Troubleshooting password reset token expiry in Forms Based Authentication (FBA)
Who is this article for?
Users resetting passwords.
No special access or permissions are required.
When a Forms Based Authentication (FBA) user account is created or a password reset is triggered, the user receives an email containing a time-limited link to the password reset page.
This article explains the behaviour of that link and addresses a commonly suggested but incorrect configuration change.
1. Issue
When a user administrator creates a new FBA user, or manually triggers a password reset, the end user receives an email containing a link to the password reset page. This link includes a token that is valid for 24 hours.
If the user attempts to use the link after this period has elapsed, the link will be invalid and they will be unable to proceed. The administrator will need to trigger a new password reset.
The 24-hour token lifetime is fixed and cannot be configured.
Some sources recommend adding a passwordResetTokenExpiration property to the application's Web.config file to extend this duration. This property is not valid and should not be used.
If this property is added to the membership provider configuration in Web.config, the application will fail when a user attempts to reset their password.
The following exception will be recorded in the Windows Event Viewer (Application log):
Exception type: InvalidOperationException
Exception message: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Provider unrecognized attribute: "passwordResetTokenExpiration".
The key error is:
Provider unrecognized attribute: "passwordResetTokenExpiration".
2. Resolution
If this property has been added to any Web.config, remove it and restart the application pool. Normal password reset functionality will then be restored.
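The following PowerShell script is an added example, not part of the original article and not a tool shipped with the product. It shows where the invalid attribute sits in Web.config (on the provider registration under system.web/membership/providers), removes it from every provider entry that carries it, and demonstrates the fix against a constructed sample Web.config written to the temp directory. The provider name, connection string name and application pool name are assumptions; substitute your own.

```powershell
# Added example (not from the original article). Removes the invalid
# passwordResetTokenExpiration attribute from SimpleMembership provider
# registrations in a Web.config, then shows how to recycle the app pool.
# Provider name, connection string name and pool name are assumed values.

function Remove-InvalidResetTokenAttribute {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [string]$AttributeName = 'passwordResetTokenExpiration'
    )
    # XmlDocument handles the file's own encoding/BOM; keep whitespace so the
    # saved file stays readable in diffs.
    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true
    $config.Load($ConfigPath)
    $removed = @()

    # The attribute breaks provider initialisation only when it sits on an
    # <add .../> under <system.web><membership><providers>.
    $providers = $config.SelectNodes('/configuration/system.web/membership/providers/add')
    foreach ($provider in $providers) {
        if ($provider.HasAttribute($AttributeName)) {
            $removed += $provider.GetAttribute('name')
            $provider.RemoveAttribute($AttributeName)
        }
    }

    if ($removed.Count -gt 0) {
        Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # backup first
        $config.Save($ConfigPath)
    }
    return ,$removed   # names of the provider entries that were cleaned
}

# --- Demonstration on a constructed Web.config (sample data, not a real site) ---
$sampleDir = Join-Path $env:TEMP 'fba-reset-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
$sampleConfig = Join-Path $sampleDir 'Web.config'

# Constructed config with the attribute exactly where the article says it must
# not be: on the SimpleMembershipProvider registration (assumed provider name).
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <membership defaultProvider="SimpleMembershipProvider">
      <providers>
        <clear />
        <add name="SimpleMembershipProvider"
             type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData"
             connectionStringName="DefaultConnection"
             passwordResetTokenExpiration="4320" />
      </providers>
    </membership>
  </system.web>
</configuration>
'@ | Set-Content -Path $sampleConfig -Encoding UTF8

$cleaned = Remove-InvalidResetTokenAttribute -ConfigPath $sampleConfig
"Cleaned provider entries: $($cleaned -join ', ')"

# Show the corrected registration: same provider, attribute gone.
$after = New-Object System.Xml.XmlDocument
$after.Load($sampleConfig)
$after.SelectSingleNode('/configuration/system.web/membership/providers/add').OuterXml

# A second pass finds nothing, so the script is safe to re-run after each deploy.
"Second pass removed: $((Remove-InvalidResetTokenAttribute -ConfigPath $sampleConfig).Count)"

# On the real server, run the function over every Web.config under the site
# root and recycle the pool so the provider is re-initialised (assumed paths):
# Get-ChildItem 'C:\inetpub\wwwroot\FbaSite' -Filter Web.config -Recurse |
#     ForEach-Object { Remove-InvalidResetTokenAttribute -ConfigPath $_.FullName }
# Import-Module WebAdministration; Restart-WebAppPool -Name 'FbaSiteAppPool'
```

Run the script as an administrator on the web server. It writes a .bak copy beside each Web.config it changes, and the commented block at the end is the production form of the procedure described above: clean every Web.config under the site root, then restart the application pool so the membership provider is initialised again without the unrecognised attribute.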
To assist a user whose reset link has expired, trigger a new password reset from the user administration interface. The user will receive a fresh email with a new 24-hour token.