Professional ASP.NET 3.5 in C# and Visual Basic Part 65 ppt

Evjen c12.tex V2 - 01/28/2008 2:25pm Page 597
Chapter 12: Introduction to the Provider Model
<add name="AspNetSql2005MembershipProvider"
type="System.Web.Security.SqlMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSql2005Server"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression="" />
</providers>
</membership>
</system.web>
</configuration>
Figure 12-8
With these changes in place, the SQL Server 2005 instance is now one of the providers available for
use with your applications. The name of this provider instance is AspNetSql2005MembershipProvider.
You can see that this instance also uses the connection string of LocalSql2005Server, which was
defined in Listing 12-1.
Pay attention to some important attribute declarations from Listing 12-2. The first is that the provider
used by the membership system is defined via the defaultProvider attribute found in the main
<membership> node. Using this attribute, you can specify whether the provider is one of the built-in
providers or whether it is a custom provider that you have built yourself or received from a third party.
With the code from Listing 12-2 in place, the membership provider now works with Microsoft SQL Server
2005 (as shown in this example) instead of the Microsoft SQL Server Express Edition files.
Next, you look at the providers that come built into the ASP.NET 3.5 install — starting with the
membership system providers.
Membership Providers
The membership system enables you to easily manage users in your ASP.NET applications. As with most
of the systems provided in ASP.NET, it features a series of server controls that interact with a defined
provider to either retrieve or record information to and from the data store defined by the provider.
Because a provider exists between the server controls and the data stores where the data is retrieved
and recorded, it is fairly trivial to have the controls work from an entirely different backend. You just
change the underlying provider of the overall system (in this case, the membership system). This can be
accomplished by a simple configuration change in the ASP.NET application. It really makes no difference
to the server controls.
As previously stated, ASP.NET 3.5 provides two membership providers out of the box.

System.Web.Security.SqlMembershipProvider: Provides you with the capability to use the
membership system to connect to Microsoft’s SQL Server 2000/2005 as well as with Microsoft
SQL Server Express Edition.

System.Web.Security.ActiveDirectoryMembershipProvider: Provides you with the capability
to use the membership system to connect to Microsoft’s Active Directory.

Both of these membership provider classes inherit from the MembershipProvider base class, as
illustrated in Figure 12-9.
Next, you review each of these providers.
System.Web.Security.SqlMembershipProvider
The default provider is the SqlMembershipProvider instance. You find this default declaration for every
ASP.NET application that resides on the application server in the machine.config file. This file is found
in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG. Listing 12-3 shows the definition of this
provider, which is located in the machine.config file.
Listing 12-3: A SqlMembershipProvider instance declaration
<configuration>
<system.web>
<membership>
<providers>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="true" applicationName="/"
requiresUniqueEmail="false" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10"
passwordStrengthRegularExpression=""/>
</providers>
</membership>
</system.web>
</configuration>
Figure 12-9
From this listing, you can see that a single instance of the SqlMembershipProvider object is defined
in the machine.config file. This single instance is named AspNetSqlMembershipProvider. This is also
where you find the default behavior settings for your membership system. By default, this provider
is also configured to work with a SQL Server Express Edition instance rather than a full-blown
version of SQL Server such as SQL Server 2000, 2005, or 2008. You can see this by looking at the defined
connectionStringName property in the provider declaration from Listing 12-3. In this case, it is set to
LocalSqlServer. LocalSqlServer is also defined in the machine.config file as shown in Listing 12-4.
Listing 12-4: The LocalSqlServer defined instance
<configuration>
<connectionStrings>
<clear />
<add name="LocalSqlServer"
connectionString="Data Source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
providerName="System.Data.SqlClient" />
</connectionStrings>
</configuration>

You can see this connection string information is set for a local SQL Server Express Edition file (an
.mdf file). Of course, you are not required to work with only these file types for the
SqlMembershipProvider capabilities. Instead, you can also set it up to work with either Microsoft’s
SQL Server 7.0, 2000, 2005, or 2008 (as was previously shown).
System.Web.Security.ActiveDirectoryMembershipProvider
It is also possible to connect the membership system provided by ASP.NET 3.5 to a
Microsoft Active Directory instance or even Active Directory Application Mode (ADAM), which is a
stand-alone directory product. Because the default membership provider is defined in the
machine.config file as the SqlMembershipProvider, you must override these settings in your
application’s web.config file.
Before creating a defined instance of the ActiveDirectoryMembershipProvider in your web.config file,
you have to define the connection string to the Active Directory store. This is illustrated in Listing 12-5.
Listing 12-5: Defining the connection string to the Active Directory store
<configuration>
<connectionStrings>
<add name="ADConnectionString"
connectionString=
"LDAP://domain.myAdServer.com/CN=Users,DC=domain,DC=testing,DC=com" />
</connectionStrings>

</configuration>
With the connection in place, you can create an instance of the ActiveDirectoryMembershipProvider in
your web.config file that associates itself to this connection string. This is illustrated in Listing 12-6.
Listing 12-6: Defining the ActiveDirectoryMembershipProvider instance
<configuration>
<connectionStrings>
<add name="ADConnectionString"
connectionString=
"LDAP://domain.myAdServer.com/CN=Users,DC=domain,DC=testing,DC=com" />
</connectionStrings>
<system.web>
<membership
defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUserName="UserWithAppropriateRights"
connectionPassword="PasswordForUser"
connectionProtection="Secure"
enablePasswordReset="true"
enableSearchMethods="true"
requiresQuestionAndAnswer="true"
applicationName="/"
description="Default AD connection"
requiresUniqueEmail="false"
clientSearchTimeout="30"
serverSearchTimeout="30"
attributeMapPasswordQuestion="department"
attributeMapPasswordAnswer="division"
attributeMapFailedPasswordAnswerCount="singleIntAttribute"
attributeMapFailedPasswordAnswerTime="singleLargeIntAttribute"
attributeMapFailedPasswordAnswerLockoutTime="singleLargeIntAttribute"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordAnswerAttemptLockoutDuration="30"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})" />
</providers>
</membership>
</system.web>
</configuration>

Although not all these attributes are required, this list provides you with the available attributes of the
ActiveDirectoryMembershipProvider. In fact, you can easily declare the instance in its simplest form,
as shown here:
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString" />
</providers>
</membership>
Again, with either the SqlMembershipProvider or the ActiveDirectoryMembershipProvider in place,
the membership system server controls (such as the Login server control) as well as the membership API,
once configured, will record and retrieve their information via the provider you have established. That is
the power of the provider model that the ASP.NET team has established. You continue to see this power
as you learn about the rest of the providers detailed in this chapter.
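
An audit of the membership provider attributes shown in Listings 12-3 and 12-6, added here as an example and not taken from the book: it parses a web.config and flags settings that weaken password storage, lockout, or the directory connection. The sample configuration is constructed, and the MAX_ATTEMPTS ceiling is an assumed local policy value.

```python
import xml.etree.ElementTree as ET

MAX_ATTEMPTS = 10  # assumed local policy ceiling, not an ASP.NET default

# Constructed sample: the two provider types from this chapter, weak values.
SAMPLE = """<configuration><system.web>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
 <providers>
  <add name="AspNetSql2005MembershipProvider"
       type="System.Web.Security.SqlMembershipProvider, System.Web"
       connectionStringName="LocalSql2005Server"
       enablePasswordRetrieval="true" passwordFormat="Encrypted"
       maxInvalidPasswordAttempts="50" />
  <add name="AspNetActiveDirectoryMembershipProvider"
       type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
       connectionStringName="ADConnectionString"
       connectionUserName="UserWithAppropriateRights"
       connectionPassword="PasswordForUser"
       connectionProtection="None" />
 </providers>
</membership></system.web></configuration>"""


def audit_membership(config_xml):
    """Return (provider, attribute, reason) for each weak setting found."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() also reaches a <membership> nested under a <location> element.
    for membership in root.iter("membership"):
        for add in membership.findall("providers/add"):
            name = add.get("name", "?")
            is_ad = "ActiveDirectoryMembershipProvider" in add.get("type", "")
            checks = [
                ("enablePasswordRetrieval",
                 add.get("enablePasswordRetrieval", "false").lower() == "true",
                 "stored passwords can be read back"),
                ("passwordFormat",
                 not is_ad and add.get("passwordFormat", "Hashed") != "Hashed",
                 "passwords kept in recoverable form"),
                ("maxInvalidPasswordAttempts",
                 int(add.get("maxInvalidPasswordAttempts", "5")) > MAX_ATTEMPTS,
                 "lockout threshold above policy"),
                ("connectionPassword",
                 is_ad and bool(add.get("connectionPassword")),
                 "directory credential stored in clear text"),
                ("connectionProtection",
                 is_ad and add.get("connectionProtection", "Secure") != "Secure",
                 "directory connection not secured"),
            ]
            findings += [(name, attr, why) for attr, bad, why in checks if bad]
    return findings


if __name__ == "__main__":
    for provider, attr, why in audit_membership(SAMPLE):
        print(f"{provider}: {attr} - {why}")
```
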
Role Providers
After a user is logged into the system (possibly using the ASP.NET membership system), the ASP.NET
role management system enables you to work with the role of that user to authorize him for a particular
access to the overall application. The role management system in ASP.NET 3.5, as with the other systems,
has a set of providers to store and retrieve role information in an easy manner. This, of course, doesn’t
mean that you are bound to one of the three available providers in the role management system. Instead,
you can extend one of the established providers or even create your own custom provider.
By default, ASP.NET 3.5 offers three providers for the role management system. These providers are
defined in the following list:

System.Web.Security.SqlRoleProvider: Provides you with the capability to use the ASP.NET
role management system to connect to Microsoft’s SQL Server 2000/2005/2008 as well as to
Microsoft SQL Server Express Edition.

System.Web.Security.WindowsTokenRoleProvider: Provides you with the capability to
connect the ASP.NET role management system to the built-in Windows security group system.

System.Web.Security.AuthorizationStoreRoleProvider: Provides you with the capability to
connect the ASP.NET role management system to either an XML file, Active Directory, or an
Active Directory Application Mode (ADAM) store.

These three classes for role management inherit from the RoleProvider base class. This is illustrated in
Figure 12-10.
System.Web.Security.SqlRoleProvider
The role management system in ASP.NET uses SQL Server Express Edition files by default (just as the
membership system does). The connection to the SQL Server Express file uses SqlRoleProvider, but you
can just as easily configure your SQL Server 7.0, 2000, 2005, or 2008 server to work with the role
management system through SqlRoleProvider. The procedure for setting up your full-blown SQL
Server is described in the beginning of this chapter.
Figure 12-10
Looking at the SqlRoleProvider instance in the machine.config.comments file, you will notice the
syntax as defined in Listing 12-7. The machine.config.comments file provides documentation on the
machine.config as well as showing you the details of the default settings that are baked into the
ASP.NET Framework.
Listing 12-7: A SqlRoleProvider instance declaration
<configuration>
<system.web>
<roleManager enabled="false" cacheRolesInCookie="false"
cookieName=".ASPXROLES" cookieTimeout="30" cookiePath="/"
cookieRequireSSL="false" cookieSlidingExpiration="true"
cookieProtection="All" defaultProvider="AspNetSqlRoleProvider"
createPersistentCookie="false" maxCachedResults="25">
<providers>
<add name="AspNetSqlRoleProvider"
connectionStringName="LocalSqlServer" applicationName="/"
type="System.Web.Security.SqlRoleProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
</configuration>
As stated, this is part of the default <roleManager> declaration that is baked into the overall ASP.NET
Framework (note again that you can change any of these defaults by making a new declaration in your
web.config file). As you can see, role management is disabled by default through the enabled attribute
found in the <roleManager> node (it is set to false by default). Also, pay attention to the
defaultProvider attribute in the <roleManager> element. In this case, it is set to
AspNetSqlRoleProvider. This provider is defined in the same code example. To connect to the Microsoft
SQL Server 2005 instance that was defined earlier (in the membership system examples), you can use the
syntax shown in Listing 12-8.
Listing 12-8: Connecting the role management system to SQL Server 2005
<configuration>
<connectionStrings>
<add name="LocalSql2005Server"
connectionString="Data Source=127.0.0.1;Integrated Security=SSPI" />
</connectionStrings>
<system.web>
<roleManager enabled="true" cacheRolesInCookie="true"
cookieName=".ASPXROLES" cookieTimeout="30" cookiePath="/"
cookieRequireSSL="false" cookieSlidingExpiration="true"
cookieProtection="All" defaultProvider="AspNetSqlRoleProvider"
createPersistentCookie="false" maxCachedResults="25">
<providers>
<clear />
<add connectionStringName="LocalSql2005Server" applicationName="/"
name="AspNetSqlRoleProvider"
type="System.Web.Security.SqlRoleProvider, System.Web,
Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
</configuration>
With this in place, you can now connect to SQL Server 2005. Next is a review of the second provider
available to the role management system.
System.Web.Security.WindowsTokenRoleProvider
The Windows operating system has a role system built into it. This Windows security group system is
an ideal system to use when you are working with intranet-based applications where you might have
all users already in defined roles. This, of course, works best if you have anonymous authentication
turned off for your ASP.NET application, and you have configured your application to use Windows
Authentication.
Windows Authentication for ASP.NET applications is discussed in Chapter 21.
Some limitations exist when using WindowsTokenRoleProvider. This is a read-only provider because
ASP.NET is not allowed to modify the settings applied in the Windows security group system. This
means that not all the methods provided via the RoleProvider abstract class are usable when working
with this provider. From the WindowsTokenRoleProvider class, the only methods you have at your
disposal are IsUserInRole and GetUsersInRole.
To configure your WindowsTokenRoleProvider instance, you use the syntax defined in Listing 12-9.
Listing 12-9: A WindowsTokenRoleProvider instance
<configuration>
<system.web>
<authentication mode="Windows" />
<roleManager defaultProvider="WindowsProvider"
enabled="true"
cacheRolesInCookie="false">
<providers>
<add
name="WindowsProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
</system.web>
</configuration>
Remember that you have to declare the default provider using the defaultProvider attribute in the
<roleManager> element to change the assigned provider from the SqlRoleProvider association.
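
Why Listing 12-8 needs <clear /> and why the defaultProvider attribute matters, as an added example that is not from the book: a simplified Python model of how an application's <roleManager> section combines with the inherited one, followed by a check on the role-cookie attributes. The inheritance rules are reduced to what this chapter uses; MACHINE is cut down from Listing 12-7 and APP is constructed.

```python
import xml.etree.ElementTree as ET

# Inherited defaults, reduced from Listing 12-7.
MACHINE = """<roleManager enabled="false" cacheRolesInCookie="false"
    cookieRequireSSL="false" cookieProtection="All"
    defaultProvider="AspNetSqlRoleProvider">
  <providers>
    <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer"
         type="System.Web.Security.SqlRoleProvider" />
  </providers>
</roleManager>"""

# Constructed application-level override in the style of Listing 12-8.
APP = """<roleManager enabled="true" cacheRolesInCookie="true"
    cookieRequireSSL="false">
  <providers>
    <clear />
    <add name="AspNetSqlRoleProvider" connectionStringName="LocalSql2005Server"
         type="System.Web.Security.SqlRoleProvider" />
  </providers>
</roleManager>"""


def effective_role_manager(machine_xml, app_xml):
    """Simplified inheritance model: child attributes override the parent and
    <clear/>, <remove>, <add> edit the inherited provider collection."""
    parent, child = ET.fromstring(machine_xml), ET.fromstring(app_xml)
    settings = {**parent.attrib, **child.attrib}
    providers = {p.get("name"): dict(p.attrib)
                 for p in parent.findall("providers/add")}
    for op in child.findall("providers/*"):
        name = op.get("name")
        if op.tag == "clear":
            providers.clear()
        elif op.tag == "remove":
            providers.pop(name, None)
        elif op.tag == "add":
            if name in providers:  # ASP.NET reports this as a configuration error
                raise ValueError(f"provider '{name}' has already been added")
            providers[name] = dict(op.attrib)
    # None means defaultProvider names a provider that is not in the collection.
    return settings, providers.get(settings.get("defaultProvider"))


def cookie_findings(settings):
    """Flag roleManager cookie settings that expose the cached role list."""
    caching = (settings.get("enabled") == "true"
               and settings.get("cacheRolesInCookie") == "true")
    findings = []
    if caching and settings.get("cookieRequireSSL", "false") != "true":
        findings.append("role cookie may be sent over plain HTTP")
    if caching and settings.get("cookieProtection", "All") != "All":
        findings.append("role cookie is not both encrypted and validated")
    return findings
```

Adding a WindowsProvider entry without setting defaultProvider leaves AspNetSqlRoleProvider as the active provider in this model, which is the situation the paragraph above describes.
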
System.Web.Security.AuthorizationStoreRoleProvider
The final role provider you have available to you from a default install of ASP.NET is
AuthorizationStoreRoleProvider. This role provider class allows you to store roles inside of an
Authorization Manager policy store. These types of stores are also referred to as AzMan stores. As with
WindowsTokenRoleProvider, AuthorizationStoreRoleProvider is a bit limited because it is unable to
support any AzMan business rules.
To use AuthorizationStoreRoleProvider, you must first make a connection in your web.config file to
the XML data store used by AzMan. This is illustrated in Listing 12-10.
Listing 12-10: Making a connection to the AzMan policy store
<configuration>
<connectionStrings>
<add name="LocalPolicyStore"
connectionString="msxml://~\App_Data\datafilename.xml" />
</connectionStrings>
</configuration>
Note that when working with these XML-based policy files, it is best to store them in the App_Data
folder. Files stored in the App_Data folder cannot be pulled up in the browser.
After the connection string is in place, the next step is to configure your
AuthorizationStoreRoleProvider instance. This takes the syntax defined in Listing 12-11.
Listing 12-11: Defining the AuthorizationStoreRoleProvider instance
<configuration>
<connectionStrings>
<add name="MyLocalPolicyStore"
connectionString="msxml://~\App_Data\datafilename.xml" />
</connectionStrings>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
<roleManager defaultProvider="AuthorizationStoreRoleProvider"
enabled="true"
cacheRolesInCookie="true"
cookieName=".ASPROLES"
cookieTimeout="30"
cookiePath="/"
cookieRequireSSL="false"
cookieSlidingExpiration="true"
cookieProtection="All" >
<providers>
<clear />
<add
name="AuthorizationStoreRoleProvider"
type="System.Web.Security.AuthorizationStoreRoleProvider"
connectionStringName="MyLocalPolicyStore"
applicationName="SampleApplication"
cacheRefreshInterval="60"
scopeName="" />
</providers>
</roleManager>
</system.web>
</configuration>

Next, this chapter reviews the single personalization provider available in ASP.NET 3.5.
The Personalization Provider
As with the membership system found in ASP.NET, the personalization system (also referred to as the
profile system) is another system that is based on the provider model. This system makes associations
between the end user viewing the application and any data points stored centrally that are specific to that
user. As stated, these personalization properties are stored and maintained on a per-user basis. ASP.NET
provides a single provider for data storage. This provider is detailed here:

System.Web.Profile.SqlProfileProvider: Provides you with the capability to use the ASP.NET
personalization system to connect to Microsoft’s SQL Server 2000/2005/2008 as well as to
the new Microsoft SQL Server Express Edition.