Most of this information was taken from the forum post by dub.survivor and used with Umbraco version 4.0.2.1 (Assembly version: 1.0.3441.17657).
The ASP.net tables can be created in my Umbraco database, or another database as they use the connectionString settings, using the aspnet_regsql tool. The following command parameters creates the required membership (m) and role (r) tables were created on local server database. Add profile (p) to create the table to store additional information about a user, e.g. preferences or address. The roles are the same as groups.
eg aspnet_regsql -S (local) -E -A mr -d TestDatabase
msdn.microsoft.com/.../ms229862(VS.80).aspx
-S <server> specify name of server running SQL database
-E Authenticates with windows credentials, otherwise use: -U <login ID> -P <password>
-A mr Add support for [m] = membership, [r] = Role Manager, [p] = Profile
-d <database name>, uses default database name of "aspnetdb" if it is not provided
The Aspnet_regsql.exe file is located in the [drive:]\%windir%\Microsoft.NET\Framework\version folder on your Web server.
Web.config needs these sections updating, this uses both the umbraco member provider, so the admin account can login to the admin UI and the SQL server provider for site members.
<connectionStrings configSource="connectionStrings.config"/>
...
<membership defaultProvider="SqlServerMembershipProvider" userIsOnlineTimeWindow="10">
<providers>
<clear />
<add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" passwordFormat="Hashed" />
<add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="umbracoDb" requiresQuestionAndAnswer="false" applicationName="DemoUmbraco4" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="SqlServerRoleProvider">
<providers>
<clear/>
<!-- Used for user, e.g. admin access -->
<add name="UmbracoRoleProvider" type="umbraco.providers.members.UmbracoRoleProvider" />
<add connectionStringName="SqlServerRoleProvider" applicationName="DemoUmbraco4" name="SqlServerRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</roleManager>
<!-- If profile was added, define fields to be stored, using the same connectionStringName and applicationName as in membership and roleManager -->
<profile enabled="true" defaultProvider="SqlProfile" automaticSaveEnabled="true">
<!-- Properties section not used as built with Provider.
<properties>
</properties>
-->
<providers>
<clear />
<add name="SqlProfile" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="umbracoDb" applicationName="DemoUmbraco4" />
</providers>
</profile>
The providers for membership and roles now use the aspnet ones System.Web.Security.SqlMembershipProvider and
System.Web.Security.SqlRoleProvider respectively, with the SqlProfileProvider if the member database was built with Profile (p). Note that these require a connection string so added a connection string that specified the database and username and password. I don't think that it is possible to use Integrated Security as is recommended by Microsoft. Dub.survivor tried that and when he chose the public access option on a page he got an error about not able to log in to database. Removing Integerated Security and specifying username and password fixed the error. The applicationName is optional but it is recommended practice according to this blog post. Always set applicationName, otherwise it will not transfer to another computer. This would apply to all the asp.net membership providers.
A good article on creating the profile section can be found here on Examining ASP.NET's Membership, Roles, and Profile.
Roles and users can initially be created using the Asp.Net Web Site Administration Tool (WAT). To use the ASP.NET Website Administration Tool, create a web site project in Visual Studio and configure the connection string and web.config with the settings as the example above. Then from the top bar menu in Visual Studio choose the ASP.NET Configuration menu option. Then, from the Security tab, change the authentication type to "From the internet," which can be accomplished either by clicking the "Select authentication type" link in the Authentication box or by clicking the "Use the security Setup Wizard to configure security step by step" link. If you have not configured the project to use an alternative database this will automatically create a database in your application's App_Data folder named ASPNETDB.mdf that has the predefined schema. You can also use the Website Administration Tool to specify authorization settings. For more on using the Website Administration Tool, see Website Administration Tool Overview, focusing on the Security tab. Files at [drive:]\%windir%\Microsoft.NET\Framework\version\ASP.NETWebAdminFiles\.
Once the users and roles have been created using WAT, then from the Umbraco admin UI, the Public Access option allows these roles to be choosen to restrict access to sections of the web site.
You can create new members in the Umbraco UI, and edit role (group) membership and email address, but nothing else. You need to create user controls to do this and then edit the Umbraco dashboard.config file in the config directory to add the usercontrol to the admin UI.
The profiles details can only be automatically accessed in Visual Studio if the project is of type Web Site. But this is not useful for creating controls for use with Umbraco. So you need to create a wrapper for the profiles and define the fields programmatically. So they are no longer defined in the web.config, hence why they are missing from the example above. The method described by Joel Spolsky on how to assign profile values works well. It does mean that it involves a coding change to add profile fields. I want to try the table-profile-provider which stores the profile field values in their own columns in the database.
Other useful URLs
=================
How to assign Profile values
stackoverflow.com/.../asp-net-membership-how-to-assign-profile-values
TableProfile provider
www.asp.net/.../
Rolling your own Website Administration Tool
aspnet.4guysfromrolla.com/articles/052307-1.aspx
www.4guysfromrolla.com/articles/101106-1.aspx
aspnet.4guysfromrolla.com/articles/120705-1.aspx
Profiles In ASP.NET 2.0
http://odetocode.com/articles/440.aspx
ASP.NET 2.0 Security Controls
articles.sitepoint.com/.../1
Password Recovery
www.asp.net/Learn/security/tutorial-13-vb.aspx