ActiveDirectoryMembershipProvider.ChangePasswordQuestionAndAnswer Method

Definition

Updates the password question and answer for a user in the Active Directory store.

public:
 override bool ChangePasswordQuestionAndAnswer(System::String ^ username, System::String ^ password, System::String ^ newPasswordQuestion, System::String ^ newPasswordAnswer);
public override bool ChangePasswordQuestionAndAnswer (string username, string password, string newPasswordQuestion, string newPasswordAnswer);
override this.ChangePasswordQuestionAndAnswer : string * string * string * string -> bool
Public Overrides Function ChangePasswordQuestionAndAnswer (username As String, password As String, newPasswordQuestion As String, newPasswordAnswer As String) As Boolean

Parameters

username
String

The user to change the password question and answer for.

password
String

The password for the specified user.

newPasswordQuestion
String

The new password question for the specified user.

newPasswordAnswer
String

The new password answer for the specified user.

Returns

true if the update was successful; otherwise, false. A value of false is also returned if the password is incorrect, the user is locked out, or the user does not exist in the Active Directory data store.

Exceptions

The administrator has not mapped the password question-and-answer fields to attributes of the Active Directory schema.

username is empty, or exceeds the maximum length for the user name (usually 256 characters).

-or-

username contains commas.

-or-

The user name is mapped to the userPrincipalName attribute and the username parameter contains backslashes.

-or-

password is a zero-length string.

-or-

password exceeds the maximum password length (usually 128 characters).

-or-

newPasswordQuestion is empty and the RequiresQuestionAndAnswer property value is true.

-or-

newPasswordQuestion exceeds 256 characters.

-or-

newPasswordAnswer exceeds 128 characters after the answer is encrypted.

username is null.

-or-

password is null.

-or-

newPasswordQuestion is null and RequiresQuestionAndAnswer property is true.

-or-

newPasswordAnswer is null and RequiresQuestionAndAnswer property is true.

The machineKey Element (ASP.NET Settings Schema) configuration element indicates an auto-generated machine encryption key. You must explicitly set the decryptionKey attribute of the machineKey Element (ASP.NET Settings Schema) element to store password answers with the ActiveDirectoryMembershipProvider.

Remarks

The method is called by the ActiveDirectoryMembershipUser class to update the password question and answer for a user in the Active Directory membership store.

Requiring a password question and answer provides an additional layer of security when resetting a user's password. When creating a user name, a user can supply a question and answer that can later be used to reset a forgotten password. The ChangePasswordQuestionAndAnswer method updates the password question and answer for a membership user to new values.

In order to use the ChangePasswordQuestionAndAnswer method, you must set these additional attributes in your application's configuration file:

  • requiresQuestionAndAnswer must be true.

  • attributeMapPasswordQuestion and attributeMapPasswordAnswer must be mapped to attributes in the Active Directory schema.

If the above criteria are not met, a ProviderException is thrown at initialization.
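A web.config fragment that meets the two requirements above together with the explicit machineKey requirement described under Exceptions and Remarks. This is an added example, not configuration from the original reference page; the connection string, the service account, the schema attributes extensionAttribute1 and extensionAttribute2, and the key placeholders are constructed assumptions.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed example: the search point for the provider's subtree user search -->
    <add name="ADService"
         connectionString="LDAP://ad.example.internal/CN=Users,DC=example,DC=internal" />
  </connectionStrings>

  <system.web>
    <!-- Keys must be explicit: an auto-generated decryptionKey makes provider
         initialization fail because password answers are encrypted with it.
         Replace the placeholders with keys generated for this application. -->
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="REPLACE_WITH_128_HEX_CHAR_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_64_HEX_CHAR_DECRYPTION_KEY" />

    <membership defaultProvider="AdMembership">
      <providers>
        <clear />
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADService"
             <!-- Credentials the provider uses for the actual question/answer update;
                  the caller's username/password are only used to validate the user. -->
             connectionUsername="EXAMPLE\svc-membership"
             connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_SECRET"
             requiresQuestionAndAnswer="true"
             enablePasswordReset="true"
             <!-- Assumed string attributes; both mappings are required for
                  ChangePasswordQuestionAndAnswer to work. -->
             attributeMapPasswordQuestion="extensionAttribute1"
             attributeMapPasswordAnswer="extensionAttribute2"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The connectionPassword value should not live in plaintext in a deployed web.config; protect the section with ASP.NET protected configuration (for example, aspnet_regiis -pe) and grant the service account only the write permission it needs on the two mapped attributes.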

The ActiveDirectoryMembershipProvider instance connects to the Active Directory data store with the credentials provided in the username and password parameters to validate the user name/password combination. The actual update of the question and answer is performed with the configured connection credentials of the provider.

If an incorrect password is supplied to the ChangePasswordQuestionAndAnswer method, the directory server increments the counters that track invalid password attempts. This can result in the user being locked out and unable to log on until either the lock status is cleared by a call to the UnlockUser method or the lockout duration specified in the directory passes.

If the update to the question and answer succeeds and the EnablePasswordReset property is true, the user's bad password answer tracking counters are reset.

The password answer is encrypted using the EncryptPassword method before it is stored in the Active Directory data store. The encryption key and algorithm are specified by the machineKey Element (ASP.NET Settings Schema) configuration element. The decryption attribute on the machineKey Element (ASP.NET Settings Schema) element must be specified explicitly; the ActiveDirectoryMembershipProvider class does not support auto-generated encryption keys.

The maximum length for the password question is 256 characters. The maximum length for the password answer is 128 characters.

Leading and trailing spaces are trimmed from all parameter values except for password.

The provider finds the user instance to update by performing a subtree search for the user name starting at the search point specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.
