This documentation is archived and is not being maintained.

ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration Property

Gets the length of time for which a user account is locked out after the user makes too many bad password-answer attempts.

Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public int PasswordAnswerAttemptLockoutDuration { get; }

Property Value

Type: System.Int32
The time, in minutes, that a user is locked out after providing too many incorrect password answers.


An attempt to access the PasswordAnswerAttemptLockoutDuration property was made before the ActiveDirectoryMembershipProvider instance was initialized.

When the EnablePasswordReset property is true, the user must answer the password question to reset his or her password. If the user fails to supply the correct answer a consecutive number of times equal to the MaxInvalidPasswordAttempts property value within the observation time period specified by the PasswordAttemptWindow property, the user is locked out of further attempts for the number of minutes contained in the PasswordAnswerAttemptLockoutDuration property.


This property does not set the duration a user is locked out after failing to enter a valid password. The Active Directory server handles failed logon attempts and is not affected by the value of this property. We recommend that the PasswordAnswerAttemptLockoutDuration property be set to the same value as the account lockout duration specified for too many failed logon attempts in the Active Directory configuration. This will present consistent auto-lockout behavior for users regardless of whether they were locked out due to failed logon attempts or to bad password answers.
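The consistency recommended above can be checked at application startup. The following is an added example, not part of the original documentation: it compares the provider's value with the domain's lockoutDuration attribute. The class name, method names and the domainPath argument (the LDAP path of the domain root object) are assumptions, and the check assumes the domain-wide lockout policy applies to the users in question.

```csharp
using System;
using System.DirectoryServices;
using System.Web.Security;

public static class LockoutConsistencyCheck
{
    // Active Directory stores lockoutDuration as a negative count of
    // 100-nanosecond intervals. Returns null when the lockout is indefinite.
    public static int? ToMinutes(long lockoutDuration)
    {
        // long.MinValue cannot be negated; AD uses it for "until an administrator unlocks".
        if (lockoutDuration == long.MinValue) return null;
        return (int)TimeSpan.FromTicks(Math.Abs(lockoutDuration)).TotalMinutes;
    }

    // domainPath is an assumption, for example "LDAP://DC=example,DC=com".
    public static int? ReadDomainLockoutMinutes(string domainPath)
    {
        using (var root = new DirectoryEntry(domainPath))
        using (var searcher = new DirectorySearcher(root, "(objectClass=*)",
                   new[] { "lockoutDuration" }, SearchScope.Base))
        {
            // DirectorySearcher returns large-integer attributes as Int64.
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["lockoutDuration"].Count == 0)
                throw new InvalidOperationException("lockoutDuration not readable at " + domainPath);
            return ToMinutes((long)result.Properties["lockoutDuration"][0]);
        }
    }

    // Returns null when the two durations match, otherwise a message to log.
    public static string Check(string domainPath)
    {
        var provider = Membership.Provider as ActiveDirectoryMembershipProvider;
        if (provider == null)
            return "Default membership provider is not ActiveDirectoryMembershipProvider.";
        if (!provider.EnablePasswordReset)
            return null; // password reset is disabled, so the answer lockout does not apply

        int configured = provider.PasswordAnswerAttemptLockoutDuration;
        int? domain = ReadDomainLockoutMinutes(domainPath);
        if (domain == configured) return null;
        return string.Format("passwordAnswerAttemptLockoutDuration={0} min, domain lockout={1}",
            configured, domain.HasValue ? domain + " min" : "until unlocked by an administrator");
    }
}
```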

The PasswordAnswerAttemptLockoutDuration property is set in your application's configuration file using the passwordAnswerAttemptLockoutDuration attribute of the membership element (see membership Element (ASP.NET Settings Schema)). If the property is not set in the application's configuration file, the PasswordAnswerAttemptLockoutDuration property is set to the default value of 30 minutes.

The following code example shows a Web.config entry that configures an ActiveDirectoryMembershipProvider instance to lock out users who make three failed attempts to enter the password answer in a 10-minute time window. If the user is locked out, no further attempts to answer the password question may be made for 15 minutes.

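    <connectionStrings>
        <add name="ADService" connectionString="LDAP://ldapServer/" />
    </connectionStrings>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
        <providers>
            <add name="AspNetActiveDirectoryMembershipProvider" connectionStringName="ADService"
              type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.3600, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              maxInvalidPasswordAttempts="3" passwordAttemptWindow="10" passwordAnswerAttemptLockoutDuration="15" />
        </providers>
    </membership>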

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.