
credprovider.net's Introduction

Steve Syfuhs

I'm a dev on the Cryptography, Identity, and Authentication team at Microsoft building authentication services and stuff for Windows and friends. I've most recently been working on credential protection.

If you're interested in that sort of history there's LinkedIn: https://www.linkedin.com/in/syfuhs/

I have some things written down at https://syfuhs.net/.

Otherwise there's daily ramblings on Twitter: https://twitter.com/stevesyfuhs


credprovider.net's People

Contributors

jameswestgate, stevesyfuhs


credprovider.net's Issues

How do I support the CPUS_UNLOCK_WORKSTATION scenario?

I am using your code and working on a Windows 10 Cred Provider, and I am having trouble with the CPUS_UNLOCK_WORKSTATION scenario. My CP simply serializes a Username and Password and logs the user in. This works in the CPUS_LOGON scenario, but I get a bad username and password in the CPUS_UNLOCK_WORKSTATION scenario.

According to MS docs (https://docs.microsoft.com/en-us/windows/desktop/api/credentialprovider/ne-credentialprovider-credential_provider_usage_scenario), "Credential providers that implement this scenario should be prepared to serialize credentials to the local authority for authentication. These credential providers also need to enumerate the currently logged-in user as the default tile."

How exactly do I do that? I think that the CredentialProviderBase:SetUserArray is the place to do it, but I don't know how.

Any insight you can give would be appreciated. Thank you.

I also posted this issue in https://github.com/phaetto/windows-credentials-provider because truthfully I am using code from both repos.

Open WinForm from CredProvider

Hi Steve,
Glad to meet you. I have been searching for a Credential Provider ported to .NET. Thanks for that. However, I am very new to these concepts. I have a requirement where a WPF or WinForm window should pop up. I work for a company called iCrypto. We are an Identity Verification and Attestation services company.

  1. After primary auth succeeds, I would pull up my custom cred provider with a WinForm containing a box to enter the OTP from our iCrypto OTP.
  2. If the user is not registered, the user has to enroll using the same form by entering certain user details.
  3. The Web API details are preconfigured in the registry during MSI installation.
  4. I know Windows enumerates the DLLs, but help me understand how I can initiate the Windows Form and, if auth succeeds with the OTP or whatever, how I can return a SUCCESS/OK event.
  5. I am not able to understand C++.
  6. Also, could you briefly explain what exactly happens when ICredentialProvider is implemented and deployed? What is the first method that executes in the DLL?

Midl - credentialprovider.idl

Hi,

When I try to run the code with my own intermediate DLL file I can't get it to work.
Is it possible to add a precompiled DLL file to the repository, so that I can test whether the base code works on my machine?

Best Regards,
Hans

SetFieldBitmap problem

Hi,

As I see here:
#8

I changed the interop DLL and it now looks like this:

int SetFieldBitmap([MarshalAs(UnmanagedType.Interface)] [In] ICredentialProviderCredential pcpc, [In] uint dwFieldID, [ComAliasName("CredentialProvider.Interop.wireHBITMAP")] [In] IntPtr hbmp);

My question is, do I need ref before IntPtr hbmp?

And how can I pass a bitmap to it? I use the following code but get 'access violation' error:

Bitmap tileIcon2 = new Bitmap("c:\\test\\1.bmp");
IntPtr phbmp = Marshal.AllocCoTaskMem(100000);
Marshal.WriteIntPtr(phbmp, tileIcon2.GetHbitmap());
int r = credentialProviderCredentialEvents.SetFieldBitmap(this, 4, phbmp);

RDP Issues

Unable to log in via this Credential Provider.

How does the credential provider actually work?

Thanks for sharing this sample project! I'm looking into implementing a credential provider myself and was pleasantly surprised when stumbling across a sample C# project. This makes it so much easier to get started.

Sorry if I'm asking a trivial question, but the high-level working of the project is a bit unclear to me. I see that the CredentialProviderCredential.GetSerialization method has username & password handling, but where do these come from? Are they entered in text fields by the user, do they originate from a file, from special authentication HW, or something else?

pluginsystem

Make a plugin system to authenticate and generate UI.

Trigger Custom Provider programmatically (i.e. REST API)

Hi,

Thanks for this sample. This is just a question, not a bug report.

Is it possible to trigger the authentication by API?

I saw your sample and it shows the prompt. Actually I want to call the custom provider directly by API, with no user click or any action from the user.

Thanks in advance.

How do I use the SetFieldBitmap method from ICredentialProviderCredentialEvents?

I am successfully using the GetBitmapValue method in ICredentialProviderCredential to set my tile's logo.

Bitmap tileIcon;
tileIcon = Resources.blocked2;
phbmp = tileIcon?.GetHbitmap() ?? IntPtr.Zero;

But how do I change that bitmap later on when I call SetFieldBitmap method from ICredentialProviderCredentialEvents?
I don't know how to convert from System.Drawing.Bitmap to _userHBITMAP.

This is what I have tried:

Bitmap newLogo = Resources.unblocked;
IntPtr phBmp = newLogo.GetHbitmap();
credentialProviderCredentialEvents.SetFieldBitmap(this, 2, ref phBmp);

This doesn't work because SetFieldBitmap wants a _userHBITMAP and not an IntPtr.

I've never heard of a _userHBITMAP and can't find any documentation on how to use it.

GetFieldDescriptorAt results in [Access violation - code c0000005]

Hi,

We are working on a custom implementation of a credential provider and have tried your version. This one works for us, so we tried to create a clean assembly using this as a template.

When I implement the GetFieldDescriptorAt method it results in an access violation error (which seems to be a memory pointer issue). I have copied the exact code from your project but it does not work. I also tried another marshal.

(BTW: I noticed that the default implementation of the interface lacks the [Out] directive.)

        public int GetFieldDescriptorAt(uint dwIndex, [Out] IntPtr ppcpfd)
        {
            Debug.Write("GetFieldDescriptorAt");

            try
            {
                Diagnostics.LogMethodEntry();
                _logger.Debug($"GetFieldDescriptorAt: dwIndex [{dwIndex}].");

                var credential = CredentialsManager.GetCredential(0) as ICredentialDescriptor;
                var descriptor = credential.GetDescriptor((int)dwIndex);
                _logger.Debug($"Returning descriptor of type [{descriptor.cpft}] with label [{descriptor.pszLabel}]");
                int size = Marshal.SizeOf(descriptor);
                IntPtr tempPtr = Marshal.AllocCoTaskMem(size);
                //IntPtr tempPtr = Marshal.AllocHGlobal(size);
                Marshal.StructureToPtr(descriptor, tempPtr, false);
                Marshal.StructureToPtr(tempPtr, ppcpfd, false);
                return HRESULT.S_OK;
            }
            catch (Exception ex)
            {
                _logger.Error(ex, $"{ex.Message}");
                return HRESULT.E_UNEXPECTED;
            }
            catch
            {
                _logger.Error($"Uncaught exception");
                throw;
            }
            finally
            {
                Diagnostics.LogMethodExit();
            }
        }

No error occurs in this method, but GetBitmap raises an issue, as seen in the WinDbg log:

onecoreuap\ds\security\fido\credprov\dll\fidoprovider.cpp(62)\fidocredprov.dll!00007FFD731975AD: (caller: 00007FFD6E7AAC48) ReturnHr(2) tid(1010) 80070057 The parameter is incorrect.
onecoreuap\shell\auth\credprov2fahelper\dll\credprov2fahelper.cpp(80)\CredProv2faHelper.dll!00007FFD7A1C554A: (caller: 00007FFD6E7B3ACF) ReturnHr(1) tid(1010) 800704EC This program is blocked by group policy. For more information, contact your system administrator.
    Msg:[Device unlock policy not configured] 
AdviseGetCredentialCountGetCredentialAtGetFieldDescriptorCountGetFieldDescriptorAtGetDescriptorGetFieldDescriptorAtGetDescriptor(d98.1010): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
credprovhost!_GetBitmapData+0x44:

I have no clue why this is occurring. I'm actually testing both your provider and mine from the same solution with the same test client (CredUI), so I would at least expect both providers to act the same.

Any thoughts on this?

Regards,
Martijn

[Hyper-V] Can forwarded USB drives be accessed from the login page?

I'm working on a custom credential provider that relies on additional information from a special USB stick. This seems to work well when testing on physical HW, as well as when testing after user login in a Hyper-V "Enhanced session" that forwards connected USB drives to network shares beneath \\tsclient.

However, the credential provider doesn't seem to be able to access these forwarded USB drives from the Windows login page, meaning before the user logs in. I'm wondering if this is a fundamental problem with Hyper-V, or if it's possible to somehow work around this limitation so that the credential provider can more easily be tested in a VM?

Installation

Hi,

Cloned & rebuilt the code in VS 2017.

On a virtual box (Windows 10), I have installed the Credential Provider using Install.reg. When I restart / sign out of the system, I cannot see the NEW Credential Provider.

When the system is locked (CPUS_UNLOCK_WORKSTATION) in a custom Credential Provider, the domain password expiry scenario is not working and does not display the password change UI.

Hi,
I am writing a custom Windows Credential Provider using C++ on Windows 10, where I have implemented domain password expiry in my code, and I am able to change the domain password following this blog: How can I handle password expiry in the credential provider?
But there is one scenario, the LOCK condition (CPUS_UNLOCK_WORKSTATION), where I am not able to load the Change Password UI for domain password expiry.

With this following code below:

_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_LOGIN_NAME, CPFS_HIDDEN );
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_PASSWORD,CPFS_HIDDEN );

for the above two statements, the code works fine and it hides the field components for Username and Passwords.

And I am facing problems for the below lines of code statements:

_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_OLDPASSWORD_TEXT, CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_OLDPASSWORD, CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_NEWPASSWORD_TEXT, CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_NEWPASSWORD, CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_CONFPASSWORD_TEXT, CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_CONFPASSWORD, CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_SUBMIT_BUTTON, CPFS_DISPLAY_IN_SELECTED_TILE);

I am not able to load these fields. These APIs are failing to load the fields OldPasswordText, OldPassword, NewPasswordText, NewPassword, ConfirmPasswordText, ConfirmPassword and SubmitButton.

I am calling the above functions from Credential::Initialize().
I am calling Initialize() from

Credential::ReportResult()
{
        // _cpus == CPUS_UNLOCK_WORKSTATION, and with
        if (ntsStatus == STATUS_PASSWORD_MUST_CHANGE ||
            (ntsStatus == STATUS_ACCOUNT_RESTRICTION && ntsSubstatus == STATUS_PASSWORD_EXPIRED))
        {
                Initialize(_cpus, s_rgCredProvFieldDescriptors, s_rgFieldStatePairs, nullptr);
        }
}

The lines below are from the log files, provided for reference (183 is the value I am getting from GetLastError()).

Initialize() FAILED SFI_OLDPASSWORD_TEXT: 183
Initialize() FAILED SFI_OLDPASSWORD: 183
Initialize() FAILED SFI_OLDPASSWORD: 183
Initialize() FAILED SFI_NEWPASSWORD_TEXT: 183
Initialize() FAILED SFI_NEWPASSWORD_TEXT: 183
Initialize() FAILED SFI_NEWPASSWORD: 183
Initialize() FAILED SFI_CONFPASSWORD_TEXT: 183
Initialize() FAILED SFI_CONFPASSWORD: 183
Initialize() FAILED SFI_SUBMIT_BUTTON: 183

Help in resolving the issue, if i am doing anything wrong.

Regards
Aslam

Does the Credential Provider have to use the Windows password?

Hello there, great product!
I am using CredentialProvider to develop my custom login method. After my research, the Credential Provider seems to require the user's original Windows password. My question is: does the Credential Provider have to know the original Windows password and pass it to the operating system for verification, or otherwise the user cannot log in successfully?
