Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

I recently got feedback that my Hybrid Credential Provider sample in MSDN Magazine (see the code download with this article - http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/) doesn’t support the Unlock scenario (i.e. it just supports Logon). Sorry about that!

A few notes about this. First - the credprov sample in the Vista RTM version of the Windows SDK (see "Samples\Security\CredentialProvider" from the SDK root directory) unfortunately has the same bug. Second - five newer credprov samples are available for download via the following link - http://www.microsoft.com/downloads/details.aspx?FamilyID=b1b3cbd1-2d3a-4fac-982f-289f4f4b9300&DisplayLang=en. The latter appear to have been fixed.

Finally, the bug is this - Credential::GetSerialization needs to return a KERB_INTERACTIVE_UNLOCK_LOGON structure instead of a KERB_INTERACTIVE_LOGON (see NTSecAPI.h in the SDK as well as SampleCredentialProvider\SampleCredentialProvider\CSampleCredential.cpp from the new credprov sample set). The following comment from the latter is particularly instructive:

"We use KERB_INTERACTIVE_UNLOCK_LOGON in both unlock and logon scenarios. It contains a KERB_INTERACTIVE_LOGON to hold the creds plus a LUID that is filled in for us by Winlogon as necessary."

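As an added illustration (not code from the article's download or from the SDK samples), the sketch below serializes a KERB_INTERACTIVE_UNLOCK_LOGON for both Logon and Unlock and varies only MessageType. The struct definitions are portable mirrors of the NTSecAPI.h types so the block builds without the SDK; `Scenario`, `PackString` and `SerializeKerbLogon` are hypothetical names, and storing string offsets in `Buffer` is an assumption about the packed layout the logon package expects.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Portable mirrors of the NTSecAPI.h types so this compiles without the SDK
// (assumption: same field order); a real provider includes <ntsecapi.h>.
struct UNICODE_STRING { uint16_t Length, MaximumLength; char16_t* Buffer; };
struct LUID { uint32_t LowPart; int32_t HighPart; };
enum KERB_LOGON_SUBMIT_TYPE { KerbInteractiveLogon = 2, KerbWorkstationUnlockLogon = 7 };
struct KERB_INTERACTIVE_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    UNICODE_STRING LogonDomainName, UserName, Password;
};
struct KERB_INTERACTIVE_UNLOCK_LOGON { KERB_INTERACTIVE_LOGON Logon; LUID LogonId; };
enum Scenario { CPUS_LOGON = 1, CPUS_UNLOCK_WORKSTATION = 2 };  // mirrors credentialprovider.h

// Append one string after the fixed struct and store its offset in Buffer,
// because the blob is copied to another process where our pointers are invalid.
static void PackString(std::vector<uint8_t>& blob, size_t fieldOffset, const std::u16string& s) {
    UNICODE_STRING us{};
    us.Length = us.MaximumLength = static_cast<uint16_t>(s.size() * sizeof(char16_t));
    us.Buffer = reinterpret_cast<char16_t*>(blob.size());  // offset, not an address
    std::memcpy(blob.data() + fieldOffset, &us, sizeof us);
    const uint8_t* p = reinterpret_cast<const uint8_t*>(s.data());
    blob.insert(blob.end(), p, p + us.Length);
}

// Hypothetical helper: builds the bytes GetSerialization would hand back.
// The unlock structure is used for both scenarios; only MessageType differs.
std::vector<uint8_t> SerializeKerbLogon(Scenario cpus, const std::u16string& domain,
                                        const std::u16string& user, const std::u16string& password) {
    for (const auto* s : {&domain, &user, &password})
        if (s->size() > 0x7FFF) return {};  // Length is a 16-bit byte count
    KERB_INTERACTIVE_UNLOCK_LOGON kiul{};   // LogonId left zero for Winlogon to fill in
    kiul.Logon.MessageType = (cpus == CPUS_UNLOCK_WORKSTATION) ? KerbWorkstationUnlockLogon
                                                               : KerbInteractiveLogon;
    std::vector<uint8_t> blob(sizeof kiul);
    std::memcpy(blob.data(), &kiul, sizeof kiul);
    // Logon is the first member, so its field offsets are also offsets into the blob.
    PackString(blob, offsetof(KERB_INTERACTIVE_LOGON, LogonDomainName), domain);
    PackString(blob, offsetof(KERB_INTERACTIVE_LOGON, UserName), user);
    PackString(blob, offsetof(KERB_INTERACTIVE_LOGON, Password), password);
    return blob;
}
```

A provider that sizes its buffer from KERB_INTERACTIVE_LOGON alone produces a blob with no room for LogonId, which is the Unlock failure described above.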
1 Comment »

  1. Hi Dan,

    I am starting to write a Vista Credential Provider and it seems that your sample code for this article was pulled from the MSDN Mag. I don’t care about that simple bug, I’d like to look at the code anyway. Is there anywhere I could download the sample code?

    Thank you,

    Hector Obregon

    Comment by Hector M Obregon — March 21, 2008 @ 1:36 am
