This section describes how to restrict login attempts and manage passwords.
Ektron has a login security feature that, by default, locks out a user after 5 unsuccessful attempts to log in on one computer. You control login security by changing the ek_loginAttempts element in the web.config file.
WARNING! If you want your Ektron eCommerce feature to comply with PA DSS certification, the ek_loginAttempts value must be between 1 and 6.
You can control the following capabilities.
By default, if a user unsuccessfully tries to log in 5 times, this error appears: The account is locked. Please contact your administrator. Afterwards, even if the user enters the correct password, he is locked out.
NOTE: You can change the error message text in the resource file. See Also: Procedure for Translating Workarea Strings.
To change the number of login attempts prior to lockout, edit the ek_loginAttempts element in the siteroot/web.config file. For example, to allow 3 unsuccessful logins before lockout, change the value to 3. You cannot enter a value greater than 254.
Once an account is locked out, the Account Locked field is checked on the Edit User screen.
To unlock the account, an administrator user (or a user assigned to the user-admin role) accesses the Edit User screen and unchecks the box. At this point, the user can sign in again.
NOTE: To unlock all users, set the ek_loginAttempts element in the siteroot/web.config file to -1. See Also: Disabling the Login Attempts Feature.
You can use the Account Locked field (described above) to manually lock a user out of Ektron. To do so, go to the Edit User screen, identify the user, and check the Account Locked field.
That user cannot sign in until either you uncheck the box or change the value of the ek_loginAttempts element in the web.config file to -1.
To disable the Login Attempts feature, set the value of the ek_loginAttempts element in the web.config file to -1. If you do, any user can try to log in as many times as he wants. The error message never appears, and he is not prevented from entering a password.
NOTE: Setting the ek_loginAttempts element in the web.config file to -1 unlocks all locked accounts.
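The lockout rules above, as an added example that is not part of the original documentation or of Ektron's code: a small C# model that applies the ek_loginAttempts value (1 to 254, or -1 to disable) together with the ek_passwordCaseSensitive setting described later on this page. LoginAttemptPolicy, UserAccount, UserDirectory and the other names are assumptions made for the example, and the sample user and password are constructed.

```csharp
// Added example, not Ektron's code: a self-contained model of the ek_loginAttempts
// lockout rules. Class and method names are invented; the error text, the -1 and 254
// limits and the PA DSS range of 1..6 come from the documentation.
using System;
using System.Collections.Generic;

public sealed class LoginAttemptPolicy
{
    public const string LockedMessage = "The account is locked. Please contact your administrator.";

    public int MaxAttempts { get; }            // ek_loginAttempts: -1 disables, otherwise 1..254
    public bool CaseSensitivePasswords { get; } // ek_passwordCaseSensitive (false by default)

    public LoginAttemptPolicy(int ekLoginAttempts, bool ekPasswordCaseSensitive = false)
    {
        if (ekLoginAttempts != -1 && (ekLoginAttempts < 1 || ekLoginAttempts > 254))
            throw new ArgumentOutOfRangeException(nameof(ekLoginAttempts),
                "ek_loginAttempts must be -1 (disabled) or a value from 1 to 254.");
        MaxAttempts = ekLoginAttempts;
        CaseSensitivePasswords = ekPasswordCaseSensitive;
    }

    public bool Enabled => MaxAttempts != -1;
    public bool PaDssCompliant => Enabled && MaxAttempts <= 6; // PA DSS wants 1..6
}

public sealed class UserAccount
{
    public string Username { get; }
    public bool AccountLocked { get; private set; }  // the Account Locked checkbox on Edit User
    public int FailedAttempts { get; private set; }
    private readonly string password;                // plaintext only because this demo is constructed

    public UserAccount(string username, string password)
    {
        Username = username;
        this.password = password;
    }

    // An administrator (or user-admin role) checks or unchecks Account Locked.
    public void SetAccountLocked(bool locked)
    {
        AccountLocked = locked;
        if (!locked) FailedAttempts = 0;  // unlocking gives a fresh allowance
    }

    public string TryLogin(string attempt, LoginAttemptPolicy policy)
    {
        // A locked account is refused even when the password is correct.
        if (policy.Enabled && AccountLocked) return LoginAttemptPolicy.LockedMessage;

        StringComparison cmp = policy.CaseSensitivePasswords
            ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase;
        if (string.Equals(attempt, password, cmp))
        {
            FailedAttempts = 0;
            return "Signed in";
        }

        FailedAttempts++;
        if (policy.Enabled && FailedAttempts >= policy.MaxAttempts)
        {
            AccountLocked = true;
            return LoginAttemptPolicy.LockedMessage;
        }
        return "Invalid username or password";
    }
}

public static class UserDirectory
{
    // Setting ek_loginAttempts to -1 unlocks every locked account.
    public static void ApplyPolicy(LoginAttemptPolicy policy, IEnumerable<UserAccount> users)
    {
        if (policy.Enabled) return;
        foreach (UserAccount u in users) u.SetAccountLocked(false);
    }
}

public static class LockoutDemo
{
    public static void Main()
    {
        var policy = new LoginAttemptPolicy(3);          // lock after 3 failures
        var alice = new UserAccount("alice", "TOKEN");   // constructed sample user

        Console.WriteLine(alice.TryLogin("token", policy));   // Signed in (case-insensitive default)
        for (int i = 0; i < 3; i++)
            Console.WriteLine(alice.TryLogin("wrong", policy)); // third call prints the lock message
        Console.WriteLine(alice.TryLogin("TOKEN", policy));   // still locked despite correct password

        alice.SetAccountLocked(false);                        // administrator unchecks the box
        Console.WriteLine(alice.TryLogin("TOKEN", policy));   // Signed in

        alice.SetAccountLocked(true);                         // manual lock via Edit User
        var disabled = new LoginAttemptPolicy(-1);            // feature turned off
        UserDirectory.ApplyPolicy(disabled, new[] { alice });
        Console.WriteLine(alice.TryLogin("TOKEN", disabled)); // Signed in
        Console.WriteLine(policy.PaDssCompliant);             // True
    }
}
```

Compile with any C# compiler and run: Main walks through lockout, administrator unlock, and the effect of setting the value to -1. The test on the locked flag is deliberately placed before the password comparison, which is what makes a correct password useless once the account is locked.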
You can change the images used for the login and logout buttons. To do so, update the following elements in the web.config file in your Web site's root directory:
<add key="ek_Image_1" value="btn_close.gif" />
<add key="ek_Image_2" value="btn_login.gif" />
<add key="ek_Image_3" value="btn_login_big.gif" />
NOTE: You must update the images and web.config whenever you upgrade Ektron.
You may find that in certain browsers, the login screen occupies the entire browser window instead of just a small box. Browsers such as Internet Explorer 8 and Firefox have a feature called tabs. When the login window pops up, it appears as a new tab. You can change this behavior by turning off tabs within the browser.
This section contains the following topics relating to managing passwords.
The builtin user is an emergency user if you cannot log in to Ektron as the administrator. The builtin user is defined in the Ektron setup screen.
To edit the username and password:
The builtin user can log in to Ektron whether or not Active Directory or LDAP is enabled. The builtin user's default username and password combination is builtin/builtin. For security reasons, Ektron recommends changing them during installation.
If you log into the Workarea as the builtin user, you can access only the following screens on the Settings tab.
WARNING! Use the builtin user only to correct a bad or expired license key. It is not designed for regular Ektron operations. If you try to edit content while signed on as a builtin user, you will generate errors.
If you cannot sign in to Ektron because the builtin user password was changed and you don't know the new password, use the BuiltinAccountReset.exe utility. This resets the builtin username and password to Builtin / Builtin. This utility is located in C:\Program Files\Ektron\CMS400versionnumber\Utilities.
By default, passwords are case insensitive. So for example, if the password is TOKEN and the user enters token, the signon is successful.
If you want to make passwords case sensitive, change the value of the ek_passwordCaseSensitive element of the siteroot/web.config file from false to true.
If you do, and the password is TOKEN and the user enters token, the signon is unsuccessful. The user would have to enter TOKEN to successfully sign on.
Ektron has a password security feature that forces an administrator or user with the Commerce Admin role to change his password at least every 90 days. This feature is only enabled when the ek_ecom_ComplianceMode key in the site's web.config file is set to true.
Once such a user goes 85 days without changing his password, a dialog box appears at the next log-in, asking him to change the password. If he does not want to do so at that time, he can click Skip. He is allowed to do this for the next 5 days. Once 90 days have passed, he must change his password before he can log into Ektron.
Ektron has a password security feature that automatically logs out an administrator or user with the Commerce Admin role after 15 minutes of inactivity. Activity is based on requests made to the server.
This feature is enabled when the site's web.config file's ek_ecom_ComplianceMode key is set to true. In addition, if you are using IIS7, the module entries below need to appear between the <modules> tags in the web.config file. These lines are part of the default install. You should make sure they have not been removed.
<modules>
  <add name="MyDigestAuthenticationModule"
       type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule, Ektron.ASM.EkHttpDavHandler" />
  <add name="ScriptModule"
       type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
       preCondition="integratedMode" />
  <add name="EkUrlAliasModule" type="UrlAliasingModule" preCondition="integratedMode" />
</modules>
If you are using IIS 6, the module entries below need to appear between the <httpModules> tags in the web.config file. These lines are part of the default install. You should make sure they have not been removed.
<httpModules>
  <add name="DigestAuthenticationModule"
       type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule, Ektron.ASM.EkHttpDavHandler" />
  <add name="ScriptModule"
       type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add name="EkUrlAliasModule" type="UrlAliasingModule" />
</httpModules>
Ektron has a password security feature that forces an administrator or user with the Commerce Admin role to use at least 7 characters in his password. Further, the password must contain at least one alphabetic and one numeric character.
This feature is enabled only when the ek_ecom_ComplianceMode key in the site's web.config file is set to true.
Ektron has a password security feature that forces an administrator or user with the Commerce Admin role to create a password that does not match his last 4 passwords. This feature is enabled only when the site's web.config file has the ek_ecom_ComplianceMode key set to true and the ek_ecom_PasswordHistory key set to at least 4.
You can set ek_ecom_PasswordHistory to a number higher than 4 if you want a higher level of security. If you set this key to less than 4 and the ek_ecom_ComplianceMode key is set to true, Ektron enforces at least 4.
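The compliance-mode rules described in the preceding sections (90-day expiration with the 85-day Skip window, the 15-minute inactivity logout, the 7-character alphanumeric minimum, and the password history floor of 4), as an added example that is not part of the original documentation or of Ektron's code: a self-contained C# model that makes the rules testable in one place. CompliancePasswordPolicy, ExpiryState and the method names are assumptions made for the example; the sample password history and dates are constructed.

```csharp
// Added example, not Ektron's code: a model of the ek_ecom_ComplianceMode password rules.
// Names are invented; the numbers (7 characters, 4 previous passwords, 85/90 days,
// 15 minutes) are the ones the documentation states.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public enum ExpiryState { Current, WarnCanSkip, MustChange }

public sealed class CompliancePasswordPolicy
{
    public const int MinLength = 7;
    public const int MinHistory = 4;
    public const int WarnAfterDays = 85;
    public const int ExpireAfterDays = 90;
    public static readonly TimeSpan InactivityTimeout = TimeSpan.FromMinutes(15);

    public bool ComplianceMode { get; }   // ek_ecom_ComplianceMode
    public int PasswordHistory { get; }   // effective ek_ecom_PasswordHistory

    public CompliancePasswordPolicy(bool complianceMode, int configuredHistory)
    {
        ComplianceMode = complianceMode;
        // In compliance mode a configured value below 4 is raised to 4; higher values are honoured.
        PasswordHistory = complianceMode ? Math.Max(MinHistory, configuredHistory) : configuredHistory;
    }

    // Returns the rule violations for a proposed password; an empty list means accepted.
    // previousPasswords is ordered most recent first. A real store keeps and compares
    // hashes; plaintext is used here only to keep the demo self-contained.
    public IReadOnlyList<string> Validate(string candidate, IEnumerable<string> previousPasswords)
    {
        var errors = new List<string>();
        if (!ComplianceMode) return errors;   // these rules apply only in compliance mode

        if (candidate.Length < MinLength)
            errors.Add("Password must contain at least seven characters");
        if (!Regex.IsMatch(candidate, "[a-zA-Z]"))
            errors.Add("Password must contain at least one alphabetical character");
        if (!Regex.IsMatch(candidate, "[0-9]"))
            errors.Add("Password must contain at least one number");
        if (previousPasswords.Take(PasswordHistory).Contains(candidate, StringComparer.Ordinal))
            errors.Add("Password must not match any of the last " + PasswordHistory + " passwords");
        return errors;
    }

    // 85 days: the change dialog appears but Skip is allowed; 90 days: the change is mandatory.
    public ExpiryState CheckExpiry(DateTime lastChangedUtc, DateTime nowUtc)
    {
        if (!ComplianceMode) return ExpiryState.Current;
        double ageDays = (nowUtc - lastChangedUtc).TotalDays;
        if (ageDays >= ExpireAfterDays) return ExpiryState.MustChange;
        if (ageDays >= WarnAfterDays) return ExpiryState.WarnCanSkip;
        return ExpiryState.Current;
    }

    // Inactivity is measured from the last request made to the server.
    public bool SessionExpired(DateTime lastRequestUtc, DateTime nowUtc)
        => ComplianceMode && nowUtc - lastRequestUtc >= InactivityTimeout;
}

public static class ComplianceDemo
{
    public static void Main()
    {
        var policy = new CompliancePasswordPolicy(complianceMode: true, configuredHistory: 2);
        Console.WriteLine(policy.PasswordHistory);   // 4: the minimum is enforced

        // Constructed history, most recent first.
        string[] history = { "First1aa", "Second2bb", "Third3cc", "Fourth4dd", "Fifth5ee" };
        foreach (string e in policy.Validate("abc", history)) Console.WriteLine(e);       // too short, no digit
        foreach (string e in policy.Validate("Fourth4dd", history)) Console.WriteLine(e); // matches one of the last 4
        Console.WriteLine(policy.Validate("Fifth5ee", history).Count);                    // 0: outside the last 4

        var changed = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(policy.CheckExpiry(changed, changed.AddDays(86)));  // WarnCanSkip
        Console.WriteLine(policy.CheckExpiry(changed, changed.AddDays(90)));  // MustChange

        var lastRequest = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(policy.SessionExpired(lastRequest, lastRequest.AddMinutes(16))); // True
    }
}
```

The history check only looks at the most recent PasswordHistory entries, so raising ek_ecom_PasswordHistory above 4 widens the window without touching the other rules; with ComplianceMode false every check short-circuits to "accepted", which is the documented behaviour of leaving the key unset.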
The Ektron password validation provider lets developers create custom password validation strategies for Ektron. These providers can enforce custom password rules inside the system, beyond the out-of-box capabilities.
This section explains how to create a custom password validation provider for Ektron.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Configuration.Provider;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.Practices.EnterpriseLibrary.Validation;
using Ektron.Cms;
using Ektron.Cms.Common;
using Ektron.Cms.Commerce;
using Ektron.Cms.Commerce.PasswordValidation.Provider;

namespace Ektron.Cms.Extensibility.Commerce.Samples
{
    // The custom provider inherits from the PasswordValidationProvider base class
    // and implements the IPasswordValidation interface.
    public class CustomPasswordProvider :
        Ektron.Cms.Commerce.PasswordValidation.Provider.PasswordValidationProvider,
        Ektron.Cms.Commerce.IPasswordValidation
    {
        #region constructor, member variables
        public CustomPasswordProvider() { }
        #endregion
Next come the GetRegexFor... methods required by the PasswordValidationProvider base class. These methods return the regexes that will validate passwords in Ektron for specific user types. Each rule has the form [/regex/, error message]; rules are separated by commas, and every rule that does not match the password produces its error message. NOTE: This example enforces a minimal requirement for authors/members, and adds a length and diversity requirement for administrators.
        #region public methods
        // Administrators: at least seven characters, one digit, one letter, no risky characters.
        public override string GetRegexForAdmin()
        {
            return "[/.{7}/, Password must contain at least seven characters]"
                + ",[/[0-9]+/, Password must contain at least one number]"
                + ",[/[a-zA-Z]+/, Password must contain at least one alphabetical character]"
                + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes, double-quotes, percent-signs, or pound-signs]";
        }

        // Authors: at least one character and no risky characters.
        public override string GetRegexForAuthor()
        {
            return "[/.{1}/, Password too short]"
                + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes, double-quotes, percent-signs, or pound-signs]";
        }

        // Commerce administrators: same minimal rule in this sample.
        public override string GetRegexForCommerceAdmin()
        {
            return "[/.{1}/, Password too short]"
                + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes, double-quotes, percent-signs, or pound-signs]";
        }

        // Membership users: same minimal rule in this sample.
        public override string GetRegexForMember()
        {
            return "[/.{1}/, Password too short]"
                + ",[/^[^ \t'\"%#]+$/, Password cannot contain spaces, tabs, single-quotes, double-quotes, percent-signs, or pound-signs]";
        }
        #endregion
Next come the ValidateFor... methods, which use the regexes to validate passwords. They call the generic function Validate, to which we pass the password and the rule string for that user type.
        public override ValidationResults ValidateForAdmin(string password)
        {
            return Validate(password, GetRegexForAdmin());
        }

        public override ValidationResults ValidateForAuthor(string password)
        {
            return Validate(password, GetRegexForAuthor());
        }

        public override ValidationResults ValidateForCommerceAdmin(string password)
        {
            return Validate(password, GetRegexForCommerceAdmin());
        }

        public override ValidationResults ValidateForMember(string password)
        {
            return Validate(password, GetRegexForMember());
        }

        // Splits the "[/regex/, message],[/regex/, message]" rule string and adds one
        // ValidationResult for every rule the password fails to match.
        protected ValidationResults Validate(string password, string regexErrorMessage)
        {
            ValidationResults results = new ValidationResults();
            string regex, errorMessage;
            string[] parts;
            // Strip the outer brackets, then split the remaining "],[" separators into rules.
            string[] raw = regexErrorMessage.TrimStart('[').TrimEnd(']')
                .Split(new string[] { "],[" }, StringSplitOptions.None);
            foreach (string combined in raw)
            {
                // Each rule is "/regex/, message": the "/," marks the end of the regex.
                parts = combined.Split(new string[] { "/," }, StringSplitOptions.None);
                regex = parts[0].Trim('/');
                errorMessage = parts[1].Trim().TrimStart('"').TrimEnd('"');
                if (!Regex.IsMatch(password, regex))
                {
                    results.AddResult(new ValidationResult(errorMessage, this, "", "", null));
                }
            }
            return results;
        }
NOTE: The system handles password expiration dates. Setting PasswordExpirationEnabled and RequiresPasswordExpiration tells Ektron to check and enforce those values.
NOTE: When compliance mode is on, password validation cannot be disabled.
        // Expiration is enforced only in compliance mode, and in this sample only for user 1.
        public override bool PasswordExpirationEnabled()
        {
            return RequestInformation.CommerceSettings.ComplianceMode;
        }

        public override bool RequiresPasswordExpiration(long userId)
        {
            return (userId == 1);
        }
    }
}
The passwordValidationProvider section of the siteroot/web.config file lets you manage password providers within Ektron. To register the custom provider, add it under the <providers> key of that section and name it in the defaultProvider attribute. The type attribute is the fully qualified class name followed by the assembly name.
<passwordValidationProvider defaultProvider="CustomPasswordProvider">
  <providers>
    <add name="CustomPasswordProvider"
         type="Ektron.Cms.Extensibility.Commerce.Samples.CustomPasswordProvider, CustomPasswordProvider" />
  </providers>
</passwordValidationProvider>
You can add any number of login buttons to a template. You can insert a login button on each template, or set up a special Web page, called login.aspx, from which users can log into the Ektron site without the public being able to access the page.
The Login server control paints a login button on the template when displayed in a browser. When the Login server control is inserted and the project is built, the control displays the following buttons on a Web page.
Login button: When a user is not logged in, this button appears. Clicking the button opens the login window, where the user can enter a username and password. Upon authentication, the user is logged in to the Ektron Web site.
Logout button: After a user logs in, this button replaces the Login button to let the user log out.
Workarea button: When the user is logged in, this button appears under the Logout button, allowing the user to access the Workarea.
Site preview button: Lets the user preview the entire Web site as if all checked-in content were published.
End preview button: Turns off site preview mode.
Help button: Launches online help for Ektron.
The following are Ektron-specific server control properties. You can find information about native .NET properties such as font, height, width and border style in Visual Studio® help.
Indicates if you are logged into the CMS Explorer and can use it to browse to content, collections, and so on. See Also: Browsing Your Ektron Site Using CMS Explorer.
When using Single Signon, the Login Server Control can add users to Ektron. In this scenario, when a user signs on using Active Directory credentials, that user is created within the Ektron database. Use this property to define the type of user automatically added to Ektron. See Also: Single Sign On
If this property is set to true and Active Directory Integration is enabled, users are automatically logged in using Active Directory authentication. They do not need to enter a username or password. The default is False.
NOTE: For this property to function properly, you must be using Active Directory authentication with your Ektron site. See Also: Active Directory
By default, Fill occurs during the Page_Init event. Set to false if you want to postpone the fill-action until later. In this case, Fill is automatically called during the Page Render event. You might do this if you need to set or change a property on the control in code-behind and have it render with your changes shown.
Hides or displays the output of the control in design time and run time.
Set a language for the Login server control. This property shows results in design-time (in Visual Studio) and at run-time (in a browser).
Lets only membership users log in. This property prevents users from logging in as an Ektron user and accessing the Workarea. If an Ektron user tries to log in using this control, this message appears: "Only members are allowed to login here." The default is False.
When set to False, the logout process omits the Logout window.
Hides the Help button that appears below the Login button when set to true.
If you are editing this server control from a text file and want to suppress the Help button, add the following code to the login tag source:
<CMS:Login ID="Login1" runat="server" SuppressHelpButton="True" />
Suppresses the output of the span/div tags around the control.
Lets a developer specify a server control’s tag.
Facebook Login, an alternative to Ektron's standard login, lets users log in using their Facebook username and password instead of creating an Ektron username and password. Here is an example of Facebook Login control.
This control lets Membership and Ektron users log into an Ektron Web site. If users have an Ektron user profile, they can be prompted to link the Facebook username and password with that profile.
Facebook Login allows log in only—it provides no other Facebook features, such as viewing profiles or sending messages.
NOTE: The Facebook Login feature does not support Active Directory.
These sites include samples of Facebook Login.
siteroot/developer/FacebookConnect/Login.aspx
siteroot/developer/FacebookConnect/CustomSignup.aspx
NOTE: The user experience is enabled only after a developer sets up the feature. See Also: Setting Up Facebook Login
If a user clicks a Facebook Login button but is not logged into Facebook, the following screen appears.
When you complete this screen or if you are already logged into Facebook, you are forwarded to a page that prompts you to register with or log into Ektron.
This screen asks if you have a membership account. If so, do you want to connect this Facebook username and password with the Ektron account? If you agree, you will access your membership account via the Facebook Login with Facebook credentials from now on. If you do not have a membership account, complete the lower half of the screen. This is the same screen that new members use to create Ektron accounts. From then on, you can click the Facebook Login button to log into Ektron using a Facebook username and password.
When you log out of Ektron, that action does not log you out of Facebook. Conversely, logging out of Facebook does not log you out of Ektron.
NOTE: Facebook often caches information in your browser. If you see JavaScript errors or other odd behavior, clear the browser cache, close all browser windows, and try again.
To set up the Facebook Login feature, follow these steps to obtain Facebook keys, paste them into the web.config file, and identify your site to Facebook.
1. Go to www.facebook.com and follow the sign up instructions.
2. When naming the application, do not use facebook or any variations, such as FB. Click Continue. A new screen appears, showing your App ID and AppSecret.
3. Open the site's web.config file.
4. Paste the App ID into the ek_FacebookApiKey element and the AppSecret into the ek_FacebookSecret element of web.config.
NOTE: Keys shipped in Ektron sample sites are for localhost. Also, make sure the Facebook keys were generated for the host header/URL to which you're applying them. And, if you are testing secure site setup, verify that the web.config element ek_useSSL is true.
5. Save web.config.
NOTE: After you update web.config with Facebook keys, wait a few minutes before logging into the Ektron site via the Facebook Login server control.
A Facebook form appears if a user clicks a Facebook Login button and is not currently logged into Facebook.
The form is created by Facebook, not Ektron. You can customize parts of it, such as the title and site image, using Facebook's Application settings.
When the user completes the form, he is forwarded to an Ektron form that prompts him to register or log in to Ektron.
You specify which form appears via the Facebook Login server control's SignupTemplate property.
The default form in the Developer sample site, siteroot/Developer/FacebookConnect/register.aspx, is shown above. You can use the default form as is, modify it, or create your own.
The logic to connect a Facebook user with an Ektron account is not part of the Facebook Login server control. However, sample code for that functionality is included in the Ektron Tech sample site's register.aspx page.
If you do not want to redirect the user to a signup form after Facebook login, you can hook the Ektron_FacebookNewMemberLoggedIn JavaScript event and do whatever you want with it. For example, you could raise a modal dialog with a short signup form.
The following are Ektron-specific server control properties. You can find information about native .NET properties such as font, height, width and border style in Visual Studio® help.
Indicates if you are logged into the CMS Explorer and can use it to browse to content, collections, and so on. See Also: Browsing Your Ektron Site Using CMS Explorer.
Enter the Facebook Login button text. The default is Connect with Facebook.
Hides or displays the output of the control in design time and run time.
Enter additional text that appears above the Facebook Login button. The default is Sign in using your Facebook account.
Enter text that appears above the Facebook Login button. The default is Sign in using your Facebook account.
Set a language for viewing content; shows results in design-time (in Visual Studio) and at run-time (in a browser).
Enter the path to the template that appears after a user completes the Connect with Facebook screen.
You can customize the markup for the form using the LoginTemplate and LogoutTemplate server controls.
Facebook Login lets you retrieve the following Facebook profile information, using Facebook Connect Extension.
To learn how to do this, see the Knowledge Base article "INFO: Targeted Content Widget: Facebook Connect Extension" (http://dev.ektron.com/kb_article.aspx?id=32156). See Also: Creating Conditions with the Targeted Content Widget