ActiveDirectoryMembershipProvider.ChangePasswordQuestionAndAnswer Method
Definition
Updates the password question and answer for a user in the Active Directory store.
C++/CLI:
public:
override bool ChangePasswordQuestionAndAnswer(System::String ^ username, System::String ^ password, System::String ^ newPasswordQuestion, System::String ^ newPasswordAnswer);
C#:
public override bool ChangePasswordQuestionAndAnswer (string username, string password, string newPasswordQuestion, string newPasswordAnswer);
F#:
override this.ChangePasswordQuestionAndAnswer : string * string * string * string -> bool
Visual Basic:
Public Overrides Function ChangePasswordQuestionAndAnswer (username As String, password As String, newPasswordQuestion As String, newPasswordAnswer As String) As Boolean
Parameters
- username (String): The user to change the password question and answer for.
- password (String): The password for the specified user.
- newPasswordQuestion (String): The new password question for the specified user.
- newPasswordAnswer (String): The new password answer for the specified user.
Returns
true if the update was successful; otherwise, false. A value of false is also returned if the password is incorrect, the user is locked out, or the user does not exist in the Active Directory data store.
Exceptions
- The administrator has not mapped the password question-and-answer fields to attributes of the Active Directory schema.
- username is empty, or exceeds the maximum length for the user name (usually 256 characters).
  -or- username contains commas.
  -or- The user name is mapped to the userPrincipalName attribute and the username parameter contains backslashes.
  -or- password is a zero-length string.
  -or- password exceeds the maximum password length (usually 128 characters).
  -or- newPasswordQuestion is empty and the RequiresQuestionAndAnswer property value is true.
  -or- newPasswordQuestion exceeds 256 characters.
  -or- newPasswordAnswer exceeds 128 characters after the answer is encrypted.
- username is null.
  -or- password is null.
  -or- newPasswordQuestion is null and the RequiresQuestionAndAnswer property is true.
  -or- newPasswordAnswer is null and the RequiresQuestionAndAnswer property is true.
- The machineKey Element (ASP.NET Settings Schema) configuration element indicates an auto-generated machine encryption key. You must explicitly set the decryptionKey attribute of the machineKey Element (ASP.NET Settings Schema) element to store password answers with the ActiveDirectoryMembershipProvider.
- The ChangePasswordQuestionAndAnswer(String, String, String, String) method is called before the ActiveDirectoryMembershipProvider instance is initialized.
Remarks
The method is called by the ActiveDirectoryMembershipUser class to update the password question and answer for a user in the Active Directory membership store.
Requiring a password question and answer provides an additional layer of security when resetting a user's password. When creating a user name, a user can supply a question and answer that can later be used to reset a forgotten password. The ChangePasswordQuestionAndAnswer method updates the password question and answer for a membership user to new values.
In order to use the ChangePasswordQuestionAndAnswer method, you must set these additional attributes in your application's configuration file:
- requiresQuestionAndAnswer must be true.
- attributeMapPasswordQuestion and attributeMapPasswordAnswer must be mapped to attributes in the Active Directory schema.
If the above criteria are not met, a ProviderException is thrown at initialization.
The ActiveDirectoryMembershipProvider instance connects to the Active Directory data store with the credentials provided in the username and password parameters to validate the user name/password combination. The actual update of the question and answer is performed with the configured connection credentials of the provider.
If an incorrect password is supplied to the ChangePasswordQuestionAndAnswer method, the directory server will increment the counters that track invalid password attempts. This can result in the user being locked and unable to log on until either the lock status is cleared by a call to the UnlockUser method or the locked duration specified in the directory passes.
If the update to the question and answer succeeds and the EnablePasswordReset property is true, the user's bad password answer tracking counters are reset.
The password answer is encrypted using the EncryptPassword method before it is stored in the Active Directory data store. The encryption key and algorithm are specified by the machineKey Element (ASP.NET Settings Schema) configuration element. The decryptionKey attribute on the machineKey Element (ASP.NET Settings Schema) element must be set explicitly; the ActiveDirectoryMembershipProvider class does not support auto-generated encryption keys.
The maximum length for the password question is 256 characters. The maximum length for the password answer is 128 characters.
Leading and trailing spaces are trimmed from all parameter values except for password.
The provider finds the user instance to update by performing a subtree search for the user name starting at the search point specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.
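The following is an added example, not code from this reference page or from the .NET Framework, showing the configuration the remarks require and a caller that treats the return value and exceptions as described above. It assumes an ASP.NET application whose default membership provider is an ActiveDirectoryMembershipProvider; the provider name, connection string name, key values and the two Active Directory attribute names in the comment are placeholders chosen for illustration.

```csharp
// Added example; not code from the reference page. Assumed web.config excerpt
// for the default provider (placeholder names, keys and attribute mappings):
//
//   <machineKey decryption="AES" validation="HMACSHA256"
//               decryptionKey="[EXPLICIT-HEX-KEY]" validationKey="[EXPLICIT-HEX-KEY]" />
//   <membership defaultProvider="AdProvider">
//     <providers>
//       <add name="AdProvider"
//            type="System.Web.Security.ActiveDirectoryMembershipProvider"
//            connectionStringName="AdConn"
//            requiresQuestionAndAnswer="true"
//            attributeMapPasswordQuestion="department"
//            attributeMapPasswordAnswer="comment" />
//     </providers>
//   </membership>
using System;
using System.Configuration.Provider;
using System.Web.Security;

public static class PasswordQuestionUpdater
{
    // Returns true only when the directory update succeeded. A false result
    // covers three cases the provider does not distinguish: wrong password,
    // locked-out account, or no such user. Do not retry with the same
    // password on false: each wrong attempt increments the directory's
    // bad-password counter and can lock the account.
    public static bool TryUpdate(string username, string password,
                                 string newQuestion, string newAnswer)
    {
        var provider = (ActiveDirectoryMembershipProvider)Membership.Provider;
        try
        {
            // Null or malformed input (empty user name, commas in it, a
            // question over 256 characters, an answer over 128 characters
            // once encrypted) throws ArgumentException/ArgumentNullException.
            // Those are caller bugs and are deliberately left to propagate.
            return provider.ChangePasswordQuestionAndAnswer(
                username, password, newQuestion, newAnswer);
        }
        catch (ProviderException ex)
        {
            // Question/answer attributes not mapped, or machineKey relies on
            // an auto-generated decryptionKey: a deployment misconfiguration
            // the user cannot fix, so surface it with an actionable message.
            throw new InvalidOperationException(
                "ActiveDirectoryMembershipProvider is not configured for password " +
                "question/answer: check requiresQuestionAndAnswer, the two " +
                "attributeMapPassword* attributes and machineKey decryptionKey.", ex);
        }
    }
}
```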