Play with Sitecore Password Policy

Sitecore exposes its password policy as attributes on the membership provider in the web.config file (/configuration/system.web/membership/providers/add). It supports the following settings:

  1. minRequiredPasswordLength: Minimum number of characters in the password
  2. minRequiredNonalphanumericCharacters: Minimum number of non-alphanumeric characters (basically, the special characters) in the password
  3. maxInvalidPasswordAttempts: Maximum number of times a user can try a password before being locked out

It works fine when you create new users, change an existing user’s password, or reset a password. However, I did find a bug in the Email Campaign Manager module (ECM 2.1 in my case).

As we know, when someone subscribes to a newsletter, ECM creates a new user in the Sitecore system and assigns the respective role to that account. While creating the new user, it attaches an auto-generated password. It seems ECM’s code never checks Sitecore’s password policy, so the generated password is invalid and the user cannot be created. Here is the error message I got:

System.Web.Services.Protocols.SoapException: Server was unable to process request. --->
  System.Web.Security.MembershipCreateUserException: The password supplied is invalid. Passwords must conform to the password strength requirements configured for the default provider. at
  System.Web.Security.Membership.CreateUser(String username, String password, String email) at
  Sitecore.Modules.EmailCampaign.Contact.CreateAnonymous(String localName, ManagerRoot root) at
  Sitecore.Modules.EmailCampaign.Contact.GetAnonymousFromEmail(String email, ManagerRoot root) at
  Sitecore.Modules.EmailCampaign.Core.TypeResolver.GetCorrectAnonymouseFromEmail(String email, ManagerRoot root) at
  Sitecore.Modules.EmailCampaign.Core.ClientApiLocal.GetAnonymousFromEmail(String email, String rootID) at
  Sitecore.Modules.EmailCampaign.ECMClientService.GetAnonymousFromEmail(String email, String rootID)
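
The failure above comes from handing Membership.CreateUser a generated password that does not meet the provider's configured policy. As an added example (not ECM's code and not the contents of the hot-fix), the sketch below sizes a generated password from the policy values before creating the account; the class name, method names and the 16-character floor are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Security;

// Added illustration; PolicyAwarePassword and its members are hypothetical names,
// not part of Sitecore, ECM or the 433626 hot-fix.
public static class PolicyAwarePassword
{
    // True when the candidate meets the default provider's configured policy.
    public static bool Satisfies(string candidate)
    {
        if (string.IsNullOrEmpty(candidate)) return false;
        if (candidate.Length < Membership.MinRequiredPasswordLength) return false;

        int special = candidate.Count(c => !char.IsLetterOrDigit(c));
        if (special < Membership.MinRequiredNonAlphanumericCharacters) return false;

        // Optional provider attribute; empty when it is not configured.
        string pattern = Membership.PasswordStrengthRegularExpression;
        return string.IsNullOrEmpty(pattern) || Regex.IsMatch(candidate, pattern);
    }

    // Generates a random password sized from the policy instead of a fixed format.
    // floorLength is an assumed baseline, raised to the configured minimum if needed.
    public static string Generate(int floorLength = 16, int maxTries = 20)
    {
        int length = Math.Min(128, Math.Max(floorLength, Membership.MinRequiredPasswordLength));
        int special = Math.Min(length, Membership.MinRequiredNonAlphanumericCharacters);

        for (int i = 0; i < maxTries; i++)
        {
            string candidate = Membership.GeneratePassword(length, special);
            if (Satisfies(candidate)) return candidate;
        }
        throw new InvalidOperationException(
            "Could not generate a password that satisfies the membership policy.");
    }

    // Creates the account; a rejection is reported through status
    // (for example MembershipCreateStatus.InvalidPassword) instead of an exception.
    public static MembershipUser CreateAccount(string userName, string email,
                                               out MembershipCreateStatus status)
    {
        return Membership.CreateUser(userName, Generate(), email,
                                     null, null, true, out status);
    }
}
```

Because the length and special-character counts are read from the provider at run time, tightening the policy in web.config does not break account creation later.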

Sitecore has recognised it as a bug and the reference number is 433626 (although I cannot find its information on the Knowledge Base now). A hot-fix is on the way; I’ll post an update when it is ready.

Besides, another common request from users is to have passwords expire after a certain time. I took inspiration from Enforce Password Expiration – Sitecore and modified it accordingly. It’s a good post to read. ^_^

Updated on 19 Jun

Sitecore has provided a hot-fix for ECM’s create new user issue. It is for Sitecore 7.2 rev. 141226 with ECM 2.1 rev. 140214.

  1. Add Sitecore.Support.433626.dll to the \bin folder
  2. Add Sitecore.Support.433626.config to the \App_Config\Include folder

It has been tested and works for my solution. Feel free to take the files.


