The ActiveDirectoryMembershipProvider.PasswordAttemptWindow property works in conjunction with the ActiveDirectoryMembershipProvider.MaxInvalidPasswordAttempts property to help guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. When users are attempting to log in, change their password, or reset their password, only a certain number of consecutive attempts are allowed within a specified time window. The length of the time window is specified by the ActiveDirectoryMembershipProvider.PasswordAttemptWindow property, which identifies the number of minutes allowed between invalid attempts. If the number of consecutive failed attempts a user makes to reset his or her password equals the value stored in the ActiveDirectoryMembershipProvider.MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified for the ActiveDirectoryMembershipProvider.PasswordAttemptWindow property, then the user account s locked out for the number of minutes contained in the ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration property. If the interval between the current failed attempt and the last failed attempt is greater than the ActiveDirectoryMembershipProvider.PasswordAttemptWindow property setting, the current invalid attempt is counted as the first attempt. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to zero. If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to zero.

We recommend that the ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration property be set to the same value as the account lockout duration that is specified for the maximum number of failed logon attempts in the Active Directory configuration. This will present consistent auto-lockout behavior for users whether they were locked out due to failed logon attempts or to bad password answers.

The ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration property is set in your application's configuration file using the passwordAttemptWindow attribute of the membership element. If the property is not set in the application's configuration file, the ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration property is set to the default value of 10 minutes.