Mono support board


the default Admin user can be locked out

Viewed 7200 time(s), 5 post(s). 10 month(s) ago by geobirbilis
geobirbilis
1

geobirbilis 10 month(s) ago

I tried to log in at a MonoX installation as admin and I entered wrong pwd several times and now it tells me the account is locked!

1) I'd expect the admin account to not be lockable like that (this can be exploited)
2) How can I edit the db or visit some MonoX installation webpage accessible only from the console (locally) to unlock the admin? Or is there another, easier way?
3) If password is totally forgotten, is there a way to make blank (or change) the pwd from the db?
155 Reputation 23 Total posts
denis
2

denis 10 month(s) ago

Hi George,
Our usual strategy is to change the name of the admin account, which makes it more difficult to exploit this feature. You can reset the locking status by switching the value of the IsLockedOut field in the aspnet_Membership table for that particular user. There are several properties in the membership provider that control this behavior, and you can change them in the web.config file - the most important one would be "maxInvalidPasswordAttempts".
Rated 4.00, 1 vote(s). 
6785 Reputation 874 Total posts
geobirbilis
3

geobirbilis 10 month(s) ago

Suppose the admin password for the portal has been forgotten, how can it be reset from the DB or other tool?
155 Reputation 23 Total posts
geobirbilis
4

geobirbilis 10 month(s) ago

btw, how come the user password is unhashed (plain text) in the dbo.aspnet_Membership table? (the respective username is in dbo.aspnet_Users)
Is it some ASP.net setting?
155 Reputation 23 Total posts
khorvat
5

khorvat 10 month(s) ago

Hi,

You should use the password recovery screen available e.g. here. Yes, passwords are unhashed by default, and you can change that setting in the web.config by changing the passwordFormat in the Membership and Role provider settings.

e.g.
<membership defaultProvider="AspNetSqlMembershipProvider" hashAlgorithmType="SHA1">
  <providers>
    <remove name="AspNetSqlMembershipProvider"/>
    <add connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="true"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="MonoX"
         requiresUniqueEmail="false"
         passwordFormat="Clear"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""
         name="AspNetSqlMembershipProvider"
         type="MonoSoftware.MonoX.MonoXMembershipProvider, MonoX" />
    <!-- <add name="ActiveDirectoryMembershipProvider" type="MonoSoftware.MonoX.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" applicationName="MonoX"
         connectionUsername="username@yourdomain"
         connectionPassword="pwd" /> -->
  </providers>
</membership>

Regards
11526 Reputation 1639 Total posts
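
The settings discussed in this thread can be checked mechanically. The following is an added example, not code from MonoX or from any poster: a small Python audit that reads a <membership> section and reports the password-storage and lockout settings named above. The function name audit_membership and the embedded sample (the posted element, trimmed) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <membership> element from the post above,
# trimmed to the attributes this audit reads.
SAMPLE = """<membership defaultProvider="AspNetSqlMembershipProvider" hashAlgorithmType="SHA1">
  <providers>
    <remove name="AspNetSqlMembershipProvider"/>
    <add name="AspNetSqlMembershipProvider" applicationName="MonoX"
         passwordFormat="Clear" enablePasswordRetrieval="true"
         maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"
         type="MonoSoftware.MonoX.MonoXMembershipProvider, MonoX" />
    <!-- commented-out providers are dropped by the parser -->
  </providers>
</membership>"""

WEAK_HASHES = {"MD5", "SHA1"}

def audit_membership(xml_text):
    """Return (provider, attribute, value, reason) tuples for risky settings."""
    root = ET.fromstring(xml_text)
    # Accept a bare <membership> element or a whole web.config document.
    membership = root if root.tag == "membership" else root.find(".//membership")
    if membership is None:
        return []
    findings = []
    alg = membership.get("hashAlgorithmType")
    if alg and alg.upper() in WEAK_HASHES:
        findings.append(("(membership)", "hashAlgorithmType", alg,
                         "fast hash, weak for password storage"))
    for add in membership.findall("./providers/add"):
        name = add.get("name", "?")
        fmt = add.get("passwordFormat")
        if fmt and fmt.lower() in ("clear", "encrypted"):
            findings.append((name, "passwordFormat", fmt,
                             "passwords are stored in a reversible form"))
        if add.get("enablePasswordRetrieval", "").lower() == "true":
            findings.append((name, "enablePasswordRetrieval", "true",
                             "the provider can hand back existing passwords"))
        attempts = add.get("maxInvalidPasswordAttempts")
        if attempts:
            window = add.get("passwordAttemptWindow", "?")
            findings.append((name, "maxInvalidPasswordAttempts", attempts,
                             f"{attempts} failures in {window} min lock any account, admin included"))
    return findings

if __name__ == "__main__":
    for finding in audit_membership(SAMPLE):
        print("%-28s %-27s %-6s %s" % finding)
```

In the stock ASP.NET membership schema each aspnet_Membership row records its own PasswordFormat, so switching the setting to Hashed only affects passwords set afterwards; existing accounts need a password reset to stop being stored in clear text.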