true if the update was successful; otherwise, false. A value of false is also returned if the password is incorrect, the user is locked out, or the user does not exist in the Active Directory data store.
This method is called by the System.Web.Security.ActiveDirectoryMembershipUser class to update the password question and answer for a user in the Active Directory membership store.
Requiring a password question and answer provides an additional layer of security when resetting a user's password. When an account is created, the user can supply a question and answer that can later be used to reset a forgotten password. The ActiveDirectoryMembershipProvider.ChangePasswordQuestionAndAnswer(string, string, string, string) method updates the password question and answer for a membership user to new values.
In order to use the ActiveDirectoryMembershipProvider.ChangePasswordQuestionAndAnswer(string, string, string, string) method, you must set these additional attributes in your application's configuration file:
requiresQuestionAndAnswer must be true.
attributeMapPasswordQuestion and attributeMapPasswordAnswer must be mapped to attributes in the Active Directory schema.
If the above criteria are not met, a System.Configuration.Provider.ProviderException is thrown at initialization.
The System.Web.Security.ActiveDirectoryMembershipProvider instance first connects to the Active Directory data store with the credentials supplied in the username and password parameters to validate the user name/password combination. The actual update of the question and answer is then performed under the provider's configured connection credentials, not the user's, so the connection account must be permitted to write the mapped question and answer attributes.
If an incorrect password is supplied to the ActiveDirectoryMembershipProvider.ChangePasswordQuestionAndAnswer(string, string, string, string) method, the directory server will increment the counters that track invalid password attempts. This can result in the user being locked and unable to log on until either the lock status is cleared by a call to the ActiveDirectoryMembershipProvider.UnlockUser(string) method or the locked duration specified in the directory passes.
If the update to the question and answer succeeds and the ActiveDirectoryMembershipProvider.EnablePasswordReset property is true, the user's bad password answer tracking counters are reset.
The password answer is encrypted using the MembershipProvider.EncryptPassword(Byte[]) method before it is stored in the Active Directory data store. The encryption key and algorithm are specified by the machineKey configuration element. The decryption attribute on the machineKey element must be set explicitly, because the System.Web.Security.ActiveDirectoryMembershipProvider class does not support auto-generated encryption keys.
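The following web.config fragment is an added example (not from the original documentation) that satisfies both sets of requirements above: requiresQuestionAndAnswer is true, the question and answer are mapped to directory attributes, and machineKey carries explicit keys rather than AutoGenerate. The connection string, server name, service account, the choice of department and division as the mapped schema attributes, and the key values are assumptions made for illustration; the key values in particular are placeholders and must be replaced with keys you generate yourself. Because enablePasswordReset is also turned on here, the three failed-password-answer tracking attributes are mapped as well, which the provider requires in that configuration.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Assumed directory and search point; subtree searches for the
         user name start at the container named here. -->
    <add name="ADConnectionString"
         connectionString="LDAP://ad.example.com/CN=Users,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Explicit keys are mandatory: the provider does not support
         decryption="Auto" / AutoGenerate. The hex values below are
         placeholders for illustration, not real keys. -->
    <machineKey
        validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
        decryptionKey="0123456789ABCDEF0123456789ABCDEF"
        validation="HMACSHA256"
        decryption="AES" />
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="EXAMPLE\svc-membership"
             connectionPassword="placeholder-service-account-password"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             attributeMapPasswordQuestion="department"
             attributeMapPasswordAnswer="division"
             attributeMapFailedPasswordAnswerCount="countryCode"
             attributeMapFailedPasswordAnswerTime="primaryGroupID"
             attributeMapFailedPasswordAnswerLockoutTime="msDS-UserPasswordExpiryTimeComputed" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Two practical checks before deploying a configuration like this: the service account named in connectionUsername needs write access to every mapped attribute (the update runs under its credentials, not the end user's), and the attributes you repurpose for the question, answer and counters must not be ones the directory or other applications already rely on. Both the connection password and the machineKey section are secrets; encrypt those sections with protected configuration (aspnet_regiis -pe) rather than leaving them in clear text, and remember that the question is stored as supplied while only the answer is encrypted.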
The maximum length for the password question is 256 characters. The maximum length for the password answer is 128 characters.
Leading and trailing spaces are trimmed from all parameter values except for password.
The provider finds the user instance to update by performing a subtree search for the user name starting at the search point specified in the connection string. See the System.Web.Security.ActiveDirectoryMembershipProvider class topic for more information about connection strings.