Configuring the Commerce Membership Provider
When you configure the Commerce Membership Provider, you must specify configuration elements on both the presentation tier and application tier components.
Configuring the Commerce Membership Provider on the Presentation Tier
For the presentation tier configuration of the Commerce Membership Provider, you must specify the following in the Web.config file of your Web application under the <membership> section of <system.web>:
name: The identity of the membership provider
type: The class that implements the membership provider
channelName: The name of the channel served by the Commerce Membership Provider
operationServiceName: The name of the operation service, as specified in the operation services section of configuration, to which the Commerce Membership Provider sends authentication requests
Since the Commerce Membership Provider is a client of the Commerce Foundation, all other Commerce Membership Provider configuration elements, including password format (hashed, encrypted, or clear), are specified on the application tier. For more information, see Configuring the Commerce Membership Provider on the Application Tier.
Note
Since the application tier controls password security, the presentation tier sends user passwords to the application tier in plain text. Therefore, in a three tier deployment, transport security is highly recommended. For more information, see Considerations for Securing Commerce Communication Channels Using SSL and Securing Communication Channels.
Below is a sample ASP.NET membership configuration for the presentation tier:
<membership defaultProvider="CommerceMembershipProvider">
  <providers>
    <clear/>
    <add name="CommerceMembershipProvider"
         type="Microsoft.Commerce.Common.MembershipProvider.CommerceMembershipProvider, Microsoft.Commerce.Common, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         channelName="TestChannel"
         operationServiceName="IOperationService" />
  </providers>
</membership>
Configuring the Commerce Membership Provider on the Application Tier
For the application tier configuration of the Commerce Membership Provider, you must specify the membership settings for each channel under the <DefaultChannel> and <Channel> elements in ChannelConfiguration.config. There can only be one membership configuration section per channel.
You can configure the following Commerce Membership Provider settings on the application tier:
| Properties | Description | Data type | Default value | Required or optional |
|---|---|---|---|---|
| membershipUserModelName | Specifies the name of the commerce entity used to represent membership users (shoppers) as defined in MetadataDefinitions.xml | String | UserProfile | Required |
| logonPropertyName | Specifies the property used as the user login | String | | Required |
| requiresApproval | Specifies whether a new user account requires approval before the user can log on to the site | Boolean | false | Required |
| requiresQuestionAndAnswer | Specifies whether a new user must provide a question and answer when registering for the first time in the event he/she needs to retrieve or reset a forgotten password | Boolean | true | Required |
| enablePasswordReset | Specifies whether the password reset feature is supported | Boolean | false | Required |
| enableLastActivityDate | Specifies whether the last activity date of a profile is updated when the user logs in or accesses the site. Note: Using this feature to track whether or not a user is online may adversely affect performance. | Boolean | true | Required |
| passwordAttemptWindow | Specifies the number of minutes in which a user must reach the maximum number of invalid password attempts to trigger an account lockout | Integer | 10 | Required |
| passwordLockoutPeriod | Specifies the number of minutes a user is locked out of his/her account after exceeding the maximum number of invalid log in attempts | Integer | 10 | Required |
| maxInvalidPasswordAttempts | Specifies the number of invalid attempts that must occur within the period specified in the passwordAttemptWindow property to trigger an account lockout | Integer | 5 | Required |
| passwordFormat | Specifies the System.Web.Security.MembershipPasswordFormat value that defines the means for comparing submitted passwords and stored passwords. Note: The value for this property must match the encryption type specified for the Password property in the Commerce Server Core Systems Profile system. For example, if the encryption type specified for the Password property is One Way Hash, use Hashed for this passwordFormat property. | MembershipPasswordFormat | MembershipFormat.Hashed | Required |
| passwordAnswerFormat | Specifies the System.Web.Security.MembershipPasswordFormat value that defines the means for comparing the submitted answer to the password question and the stored password answer. Note: The value for this property must match the encryption type specified for the Password property in the Commerce Server Core Systems Profile system. For example, if the encryption type specified for the Password property is One Way Hash, use Hashed for this passwordFormat property. | MembershipPasswordFormat | MembershipFormat.Hashed | Required |
| minRequiredPasswordLength | Specifies the minimum number of characters that must be present in a computer generated password. Note: Only for use when enablePasswordReset is set to true. | Integer | 5 | Optional |
| minRequiredNonalphanumericCharacters | Specifies the minimum number of special characters that must be present in a computer generated password. Note: Only for use when enablePasswordReset is set to true. | Integer | 0 | Optional |
Note
Since the application tier controls password security, the presentation tier sends user passwords to the application tier in plain text. Therefore, in a three tier deployment, transport security is highly recommended. For more information, see Considerations for Securing Commerce Communication Channels Using SSL and Securing Communication Channels.
The sample configuration below shows the Commerce Membership Provider configuration for the application tier.
<membership
membershipUserModelName="UserProfile"
logonPropertyName="Email"
requiresApproval="true"
requiresQuestionAndAnswer="true"
enablePasswordReset="true"
enableLastActivityDate="true"
passwordAttemptWindow="5"
passwordLockoutPeriod="5"
maxInvalidPasswordAttempts="5"
passwordFormat="Hashed"
passwordAnswerFormat="Hashed"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="1" />
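A review check for an application tier membership element, written against the settings table on this page. This is an added example, not code from Commerce Server: the function name `audit_membership`, the sample input, and the two policy rules (integers must be positive, only Hashed is accepted) are assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute names and types come from the settings table on this page.
# Assumed policy: integers must be positive, and only Hashed is accepted.
REQUIRED = {
    "membershipUserModelName": str, "logonPropertyName": str,
    "requiresApproval": bool, "requiresQuestionAndAnswer": bool,
    "enablePasswordReset": bool, "enableLastActivityDate": bool,
    "passwordAttemptWindow": int, "passwordLockoutPeriod": int,
    "maxInvalidPasswordAttempts": int,
    "passwordFormat": "fmt", "passwordAnswerFormat": "fmt",
}
RESET_ONLY = ("minRequiredPasswordLength", "minRequiredNonalphanumericCharacters")
FORMATS = {"Clear", "Hashed", "Encrypted"}  # MembershipPasswordFormat members


def audit_membership(xml_text):
    """Return a sorted list of findings for one <membership .../> element."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []
    for name, kind in REQUIRED.items():
        value = attrs.get(name)
        if value is None:
            findings.append(f"{name}: required attribute is missing")
        elif kind is bool and value.lower() not in ("true", "false"):
            findings.append(f"{name}: expected true/false, got {value!r}")
        elif kind is int and not (value.isdigit() and int(value) > 0):
            findings.append(f"{name}: expected a positive integer, got {value!r}")
        elif kind == "fmt" and value not in FORMATS:
            findings.append(f"{name}: unknown password format {value!r}")
        elif kind == "fmt" and value != "Hashed":
            findings.append(f"{name}: {value} keeps the secret recoverable; use Hashed")
    if attrs.get("enablePasswordReset", "").lower() != "true":
        for name in RESET_ONLY:
            if name in attrs:
                findings.append(f"{name}: only used when enablePasswordReset is true")
    return sorted(findings)


# Constructed sample: the page's application tier example with weakened settings.
SAMPLE = """<membership membershipUserModelName="UserProfile" logonPropertyName="Email"
  requiresApproval="true" requiresQuestionAndAnswer="true"
  enablePasswordReset="false" enableLastActivityDate="true"
  passwordAttemptWindow="5" passwordLockoutPeriod="0"
  passwordFormat="Clear" passwordAnswerFormat="Hashed"
  minRequiredPasswordLength="6" />"""

if __name__ == "__main__":
    print("\n".join(audit_membership(SAMPLE)))
```
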
The commerce entity named in the membershipUserModelName property of your configuration must be defined in MetadataDefinitions.xml. For more information, see Defining Membership User Settings in Metadata.
For more information about ASP.NET membership, see Managing Users by Using Membership https://go.microsoft.com/fwlink/?LinkId=209149.
See Also
Other Resources
Using the Commerce Membership Provider