ASP.NET - Using the same encryption method used by ActiveDirectoryMembershipProvider to encrypt secret password answer and store it in AD

rakkimk — Sat, 12 Apr 2008 00:26:29 GMT

Okay, this is an interesting stuff. MembershipProvider automatically encrypts most of the sensitive information such as password, secret-question-password. What if you want to use the same encryption method yourself to encrypt data?

Before continuing reading, You need to understand and keep in mind that your <machinekey> section is the one which would be used for the encryption / decryption by the MembershipProvider. If you change it after encryption, your decryption may fail. So, please be careful while modifying anything on <machinekey> section in your web.config.

I've just created a class inheriting from MembershipProvider. I've implemented all the methods of it (just a dummy implementation - VS would be more than happy to do that for you - if you find difficulty in this, write to me; I'll help you). I've also created another new method called EncryptMe which takes a string and returns me a string which is in fact the encrypted string. This method just gets the string in bytes with RNGCryptoServiceProvider and just call the function EncryptPassword of the MembershipProvider class to do the encryption.

In fact, the EncryptPassword method is a protected method of the MembershipProvider class, and by using it, we have just achieved the same encryption which is used by the MembershipProvider class (which our ActiveDirectoryMembershipProvider also uses to encrypt your secret-password-answer). Since it is protected, you can't access it anywhere outside, but inside a derived class.

Source of my EncryptMe Function

    public string EncryptMe(string s)
    {
        byte[] bytes = System.Text.Encoding.Unicode.GetBytes(s);
        byte[] data = new byte[0x10];
        new System.Security.Cryptography.RNGCryptoServiceProvider().GetBytes(data);
        byte[] dst = new byte[data.Length + bytes.Length];
        Buffer.BlockCopy(data, 0, dst, 0, data.Length);
        Buffer.BlockCopy(bytes, 0, dst, data.Length, bytes.Length);
        byte[] b = EncryptPassword(dst);
        return Convert.ToBase64String(b);
    }

Now, you can just store the encrypted string to the active directory property which you've mapped to the Secret-question-password. Check this knowledge base article which explains how to modify an attribute of an user in active directory. It just talks about the properties needed by the FTP user isolation, just modify the code to use your own attribute.

Again, please make sure you do not alter your <machinekey> section which has all the information needed to encrypt and decrypt data.

Hope this helps!

ASP.NET - Enabling PasswordReset functionality when using ActiveDirectoryMembershipProvider

rakkimk — Fri, 11 Apr 2008 22:59:00 GMT

If you want to use ActiveDirectoryMembershipProvider on your website to manage users specially the password reset functionality, you will also need to create few attributes in the active directory schema for the "USER" object. You can check this MSDN article to know more about this, but again, it doesn't list how to create the needed attributes, but it tells you what are all the attributes needed if you are considering "Password Reset" functionality.

Firstly, ActiveDirectoryMembershipProvider does not support retrieving the password, but you can reset the password by providing secret-question, and secret-answer. You may also need to create few more attributes in the active directory schema associated with this. Below are those attributes:

Password Question - Unicode String
Password Answer - Unicode String
Failed Answer count - Integer
Last time at which the user supplied an invalid answer - Large Integer/Interval
Account locked out time - Large Integer/Interval

These are the 5 new attributes which you need to add in the active directory schema for the "USER" object. I will explain how to add new attributes and associate them to an existing object.

You need to first install the schema snap-in by registering schmmgmt.dll (regsvr32 schmmgmt.dll)
Now, open an MMC, and add "Active Directory Schema" snap-in
Expand the Active Directory Schema, and right click on Attribute, and select "Create Attribute"
Enter the common name, LDAP name, other fields for the attribute you are creating. For example, "PasswordQuestion" - this would be having its type as Unicode String. See the above list of attributes and its types appropriately. If Integer, enter minimum/maximum values too.
For the OID, you need to check this MSDN article.

Now follow the above steps to create all the 5 attributes which are needed. After creating these attributes, we need to attach them to the "USER" object.

In the same MMC, Expand "CLASSES" and select user object.
Right click on user and select properties
Go to its attributes tab, and click Add
Select the attributes that you've created one by one and click on OK

That's it. Now, your user object would have all those attributes, and you can store values using any method you like. If you create an user using CreateUser wizard control, it would populate and store the values of the secret-question, answer automatically. ActiveDirectoryMembershipProvider would take care of storing, retrieving values of these attributes itself, you no need to program anything for them.

But, there would be some situation the users have been already created, but you need to attach these attributes to them. Follow the above methods to add attributes to the user object. And, now open the particular user's properties in ADSIEDIT.msc, and add values to them.

After following all the above steps, follow the other steps mentioned in this article to configure your web.config sections to map the attributes you've created in AD.

NOTE: Password-answer is the only one attribute out of these 5 which would be stored in an encrypted format. <machinekey> section would be used for the encryption of this, if you create an user using the CreateUser wizard. But, if you have already created the user in the AD, and you want to just store the secret-question and password, you may want to check my next blog where I'll explain how to use the same encryption method used by the MembershipProvider to store the secret-password in the active directory for the user.

rakkimk : MembershipProvider

ASP.NET - Using the same encryption method used by ActiveDirectoryMembershipProvider to encrypt secret password answer and store it in AD

ASP.NET - Enabling PasswordReset functionality when using ActiveDirectoryMembershipProvider