3.1 Windows Credential Providers

Credential Providers are in-process COM objects used to collect credentials for authentication. Credential Providers describe the credential information required for authentication to the Local Security Authority (LSA) or to an application. For an interactive user logon, this credential information is presented to the user in the form of a “tile” that contains informational and editable fields. Users interact with the tile by entering their usernames and passwords, then clicking a right-arrow button.

Figure 3-1 Windows Welcome Screen

In Windows 10, Windows 8, Windows 7, Windows Server 2012, Windows Server 2016, and Windows Server 2019, the Winlogon process launches the LogonUI process after it receives a secure attention sequence (SAS) event. LogonUI queries each Credential Provider for the number of credential tiles that it wants to display. A Credential Provider might, for example, display a tile for each local machine user. One of these tiles can be configured to be the default tile initially displayed to the user. After LogonUI has finished querying the Credential Providers for their tiles, it displays all of the enumerated tiles to the user. After the user supplies information for the requested fields, LogonUI submits the credentials for authentication.

Credential Providers are not enforcement mechanisms. They are used only to gather and serialize credentials. The Local Security Authority and authentication packages enforce security. Credential Providers are responsible for:

  • Describing the credential information required for authentication.

  • Handling communication and logic with external authentication authorities.

  • Packaging credentials for interactive network logon.

Even though multiple Credential Providers can be displayed to a user on a machine, only the one selected by the user is allowed to provide credentials to the interactive logon process.

3.1.1 Windows Live ID Based Credential Authentication

The Microsoft Windows Live ID based login is supported. To use this feature, ensure that your administrator has added your Windows Live ID to your PC. For more information on adding a Live ID to a Windows PC, refer to the Microsoft article Your life, connected. To create a Live ID, refer to How do I sign up for a Microsoft account?

Logging on to Your PC Using Windows Live ID

After your Live ID has been added to the PC and you have completed a successful Network login, enter your Live ID username and password in the Log on to this computer screen.

Figure 3-2 Windows Live ID Login Screen

In the Client for OES, users are expected to authenticate to the network first using the Client for OES Credential Provider and then to their PC using Live ID. Alternatively, you can combine your network login and your Windows Live ID login in the Network login screen.

To combine your network and Windows Live ID login:

  1. In the Network Login screen, click Show Advanced Options.

  2. In the Login dialog, on the Windows tab, type the Windows Live ID in the Local username text box and then click Apply.

    NOTE: Ignore the From: list box for now. It is disabled for a Windows Live ID login.

Figure 3-3 Network Login with Windows Live ID

Limitations of Windows Live ID Based Login

The Client for OES password sync feature, which synchronizes your Windows password with your eDirectory password, does not work with a Windows Live ID based login.

Figure 3-4 The Unsupported Password Sync Feature

Also, the change password feature is not supported by Client for OES when Windows Live ID is used to log in to the computer.

Figure 3-5 The Unsupported Client Change Password Feature