ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration Property

 

Gets the length of time for which a user account is locked out after the user makes too many bad password-answer attempts.

Namespace:   System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public int PasswordAnswerAttemptLockoutDuration { get; }

Property Value

Type: System.Int32

The time, in minutes, that a user is locked out after providing too many incorrect password answers.

Exceptions

InvalidOperationException: An attempt to access the PasswordAnswerAttemptLockoutDuration property was made before the ActiveDirectoryMembershipProvider instance was initialized.

When the EnablePasswordReset property is true, the user must answer the password question to reset his or her password. If the user fails to supply the correct answer a consecutive number of times equal to the MaxInvalidPasswordAttempts property value within the observation time period specified by the PasswordAttemptWindow property, the user is locked out of further attempts for the number of minutes contained in the PasswordAnswerAttemptLockoutDuration property.

Note

This property does not set the duration a user is locked out after failing to enter a valid password. The Active Directory server handles failed logon attempts and is not affected by the value of this property. We recommend that the PasswordAnswerAttemptLockoutDuration property be set to the same value as the account lockout duration specified for too many failed logon attempts in the Active Directory configuration. This will present consistent auto-lockout behavior for users regardless of whether they were locked out due to failed logon attempts or to bad password answers.

The PasswordAnswerAttemptLockoutDuration property is set in your application's configuration file using the passwordAnswerAttemptLockoutDuration attribute of the membership element (ASP.NET Settings Schema). If the property is not set in the application's configuration file, the PasswordAnswerAttemptLockoutDuration property is set to the default value of 30 minutes.

The following code example shows a Web.config entry that configures an ActiveDirectoryMembershipProvider instance to lock out users who make three failed attempts to enter the password answer in a 10-minute time window. If the user is locked out, no further attempts to answer the password question may be made for 15 minutes.

<configuration>
  <connectionStrings>
    <add name="ADService" connectionString="LDAP://ldapServer/" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <!-- connectionStringName binds the provider to the ADService connection string defined above -->
        <add name="AspNetActiveDirectoryMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider, 
          System.Web, Version=2.0.3600, Culture=neutral, 
          PublicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="ADService"
          maxInvalidPasswordAttempts="3"
          passwordAttemptWindow="10"
          passwordAnswerAttemptLockoutDuration="15" />
      </providers>
    </membership>
  </system.web>
</configuration>
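
The Note above recommends keeping this value equal to the domain's account lockout duration. The following check is an added example, not part of the original documentation: it compares the two at application startup. The class name, the method names and the domainLdapPath parameter are hypothetical, and the handling of the "no timed unlock" values is an assumption.

```csharp
using System;
using System.DirectoryServices;
using System.Web.Security;

public static class LockoutDurationCheck
{
    // lockoutDuration is stored as a negative count of 100-nanosecond intervals.
    // Assumption: 0 or long.MinValue means no timed unlock (an administrator
    // must unlock the account), so there is no minute value to compare against.
    public static int? ToMinutes(long rawLockoutDuration)
    {
        if (rawLockoutDuration == 0 || rawLockoutDuration == long.MinValue)
            return null;
        return (int)TimeSpan.FromTicks(Math.Abs(rawLockoutDuration)).TotalMinutes;
    }

    // domainLdapPath is a placeholder for the domain root, for example
    // "LDAP://DC=example,DC=com".
    public static string Compare(string domainLdapPath)
    {
        var provider = Membership.Provider as ActiveDirectoryMembershipProvider;
        if (provider == null)
            return "Default membership provider is not ActiveDirectoryMembershipProvider.";

        int appMinutes = provider.PasswordAnswerAttemptLockoutDuration;

        // A base-scope search returns the large-integer attribute as Int64.
        using (var root = new DirectoryEntry(domainLdapPath))
        using (var searcher = new DirectorySearcher(root, "(objectClass=*)",
                   new[] { "lockoutDuration" }, SearchScope.Base))
        {
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["lockoutDuration"].Count == 0)
                return "Could not read lockoutDuration from " + domainLdapPath;

            int? domainMinutes = ToMinutes((long)result.Properties["lockoutDuration"][0]);
            if (domainMinutes == null)
                return "Domain lockout has no timed unlock; provider uses " + appMinutes + " minutes.";
            return domainMinutes.Value == appMinutes
                ? "Consistent: both lock out for " + appMinutes + " minutes."
                : "Mismatch: provider " + appMinutes + " min, domain " + domainMinutes.Value + " min.";
        }
    }
}
```

This reads only the lockout duration on the domain object; fine-grained password policies applied to individual users or groups are not checked.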

.NET Framework
Available since 2.0