I recently got feedback that my Hybrid Credential Provider sample (see the code download with this article – http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/) in MSDN magazine doesn’t support the Unlock scenario (i.e. it just supports Logon). Sorry about that!
A few notes about this. First – the credprov sample in the Vista RTM version of the Windows SDK (see "Samples\Security\CredentialProvider" from the SDK root directory) unfortunately has the same bug. Second – five newer credprov samples are available for download via the following link – http://www.microsoft.com/downloads/details.aspx?FamilyID=b1b3cbd1-2d3a-4fac-982f-289f4f4b9300&DisplayLang=en. These newer samples appear to have been fixed.
Finally, the bug is this – Credential::GetSerialization needs to return a KERB_INTERACTIVE_UNLOCK_LOGON structure instead of a KERB_INTERACTIVE_LOGON (see NTSecAPI.h in the SDK as well as SampleCredentialProvider\SampleCredentialProvider\CSampleCredential.cpp from the new credprov sample set). The following comment from the latter is particularly instructive:
"We use KERB_INTERACTIVE_UNLOCK_LOGON in both unlock and logon scenarios. It contains a KERB_INTERACTIVE_LOGON to hold the creds plus a LUID that is filled in for us by Winlogon as necessary."
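To make the layout concrete, here is an added example (not code from the article download or from the SDK samples) that packs the flat serialization buffer with the unlock header in both scenarios. Assumptions: the structs are portable stand-ins mirroring the NTSecAPI.h / winnt.h definitions so the block builds without the Windows SDK, and `Scenario`, `appendString`, `packUnlockLogon` and `readHeader` are hypothetical names.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Stand-ins (assumption) for the SDK types, so this compiles without the Windows headers.
struct UnicodeString { uint16_t Length, MaximumLength; char16_t* Buffer; };   // UNICODE_STRING
struct Luid { uint32_t LowPart; int32_t HighPart; };                          // LUID
enum KerbLogonSubmitType : int32_t { KerbInteractiveLogon = 2, KerbWorkstationUnlockLogon = 7 };
struct KerbInteractiveLogonS { KerbLogonSubmitType MessageType; UnicodeString LogonDomainName, UserName, Password; };
struct KerbInteractiveUnlockLogonS { KerbInteractiveLogonS Logon; Luid LogonId; };
enum class Scenario { Logon, Unlock };  // hypothetical stand-in for CPUS_LOGON / CPUS_UNLOCK_WORKSTATION

// Append a UTF-16 string to the flat buffer and describe it by its offset from the buffer start.
static UnicodeString appendString(std::vector<uint8_t>& buf, const std::u16string& s) {
    UnicodeString us{};
    us.Length = us.MaximumLength = static_cast<uint16_t>(s.size() * sizeof(char16_t));
    us.Buffer = reinterpret_cast<char16_t*>(static_cast<uintptr_t>(buf.size()));  // offset, not a live pointer
    const uint8_t* p = reinterpret_cast<const uint8_t*>(s.data());
    buf.insert(buf.end(), p, p + us.Length);
    return us;
}

// Same header type for logon and unlock; the scenario only selects MessageType.
std::vector<uint8_t> packUnlockLogon(Scenario sc, const std::u16string& domain,
                                     const std::u16string& user, const std::u16string& password) {
    KerbInteractiveUnlockLogonS hdr{};  // LogonId stays zero here; Winlogon fills it in as necessary
    hdr.Logon.MessageType = (sc == Scenario::Unlock) ? KerbWorkstationUnlockLogon : KerbInteractiveLogon;
    std::vector<uint8_t> buf(sizeof hdr);  // string data begins after the LUID, not right after Logon
    hdr.Logon.LogonDomainName = appendString(buf, domain);
    hdr.Logon.UserName = appendString(buf, user);
    hdr.Logon.Password = appendString(buf, password);
    std::memcpy(buf.data(), &hdr, sizeof hdr);
    return buf;
}

// Read the header back out of a packed buffer for inspection.
KerbInteractiveUnlockLogonS readHeader(const std::vector<uint8_t>& buf) {
    KerbInteractiveUnlockLogonS h{};
    std::memcpy(&h, buf.data(), sizeof h);
    return h;
}

int main() {
    // Constructed sample credentials.
    auto buf = packUnlockLogon(Scenario::Unlock, u"CONTOSO", u"alice", u"example-pw");
    return readHeader(buf).Logon.MessageType == KerbWorkstationUnlockLogon ? 0 : 1;
}
```

A buffer sized from KERB_INTERACTIVE_LOGON alone is `sizeof(LUID)` bytes short of this header, so there is no room for the LogonId that Winlogon fills in.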