Credential Providers in Windows 10
Credential providers are the primary mechanism for user authentication—they currently are the only method for users to prove their identity which is required for logon and other system authentication scenarios. With Windows 10 and the introduction of Microsoft Passport, credential providers are more important than ever; they will be used for authentication into apps, websites, and more.
Microsoft provides a variety of credential providers as part of Windows, such as password, PIN, smartcard, and Windows Hello (Fingerprint, Face, and Iris recognition). These are referred to as "system credential providers" in this article. OEMs, Enterprises, and other entities can write their own credential providers and integrate them easily into Windows. These are referred to as "third-party credential providers" in this article. Note that both V1 and V2 credential providers are supported in Windows 10. It is important for creators and managers of third-party credential providers to understand these recommendations.
System credential providers
We strongly recommend that there always be at least one system credential provider available for every user on the device in addition to any third-party credential providers. Additionally, during the set-up of the third-party credential provider, each user on the device should be prompted to set up at least one system credential provider (if no other recovery options are available; see Scenario A, below).
Scenario A
A local account user has set up a third-party credential provider and regularly uses it to log into the device. One day, the user installs some update to the device that breaks the third-party credential provider, and the user is unaware of this change before restarting the machine.
On the next restart, the user is on the logon screen and is unable to use the expected third-party credential provider. If the user has set up a system credential provider, the user will be able to log into the machine using it. If not, the user has no way to recover the account on the machine.
Scenario B
An MSA/AD/AAD account user has set up a third-party credential provider and regularly uses it to log into the device. One day, the user installs some update to the device that breaks the third-party credential provider, and the user is unaware of this change before restarting the machine.
On the next restart, the user is on the logon screen and is unable to use the expected third-party credential provider. If the user has set up a system credential provider, the user will be able to log into the machine using it. Alternatively, if the system’s password credential provider is available, the user can remotely request/reset the password and use that to log into the machine. If neither option is available, the user has no way to recover the account on the machine.
Conclusion
In summary, we want to discourage the disabling of all system credential providers on a device. While third-party credential providers may fulfill additional authentication requirements for particular groups of users, it is very important to ensure that the user can always regain access to their machine when a breaking change occurs. System credential providers provide this guarantee.
Custom credential providers
The Windows credential provider framework enables developers to create custom credential providers. When Winlogon wants to collect credentials, the Logon UI queries each credential provider for the number of credentials that it wishes to enumerate. After all providers have enumerated their tiles, the Logon UI displays them to the user. The user then interacts with a tile to supply the necessary credentials. The Logon UI submits these credentials for authentication. Credential providers can also be used by the Credential UI when credentials are necessary. See CREDENTIAL_PROVIDER_USAGE_SCENARIO for a list of scenarios where a credential provider can be supported.
Thanks to this system, it is much easier to create a credential provider than it was historically. Much of the work is handled by the combination of Winlogon, the Logon UI and the Credential UI. In order to do so, you will need to create your own implementation of ICredentialProvider and ICredentialProviderCredential. If you are implementing a V2 credential provider, which is recommended, you will also need to implement ICredentialProviderCredential2.
It is important to note that credential providers are not enforcement mechanisms. They are simply used to gather and serialize credentials, submitting them for authorization. The local security authority and the authentication packages handle any necessary security enforcement.
Combining credential providers with supported hardware, you can extend Windows to support logging on with biometric information, passwords, PINs, Smart Card certificates, or any custom authentication package you choose to create. You can customize the logon experience for the user in a variety of ways as well. For example, when the Logon UI queries your credential provider for the credential tiles, you can specify a default tile to provide a customized experience for a user. Credential providers can even be designed to support single sign on (SSO), authenticating users to a secure access point as well as machine logon.
Credential providers are registered on a Windows machine and are responsible for the following.
- Describing the credential information required for authentication.
- Handling the communication and logic with any external authentication authorities.
- Packaging the credentials for interactive and network logon.
Keep in mind that multiple credential providers can be installed on a single machine.
Wrapping credential providers
Wrapping a system credential provider can be done to add functionality to that credential provider that is not natively supported. This is not recommended because it can lead to problematic behavior. Changes can be made to the credential provider which may conflict with the wrapper causing a poor user experience or even preventing the user from getting into their device. This is especially true with the frequent update cadence of Windows 10.
If functionality in a credential provider is needed that is not included natively, the recommended path is to create a custom credential provider. This is a more stable approach that does not take dependencies on the system providers.
Documentation for creating a Custom Credential Provider in Windows
Where is the documentation on creating a custom Windows Credential Provider located? Everything I’ve found so far points to the same article on how to make a custom credential provider (MSDN Magazine: «Create Custom Login Experiences With Credential Providers For Windows Vista»), but neither that article nor anything else I can find provides documentation on how things actually work. At best there are some code samples, but those don’t explain the full mechanics of credential providers or usefully show how to roll your own.
5 Answers
There is now a proper documentation here. It contains everything you should know when developing custom credential providers.
In an article on Windows Vista Smart Card Infrastructure, there is a link to Credential Provider Technical Reference (link to Credential Provider Technical Reference on archive.msdn.microsoft.com). The list contains a document which describes the Windows Vista Credential Provider Framework. I think you will find this technical reference quite helpful in understanding how Credential Provider in Windows works.
Hope you find what you are looking for!
In the Windows SDK, there is a Credential Provider code example in the Samples\security folder. There is also documentation (in MHTML format) for the example, contained in the SDK files. In the latest Windows SDK, the Credential Provider example has been updated to be suitable for Windows 7, says the document.
Strangely, the documentation doesn’t seem to be available online anywhere. It’s just there in the SDK docs.
Please note that Microsoft Windows SDK is something that you need to separately install, even if you already have Visual Studio installed.
Welcome to the beautiful world of Windows 10.
Microsoft have actually updated the documentation a tiny little bit for Windows 10: there is this page, and at the bottom it links to the technical reference for credential providers with updates for Windows 10, which has (at the time of writing this) a big disclaimer at the top that it is only pre-release information and accuracy is not guaranteed. For example, at the bottom of the reference is still the e-mail address credprov@microsoft.com, which has apparently been invalid for a long time already.
The most recent source code example is the open-source C# wrapper pgina which may help illustrate how to use this CredentialProvider API.
Credential provider windows sdk
This repository will be updated with all the examples and links that I can find with relevant knowledge & information about CP in MS Windows 7 up to version 10.
Credential providers are the primary mechanism for user authentication; they currently are the only method for users to prove their identity, which is required for logon and other system authentication scenarios. With Windows 10 and the introduction of Microsoft Passport, credential providers are more important than ever; they will be used for authentication into apps, websites, and more. Currently you can provide an authentication option for the Windows logon screen (shown in the image below) or for a credential picker UI.
To learn more about the Windows authentication process, please read Sonny's article on Medium.
- Bottom left is the "Tile"; every user in Windows 10 has one, and a CP can have a tile too.
- Bottom middle is the "Credential Providers" icon list; a user can select only one at a time, and the fields shown depend on this selection.
- The center is the provider field(s), in this case a password field.
- The "I forgot my PIN" link is shown only for providers that support the change password scenario; the text can be selected.
- The title below that is shown if there are other available CPs in this tile.
Links to CP Technical Reference, guides, and articles
Links to CP API — Windows 10
- ICredentialProvider interface: this is the CP; the other two are just UI.
- ICredentialProviderCredential interface: a MUST if you want to provide UI interaction.
- ICredentialProviderCredential2 interface: if you want your provider to be listed under the user tile you MUST implement this; otherwise you will get your own tile.
Links to CP code examples
- Windows 8 & 8.1 sample by Microsoft: start here if you already have some knowledge.
- Windows 7 samples by Microsoft, in one link.
- pGina: start here if you want a quick implementation without really knowing what is going on.
- pGina FORK: the fork was created at first simply because that is the way to contribute on GitHub. Later on, due to time pressure and a refused pull request, the code came to differ so much that it is hard to merge it back again.
- MultiOneTimePassword
- multiOTPCredentialProvider
- MultiotpCPV2RDP
- multiOTP open source
- dxlogin: I recommend looking into this one for its well documented CP.
- Phaetto C# Credential Provider: do notice that he did not implement the logon and workstation scenarios.
Links from the web for download / view
- https://blogs.technet.microsoft.com/aho/2009/11/14/custom-credential-provider-for-password-reset/
- https://www.microsoft.com/en-us/download/details.aspx?id=4057
- https://code.msdn.microsoft.com/windowsapps/V2-Credential-Provider-7549a730 (the same one as the Windows 8 sample above, but without the updates)
- https://msdn.microsoft.com/en-us/library/cc540483.aspx
- Signature-based User Authentication PDF very useful
Background on the Windows Logon Process
- Yoni Avital presentation at E2EVC 2015: Diving into Windows Logon Process
Windows Credential Provider
Made only with C#, .NET
There was no implementation in .NET that could work as credential provider in windows, so I created this example.
The code is totally free for any use.
Read this before you start
Installing an untested credential provider might lock you out of the system, as the code will run in process with winlogon.
Use a live distro to remove the dll if that happens.
Better yet, use a VM to do your experiments.
Consider yourself warned.
To start a setup to develop your own Windows Credential Provider:
- Install the COM component by building the project
- Merge the registry file to install the credential provider
The projects are set up for x64 systems; you might need to change that if you want it to run on 32-bit platforms. The same goes for the registry installation.
When you run TestConsoleApp you should be able to see your provider under "More choices" (Windows 10).
It connects the logon procedure with alternative means of logging on, such as images from a camera or voice from a microphone.
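As an added example, not code from this repository or from the Microsoft articles above, the following PowerShell script reads the registry location that a credential provider's .reg file populates and audits what is registered: it resolves each CLSID to its DLL, checks the Authenticode signature, and reports which providers are third-party or disabled, so that the recommendation from Scenarios A and B (keep at least one working system provider) can be verified. It assumes an elevated 64-bit PowerShell session on Windows 10 and treats a valid signature by "Microsoft Corporation" as the mark of a system provider.

```powershell
# Added example (not code from any repository or article on this page).
# Inventories the credential providers registered on the machine and flags
# third-party and disabled ones, so an administrator can confirm that at
# least one enabled Microsoft-signed (system) provider remains.
# Assumptions: run in an elevated 64-bit PowerShell on Windows 10.
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProviderInventory {
    foreach ($key in Get-ChildItem -Path $cpRoot) {
        $clsid = $key.PSChildName       # subkey name is the provider's COM CLSID, e.g. {GUID}
        $name  = $key.GetValue('')      # default value: friendly name written by the .reg file

        # COM registration of the CLSID: the InprocServer32 default value is the DLL path
        $inproc = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $null
        if ($inproc -and $inproc.GetValue('')) {
            $dll = [Environment]::ExpandEnvironmentVariables($inproc.GetValue(''))
        }

        # Authenticode check; Windows system DLLs carry a Microsoft signature (embedded or catalog)
        $status = 'NoFile'; $signer = ''
        if ($dll -and (Test-Path -Path $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $isSystem = ($status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            Signature  = $status
            ThirdParty = -not $isSystem
            # a Disabled=1 DWORD under the provider key switches that provider off
            Disabled   = ($key.GetValue('Disabled') -eq 1)
        }
    }
}

$inventory = Get-CredentialProviderInventory
$inventory | Sort-Object ThirdParty, Name | Format-Table -AutoSize

# Scenarios A and B: a user must always have a working system provider left to fall back on.
if (-not ($inventory | Where-Object { -not $_.ThirdParty -and -not $_.Disabled })) {
    Write-Warning 'No enabled Microsoft-signed credential provider is registered; a broken third-party provider would lock users out.'
}
foreach ($cp in ($inventory | Where-Object ThirdParty)) {
    Write-Host ('Third-party provider {0} {1} -> {2} [{3}]' -f $cp.CLSID, $cp.Name, $cp.Dll, $cp.Signature)
}
```

A provider reported as NotSigned or with a DLL outside a known install location is a prompt to investigate, not proof of tampering; the script only shows what Winlogon will load at the next logon.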
I have included the official doc on how to use the credential provider — note that you have to have some knowledge about COM and the examples are in C++.
I have also included the guide on how to (re)export an Interop typelib from IDL in the Windows SDK. You can use that to export almost any component.
ICredentialProvider interface (credentialprovider.h)
Exposes methods used in the setup and manipulation of a credential provider. All credential providers must implement this interface.
Inheritance
The ICredentialProvider interface inherits from the IUnknown interface. ICredentialProvider also has these types of members:
Methods
The ICredentialProvider interface has these methods.
| Method | Description |
|---|---|
| ICredentialProvider::Advise | Allows a credential provider to initiate events in the Logon UI or Credential UI through a callback interface. |
| ICredentialProvider::GetCredentialAt | Gets a specific credential. |
| ICredentialProvider::GetCredentialCount | Gets the number of available credentials under this credential provider. |
| ICredentialProvider::GetFieldDescriptorAt | Gets metadata that describes a specified field. |
| ICredentialProvider::GetFieldDescriptorCount | Retrieves the count of fields needed to display this provider's credentials. |
| ICredentialProvider::SetSerialization | Sets the serialization characteristics of the credential provider. |
| ICredentialProvider::SetUsageScenario | Defines the scenarios for which the credential provider is valid. Called whenever the credential provider is initialized. |
| ICredentialProvider::UnAdvise | Used by the Logon UI or Credential UI to advise the credential provider that event callbacks are no longer accepted. |
Remarks
This interface is how you will interact with the Logon UI and the Credential UI for your app.
An instantiated credential provider is maintained for the entire lifetime of a Logon UI. Because of this, the Logon UI can maintain the state of a credential provider. In particular, it remembers which provider and tile provided a credential. This means that you can potentially store state information when you are using a CREDENTIAL_PROVIDER_USAGE_SCENARIO of CPUS_LOGON, CPUS_UNLOCK_WORKSTATION, and CPUS_CHANGE_PASSWORD. This is not the case with the Credential UI. The Credential UI creates a new instance of the provider every time an application calls CredUIPromptForWindowsCredentials. Because of this, the Credential UI cannot remember a credential provider’s state.
Be aware that a CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION generated in one scenario might be saved and used in a subsequent usage scenario. Because of this, it is necessary to make sure your ICredentialProvider implementation is robust enough to handle this scenario.
Windows 8 adds new functionality in the credential providers API, primarily the ability to group credentials by user.