Configuring the Commerce Membership Provider

When you configure the Commerce Membership Provider, you must specify configuration elements on both the presentation tier and application tier components.

  • Configuring the Commerce Membership Provider on the Presentation Tier

  • Configuring the Commerce Membership Provider on the Application Tier

Configuring the Commerce Membership Provider on the Presentation Tier

For the presentation tier configuration of the Commerce Membership Provider, you must specify the following in the Web.config file of your Web application under the <membership> section of <system.web>:

  • name: The identity of the membership provider

  • type: The class that implements the membership provider

  • channelName: The name of the channel served by the Commerce Membership Provider

  • operationServiceName: The name of the operation service, as specified in the operation services section of configuration, to which the Commerce Membership Provider sends authentication requests

Since the Commerce Membership Provider is a client of the Commerce Foundation, all other Commerce Membership Provider configuration elements, including password format (hashed, encrypted, or clear), are specified on the application tier. For more information, see Configuring the Commerce Membership Provider on the Application Tier.

Note

Since the application tier controls password security, the presentation tier sends user passwords to the application tier in plain text. Therefore, in a three-tier deployment, transport security is highly recommended. For more information, see Considerations for Securing Commerce Communication Channels Using SSL and Securing Communication Channels.

Below is a sample ASP.NET membership configuration for the presentation tier:

<membership defaultProvider="CommerceMembershipProvider">
  <providers>
    <clear/>
    <add name="CommerceMembershipProvider"
         type="Microsoft.Commerce.Common.MembershipProvider.CommerceMembershipProvider, Microsoft.Commerce.Common, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         channelName="TestChannel"
         operationServiceName="IOperationService" />
  </providers>
</membership>

Configuring the Commerce Membership Provider on the Application Tier

For the application tier configuration of the Commerce Membership Provider, you must specify the membership settings for each channel under the <DefaultChannel> and <Channel> elements in ChannelConfiguration.config. There can only be one membership configuration section per channel.

You can configure the following Commerce Membership Provider settings on the application tier:

| Properties | Description | Data type | Default value | Required or optional |
|---|---|---|---|---|
| membershipUserModelName | Specifies the name of the commerce entity used to represent membership users (shoppers) as defined in MetadataDefinitions.xml | String | UserProfile | Required |
| logonPropertyName | Specifies the property used as the user login | String | Email | Required |
| requiresApproval | Specifies whether a new user account requires approval before the user can log on to the site | Boolean | false | Required |
| requiresQuestionAndAnswer | Specifies whether a new user must provide a question and answer when registering for the first time in the event he/she needs to retrieve or reset a forgotten password | Boolean | true | Required |
| enablePasswordReset | Specifies whether the password reset feature is supported | Boolean | false | Required |
| enableLastActivityDate | Specifies whether the last activity date of a profile is updated when the user logs in or accesses the site. Note: Using this feature to track whether or not a user is online may adversely affect performance. | Boolean | true | Required |
| passwordAttemptWindow | Specifies the number of minutes in which a user must reach the maximum number of invalid password attempts to trigger an account lockout | Integer | 10 | Required |
| passwordLockoutPeriod | Specifies the number of minutes a user is locked out of his/her account after exceeding the maximum number of invalid log in attempts | Integer | 10 | Required |
| maxInvalidPasswordAttempts | Specifies the number of invalid attempts that must occur within the period specified in the PasswordAttemptWindow property to trigger an account lockout | Integer | 5 | Required |
| passwordFormat | Specifies the System.Web.Security.MembershipPasswordFormat value that defines the means for comparing submitted passwords and stored passwords. Note: The value for this property must match the encryption type specified for the Password property in the Commerce Server Core Systems Profile system. For example, if the encryption type specified for the Password property is One Way Hash, use Hashed for this passwordFormat property. | MembershipPasswordFormat (https://go.microsoft.com/fwlink/?LinkId=209150) | MembershipFormat.Hashed | Required |
| passwordAnswerFormat | Specifies the System.Web.Security.MembershipPasswordFormat value that defines the means for comparing submitted answer to the password question and stored password answer. Note: The value for this property must match the encryption type specified for the Password property in the Commerce Server Core Systems Profile system. For example, if the encryption type specified for the Password property is One Way Hash, use Hashed for this passwordFormat property. | MembershipPasswordFormat (https://go.microsoft.com/fwlink/?LinkId=209150) | MembershipFormat.Hashed | Required |
| minRequiredPasswordLength | Specifies the minimum number of characters that must be present in a computer generated password. Note: Only for use when enablePasswordReset is set to true. | Integer | 5 | Optional |
| minRequiredNonalphanumericCharacters | Specifies the minimum number of special characters that must be present in a computer generated password. Note: Only for use when enablePasswordReset is set to true. | Integer | 0 | Optional |

Note

Since the application tier controls password security, the presentation tier sends user passwords to the application tier in plain text. Therefore, in a three-tier deployment, transport security is highly recommended. For more information, see Considerations for Securing Commerce Communication Channels Using SSL and Securing Communication Channels.

The sample configuration below shows the Commerce Membership Provider configuration for the application tier.

<membership
        membershipUserModelName="UserProfile"
        logonPropertyName="Email"
        requiresApproval="true"
        requiresQuestionAndAnswer="true"
        enablePasswordReset="true"
        enableLastActivityDate="true"
        passwordAttemptWindow="5"
        passwordLockoutPeriod="5"
        maxInvalidPasswordAttempts="5"
        passwordFormat="Hashed"
        passwordAnswerFormat="Hashed"
        minRequiredPasswordLength="6"
        minRequiredNonalphanumericCharacters="1" />
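An application-tier membership element can be checked against the settings listed above before it is deployed. The following Python script is an added example, not part of the original page or of Commerce Server; the function name `audit_membership`, the finding messages and the constructed `WEAK` input are assumptions of the example, and it treats attribute names as case-sensitive.

```python
import xml.etree.ElementTree as ET

# Attribute names grouped by the data type given in the settings table.
BOOLS = {"requiresApproval", "requiresQuestionAndAnswer", "enablePasswordReset",
         "enableLastActivityDate"}
INTS = {"passwordAttemptWindow", "passwordLockoutPeriod", "maxInvalidPasswordAttempts"}
FORMATS = {"passwordFormat", "passwordAnswerFormat"}
STRINGS = {"membershipUserModelName", "logonPropertyName"}
RESET_ONLY = {"minRequiredPasswordLength", "minRequiredNonalphanumericCharacters"}  # optional integers
REQUIRED = BOOLS | INTS | FORMATS | STRINGS
FORMAT_VALUES = {"Clear", "Hashed", "Encrypted"}  # MembershipPasswordFormat members


def audit_membership(xml_text):
    """Return sorted findings for one application-tier <membership> element."""
    attrs = ET.fromstring(xml_text).attrib
    findings = [f"unknown attribute: {a}" for a in attrs if a not in REQUIRED | RESET_ONLY]
    findings += [f"missing required attribute: {n}" for n in REQUIRED if n not in attrs]
    for name, value in attrs.items():
        if name in BOOLS and value.lower() not in ("true", "false"):
            findings.append(f"{name}: not a Boolean: {value}")
        elif name in INTS | RESET_ONLY and not value.isdigit():
            findings.append(f"{name}: not an integer: {value}")
        elif name in FORMATS and value not in FORMAT_VALUES:
            findings.append(f"{name}: not a MembershipPasswordFormat value: {value}")
        elif name in FORMATS and value == "Clear":
            findings.append(f"{name}: stored in clear text")
    if attrs.get("enablePasswordReset", "").lower() != "true":
        findings += [f"{n}: only used when enablePasswordReset is true"
                     for n in RESET_ONLY if n in attrs]
    return sorted(findings)


# Constructed sample input (not from the page): clear-text answers, a misspelled
# lockout attribute, and a reset-only setting while password reset is disabled.
WEAK = """<membership membershipUserModelName="UserProfile" logonPropertyName="Email"
  requiresApproval="false" requiresQuestionAndAnswer="true" enablePasswordReset="false"
  enableLastActivityDate="true" passwordAttemptWindow="10" passwordLockOutPeriod="10"
  maxInvalidPasswordAttempts="5" passwordFormat="Hashed" passwordAnswerFormat="Clear"
  minRequiredPasswordLength="6" />"""

if __name__ == "__main__":
    print("\n".join(audit_membership(WEAK)))
```

The misspelled `passwordLockOutPeriod` produces two findings, one for the unknown attribute and one for the required attribute it was meant to set.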

The commerce entity named in the membershipUserModelName property of your configuration must be defined in MetadataDefinitions.xml. For more information, see Defining Membership User Settings in Metadata.

For more information about ASP.NET membership, see Managing Users by Using Membership (https://go.microsoft.com/fwlink/?LinkId=209149).

See Also

Other Resources

Using the Commerce Membership Provider

Defining MembershipSettings in Metadata

Defining Membership User Settings in Metadata