I am using the standard asp.net membership provider. I have users who
forget their password. They attempt to login 5 times and they get
locked out. The membership configuration in web.config follows.
<add connectionStrin gName="SomeDB" enablePasswordR etrieval="false "
enablePasswordR eset="true" requiresQuestio nAndAnswer="fal se"
applicationName ="SomeApp" requiresUniqueE mail="true"
passwordFormat= "Hashed" maxInvalidPassw ordAttempts="5"
passwordAttempt Window="10" passwordStrengt hRegularExpress ion=""
minRequiredPass wordLength="6" minRequiredNona lphanumericChar acters="0"
name="AspNetSql MembershipProvi der"
type="System.We b.Security.SqlM embershipProvid er"/>
Once the user is locked out, the reset password doesn't work. I have
to unlock the user before it will send a new password. Is this the
correct operation of this feature? Do I have to manually unlock these
users before they can retrieve a new password?
Thanks.
Rob