Novell Credential Manager Interface

Novell Cool Solutions: Feature
By Brian Cooper

Posted: 5 Oct 2007

Introduction

This document describes the Credential Manager Interface in the Novell Client for Windows and the Novell Client for Windows Vista. Novell credential management allows third-party software to track changes to passwords for purposes of single-sign-on and password synchronization.

Topics: Security, Password Synchronization
Products: Novell Client 4.91 SP4 for Windows XP/2000, and Novell Client 1.0 for Windows Vista
Audience: Client software developers
Level: Advanced

Password Management Basics

The cardinal rule of password management is to keep passwords secure. There are times, however, when a password must be shared, such as when third-party software needs to implement a single-sign-on experience. To do this seamlessly and securely, the Novell Client notifies external modules whenever the password is entered or changed. The Novell Client supports NPPasswordChangeNotify, which is a notification API that third-party DLLs can implement to track changes to the password. In addition, third-party software can implement a Login Extension DLL to capture login events, including password entry.

Login Extension: The Novell Client has long allowed third-party extensions to the login process. Several years ago, Novell determined that login extensions are an unsupported component. Nevertheless, the login extension model remains at the core of the Novell Login process, and is likely to do so for some time. Current documentation on login extensions can be found at http://developer.novell.com/wiki/index.php/Login_Libraries_for_C_and_ActiveX_Controls.

Among other things, a login extension allows access to the password string, which lets third-party software use the Novell password to permit access to additional systems that have synchronized their password with Novell's password. A login extension by definition only functions during the login process. If the user changes the password after logging in, a login extension will not be notified.

NPPasswordChangeNotify: When the user changes the password, the Novell Client looks for a Credential Manager interface. This is a DLL that implements the NPPasswordChangeNotify entry point and is registered with the client. If one or more Credential Managers are installed in the system, the Novell Client calls each one on the NPPasswordChangeNotify entry point. This notification occurs if the old password expired and was changed during login, as well as when the user presses Ctrl-Alt-Del and invokes the password change dialog explicitly. The notification includes the name of the eDirectory tree, the fully qualified directory name (FQDN) of the user, and the old and new passwords.

The NPPasswordChangeNotify function is patterned after a Microsoft interface with the same name, with appropriate changes for Novell. The details of the Microsoft interface can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/nppasswordchangenotify.asp. The differences between the Microsoft interface and the Novell interface are explained below.

NPPasswordChangeNotify Interface

A DLL that implements either the Microsoft or Novell Credential Manager interface must export a function named NPPasswordChangeNotify with the following definition:

DWORD APIENTRY NPPasswordChangeNotify(
  LPCWSTR lpAuthentInfoType,
  LPVOID lpAuthentInfo,
  LPCWSTR lpPreviousAuthentInfoType,
  LPVOID lpPreviousAuthentInfo,
  LPWSTR lpStationName,
  LPVOID StationHandle,
  DWORD dwChangeInfo
);

The changes in the Novell interface from the Microsoft interface are as follows:

  • dwChangeInfo has a value of 0x4000, rather than values in the range of 1-3 that Microsoft provides.

  • lpAuthentInfoType and lpPreviousAuthentInfoType point to the string "Novell" rather than "MSV1_0:Interactive".

  • The lpAuthentInfo and lpPreviousAuthentInfo pointers are always of type MSV1_0_INTERACTIVE_LOGON, which has the following structure definition (found in NTSecAPI.h):

    typedef struct _MSV1_0_INTERACTIVE_LOGON {
      MSV1_0_LOGON_SUBMIT_TYPE MessageType;
      UNICODE_STRING LogonDomainName;
      UNICODE_STRING UserName;
      UNICODE_STRING Password;
    } MSV1_0_INTERACTIVE_LOGON, *PMSV1_0_INTERACTIVE_LOGON;

    In this structure, MessageType always has a value of MsV1_0InteractiveLogon (2). LogonDomainName contains the name of the eDirectory tree. UserName is the Fully Qualified Directory Name (for example: "fred.accounting.novell.com"). The Password field contains the old or new password string in plain text.

  • The value of the lpStationName parameter is "WinSta0", and the StationHandle parameter has a value of zero.

  • The return code from this function is ignored.

  • Other than the parameter differences noted above, the biggest difference between the Novell Credential Manager interface and the Microsoft interface is that a Novell Credential Manager is registered by having an entry under the following registry key:

    [HKLM\Software\Novell\Network Provider\Credential Managers]

    The value should be a null-terminated string (REG_SZ) with an arbitrary name. The string should be the filename of the Novell Credential Manager DLL. There may be more than one credential manager; each one must have its own REG_SZ string. The Novell Client invokes each one sequentially. For example, the following registry file entry identifies a credential manager named "PwdSync" implemented as a DLL in the file C:\WINNT\SYSTEM32\LOGONNP.DLL.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Network Provider\Credential Managers]
    "PwdSync"="c:\\winnt\\system32\\logonnp.dll"

  • Microsoft invokes NPPasswordChangeNotify from a helper process, MPNotify.exe (http://support.microsoft.com/default.aspx?scid=kb;en-us;885423). The Novell Client invokes NPPasswordChangeNotify from the password change function itself.

Example source code for a Microsoft Credential Manager can be found in the Microsoft Platform SDK, under the name Samples\WinBase\Security\WinNT\LogonNP.c. The same source can be used to create a Novell Credential Manager.
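As an added example (not code from this article, the Platform SDK sample, or the Novell Client), the checks a Novell Credential Manager's NPPasswordChangeNotify should make before trusting a notification: the Novell dwChangeInfo value, the "Novell" type string, the MessageType, and the fact that UNICODE_STRING.Length counts bytes and Buffer carries no terminator. The Windows SDK types are re-declared as minimal stand-ins so the code builds without windows.h/NTSecAPI.h; ParseNovellNotify and the helper names are the example's own, and any sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the Windows SDK types (windows.h / NTSecAPI.h) so this
 * builds without the SDK. WCHAR is UTF-16, hence uint16_t. */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct {
    uint32_t MessageType;            /* MSV1_0_LOGON_SUBMIT_TYPE */
    UNICODE_STRING LogonDomainName;  /* eDirectory tree name */
    UNICODE_STRING UserName;         /* fully qualified directory name */
    UNICODE_STRING Password;         /* old or new password, plain text */
} MSV1_0_INTERACTIVE_LOGON;
#define NOVELL_CHANGE_INFO 0x4000u   /* Novell's dwChangeInfo; Microsoft uses 1-3 */
#define MsV1_0InteractiveLogon 2u

/* Compare a NUL-terminated UTF-16 string with an ASCII literal. */
static int Utf16EqualsAscii(const WCHAR *w, const char *a) {
    for (; *a; ++w, ++a) if (*w != (WCHAR)(unsigned char)*a) return 0;
    return *w == 0;
}

/* UNICODE_STRING.Length is in BYTES and Buffer is not NUL-terminated;
 * copy it into a terminated buffer of cap characters. Returns 0 on bad input. */
static int CopyUnicodeString(const UNICODE_STRING *s, WCHAR *out, size_t cap) {
    size_t chars = s->Length / sizeof(WCHAR);
    if (!s->Buffer || (s->Length % sizeof(WCHAR)) != 0 || chars >= cap) return 0;
    memcpy(out, s->Buffer, s->Length);
    out[chars] = 0;
    return 1;
}

/* The checks a Novell Credential Manager's NPPasswordChangeNotify should make
 * before trusting the payload (example helper, not a Novell API). Extracts tree
 * and user only; the password is deliberately not copied here. A real manager
 * would pass lpAuthentInfo->Password to its sync backend and then wipe any copy
 * with SecureZeroMemory. Returns 1 to accept, 0 to ignore the notification. */
int ParseNovellNotify(const WCHAR *lpAuthentInfoType, const void *lpAuthentInfo,
                      uint32_t dwChangeInfo, WCHAR *tree, size_t treeCap,
                      WCHAR *user, size_t userCap) {
    const MSV1_0_INTERACTIVE_LOGON *li = (const MSV1_0_INTERACTIVE_LOGON *)lpAuthentInfo;
    if (!lpAuthentInfoType || !li || dwChangeInfo != NOVELL_CHANGE_INFO) return 0;
    if (!Utf16EqualsAscii(lpAuthentInfoType, "Novell")) return 0;   /* not "MSV1_0:Interactive" */
    if (li->MessageType != MsV1_0InteractiveLogon) return 0;
    return CopyUnicodeString(&li->LogonDomainName, tree, treeCap) &&
           CopyUnicodeString(&li->UserName, user, userCap);
}
```

The exported NPPasswordChangeNotify would call ParseNovellNotify on both lpAuthentInfo and lpPreviousAuthentInfo; the same function run from MPNotify.exe receives dwChangeInfo in the range 1-3 and is rejected, so a DLL registered under both providers cannot confuse the two paths.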


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell