password web part, you should be able to by adding the fields to the template and then adding the logic to the code. If you just want a separate web part for changing the question and answer, then probably a brand new custom web part would be best. As far as I know there are no web parts available, so unfortunately I don't think there's any way around coding something. If you need this coded up, I'd be glad to help. Check out the purchases page on the Visigo web site, and feel free to call to discuss what you'd like:

http://www.visigo.com/purchase.html
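
Added example, not part of the thread and not FBA Pack code: the core logic that a separate "change question and answer" web part could call, using the ASP.NET membership provider's `ChangePasswordQuestionAndAnswer` method, which requires the user's current password. The class and method names and the error strings are hypothetical, and the caller is assumed to pass the provider name from web.config and the provider-level user name of the signed-in user.

```csharp
using System;
using System.Web.Security;

// Added example, not FBA Pack code. Core logic a custom "change security
// question" web part could call from its button handler.
public static class SecurityQuestionChanger   // hypothetical class name
{
    // providerName: name of your membership provider entry in web.config.
    // userName: provider-level user name (assumed already resolved from the
    // signed-in SharePoint identity by the caller).
    public static bool TryChange(string providerName, string userName,
        string currentPassword, string newQuestion, string newAnswer,
        out string error)
    {
        error = null;
        MembershipProvider provider = Membership.Providers[providerName];
        if (provider == null)
            return Fail("Membership provider not found.", out error);
        if (!provider.RequiresQuestionAndAnswer)
            return Fail("Question/answer is turned off on this provider.", out error);
        if (IsBlank(newQuestion) || IsBlank(newAnswer))
            return Fail("Question and answer are both required.", out error);
        // An answer equal to the user name or the password adds nothing as a
        // second recovery secret, so reject it.
        string answer = newAnswer.Trim();
        if (string.Equals(answer, userName, StringComparison.OrdinalIgnoreCase) ||
            string.Equals(answer, currentPassword, StringComparison.Ordinal))
            return Fail("Answer must not be your user name or password.", out error);
        MembershipUser user = provider.GetUser(userName, false);
        if (user == null || user.IsLockedOut)
            return Fail("Account not found or locked out.", out error);
        try
        {
            // The current password is required here, so an unattended session
            // alone cannot replace the recovery question. A false return means
            // the provider refused the update (typically a wrong password).
            if (provider.ChangePasswordQuestionAndAnswer(
                    userName, currentPassword, newQuestion.Trim(), answer))
                return true;
            return Fail("Update refused; check the current password.", out error);
        }
        catch (ArgumentException)
        {
            // Thrown when the provider rejects a value (for example, too long).
            return Fail("Question or answer was rejected by the provider.", out error);
        }
    }
    private static bool IsBlank(string s) { return s == null || s.Trim().Length == 0; }
    private static bool Fail(string message, out string error) { error = message; return false; }
}
```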


#5

I forgot to mention, your other option is simply turning off the question/answer feature on the membership provider.  But I assume if you're going through this, you feel like you need the extra security.


#6

Thanks Chris. Yes, I guess I will need to add a new webpart (or as you suggested, add it to the Change pwd page, is a good idea too!), both of these would require custom code, so I was thinking not to mess with existing, but add another webpart.

Turning off the question/answer feature was something that I did not think about, glad that you pointed it out. However, I feel it should be there, how else would the users who forgot their pwd be able to get back to the system without human intervention (like sending emails to an admin)?

Thoughts?

I have over 650 users, so was thinking to allow them to set the questions later on after we create the users.


#7

If you turn off the question answer, then the recover password web part only asks for their email/username.  The password will be reset and emailed using the email address associated to the user.

As for setting the questions later on, I believe if question/answer is turned on, then a question and answer is required by the membership provider when creating the user. So I don't think that's an option. You'd have to at least provide a default question and answer, such as "Type Password"/"Password".


#8

For Part 1 - Yes, that's an option, since the pwd is sent to the user's email address no one else can get it, so security question can be turned off.

For Part 2 - The idea of setting it later on was this - We keep the Security question ON and create the users in the backend through SQL scripts etc. with dummy question and answer and pwd fields and then ask users to change it later on after they have logged in. (Current client might not allow each user to come and create their own accounts as there are multiple SharePoint user group scenarios and they have to be pre-configured in bulk, rather than piecemeal.) Yes, you have provided for an option to review requests, but someone will have to do the task of reviewing each request and then adding to appropriate groups, the user database is huge for this.

But I do see some point if users can request their own account (if they agree!!) it will do away with all this trouble. Else I will have to go for a webpart. :-)

You have raised some good points to consider, final implementation will depend on what they agree for in the end.

Thanks again,
Sachin


#9

Hey Chris - I was testing the Membership request webpart as per yesterday's discussion, but it is not creating any users nor do they go in the review list. The page just refreshes or sometimes just sits there. Everything else in the FBA pack is working just fine, but this webpart.

Please answer when you can. I haven't modified anything as yet, just testing as it came.

Also, there is no pwd field here - how does the pwd get created?

Thanks,
Sachin


#10

Usually if it refreshes and doesn't do anything it's because one of the validations is failing - invalid captcha, missing username, email address... However there should be an indication on the screen of what failed (although the default notification for many of the fields is a red *, which could potentially be easy to miss). If that's not it, I'd check the SharePoint log file to see if anything was written there (although you will usually see "Unknown Error Occured" if something gets written to the log).

As for the no password field, by default the user is emailed their password.  That could be one reason the web part is failing, if the SharePoint email settings aren't configured correctly. There is an "Auto Generate Password" option on the web part that you can turn off if you'd like the user to enter their own password. You will still need to have the email server configured as an email still gets sent.


#11

Wow! thanks.

I guess this is the case, my email settings are not configured properly.
So, you are saying that even if the user enters their own password, it will fail to create the user because the email will not go out? Bottom line, unless email is configured this will not work?

Also, when I configure the webpart and uncheck "Auto generate password" it keeps checking it back? Can't uncheck it.

Thanks.


#12

Correct, email is required.

The reason auto generate password is checked is because you have review membership requests turned on. The user essentially gets generated when the membership request is approved, and for security reasons I didn't want to store the password until that point. So right now if you want the user to enter a password you'll have to turn off the Review Membership Request functionality. Otherwise, you'll have to stick with the password being auto generated for them and they would have to change their password after logging in for the first time.


#13

Spot on, thank you! I was able to uncheck it after turning off membership review.

Question: as you have rightly mentioned users would have to change their pwd after logging in for the first time, does FBA Pack take care of it on its own and force users to change pwd? Or do we have to code it? I was thinking that we had to take care of it, but if it is taken care of by the FBA pack, nothing like it :-)


#14

I'm afraid that's not included with the FBA pack. It would have to be custom code.  I've customized another client's login page to check if the password has been changed and redirect to the change password page if it has not.


#15

Ok. Thank you Chris, appreciate all your help! Might have to take the same route. So this is what I am thinking finally.

1 - Users create themselves through membership
2 - Security question turned on
3 - Will have to decide about password
 a) if user gives pwd, no need for customizing login page
 b) if we use automatic pwd generation, then ask them to change
 


#16

Hey ccoulson - I am back again..:-)

I want to turn off the security question/answer on both the new user screen and membership request page, can I do it from the pack or will I have to make changes to source?

I guess for the Membership request we can make changes to the webpart, I am not sure what to do about the New User page.

-Thanks


#17

The display of the security question/answer is controlled by the settings on your membership provider. So to turn the fields off you just have to edit your membership provider entry in your web.config.


#18

Thanks I will try that and let you know how it goes!!


#19

Thank you sir, it worked like a charm! Setting requiresQuestionAndAnswer="False" did the trick...!

  

 


#20

Hello ccoulson, so I am back :-), have a question.

The forgot pwd webpart is not able to send mail and shows an error: "There was an error sending the email, please check with your administrator"
I know from our last discussion that email should be configured properly on the server, and it is! I am getting regular SharePoint alerts as a test.

Also, I added a user today, using user management, that did not send a mail as well. Can you guide me as to what could be the issue?

Thanks,
Sachin