Managing Logins and Passwords

This section describes how to restrict login attempts and manage passwords.

Restricting Login Attempts

Ektron has a login security feature that, by default, locks out a user after 5 unsuccessful attempts to log in on one computer. You control login security by changing the ek_loginAttempts element in the web.config file.

WARNING! If you want your Ektron eCommerce feature to comply with PA DSS certification, the ek_loginAttempts value must be between 1 and 6.

  • any number between 1 and 254—The number of unsuccessful login attempts after which the user is locked out
  • 0—Lock out all users
  • -1—Disable feature; unlock all locked users
  • -2—Lock out Ektron users only; membership users can log in

You can control the following capabilities.

Changing the Number of Unsuccessful Login Attempts

By default, if a user unsuccessfully tries to log in 5 times, this error appears: The account is locked. Please contact your administrator. Afterwards, even if the user enters the correct password, he is locked out.

NOTE: You can change the error message text in the resource file. See Also: Procedure for Translating Workarea Strings.

To change the number of login attempts prior to lockout, edit the ek_loginAttempts element in the siteroot/web.config file. For example, to allow 3 unsuccessful logins before lockout, change the value to 3. You cannot enter a value greater than 254.

Unlocking a Locked Account

Once an account is locked out, the Account Locked field is checked on the Edit User screen.

To unlock the account, an administrator user (or a user assigned to the user-admin role) accesses the Edit User screen and unchecks the box. At this point, the user can sign in again.

NOTE: To unlock all users, set the ek_loginAttempts element in the siteroot/web.config file to -1. See Also: Disabling the Login Attempts Feature.

Manually Locking a User from Signing On

You can use the Account Locked field (described above) to manually lock a user out of Ektron. To do so, go to the Edit User screen, identify the user, and check the Account Locked field.

That user cannot sign in until either you uncheck the box or change the value of the ek_loginAttempts element in the web.config file to -1.

Disabling the Login Attempts Feature

To disable the Login Attempts feature, set the value of the ek_loginAttempts element in the web.config file to -1. If you do, any user can try to log in as many times as he wants. The error message never appears, and he is not prevented from entering a password.

NOTE: Setting the ek_loginAttempts element in the web.config file to -1 unlocks all locked accounts.

Preventing Ektron Users from Signing On

To lock out all Ektron users, set the ek_loginAttempts element in the web.config file to -2. If you do, only membership users can sign in.

NOTE: The builtin user cannot sign in if ek_loginAttempts is set to -2.

Preventing All Users from Signing On

To lock out all users (including membership users), set the ek_loginAttempts element in the web.config file to 0. If you do, no one can sign in to Ektron until you change the value.

NOTE: The builtin user cannot sign in if ek_loginAttempts is set to 0.

Changing Images Used for Logging In and Out

You can change the images used for the login and logout buttons. To do so:

  1. Move the new images to the following folder: siteroot\Workarea\images\application.
  2. Open the web.config file in your Web site’s root directory.
  3. Change the images in this section of the file:
    <add key="ek_Image_1" value="btn_close.gif" />
    <add key="ek_Image_2" value="btn_login.gif" />
    <add key="ek_Image_3" value="btn_login_big.gif" />

    NOTE: You must update the images and web.config whenever you upgrade Ektron.

Resolving a Problem with the Login Screen

You may find that in certain browsers, the login screen occupies the entire browser window instead of just a small box. Browsers such as Internet Explorer 8 and Firefox have a feature called tabs. When the login window pops up, it appears as a new tab. You can change this behavior by turning off tabs within the browser.

Managing Passwords

This section contains the following topics relating to managing passwords.

Editing the Builtin Username and Password

The builtin user is an emergency user if you cannot log in to Ektron as the administrator. The builtin user is defined in the Ektron setup screen.

To edit the username and password:

  1. From the Workarea, choose Settings > Configuration > Setup. The Application Setup screen appears with the General Tab showing.
  2. Click Edit to modify the settings.
  3. Locate the Built In User field.
  4. Change the username and password.
  5. Click Update.

The builtin user can log in to Ektron whether or not Active Directory or LDAP is enabled. The builtin user's default username and password combination is builtin/builtin. For security reasons, Ektron recommends changing them during installation.

If you log into the Workarea as the builtin user, you can access only the following screens on the Settings tab.

  • Active Directory
  • Asset Server Setup
  • Setup
  • User
  • User Group

WARNING! Use the builtin user only to correct a bad or expired license key. It is not designed for regular Ektron operations. If you try to edit content while signed on as a builtin user, you will generate errors.

If you cannot sign in to Ektron because the builtin user password was changed and you don’t know the new password, use the BuiltinAccountReset.exe utility. This resets your Ektron user password to Builtin \ Builtin. This utility is located in C:\Program Files\Ektron\CMS400versionnumber\Utilities.

Making Passwords Case Sensitive

By default, passwords are case insensitive. So for example, if the password is TOKEN and the user enters token, the signon is successful.

If you want to make passwords case sensitive, change the value of the ek_passwordCaseSensitive element of the siteroot/web.config file from false to true.

If you do, and the password is TOKEN and the user enters token, the signon is unsuccessful. The user would have to enter TOKEN to successfully sign on.

Enforcing a Password Change Every 90 Days

Ektron has a password security feature that forces an administrator or user with the Commerce Admin role to change his password at least every 90 days. This feature is only enabled when the ek_ecom_ComplianceMode key in the site’s web.config file is set to true.

Once such a user goes 85 days without changing his password, a dialog box appears at the next login asking him to change it. If he does not want to do so at that time, he can click Skip. He can keep skipping for the next 5 days. Once 90 days have passed, he must change his password before he can log into Ektron.

Enforcing Login After Time of Inactivity

Ektron has a password security feature that automatically logs out an administrator or user with the Commerce Admin role after 15 minutes of inactivity. Activity is based on requests made to the server.

This feature is enabled when the ek_ecom_ComplianceMode key in the site’s web.config file is set to true. In addition, if you are using IIS7, the line in red below needs to appear between the <modules> tags in the web.config file. This line is part of the default install; make sure it has not been removed.

<modules>
  <add name="MyDigestAuthenticationModule"
    type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule,
    Ektron.ASM.EkHttpDavHandler" />
  <add name="ScriptModule"
    type="System.Web.Handlers.ScriptModule, System.Web.Extensions,
    Version=1.0.61025.0, Culture=neutral,
    PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode" />
  <add name="EkUrlAliasModule" type="UrlAliasingModule"
    preCondition="integratedMode" />
</modules>

If you are using IIS 6, the line in red below needs to appear between the <httpModules> tags in the web.config file. This line is a part of the default install. You should make sure it has not been removed.

<httpModules>
  <add name="DigestAuthenticationModule"
    type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule,
    Ektron.ASM.EkHttpDavHandler" />
  <add name="ScriptModule"
    type="System.Web.Handlers.ScriptModule, System.Web.Extensions,
    Version=1.0.61025.0,
    Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  <add name="EkUrlAliasModule" type="UrlAliasingModule" />
</httpModules>

Enforcing a Minimum Password

Ektron has a password security feature that forces an administrator or user with the Commerce Admin role to use at least 7 characters in his password. Further, the password must contain at least one alphabetic and one numeric character.

This feature is enabled only when the ek_ecom_ComplianceMode key in the site’s web.config file is set to true.

Enforcing a No-match Password

Ektron has a password security feature that forces an administrator or user with the Commerce Admin role to create a password that does not match his last 4 passwords. This feature is enabled only when the site’s web.config file has the ek_ecom_ComplianceMode key set to true and the ek_ecom_PasswordHistory key set to at least 4.

You can set ek_ecom_PasswordHistory to a number higher than 4 if you want a higher level of security. If you set this key to less than 4 and the ek_ecom_ComplianceMode key is set to true, Ektron enforces at least 4.
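Checking these web.config settings can be scripted. The following Python audit is an added example, not Ektron code: it reads the appSettings keys and IIS7 <modules> entries described in this section from a constructed sample web.config and reports deviations from the values given above. Because the text does not say which module line it highlighted, the audit requires all three entries it lists.

```python
"""Audit the login and password settings described above in an Ektron web.config."""
import xml.etree.ElementTree as ET

# Constructed sample (not from a real site): a weak configuration that trips
# several of the checks, with the EkUrlAliasModule entry deliberately missing.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ek_loginAttempts" value="10" />
    <add key="ek_passwordCaseSensitive" value="false" />
    <add key="ek_ecom_ComplianceMode" value="true" />
    <add key="ek_ecom_PasswordHistory" value="2" />
  </appSettings>
  <system.webServer>
    <modules>
      <add name="MyDigestAuthenticationModule"
           type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule, Ektron.ASM.EkHttpDavHandler" />
      <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions"
           preCondition="integratedMode" />
    </modules>
  </system.webServer>
</configuration>
"""

# The three IIS7 <modules> entries shown in the text; the text does not say which
# one it highlighted, so all three are required here.
REQUIRED_MODULES = ("MyDigestAuthenticationModule", "ScriptModule", "EkUrlAliasModule")


def describe_login_attempts(value):
    """Translate an ek_loginAttempts value into the behaviour listed above."""
    n = int(value)
    if n == -2:
        return "Ektron users locked out; only membership users can log in"
    if n == -1:
        return "lockout feature disabled; all locked accounts unlocked"
    if n == 0:
        return "all users locked out"
    if 1 <= n <= 254:
        return f"lock out after {n} unsuccessful attempts"
    raise ValueError(f"ek_loginAttempts out of range: {n}")


def audit(xml_text):
    """Return (findings, facts); findings lists deviations from the settings above."""
    root = ET.fromstring(xml_text)
    # appSettings entries carry a key attribute; module entries carry a name.
    settings = {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}
    findings, facts = [], {}

    attempts = int(settings.get("ek_loginAttempts", "5"))  # text: default lockout is 5
    facts["loginAttempts"] = describe_login_attempts(attempts)
    if not 1 <= attempts <= 6:
        findings.append("ek_loginAttempts must be between 1 and 6 for PA DSS compliance")

    if settings.get("ek_passwordCaseSensitive", "false").lower() != "true":
        findings.append("ek_passwordCaseSensitive is false: passwords match case-insensitively")

    compliance = settings.get("ek_ecom_ComplianceMode", "false").lower() == "true"
    if not compliance:
        findings.append("ek_ecom_ComplianceMode is false: 90-day expiry, minimum length, "
                        "password history and idle logout are all off")

    # Assumption: a missing ek_ecom_PasswordHistory counts as 0.
    history = int(settings.get("ek_ecom_PasswordHistory", "0"))
    facts["passwordHistory"] = max(history, 4) if compliance else history
    if compliance and history < 4:
        findings.append(f"ek_ecom_PasswordHistory is {history}; Ektron enforces 4 "
                        "while compliance mode is on")

    present = {m.get("name") for mods in root.iter("modules") for m in mods.findall("add")}
    for name in REQUIRED_MODULES:
        if name not in present:
            findings.append(f"<modules> entry {name} from the default install is missing")
    return findings, facts
```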

Creating a Custom Password Strategy

The Ektron password validation provider lets developers create custom password validation strategies for Ektron. These providers can enforce custom password rules inside the system, beyond the out-of-box capabilities.

This section explains how to create a custom password validation provider for Ektron.

  1. Create a class library project in Visual Studio.
  2. Import the namespaces you need. Add references to:
    • Ektron.Cms.Commerce
    • Ektron.Cms.Common
    • Ektron.Cms.ObjectFactory
    • Microsoft.Practices.EnterpriseLibrary.Validation.dll
    • System.Configuration
    • Ektron.CMS.User
    • Ektron.CMS.DataRW
  3. Add the following using statements.
    using System;
    using System.Collections;
    using System.Configuration.Provider;
    using Microsoft.Practices.EnterpriseLibrary.Validation;
    using Ektron.Cms;
    using Ektron.Cms.Common;
    using Ektron.Cms.Commerce;
    using Ektron.Cms.Commerce.PasswordValidation.Provider;
    using System.Collections.Generic;
    using System.Text;
    using System.Text.RegularExpressions;
  4. Change the namespace to Ektron.Cms.Extensibility.Commerce.Samples, rename your class to CustomPasswordProvider, and inherit from the Ektron.Cms.Commerce.PasswordValidation.Provider.PasswordValidationProvider class and the Ektron.Cms.Commerce.IPasswordValidation interface.
    namespace Ektron.Cms.Extensibility.Commerce.Samples
    {
      public class CustomPasswordProvider :
        Ektron.Cms.Commerce.PasswordValidation.Provider.
          PasswordValidationProvider,
        Ektron.Cms.Commerce.IPasswordValidation
  5. Add the following constructor.
    #region constructor, member variables
    public CustomPasswordProvider() { }
    #endregion
  6. Add the GetRegexFor methods required by the PasswordValidationProvider base class. These methods return the regular expressions that validate passwords in Ektron for specific user types.
    • GetRegexForMember—Returns one or more regular expressions used for client-side validation of membership users, along with corresponding error messages to be used when client-side validation fails.
    • GetRegexForAuthor—Returns one or more regular expressions used for client-side validation of Ektron authors, along with corresponding error messages to be used when client-side validation fails.
    • GetRegexForCommerceAdmin—Returns one or more regular expressions used for client-side validation of eCommerce administrators, along with corresponding error messages to be used when client-side validation fails.
    • GetRegexForAdmin—Returns one or more regular expressions used for client-side validation of Ektron administrators, along with corresponding error messages to be used when client-side validation fails.

    NOTE: This example enforces a minimal requirement for authors/members, and adds a length and diversity requirement for administrators.

    #region public methods
    // Each rule has the form [/regex/, error message]; rules are separated by "],["
    // and are parsed by the Validate method below. A C# string literal cannot span
    // lines, so long messages are split with "+".
    public override string GetRegexForAdmin()
    {
      return "[/.{7}/, Password must contain at least seven characters]"
       + ",[/[0-9]+/, Password must contain at least one number]"
       + ",[/[a-zA-Z]+/, Password must contain at least one alphabetical character]"
       + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes,"
       + " double-quotes, percent-signs, or pound-signs]";
    }
    public override string GetRegexForAuthor()
    {
      return "[/.{1}/, Password too short]"
       + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes,"
       + " double-quotes, percent-signs, or pound-signs]";
    }
    public override string GetRegexForCommerceAdmin()
    {
      return "[/.{1}/, Password too short]"
       + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes,"
       + " double-quotes, percent-signs, or pound-signs]";
    }
    public override string GetRegexForMember()
    {
      return "[/.{1}/, Password too short]"
       + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes,"
       + " double-quotes, percent-signs, or pound-signs]";
    }
    #endregion
  7. Implement the ValidateFor methods, which use the regular expressions to validate passwords. Each one calls the generic Validate method, passing the password and the rule string for that user type.
    public override ValidationResults ValidateForAdmin(string password)
    {
      return Validate(password, GetRegexForAdmin());
    }
    public override ValidationResults ValidateForAuthor(string password)
    {
      return Validate(password, GetRegexForAuthor());
    }
    public override ValidationResults ValidateForCommerceAdmin(string password)
    {
      return Validate(password, GetRegexForCommerceAdmin());
    }
    public override ValidationResults ValidateForMember(string password)
    {
      return Validate(password, GetRegexForMember());
    }
    protected ValidationResults Validate(string password, string regexErrorMessage)
    {
      ValidationResults results = new ValidationResults();
      string regex, errorMessage;
      string[] parts;
      // Strip the outer brackets, then split "[/re/, msg],[/re/, msg]" into rules.
      string[] raw = regexErrorMessage.TrimStart('[').TrimEnd(']').Split(
        new string[] { "],[" }, StringSplitOptions.None);
      foreach (string combined in raw)
      {
        // "/re/, msg" -> regex "re" and the message that follows it.
        parts = combined.Split(new string[] { "/," }, StringSplitOptions.None);
        regex = parts[0].Trim('/');
        errorMessage = parts[1].Trim().TrimStart('"').TrimEnd('"');
        // Every rule the password fails adds its message to the results.
        if (!Regex.IsMatch(password, regex))
        {
          results.AddResult(new ValidationResult(errorMessage, this, "", "", null));
        }
      }
      return results;
    }
  8. Tell the system whether to enforce password expiration on users. There are 2 requirements.
    • PasswordExpirationEnabled—Enables password expiration globally, which allows RequiresPasswordExpiration to be called.
    • RequiresPasswordExpiration—Returns whether password expiration is enforced for a given user.

    NOTE: The system handles password expiration dates. Setting PasswordExpirationEnabled and RequiresPasswordExpiration tells Ektron to check and enforce those values.

    NOTE: When compliance mode is on, password validation cannot be disabled.

    public override bool PasswordExpirationEnabled()
    {
      return RequestInformation.CommerceSettings.ComplianceMode;
    }
    public override bool RequiresPasswordExpiration(long userId)
    {
      return (userId == 1);
    }
  9. Build the project, and copy the assembly to the Ektron site's bin directory.
  10. Register the provider, and direct Ektron to use it. The siteroot/web.config file lets you manage password providers within Ektron.
    • Locate the passwordValidationProvider section in the web.config file.
    • Add a reference to the class created earlier in the <providers> key.
    • Change the defaultProvider attribute, as shown below.
    <passwordValidationProvider defaultProvider="CustomPasswordProvider">
      <providers>
        <add name="CustomPasswordProvider"
          type="Ektron.Cms.Extensibility.Commerce.Samples.CustomPasswordProvider,
            CustomPasswordProvider" />
      </providers>
    </passwordValidationProvider>
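To try a rule string against sample passwords before building and deploying the provider, here is a Python model (an added example, not Ektron's code) of the rule format that the Validate method above parses, together with the compliance-mode history floor of 4 and the 85/90-day expiry windows from the earlier sections. The history check compares plain strings, a simplification of whatever Ektron compares internally.

```python
"""Offline model of the password rule format and compliance-mode checks described above."""
import re

# Same rule string the sample GetRegexForAdmin returns; Python's "\t" is a tab
# character, exactly as the C# escape is.
ADMIN_RULES = (
    "[/.{7}/, Password must contain at least seven characters]"
    ",[/[0-9]+/, Password must contain at least one number]"
    ",[/[a-zA-Z]+/, Password must contain at least one alphabetical character]"
    ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes,"
    " double-quotes, percent-signs, or pound-signs]"
)


def parse_rules(rule_string):
    """Split "[/regex/, message],[/regex/, message]" into (pattern, message) pairs,
    using the same separators as the provider's Validate method."""
    body = rule_string.lstrip("[").rstrip("]")
    pairs = []
    for combined in body.split("],["):
        regex, message = combined.split("/,", 1)
        pairs.append((regex.strip("/"), message.strip().strip('"')))
    return pairs


def validate(password, rule_string=ADMIN_RULES):
    """Return the message of every rule the password fails (empty list = valid).
    re.search matches anywhere in the string, like C#'s Regex.IsMatch."""
    return [msg for pattern, msg in parse_rules(rule_string)
            if not re.search(pattern, password)]


def violates_history(new_password, previous, configured_history=4,
                     compliance_mode=True, case_sensitive=False):
    """Compliance mode rejects a password equal to any of the last N, with N never
    below 4 whatever ek_ecom_PasswordHistory says. `previous` is ordered oldest to
    newest; case_sensitive mirrors ek_passwordCaseSensitive (default false)."""
    if not compliance_mode:
        return False
    n = max(configured_history, 4)
    norm = (lambda s: s) if case_sensitive else str.lower
    return norm(new_password) in {norm(p) for p in previous[-n:]}


def expiry_state(days_since_change):
    """'ok' before day 85, 'prompt' (Skip allowed) on days 85-89, 'must_change' from day 90."""
    if days_since_change >= 90:
        return "must_change"
    if days_since_change >= 85:
        return "prompt"
    return "ok"
```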

Placing Login Buttons

You can add any number of login buttons to a template. You can insert a login button on each template, or set up a special Web page, called login.aspx, from which users can log into the Ektron site without the public being able to access the page.

The Login server control paints a login button on the template when displayed in a browser. When the Login server control is inserted and the project is built, the control displays the following buttons on a Web page.

  • Login button—When the user is not logged in, this button appears. Clicking it opens the login window, where the user can enter a username and password. Upon authentication, the user is logged in to the Ektron Web site.
  • Logout button—After a user logs in, this button replaces the login button to let the user log out.
  • Workarea button—When logged in, this button appears under the logout button and lets the user access the Workarea.
  • Preview button—Lets the user preview the entire Web site as if all checked-in content were published.
  • Preview off button—Turns off site preview mode.
  • Help button—Launches online help for Ektron.

Login Server Control Properties

The following are Ektron-specific server control properties. You can find information about native .NET properties such as font, height, width and border style in Visual Studio® help.

  • Authenticated (String)

    Indicates if you are logged into the CMS Explorer and can use it to browse to content, collections, and so on. See Also: Browsing Your Ektron Site Using CMS Explorer.

  • AutoAddType (Common.EkEnumeration.AutoAddUserType)

    When using Single Signon, the Login Server Control can add users to Ektron. In this scenario, when a user signs on using Active Directory credentials, that user is created within the Ektron database. Use this property to define the type of user automatically added to Ektron. See Also: Single Sign On

    • Author—Ektron user
    • Member—membership user
  • AutoLogin (Boolean)

    If this property is set to true and Active Directory Integration is enabled, users are automatically logged in using Active Directory authentication. They do not need to enter a username or password. The default is False.

    • True—Use Active Directory authentication when logging in.
    • False—Do not use Active Directory authentication when logging in.

    NOTE: For this property to function properly, you must be using Active Directory authentication with your Ektron site. See Also: Active Directory

  • DoInitFill (Boolean)

    By default, Fill occurs during the Page_Init event. Set to false if you want to postpone the fill-action until later. In this case, Fill is automatically called during the Page Render event. You might do this if you need to set or change a property on the control in code-behind and have it render with your changes shown.

  • Hide (Boolean)

    Hides or displays the output of the control in design time and run time.

    • True—Hide the control output.
    • False—Display the control output.
  • Language (Integer)

    Set a language for the Login server control. This property shows results in design-time (in Visual Studio) and at run-time (in a browser).

  • OnlyAllowMemberLogin (Boolean)

    Lets only membership users log in. This property prevents users from logging in as an Ektron user and accessing the Workarea. If an Ektron user tries to log in using this control, this message appears: “Only members are allowed to login here.” The default is False.

    • True—Only membership users can log in
    • False—Ektron and membership users can log in
  • PromptLogout (Boolean)

    When set to False, the logout process omits the Logout window.

    • True—Users must click Logout to log out.
    • False—The Logout window does not appear
  • SuppressHelpButton (Boolean)

    Hides the Help button that appears below the Login button when set to true.

    • True—Do not display the Help button.

    • False (default)—Display Help button.

    If you are editing this server control from a text file and want to suppress the Help button, add the following code to the login tag source:

    <CMS:Login ID="Login1" runat="server" SuppressHelpButton="True" />
  • SuppressWrapperTags (Boolean)

    Suppresses the output of the span/div tags around the control.

    • True—Suppress wrap tags.
    • False (default)—Allow wrap tags.
  • WrapTag (String)

    Lets a developer specify a server control’s tag.

    • Span (default)—designate an inline portion of an HTML document as a span element.
    • Div—apply attributes to a block of code.
    • Custom—Lets you use a custom tag.

Logging in through Facebook

Facebook Login, an alternative to Ektron's standard login, lets users log in using their Facebook username and password instead of creating an Ektron username and password. Here is an example of the Facebook Login control.

This control lets Membership and Ektron users log into an Ektron Web site. If users have an Ektron user profile, they can be prompted to link the Facebook username and password with that profile.

Facebook Login allows log in only—it provides no other Facebook features, such as viewing profiles or sending messages.

NOTE: The Facebook Login feature does not support Active Directory.

These sites include samples of Facebook Login.

  • Developer Sample site > Social Networking > Facebook Connect
    • siteroot/developer/FacebookConnect/Login.aspx
    • siteroot/developer/FacebookConnect/CustomSignup.aspx
  • The OnTrek site's home page has a Facebook Login on the

NOTE: The user experience is enabled only after a developer sets up the feature. See Also: Setting Up Facebook Login

If a user clicks a Facebook Login button but is not logged into Facebook, the following screen appears.

When you complete this screen or if you are already logged into Facebook, you are forwarded to a page that prompts you to register with or log into Ektron.

This screen asks if you have a membership account. If so, do you want to connect this Facebook username and password with the Ektron account? If you agree, you will access your membership account via the Facebook Login with Facebook credentials from now on. If you do not have a membership account, complete the lower half of the screen. This is the same screen that new members use to create Ektron accounts. From then on, you can click the Facebook Login button to log into Ektron using a Facebook username and password.

When you log out of Ektron, that action does not log you out of Facebook. Conversely, if you log out of Facebook, you are not logged out of Ektron.

NOTE: Facebook often caches information in your browser. If you see JavaScript errors or other odd behavior, clear the browser cache, close all browser windows, and try again.

Setting Up Facebook Login

To set up the Facebook Login feature:

Step 1: Connect Facebook to Your Ektron Web Site

Follow these steps to obtain Facebook keys, paste them into the web.config file, and identify your site to Facebook.

  1. If you don't have one, create a Facebook account. Go to www.facebook.com and follow the sign-up instructions.
  2. Sign in to the Facebook Developer site, http://www.facebook.com/developer.
  3. Click +Create New App.
  4. Enter an App Name and App Namespace for your application. The name cannot include facebook or any variations, such as FB. Click Continue. A new screen appears, showing your App ID and App Secret.

  5. Open your Web site's root folder/web.config file.
  6. Copy the Facebook keys into these web.config elements.
    • App ID—ek_FacebookApiKey
    • App Secret—ek_FacebookSecret

    NOTE: Keys shipped in Ektron sample sites are for localhost. Also, make sure the Facebook keys were generated for the host header/URL to which you're applying them. And, if you are testing secure site setup, verify that the web.config element ek_useSSL is true.

  7. Save and close web.config.

    NOTE: After you update web.config with Facebook keys, wait a few minutes before logging into the Ektron site via the Facebook Login server control.

  8. Return to the Facebook Basic screen.
  9. Under Select how your app integrates with Facebook, click Website.
  10. In the Site URL field, enter your Web site's URL.
    • for a public site, enter its URL. For example, http://www.example.com.
    • for a shared server or if you are accessing the site from a remote machine, use the IP address. As examples, http://192.168.14.10, http://192.168.14.10/QA
    • for a local server, use localhost. As examples, http://localhost, http://localhost/EktronTech
  11. Save and close the Facebook screen.
  12. After setting up your application, you can return to this screen at any time to view the keys, edit the Site URL, etc.

Step 2: Create or Modify a Facebook Login/Signup Page

A Facebook form appears if a user clicks a Facebook Login button and is not currently logged into Facebook.

The form is created by Facebook, not Ektron. You can customize parts of it, such as the title and site image, using Facebook's Application settings.

When the user completes the form, he is forwarded to an Ektron form that prompts him to register or log in to Ektron.

You specify which form appears via the Facebook Login server control's SignupTemplate property.

The default form in the Developer sample site, siteroot/Developer/FacebookConnect/register.aspx, is shown above. You can use the default form as is, modify it, or create your own.

The logic to connect a Facebook user with an Ektron account is not part of the Facebook Login server control. However, sample code for that functionality is included in the Ektron Tech sample site's register.aspx page.

Alternative to Redirecting to the Signup Form

If you do not want to redirect the user to a signup form after Facebook login, you can hook the Ektron_FacebookNewMemberLoggedIn JavaScript event and handle it however you want. For example, you could raise a modal dialog with a short signup form.

Step 3: Place the Facebook Login Server Control on a Page

  1. In Visual Studio, open the template onto which you want to place a Facebook Login server control. See Also: Working with Ektron Server Controls
  2. Drag and drop the control.
  3. Use the following information to complete its properties.
    Facebook Login server control properties

    The following are Ektron-specific server control properties. You can find information about native .NET properties such as font, height, width and border style in Visual Studio® help.

    • Authenticated (String)

      Indicates if you are logged into the CMS Explorer and can use it to browse to content, collections, and so on. See Also: Browsing Your Ektron Site Using CMS Explorer.

    • FacebookButtonText (String)

      Enter the Facebook Login button text. The default is Connect with Facebook.

    • Hide (Boolean)

      Hides or displays the output of the control in design time and run time.

      • True—Hide the control output.
      • False—Display the control output.
    • InstructionDetail (String)

      Enter additional text that appears above the Facebook Login button. The default is Sign in using your Facebook account.

    • InstructionHeader (String)

      Enter text that appears above the Facebook Login button. The default is Sign in using your Facebook account.

    • Language

      Set a language for viewing content; shows results in design-time (in Visual Studio) and at run-time (in a browser).

    • SignupTemplate (String)

      Enter the path to the template that appears after a user completes the Connect with Facebook screen.

You can customize the markup for the form using the LoginTemplate and LogoutTemplate server controls.

Using Facebook Connect Extension with the Targeted Content Widget

Facebook Login lets you retrieve the following Facebook profile information, using Facebook Connect Extension.

  • Age
  • Gender
  • Marital Status
  • Likes
  • Employment

To learn how to do this, see the Knowledge Base article "INFO:Targeted Content Widget: Facebook Connect Extension" (http://dev.ektron.com/kb_article.aspx?id=32156). See Also: Creating Conditions with the Targeted Content Widget
