How do I configure account lockout using the membership feature in ASP.NET 2.0?

From Guidance Share

J.D. Meier, Prashant Bansode, Alex Mackman


If you are using the SqlMembershipProvider or ActiveDirectoryMembershipProvider, you use the maxInvalidPasswordAttempts and passwordAttemptWindow attributes on the provider configuration. By default, these values are 5 and 10, respectively. This means you get 5 invalid attempts within 10 minutes before you are locked out.

If you are using the ActiveDirectoryMembershipProvider, your domain or local security policy controls the password lockout. Note that if an account is locked out by the provider, it is not locked out within Active Directory, so you could still log on to Windows with the account. However, the ActiveDirectoryMembershipProvider treats the account as locked out, so the user cannot log on through an application that uses the provider until the lockout duration elapses. Accounts locked out by the provider are re-enabled after a time interval defined by the attributeMapFailedPasswordAnswerLockoutTime attribute. The default is 30 minutes. Alternatively, you can write code that calls the UnlockUser method on the MembershipUser object.

Here is how you configure account lockout settings:

<membership defaultProvider="NewProvider">
  <providers>
    <add name="NewProvider" maxInvalidPasswordAttempts="3" passwordAttemptWindow="10" … />
  </providers></membership>
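The UnlockUser call mentioned above, together with a login check that records lockouts, as an added C# example (not code from the original page). The LockoutHelper class and its method names are hypothetical; it assumes a membership provider is already configured as shown.

```csharp
using System;
using System.Diagnostics;
using System.Web.Security;

// Added example: LockoutHelper, TryLogin and Unlock are hypothetical names.
public static class LockoutHelper
{
    // Validates credentials against the configured membership provider.
    // Returns the same result for "wrong password" and "locked out" so the
    // caller can show one generic failure message to the user.
    public static bool TryLogin(string userName, string password)
    {
        if (Membership.ValidateUser(userName, password))
        {
            return true;
        }

        // ValidateUser also returns false for a locked-out account, even
        // when the password is correct, so read the flag for the audit log.
        MembershipUser user = Membership.GetUser(userName);
        if (user != null && user.IsLockedOut)
        {
            Trace.TraceWarning(
                "Login refused: account '{0}' locked out since {1:u} " +
                "(limit is {2} invalid attempts in {3} minutes).",
                user.UserName,
                user.LastLockoutDate.ToUniversalTime(),
                Membership.MaxInvalidPasswordAttempts,
                Membership.PasswordAttemptWindow);
        }
        return false;
    }

    // Administrative unlock. Returns true only if the account existed,
    // was locked out, and the provider reports that it is now unlocked.
    public static bool Unlock(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null || !user.IsLockedOut)
        {
            return false;
        }
        return user.UnlockUser();
    }
}
```

Call Unlock only from a page or tool restricted to administrators, since it clears the failed-attempt state that the lockout settings rely on.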

More Information

For more information on configuring account lockout, see “How To: Use Membership in ASP.NET 2.0” at