Geeky Bob

Behavior/Symptoms

When you create a database editor using the FrontPage 2003 ASP.NET Database Interface Wizard (DIW), you are prompted to create a user account for editing the database. After running the wizard, there is no interface for changing the user or password, and there is no provision for adding more than one user account as an editor.

Cause

This behavior is by design. The user account specified when created the DIW pages is hard-coded into the "web.config" files used by the database editor.

Workaround

To resolve this issue, you can modify the necessary "web.config" files to modify or add users.

When creating the database editor, FrontPage 2003 creates two "web.config" files, one will be in the root of the site, and the other will be in the folder containing the database editor. Currently, ASP.NET Security supports the MD5 and SHA-1 hash algorithms when configuring any user accounts in your "web.config" files for use with forms-based authentication. FrontPage 2003 creates user account information using the SHA-1 hash algorithm, but this article will explain how to customize that.

To modify or add users, use the following steps:

1. Open the web site where you have used FrontPage 2003's Database Interface Wizard (DIW) to create an ASP.NET Database Editor.
2. Open the "web.config" file in the root folder of your web site.
3. Locate the section that resembles the following:

   <authentication mode="Forms">
     <forms loginUrl="login.aspx">
       <credentials passwordFormat="SHA1">
          <user name="msbob" password="21BD12DC183F740EE76F27B78EB39C8AD972A757"/>
       </credentials>
     </forms>
   </authentication>

4. As previously mentioned, ASP.NET Security supports clear text and the MD5 and SHA-1 hash algorithms when configuring user accounts. To change the security method to clear text, change the passwordFormat to "clear". For example:

   <credentials passwordFormat="Clear">

   NOTE - You could just as easily configure "MD5" for the passwordFormat.
5. If you are configuring the passwordFormat as "SHA1" or "MD5", you can use the following sample code to create the password hashes:

   <html>
   <head>
   <title>MD5/SHA-1 Hash Generator</title>
   </head>
   <body>
   <h2>MD5/SHA-1 Hash Generator</h2>
   <%
   Dim strPassword As String = Request.Form("txtPassword")
   
   If Len(strPassword)>0 Then
   Dim objFormAuth As New System.Web.Security.FormsAuthentication()
   
   Dim strHashSHA1 As String = 
   objFormAuth.HashPasswordForStoringInConfigFile(strPassword, "SHA1")
   Dim strHashMD5 As String = 
   objFormAuth.HashPasswordForStoringInConfigFile(strPassword, "MD5")
   
   Response.Write("<p>Clear: " & strPassword & "</p>")
   Response.Write("<p>SHA-1: " & strHashSHA1 & "</p>")
   Response.Write("<p>MD5: " & strHashMD5 & "</p>")
   End If
   %>
   <form method="post">
   <input type="text" name="txtPassword">
   <input type="submit" value="Create Hashes">
   </form>
   </body>
   </html>

6. Modify or remove the existing user account, which may resemble the following:

   <user name="msbob" password="21BD12DC183F740EE76F27B78EB39C8AD972A757"/>

7. Add any aditional users as desired.
8. The resulting credentials section of the "web.config" in the root of the web site may now resemble something like the following:

   <credentials passwordFormat="Clear">
     <user name="user1" password="Password1"/>
     <user name="user2" password="Password2"/>
     <user name="user3" password="Password3"/>
   </credentials>

9. Save and close the "web.config" for the root folder of your web site.
10. Open the "web.config" file in the "editor" folder of the ASP.NET database editor that you created in your web site. (For example, if you created a database editor for one of the tables in the built-in sample "Northwind" database, the default folder path from the root of your web site might resemble one of the following paths:
    • /Sample_interface/Categories/editor
    • /Sample_interface/Employees/editor
    • /Sample_interface/Products/editor
11. Locate the section that resembles the following:

    <authorization>
      <allow users="msbob"/>
      <deny users="*"/>
    </authorization>

12. Remove or add any users as desired, separating individual users with a comma for the delimiter.
13. The resulting authorization section of the "web.config" in the "editor" folder for your database editor may now resemble something like the following:

    <authorization>
      <allow users="user1,user2,user3"/>
      <deny users="*"/>
    </authorization>

14. Save and close the "web.config" in the "editor" folder for your database editor.

When you browse your database editor, you should now be able to enter the credentials for any user accounts that you created.

Additional Information

For additional information on ASP.NET Security and forms-based authentication, please see the following Microsoft Knowledge Base articles:

• 306590 - INFO: ASP.NET Security Overview
  http://support.microsoft.com/?id=306590
• 308157 - How To Implement Forms-Based Authentication in Your ASP.NET Application
  http://support.microsoft.com/?id=308157
• 301240 - How To Implement Forms-Based Authentication in Your ASP.NET Application
  http://support.microsoft.com/?id=301240