Assembly: System.Web (in system.web.dll)
Property Value
The time window, in minutes, during which consecutive failed attempts to provide a valid password or a valid password answer are tracked. The default is 10 minutes. If the interval between each failed attempt is greater than the PasswordAttemptWindow property setting, the ActiveDirectoryMembershipProvider instance treats each failed attempt as if it were the first failed attempt.
An attempt to access the PasswordAttemptWindow property was made before the ActiveDirectoryMembershipProvider instance was initialized.
The PasswordAttemptWindow property works in conjunction with the MaxInvalidPasswordAttempts property to help guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. When users are attempting to log in, change their password, or reset their password, only a certain number of consecutive attempts are allowed within a specified time window. The length of the time window is specified by the PasswordAttemptWindow property, which identifies the number of minutes allowed between invalid attempts. If the number of consecutive failed attempts a user makes to reset his or her password equals the value stored in the MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified for the PasswordAttemptWindow property, then the user account is locked out for the number of minutes contained in the PasswordAnswerAttemptLockoutDuration property. If the interval between the current failed attempt and the last failed attempt is greater than the PasswordAttemptWindow property setting, the current invalid attempt is counted as the first attempt. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to zero. If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are both set to zero.
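The following is an added illustration of the accounting just described, written for this page and not taken from System.Web: a small Python model of the sliding attempt window, the separate password and password-answer counters, and the lockout, driven by a constructed timeline of attempts. It assumes the two failure kinds are counted separately, as the text implies, and that the provider's own code may differ in detail.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AttemptTracker:
    """Illustrative model (not the provider's code) of consecutive-failure tracking.
    All times are in minutes; a failure is compared against the previous failure
    of the same kind to decide whether the window has been exceeded."""
    max_invalid_attempts: int = 3        # maxInvalidPasswordAttempts
    password_attempt_window: int = 10    # passwordAttemptWindow (minutes)
    lockout_duration: int = 15           # passwordAnswerAttemptLockoutDuration
    failed_password: int = 0
    failed_answer: int = 0
    last_failure: Dict[str, float] = field(default_factory=dict)
    locked_until: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def _record_failure(self, kind: str, now: float) -> int:
        # A gap larger than the window means this failure counts as the first one.
        last = self.last_failure.get(kind)
        count = getattr(self, f"failed_{kind}")
        if last is None or now - last > self.password_attempt_window:
            count = 0
        count += 1
        setattr(self, f"failed_{kind}", count)
        self.last_failure[kind] = now
        if count >= self.max_invalid_attempts:
            self.locked_until = now + self.lockout_duration  # lock the account
        return count

    def try_password(self, now: float, valid: bool) -> str:
        if self.is_locked(now):
            return "locked"
        if valid:
            # A valid password clears both counters.
            self.failed_password = self.failed_answer = 0
            return "ok"
        self._record_failure("password", now)
        return "locked" if self.is_locked(now) else "failed"

    def try_answer(self, now: float, valid: bool) -> str:
        if self.is_locked(now):
            return "locked"
        if valid:
            self.failed_answer = 0  # a valid answer clears only the answer counter
            return "ok"
        self._record_failure("answer", now)
        return "locked" if self.is_locked(now) else "failed"
```

With the defaults above (3 attempts, 10-minute window, 15-minute lockout), two failures followed by a third 15 minutes later restart the count, so a lockout needs three failures each within 10 minutes of the previous one.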
We recommend that the PasswordAnswerAttemptLockoutDuration property be set to the same value as the account lockout duration that is specified for the maximum number of failed logon attempts in the Active Directory configuration. This will present consistent auto-lockout behavior for users whether they were locked out due to failed logon attempts or to bad password answers.
The PasswordAttemptWindow property is set in your application's configuration file using the passwordAttemptWindow attribute of the membership Element (ASP.NET Settings Schema) element. If the property is not set in the application's configuration file, the PasswordAttemptWindow property is set to the default value of 10 minutes.
The following code example shows a Web.config entry that configures an ActiveDirectoryMembershipProvider instance to lock out users who make three failed attempts to enter the password answer in a 10-minute time window. If the user is locked out, no further attempts to answer the password question may be made for 15 minutes.
<configuration>
  <connectionStrings>
    <add name="ADService" connectionString="LDAP://ldapServer/" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.3600, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             maxInvalidPasswordAttempts="3"
             passwordAttemptWindow="10"
             passwordAnswerAttemptLockoutDuration="15" />
      </providers>
    </membership>
  </system.web>
</configuration>