A new ASP.NET MVC project includes preconfigured Membership, Profile and RoleManager providers right out of the box. Try it yourself – create a ASP.NET MVC application, crack open the web.config file and have a look.
First, you’ll find the ApplicationServices database connection:
- <connectionStrings>
- <add name="ApplicationServices"
- connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
- providerName="System.Data.SqlClient"/>
- </connectionStrings>
Notice the connection string is referencing the aspnetdb.mdf database hosted by SQL Express and it’s using integrated security so it’ll just work for you without having to call out a specific database login or anything.
Scroll down the file a bit and you’ll find each of the three noted sections:
- <membership>
- <providers>
- <clear/>
- <add name="AspNetSqlMembershipProvider"
- type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
- connectionStringName="ApplicationServices"
- enablePasswordRetrieval="false"
- enablePasswordReset="true"
- requiresQuestionAndAnswer="false"
- requiresUniqueEmail="false"
- passwordFormat="Hashed"
- maxInvalidPasswordAttempts="5"
- minRequiredPasswordLength="6"
- minRequiredNonalphanumericCharacters="0"
- passwordAttemptWindow="10"
- passwordStrengthRegularExpression=""
- applicationName="/"
- />
- </providers>
- </membership>
- <profile>
- <providers>
- <clear/>
- <add name="AspNetSqlProfileProvider"
- type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
- connectionStringName="ApplicationServices"
- applicationName="/"
- />
- </providers>
- </profile>
- <roleManager enabled="false">
- <providers>
- <clear />
- <add connectionStringName="ApplicationServices" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
- <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
- </providers>
- </roleManager>
Really. It’s all there. Still don’t believe me. Run the application, walk through the registration process and finally login and logout. Completely functional – and you didn’t have to do a thing!
What else? Well, you can manage your users via the Configuration Manager which is hiding in Visual Studio behind Projects > ASP.NET Configuration.
The ASP.NET Web Site Administration Tool isn’t MVC-specific (neither is the Membership, Profile or RoleManager stuff) but it’s neat and I hardly ever see anyone using it. Here you can set up and edit users, roles, and set access permissions for your site. You can manage application settings, establish your SMTP settings, configure debugging and tracing, define default error page and even take your application offline. The UI is rather plain-Jane but it works great.
And here’s the best of all. Let’s say you, like most of us, don’t want to run your application on top of the aspnetdb.mdf database. Let’s suppose you want to use your own database and you’d like to add the membership stuff to it. Well, that’s easy enough. Take a look inside your [drive:]\%windir%\Microsoft.Net\Framework\v2.0.50727\ folder. Here you’ll find a bunch of files. If you were to run the InstallCommon.sql, InstallMembership.sql, InstallRoles.sql and InstallProfile.sql files against the database of your choices, you’d be installing the same membership, profile and role artifacts which are found in the aspnet.db to your own database.
Too much trouble? Okay. Run [drive:]\%windir%\Microsoft.Net\Framework\v2.0.50727\aspnet_regsql.exe from the command line instead. This will launch the ASP.NET SQL Server Setup Wizard which walks you through the installation of those same database objects into the new or existing database of your choice. You may not always have the luxury of using this tool on your destination server, but you should use it whenever you can.
Last tip: don’t forget to update the ApplicationServices connectionstring to point to your custom database after the setup is complete.
At the risk of sounding like a smarty, everything I’ve mentioned in this post has been around for quite a while. The thing is that not everyone has had the opportunity to use it. And it makes sense. I know I’ve worked on projects which used custom membership services. Why bother with the out-of-the-box stuff, right? And the .NET framework is so massive, who can know it all. Well, eventually you might have a chance to architect your own solution using any implementation you’d like or you will have the time to play around with another aspect of the framework. When you do, think back to this post.
That’s all well and good, but the problem comes when you want to deploy your site to a production environment. You can’t access the WSAT on remote machines. I deployed a site the other day only to find out this little nugget of information, so now I have to think about implementing my own interface. I want to use the built in user/roles management, but I can’t.
Alex, you’re right. The Web Site Administration Tool doesn’t inherently work remotely although I’ve read claims of folks opening up access and hosting the tool on their production systems.
This open source, WebsiteManager, project might help you out as well – http://websitemanager.codeplex.com/.
I can’t say I’ve ever thought of making the WSAT available on my remote systems. Mostly because I feel the UI is less than desirable, unskinnable, etc, but I understand what you’re saying. Please let me know if the WebsiteManager project helps you out. Thanks for the comment and best of luck.
Thanks Ben.
At the time I was looking at http://wsat.codeplex.com/, but that looks more like an update to the MVC project template. I have gone ahead and used your suggested project with a few tweaks of my own. I’ve updated the security to use a custom Authorization attribute that allows me to switch off the security. I know that sounds risky but I did this just to allow me to add a user and give them admin priveleges to start with.
It all works nicely now and I can add/edit users at my will.
That’s great! I’m really glad everything worked out, Alex. Thanks for following up with us. Now everyone knows this is doable.
[...] written about the ASP.NET Membership Provider and setup before. If you missed the post, this introductory video may be for [...]
Iam pretty new to Membership and Role Management in ASP.Net, hope you will be right person in helping me out.
As per my knowledge, assigning permissions to roles can be done at folder level.
I have to build a custom Website administrator tool which uses the ASPNetDB database(available with .net framework), it should have an option to create roles and edit them in such a way that the users should be able to assign permissions to the roles at page level and also at functionality level within that Page for each role.
Pls mail me at gannyprodigy@gmail.com
It,s now 2 weeks and i can figure out.
Last tip: don’t forget to update the ApplicationServices connectionstring to point to your custom database after the setup is complete.
How do you update the ApplicationServices. using sql server developer r2, i want my membership to use (aspnetdb.mdf database) in adventure works r2 instead of sql express
Is this can not use ProfileProvider with strongly-type in MVC Framework?
thanks really helpful hint
As simple as this post may seem, trying to figure out how to use the default membership provider on a custom database was a pain, simple as using the aspnet_regsql and changing the connectionstring. Thanks for this helpful post!