I was tasked with redesigning an ASP.NET website’s UI at the company I work for. The project was built with Microsoft Visual Studio 2010 and used Forms Authentication to verify users. A drawback that became
apparent after I finished my redesign was that an “Administrator” of the site had to have Visual Studio in order to manage users and roles. Consequently, it was decided to see whether or not it was feasible to take the existing Microsoft Web Site
Administration Tool (WSAT) and host it on a domain so that it was accessible from the web. After a good amount of Googling, I found that it was not a wise idea to try to expose the existing WSAT tool to the web. Instead I decided to see whether
I could write my own web-enabled WSAT from which an Administrator could manage users and roles.
I found my endeavor to be incredibly easy as long as you have some knowledge of ASP.NET, Forms Authentication, and programming. Here are the basic steps that I took to set up the project.
I am also assuming you already have a website that has been enabled to use Forms Authentication.
Please note that I wrote the code on my local machine and added the security restrictions when I moved the project to the production machine. I also kept a copy of the membership database on my local computer. You can easily
do this by backing up the SQL database on the production machine and restoring it on your local machine. One thing that was a little strange was that while I could read the users out of the restored database, I could
not get a login page to work locally. However, when I moved to the production machine and implemented the security, the site's login worked fine. I believe this has something to do with the aspnet_Applications table and the ApplicationId associated with the
application name: the SqlMembershipProvider stores and looks up every user under the applicationName set in web.config, so if the local web.config used a different applicationName from the one the users were created under, ValidateUser looks for them under a different ApplicationId and fails without any error. This project relies heavily on the ASP.NET Membership class, and there is a lot of information online that helped me put the project together. I published my website using IIS 7.0.
If you need to know how to set up a database for forms authentication, there are several sites on the web that are very helpful. The one I used is
http://blog.dmbcllc.com/2009/09/14/setting-up-you-forms-based-authentication-database/ . It says that you should first create the database with 5 MB allocated to the data file and 5 MB allocated to the log file. Next, open a command prompt,
navigate to c:\windows\Microsoft.Net\Framework\v2.0.50727 and run aspnet_regsql.exe; run without arguments it starts a wizard that creates the membership, role and profile tables in the database you select. As for the last folder in the path, there is also an aspnet_regsql.exe in the folder of the latest installed framework version; in my case that was v4.0.30319.
I created a new ASP.NET Web Application in Visual Studio 2010. The first thing I did was alter its web.config to match the existing site's config file, since the new application has to read the same membership database, accept the forms tickets the main site issues, and look users up under the same application name. In the new web.config I included the machineKey element and the elements shown below (the forms element goes inside authentication mode="Forms"; the three provider entries go inside the providers element of membership, profile and roleManager respectively):
<forms name=".ASPXAUTH" loginUrl="~/Account/Login.aspx" timeout="2880" path="/" protection="All" domain="idcast.com"/>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey validationKey="" decryptionKey="" validation=""/>
<add connectionStringName="LocalSQLServer" applicationName="Your AppName Here" enablePasswordRetrieval="true" passwordFormat="Encrypted" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"/>
<add connectionStringName="LocalSQLServer" applicationName="Your AppName Here" name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider"/>
<add connectionStringName="LocalSQLServer" applicationName="Your AppName Here" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"/>
Configuring the web.config this way let the new application use the same database the existing site uses to verify users at login. Three of these settings deserve a second look before you copy them. applicationName must be exactly the value the existing site uses, because the SqlMembershipProvider stores and looks up users per application name; a mismatch gives you an empty user list and failed logins rather than an error. enablePasswordRetrieval="true" together with passwordFormat="Encrypted" stores passwords reversibly so an admin can hand them back; the provider refuses that combination unless the machineKey decryptionKey is explicit rather than AutoGenerate, and the default passwordFormat="Hashed" (with enablePasswordRetrieval="false") is the safer choice whenever you do not actually need to retrieve passwords. And the machineKey must match the main site's key exactly, or the forms authentication cookie issued by the main site will not validate in the admin application. A quick way to see whether you have configured the web.config correctly
is to add a call to Membership.GetAllUsers() in the Page_Load of the Default.aspx page. It returns a MembershipUserCollection, not an array of strings; its Count should equal the number of users registered for your site, and a Count of zero with no exception almost always means the applicationName does not match.
I then created three aspx pages that let an admin user manage roles and users through the Membership and Roles classes. All these pages use ModalPopupExtender to display pop-up notifications.
The first page, ManageUsers.aspx, lists all users of the site in a DataGrid control and is the default page of this web application.
That control is designed to take an existing table and display it on the screen. Since the Membership class returns users as objects (a MembershipUserCollection), I wrote a simple class that converts the user objects into a table. This class is
called GetAllUsers.cs. If you look at the file you will notice that all the fields you can glean from a MembershipUserCollection are there. Most of them are commented out because they did not need to be displayed. ManageUsers also lets you delete
users and change which roles they are assigned to.
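As an added example (this is not the article's GetAllUsers.cs), here is one way to flatten a MembershipUserCollection into a DataTable that a DataGrid or GridView can bind to. The column set and the class name are my assumptions; the Roles column shows how to pull each user's role membership into the same row so the grid can show it without a second lookup.

```csharp
using System;
using System.Data;
using System.Web.Security;

// Added example, not the article's GetAllUsers.cs. Builds a DataTable from
// the MembershipUserCollection that Membership.GetAllUsers() returns.
// Column choice is an assumption; MembershipUser exposes more fields
// (CreationDate, LastActivityDate, Comment, ProviderUserKey, ...).
public static class MembershipTable
{
    public static DataTable ToDataTable(MembershipUserCollection users)
    {
        var table = new DataTable("Users");
        table.Columns.Add("UserName", typeof(string));
        table.Columns.Add("Email", typeof(string));
        table.Columns.Add("IsApproved", typeof(bool));
        table.Columns.Add("IsLockedOut", typeof(bool));
        table.Columns.Add("LastLoginDate", typeof(DateTime));
        table.Columns.Add("Roles", typeof(string));

        foreach (MembershipUser u in users)
        {
            // Roles.GetRolesForUser returns string[]; join it for display.
            string roles = string.Join(", ", Roles.GetRolesForUser(u.UserName));
            table.Rows.Add(u.UserName, u.Email, u.IsApproved, u.IsLockedOut,
                           u.LastLoginDate, roles);
        }
        return table;
    }

    // Sanity check for the web.config: zero users with no exception usually
    // means applicationName does not match the one the users were created under.
    public static int UserCount()
    {
        return Membership.GetAllUsers().Count;
    }
}
```

In the page, bind with something like `UsersGrid.DataSource = MembershipTable.ToDataTable(Membership.GetAllUsers()); UsersGrid.DataBind();` (UsersGrid being whatever ID you gave the grid). Note that IsLockedOut is worth displaying: a user who hits maxInvalidPasswordAttempts within passwordAttemptWindow is locked out until an admin calls MembershipUser.UnlockUser(), and this page is the natural place for that button.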
RoleEditor.aspx is a page that enables the admin to create and delete roles and also add or remove users from those roles.
CreateUser.aspx is a page that creates a new user and allows you to set which roles they will be assigned to.
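The three pages above all boil down to a handful of Membership and Roles calls. The following added example (not the page code of CreateUser.aspx, RoleEditor.aspx or ManageUsers.aspx) wraps those calls and adds the guards an admin tool should have: it reports why CreateUser failed instead of silently doing nothing, and it never lets an admin remove the last member of the admin role, demote themselves, or delete their own account, since any of those locks everyone out of the tool. The role name superUser is the one the article uses; the class, method names and the actingAdmin parameter are my assumptions.

```csharp
using System;
using System.Web.Security;

// Added example, not the article's page code. Wraps the Membership/Roles
// calls that CreateUser.aspx, RoleEditor.aspx and ManageUsers.aspx need
// and adds lock-out guards. "superUser" is the role the article uses;
// everything else here is an assumption.
public static class UserAdmin
{
    public const string AdminRole = "superUser";

    // CreateUser.aspx: Membership.CreateUser does not throw when the
    // provider rejects the request; the out status says why.
    public static string CreateUserInRoles(string userName, string password,
                                           string email, string[] roles)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email,
                              null, null, true, out status);
        if (status != MembershipCreateStatus.Success)
            return "Create failed: " + status; // DuplicateUserName, InvalidPassword, ...

        if (roles != null && roles.Length > 0)
            Roles.AddUserToRoles(userName, roles);
        return "Created " + userName;
    }

    // RoleEditor.aspx: create a role only if it does not exist yet.
    public static bool CreateRole(string role)
    {
        if (string.IsNullOrEmpty(role) || Roles.RoleExists(role))
            return false;
        Roles.CreateRole(role);
        return true;
    }

    // RoleEditor.aspx: never delete the admin role. With
    // throwOnPopulatedRole = true the provider throws rather than
    // silently dropping a role that still has members.
    public static bool DeleteRole(string role)
    {
        if (IsAdminRole(role) || !Roles.RoleExists(role))
            return false;
        return Roles.DeleteRole(role, true);
    }

    // ManageUsers.aspx / RoleEditor.aspx: an admin may not demote
    // themselves or remove the last member of the admin role.
    public static bool RemoveUserFromRole(string userName, string role, string actingAdmin)
    {
        if (!Roles.IsUserInRole(userName, role))
            return false; // RemoveUserFromRole throws if the user is not in the role
        if (IsAdminRole(role) && (SameUser(userName, actingAdmin) || LastAdmin(userName)))
            return false;
        Roles.RemoveUserFromRole(userName, role);
        return true;
    }

    // ManageUsers.aspx: same guards for deletion. deleteAllRelatedData = true
    // also removes the user's role memberships and profile rows.
    public static bool DeleteUser(string userName, string actingAdmin)
    {
        if (SameUser(userName, actingAdmin) || LastAdmin(userName))
            return false;
        return Membership.DeleteUser(userName, true);
    }

    static bool IsAdminRole(string role)
    {
        return string.Equals(role, AdminRole, StringComparison.OrdinalIgnoreCase);
    }

    static bool SameUser(string a, string b)
    {
        return string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
    }

    // True if userName is the only remaining member of the admin role.
    static bool LastAdmin(string userName)
    {
        if (!Roles.IsUserInRole(userName, AdminRole))
            return false;
        return Roles.GetUsersInRole(AdminRole).Length <= 1;
    }
}
```

From a button click handler, pass `HttpContext.Current.User.Identity.Name` as actingAdmin; taking the acting user from the forms ticket rather than from a form field is what makes the self-demotion check meaningful, since a posted field can be edited by the client.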
As far as security goes, when I moved to the production machine I placed the project in a subfolder of the existing website. This folder holds the CreateUser, RoleEditor
and ManageUsers pages. Using the Visual Studio WSAT tool I added a new role, superUser, to be assigned only to users who are considered administrators. I then added a web.config to the new folder with the following authorization rules:
<allow roles="superUser"/>
<deny users="*, ?"/>
This tells the application to allow only users in the role "superUser" and to redirect everyone else to the login page. The order of the two rules matters: ASP.NET URL authorization evaluates them top to bottom and stops at the first match, so the allow for superUser has to come before the deny; with the deny first, nobody could reach the folder at all. In the deny rule, "*" matches every user and "?" matches anonymous users, so the "?" is redundant but harmless. The deny produces a 401, which Forms Authentication turns into a redirect to the loginUrl, so both users who are not logged on and logged-on users who are not in superUser end up at the login page. Because this is the only thing standing between the internet and your user database, check the rules by logging in as a non-admin user and requesting each of the three pages directly by URL before you consider the tool deployed.
If anything, I hope this project gives you a starting point to create your own web enabled admin tool. I've also attached some screen shots of the three pages.