3.1 Windows Credential Providers

Credential Providers are in-process COM objects used to collect credentials for authentication. Credential Providers describe the credential information required for authentication to the Local Security Authority (LSA) or to an application. For an interactive user logon, this credential information is presented to the user in the form of a “tile” that contains informational and editable fields. Users interact with the tile by entering their usernames and passwords, then clicking a right-arrow button.

Figure 3-1 Windows Welcome Screen

In Windows 7, Windows Vista, and Windows Server 2008, the Winlogon process launches the LogonUI process after it receives a secure attention sequence (SAS) event. LogonUI queries each Credential Provider for the number of credential tiles that it wants to display. A Credential Provider might, for example, display a tile for each local machine user. One of these tiles can be configured to be the default tile initially displayed to the user. After LogonUI has finished querying the Credential Providers for their tiles, it displays all of the enumerated tiles to the user. After the user supplies information for the requested fields, LogonUI submits the credentials for authentication.

Credential Providers are not enforcement mechanisms. They are used only to gather and serialize credentials. The Local Security Authority and authentication packages enforce security. Credential Providers are responsible for:

Even though multiple Credential Providers can be displayed to a user on a machine, only the one selected by the user is allowed to provide credentials to the interactive logon process.
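Because every registered Credential Provider is an in-process COM object that LogonUI loads, an administrator will want to know exactly which providers are registered and where their DLLs come from. The following PowerShell audit is an added example, not part of this document: it lists the registered Credential Providers and Credential Provider Filters, resolves each CLSID to the in-process DLL, and flags any DLL that is unsigned, missing, or located outside System32. It assumes PowerShell 3 or later and the standard registration keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication.

```powershell
# Added example: audit the Credential Providers registered on this machine.
# Registration keys below are the standard Windows locations; the '(default)'
# value of each CLSID subkey holds the provider's friendly name.
$cpRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$filterRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'

function Get-RegisteredCredentialProvider {
    param([string]$Root, [string]$Kind)
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        # The CLSID's InprocServer32 default value is the DLL LogonUI loads in-process.
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') } else { $null }
        $sig = if ($dll -and (Test-Path -Path $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        [pscustomobject]@{
            Kind   = $Kind
            CLSID  = $clsid
            Name   = $name
            Dll    = $dll
            Status = if ($sig) { $sig.Status } else { 'DllMissing' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$providers = @(Get-RegisteredCredentialProvider -Root $cpRoot     -Kind 'Provider') +
             @(Get-RegisteredCredentialProvider -Root $filterRoot -Kind 'Filter')

$providers | Sort-Object Kind, Name | Format-Table -AutoSize

# Anything unsigned, missing on disk, or loaded from outside System32 deserves review.
$suspect = $providers | Where-Object {
    $_.Status -ne 'Valid' -or ($_.Dll -and $_.Dll -notlike "$env:SystemRoot\System32\*")
}
if ($suspect) {
    Write-Warning 'Credential Providers needing review:'
    $suspect | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that Get-AuthenticodeSignature can read every provider DLL; compare the output against a known-good baseline from a freshly installed system of the same version.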

For more information, see "Create Custom Login Experiences With Credential Providers For Windows Vista".