April 26, 2011, 11:08 p.m.
posted by pumi
The ASP.NET Web Site Administration Tool
Now that you have an understanding of the security, membership, and role management features in ASP.NET, it is time to look at how you enable and configure these on your server. The first step is to create the ASP.NET application database, whose schema you saw back in Figure. ASP.NET includes a utility to generate the database, which you must run before you start to configure membership and roles in your application.
The <roleManager> Section of web.config
Creating the ASP.NET Application Database
To create the database, which you only need to do once on your server for each database server system you want to access, you use the aspnet_regsql.exe utility. This utility is located in the folder [%WINDIR%]\Microsoft.NET\Framework\[version]\ of your machine. For example, if you installed Windows XP or Windows Server 2003 in the default location, the path for version 2.0 of ASP.NET is this:
This utility performs a range of functions, including creating and configuring the ASP.NET application database, preparing a database to support cache dependencies (see Chapter 6), and creating the database and tables for SQL Server-based session state storage.
The aspnet_regsql.exe utility supports a multitude of command-line parameter options (run it with the /? parameter to see a list), but you can simply run it with no parameters to start it in graphical Wizard mode. This mode allows you to specify all the required information, and it then creates the application database with all the features you will require to support membership, roles, profiles, personalization, and event tracking.
The first page just describes the features of the utility. When you click Next, the second page allows you to configure a new or existing database, or to remove the application features from a database (see Figure).
4. Selecting the database configuration option
Click Next, and the third page allows you to specify the database server where the ASP.NET application database will reside, the logon method and details for connecting to the database, and the name of the database (see Figure). The string .\SQLExpress specifies the local SQL Server Express Edition database installed with Visual Studio 2005. However, you can specify any other database server (local or remote) here. Leaving the Database drop-down list set to <default> means that the Wizard will use the default name "aspnetdb."
5. Specifying the database server location, authentication, and name
Click Next, and the fourth page shows a summary of the details you entered (see Figure). When you click Next again, the Wizard creates and configures the database. Once complete, the final page displays a message indicating the result of the process.
6. Confirming your settings
You will find the database in the default database folder of your SQL Server installation. If you only have one instance of SQL Server 2005/SQL Server Express installed, the default path is C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\. If you have more than one, the subfolders are named MSSQL.1, MSSQL.2, and so on.
As you create ASP.NET applications and enable the membership and role management features, the ASP.NET Web Site Administration Tool places a copy of this database in the App_Data subfolder of your application automatically.
Using a Pre-Attached Database
If you prefer to use a database pre-attached to your SQL Server, you can-simply run SQL Server Management Studio and attach the database. Right-click the Databases entry in Object Explorer, and then select Attach. Click Add, browse to the aspnetdb.mdf file (or the file you want to attach if you used a different name), select it, and click OK. Then, in the Attach Databases dialog, click OK to complete the process.
You can attach the database in the App_Data subfolder if you wish, though it is better to place a copy of the database in a central location, using a unique name, so that you can attach databases for multiple applications. Of course, you will have to modify the connection strings as shown earlier in this chapter to connect to the database.
Troubleshooting ASP.NET Application Database Issues
There are some issues that you may come across when running the aspnet_regsql.exe utility, or when you first run the ASP.NET Web Site Administration Tool. To avoid potential problems, you can do the following:
Creating and Managing Users and Roles
With the ASP.NET application database configured, you can now create your Web application, create a new Web site, or open an existing Web site in Visual Studio 2005 or Visual Web Developer Express Edition. Once you are ready to add membership and roles support, select ASP.NET Configuration from the Website menu to start the ASP.NET Web Site Administration Tool (see Figure).
7. Starting the ASP.NET Web Site Administration Tool
In the ASP.NET Web Site Administration Tool, you must first select the providers you will use, and you can test that your application can connect to them. You then run the Security Wizard to create roles and users, and configure access control for each one. Alternatively, you can manage the roles and users separately using the other options in the Security page. Once you have configured the roles and users, you can add each user to the appropriate role(s). Finally, you can set up other application options you require, including the facility to send e-mail messages to users when they create an account, or change their password.
Selecting the Providers
Figure shows the opening page of the Web Site Administration Tool. The Application Configuration option allows you to set and change values stored in the <appSettings> section of the web.config file, such as application-specific configuration values, constant values, and other specific information your application requires. You also use this page to take the application offline and online, turn on and off debugging and tracing, and specify the settings for your e-mail server.
8. Selecting the Provider Configuration page
However, what is of interest here is the security and provider settings. If this is the first time you have run the Web Site Administration Tool, the Security page contains just a message that you must specify the providers to use. Therefore, the first stop (see Figure) is the Provider Configuration page.
The Provider Configuration page first asks you whether you want to use a single provider for all your membership and roles information, or separate providers (see Figure). This means that you can store membership information and roles information in separate databases if you wish. For example, you could store the roles information on a separate shared remote server and access it from more than one application while maintaining user information in a separate database for each application.
9. Specifying single or multiple providers
The next page shows a list of all the installed providers for membership and role management. In Figure, you can see that we have set up providers for SQL Server 2005 as well as the default SQL Server Express Edition providers. By selecting the second option in the previous page, we can select a different provider for the membership and role management functions in this page.
10. Selecting an installed provider
Click the Test link after selecting the providers (there will only be one shown if you have not installed or configured other providers) to make sure that ASP.NET can connect to the provider database. Repeat this for both of the providers if you are specifying a different provider for the membership and role management functions. The result, as shown in Figure, should be a successful connection. If you get an error message, check the topics in the section Troubleshooting ASP.NET Application Database Issues, which appears earlier in this section of the chapter.
11. Verifying the provider database connection
Running the Security Wizard
Now that you have selected and tested the provider(s) you are using, you can begin creating and configuring the users and roles for your application. The easiest way to get started is to use the Security Wizard. On the Security page of the Web Site Administration Tool, you will find a link to start this Wizard. The first page, shown in Figure, describes the features of the Wizard. Usefully, it contains a sidebar that shows the seven numbered steps you will work through and indicates the current step in bold text.
12. The Security Wizard Welcome screen
Click Next to get to the Select Access Method page. You specify here the type of authentication you will use. From the internet configures your application to use Forms authentication. From a local area network configures it to use Windows Authentication. The steps that follow are much the same, except that you cannot define and manage roles when using Windows authentication. In this walkthrough, we are using Forms authentication (see Figure).
13. Selecting the access method
The next page in the Wizard, shown in Figure, indicates whether you selected different providers for membership and roles (advanced provider settings), or a single provider for both.
14. The provider settings screen
Clicking Next takes you to the Define Roles page. If you are using Forms authentication, you will see a checkbox that allows you to enable roles for this Web site (see Figure).
15. Enabling roles for the Web site
The next page provides the controls to create new roles. Simply enter the name of the role and click Add Role (see Figure).
16. Adding a new role
As you create roles, the page shows them together with a Delete link that you can use to delete a role if you make a mistake or change your mind (see Figure). You should make your role names meaningful, so that you can easily tell what they mean later on. The name of each role must be unique irrespective of letter case (in other words, the all-lower-case equivalent of the role name must be unique), even though they are stored in the database with a GUID to identify them.
17. Viewing new and existing roles
Once you are finished creating roles, click Next to go to the Add New Users page shown in Figure. You can sign up here for a new account. By default, you must specify a unique user name, a password that contains at least one non-alphanumeric character, an e-mail address, and a security question and answer.
18. Signing up for a new user account
The rules applied when creating accounts depend on the settings in your web.config file. If you look back at the <membership> element shown in Listing 11.7, you will see that the attributes for the <add> element allow you to:
The Wizard checks the values you enter to ensure they meet the rules specified in the membership provider configuration. If everything's acceptable, the Wizard displays a message (see Figure) and you can click Continue to create another account, or Next to continue to the next stage of the Wizard.
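The rules the Wizard enforces come from the attributes on the provider's <add> element. The fragment below is an added example, not Listing 11.7 from the original text; the provider name, server name, and database name are constructed for illustration, and it also shows how to point the well-known LocalSqlServer connection string at a centrally attached copy of the database as described under Using a Pre-Attached Database.

```xml
<configuration>
  <connectionStrings>
    <!-- machine.config already defines LocalSqlServer (pointing at App_Data\aspnetdb.mdf).
         Remove that entry, then reuse the same name for the centrally attached copy.
         Server and database names here are assumptions for this example. -->
    <remove name="LocalSqlServer" />
    <add name="LocalSqlServer"
         connectionString="Data Source=.\SQLExpress;Initial Catalog=aspnetdb_mysite;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- defaultProvider must match the name given in <add> below. -->
    <membership defaultProvider="MySqlMembership">
      <providers>
        <add name="MySqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With passwordFormat="Hashed" the stored value cannot be turned back into the password, so enablePasswordRetrieval must stay false and users recover access through a reset instead; minRequiredPasswordLength and minRequiredNonalphanumericCharacters are the rules the Wizard applies when it rejects a weak password on the Add New Users page, and maxInvalidPasswordAttempts with passwordAttemptWindow locks the account after repeated failures.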
19. The account created screen
The next step is to set the access controls for the users and roles you created. The Add New Roles page allows you to select a folder within your site and apply rules for users and roles that apply to this folder. Any subfolders within the selected folder inherit these rules. The table at the bottom of the Wizard page shown in Figure lists all the rules for the selected folder; you can see that the SecureArea folder inherits the Allow [all] rule from the root folder of the site.
20. Allowing access for specific roles
However, you can apply rules to the subfolders that override those inherited. At runtime, ASP.NET applies the rules specific to each folder in the order they are listed in the table, though you can easily change the order when you come to manage the access rules using the Web Site Administration Tool later on. Figure shows how you can grant access to the SecureArea folder for the "managers" role.
You can also set access control rules for specific users. These override the rules for the role of which the user is a member. Figure shows how you can grant a specific user access to a folder, irrespective of whether they belong to a role or not. If you have not enabled roles in your application, you must allocate all access rules directly to users in this way.
21. Allowing access for specific users
To prevent users from accessing the selected folder, select the Deny option in the Permission section (see Figure). The Rule applies to section lets you choose a role, a specific user, All Users, or Anonymous Users. Choosing All Users places a rule in the <authorization> section of web.config that uses the "*" character; a Deny rule for "*" means that only the roles and users for which you specifically create Allow rules (listed before it) can view pages in this folder. Choosing Anonymous Users uses the "?" character; a Deny rule for "?" turns away unauthenticated requests and lets any user that has been authenticated access the folder. If you just want to ensure that users log on before accessing a folder, and you are not concerned about which user it is, you only need to create a Deny rule that specifies Anonymous Users.
22. Denying all users access to a folder
Figure shows the result of creating a rule that denies all users access to the SecureArea folder. Notice how the table listing the access control rules differentiates users and roles with slightly different icons.
Once you have finished adding access rules, click Next to complete the Wizard. The final page provides confirmation that you have successfully completed the tasks, and you can click Finish to go back to the Web Site Administration Tool.
Managing Users, Roles, and Access Controls
So far, you have created the roles and users that you need for your Web site. You can see the number of each in the Security page of the Web Site Administration Tool (see Figure). In this example, we created two users, named "alex" and "dave," and two roles named "managers" and "visitors."
23. The security configuration page
While you can always run the Security Wizard again to enable roles, and to modify users and roles, the Security page provides links to the individual tasks that make the process of managing users and roles much easier. The Manage users link displays a list of the users you have defined; you can select them using the first letter of their user name, search (with wildcards) to find specific users by name or e-mail address, or click the All link to show all users, as seen in Figure. For each one, you can edit the user details, delete the user, or manage the roles of which they are members (you will see how to allocate users to roles in the next section of this chapter).
24. Viewing and managing users
The Create or Manage Roles link in the Security page provides a list of the existing roles configured for the application and allows you to manage or delete this role (see Figure). You can also add a new role in this page. The Manage link provides another route for allocating users to roles, as you will see in the next section of this chapter.
25. Viewing and managing roles
Finally, the Manage Access Rules link in the Security page takes you to a page where you can select a folder and see all the access rules applied to that folder. For each one, you can delete this rule or change the order in which rules are applied. The order is important, and you should ensure that the rules allowing users and roles come before those that deny all other users (see Figure). To reorder the rules, click on the user or role icon to select that row, and then use the Move Up and Move Down buttons.
26. Viewing and managing access control settings
To understand what the Security Wizard has done, look at the contents of the web.config files that it generates and modifies as you work through the Wizard and the other pages of the Web Site Administration Tool. In Listing 11.10, you can see all that is required is a <roleManager> element that enables roles for the application, and an <authentication> element with the mode set to "Forms." ASP.NET uses the setting in parent web.config files and the machine.config file, and other settings that it generates at runtime.
The web.config File in the Root of the Application
Listing 11.11 shows the web.config file created in the SecureArea subfolder. It contains just an <authorization> element that specifies the access rules created by the Security Wizard. It allows access for members of the "managers" role and the user named "alex," and denies access to all others.
The web.config File in the SecureArea Subfolder
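The two files the Wizard writes for the walkthrough above, together with the login-only variant of the Deny rule described earlier, as an added example rather than Listings 11.10 and 11.11 themselves. The role and user names are the ones used in this chapter; the three documents are shown in one block for comparison and would each live in their own file.

```xml
<!-- File 1: web.config in the application root.
     Only two settings are needed; everything else is inherited from machine.config. -->
<configuration>
  <system.web>
    <!-- Turn on the role manager so role-based <allow>/<deny> rules are evaluated. -->
    <roleManager enabled="true" />
    <!-- "From the internet" in the Security Wizard selects Forms authentication. -->
    <authentication mode="Forms" />
    <!-- No <authorization> element here, so the root keeps the inherited
         <allow users="*" /> rule that SecureArea would otherwise inherit too. -->
  </system.web>
</configuration>

<!-- File 2: web.config in the SecureArea subfolder.
     ASP.NET walks the rules top to bottom and stops at the first match, so the
     Allow rules must come before the catch-all Deny. Moving <deny users="*" />
     to the top would lock out everyone, managers and alex included. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="managers" />   <!-- any member of the managers role -->
      <allow users="alex" />       <!-- this user, whether or not in a role -->
      <deny users="*" />           <!-- everyone else, authenticated or not -->
    </authorization>
  </system.web>
</configuration>

<!-- Variant: require a login but accept any authenticated user.
     "?" matches only anonymous requests, which are sent to the login page;
     authenticated requests fall through to the inherited <allow users="*" />. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Because <deny users="*" /> also covers unauthenticated requests, anonymous visitors to SecureArea are redirected to the Forms login page rather than receiving an access denied error.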
Adding Users to Roles
What you have not done so far is allocate the users to their respective roles. The Security Wizard you used earlier does not provide this feature. Instead, you use the Web Site Administration Tool. In the main Security page, click Create or Manage Roles as shown in Figure.
27. Creating and managing roles
In the list of roles that appears, click Manage for the role you want to add users to (see Figure). You also follow this route to remove users from a role.
28. Selecting a role to manage
Now the page shows the selected role name (see Figure) followed by a section where you can list some or all of the users already defined for this application.
29. Finding the users to add to a role
Once you find the user(s) you want to add to this role, you simply tick the User Is In Role checkbox as shown in Figure. Then you can repeat the search for users and add them to or remove them from this role until you have selected all those users you require. To continue, click the Back button to return to the main Security page.
30. Placing users in a role
Setting the SMTP E-mail Options
The membership system can send e-mail messages to users when they create an account or request a password. By default, it uses the local Windows Server SMTP Service. However, in the Application Configuration page of the Web Site Administration Tool, you can specify details of another mail server that will route the messages. You will generally have to provide authentication details if you use a remote mail server (see Figure).
31. Specifying mail server details
Viewing the ASP.NET Database Contents
Visual Studio 2005 and Visual Web Developer (VWD) Express Edition allow you to view and modify the contents of a database. To see what the membership and roles data looks like, click Server Explorer (Visual Studio) or Database Explorer (VWD) on the View menu, or, even easier, double-click the ASPNETDB.MDF file that appears in the App_Data folder in the Solution Explorer window.
In the Server Explorer or Database Explorer window, open the Tables entry and you will see all the tables in your ASP.NET application database. Select a table, right-click, and select Show Table Data to see the contents. In Figure, you can see the rows in the aspnet_Users and aspnet_Roles tables containing the two users and two roles created in the previous sections of this chapter. Open the aspnet_Membership table to see full details of each user, including their e-mail address, encrypted password, security question and encrypted answer, and last login date and time.
32. Viewing the contents of the application database