February 12, 2007

Changing passwords in ASP.NET 2.0 applications from the database

At one time or another I think everyone has been locked out of a system and not been able to get back in. This can be especially troubling if you happen to be locked out of your administrator account. I have seen many people asking how to reset passwords for the host and admin accounts with DotNetNuke so I thought I would write up some simple instructions on how to change a password via the database for any ASP.NET 2.0 website.

The first thing to note is that you must know the working password of another account on your site. For this example I know the password of my "admin" account for DotNetNuke; you can use any account in your system whose password you know. Once you have identified the user account, run the following query to obtain the needed user information. You will need to know the username and application name for the specific user account. In my example below the username is admin and the application name is DotNetNuke.

SELECT password, passwordformat, passwordsalt
FROM aspnet_membership am
INNER JOIN aspnet_users au
ON (au.userid = am.userid)
INNER JOIN aspnet_applications aa
ON (au.applicationId = aa.applicationid)
WHERE au.username = 'admin'
AND aa.applicationname = 'DotNetNuke'

You will want to copy the results of this query to your clipboard, as you will need this information for the next step of the process. Next we will use the ASP.NET stored procedure "aspnet_Membership_setPassword" to set the password value for our user. When calling this stored procedure we must pass the following values to it, in this order: ApplicationName, Username, Password, PasswordSalt, ChangeTime, passwordFormat. Below is an example; you will simply need to substitute your values.

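--Prepare the change date
DECLARE @changeDate datetime
SET @changeDate = getdate()

--set the password
--Replace each <...> placeholder; password, salt and format come from the first query
exec aspnet_Membership_setPassword 'DotNetNuke', '<username to reset>',
    '<password from query>', '<passwordsalt from query>',
    @changeDate, <passwordformat from query>

--Sets the password to dnnadmin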

After running this script you should be able to log in with the newly set password. There are a few things to remember about this method. First, to guarantee that it will work correctly, the known user account information must be taken from the same application, because the machine and validation keys change the encryption methods used for setting the passwords. Also, remember that this method will work with ANY ASP.NET 2.0 website. This can be very helpful if you happen to be locked out of an account that cannot send forgotten password e-mails, such as host or admin in DotNetNuke.
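A follow-up check, added here as an example and not part of the original post: because this method copies the stored password and salt from one account to another, the two rows end up with an identical password/salt pair, which a per-user random salt would otherwise make practically impossible. The query below lists accounts that share a pair, so they can be given a fresh password through the application afterwards. The table variables and their rows are constructed stand-ins that carry only the columns used (with int ids for brevity); on a real site, point the query at aspnet_Users and aspnet_Membership.

```sql
-- Constructed sample data; the hash and salt strings are made-up markers, not real values.
DECLARE @users TABLE (UserId int, ApplicationId int, UserName nvarchar(256));
DECLARE @membership TABLE (
    UserId int, ApplicationId int,
    Password nvarchar(128), PasswordFormat int, PasswordSalt nvarchar(128),
    LastPasswordChangedDate datetime);

INSERT INTO @users VALUES
    (1, 10, 'host'), (2, 10, 'admin'), (3, 10, 'editor');

INSERT INTO @membership VALUES
    (1, 10, 'CONSTRUCTED-HASH-A', 1, 'CONSTRUCTED-SALT-A', '2007-02-12T09:30:00'),
    (2, 10, 'CONSTRUCTED-HASH-A', 1, 'CONSTRUCTED-SALT-A', '2006-11-03T14:05:00'),
    (3, 10, 'CONSTRUCTED-HASH-B', 1, 'CONSTRUCTED-SALT-B', '2006-12-20T08:15:00');

-- Accounts whose stored password AND salt match another account in the same
-- application. The most recent LastPasswordChangedDate in each group is the
-- account that received the copied values.
SELECT u.UserName,
       m.PasswordFormat,
       m.LastPasswordChangedDate,
       d.SharedBy
FROM @membership m
INNER JOIN @users u
    ON u.UserId = m.UserId
INNER JOIN (
    SELECT ApplicationId, Password, PasswordSalt, COUNT(*) AS SharedBy
    FROM @membership
    GROUP BY ApplicationId, Password, PasswordSalt
    HAVING COUNT(*) > 1
) d
    ON  d.ApplicationId = m.ApplicationId
    AND d.Password      = m.Password
    AND d.PasswordSalt  = m.PasswordSalt
ORDER BY d.Password, m.LastPasswordChangedDate DESC;
```

With the sample rows, the result lists host and admin (SharedBy = 2) and leaves editor out.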

tags: DNN, ASP.NET, .NET 2.0

Content provided in this blog is provided "AS-IS" and the information should be used at your own discretion.  The thoughts and opinions expressed are the personal thoughts of Mitchel Sellers and do not reflect the opinions of his employer.

Content Copyright

Content in this blog is copyright protected.  Re-publishing on other websites is allowed as long as proper credit and backlink to the article is provided.  Any other re-publishing or distribution of this content is prohibited without written permission from Mitchel Sellers.