Authentication Package Proxy issue...

  • Question

  • Hello there!

    In order to migrate GINA code we have here to new Windows versions (Vista, 7 and 2008), we decided to implement a "Credential Provider Wrapper" (wrapping the default "PasswordProvider" and based on the "SampleWrapExistingCredentialProvider" code provided by Microsoft) and an "Authentication Package" (that is, in fact, a proxy to the "msv1_0.dll" Authentication Package) built from scratch.

    The "Credential Provider" is required, among other needs, to force the use of our "Authentication Package Proxy" when the user wants to log on to the machine. We accomplish that by changing the content of the "CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION" structure returned by the default "PasswordProvider" from the wrapped "GetSerialization" method invocation.

    In our "Authentication Package Proxy" we delegate the "LogonUserEx2" method invocation to the "msv1_0.dll" library and, in case of success, we perform additional credential validation on our solution's server by calling the "login" service.

    We have used an additional "Authentication Package Proxy" because our server "login" service must be called only after a successful logon operation executed by the user and with all credential information (domain, user and "clear" password). Using just the "Credential Provider", I would have to call our "login" service before the effective Windows logon result, placing our code in "GetSerialization", which is not desirable. Or I can put our service invocation in the "ReportResult" method, calling it if we receive an indication of a successful logon, but the result is not very good because the "Welcome" window is already on its way and the mouse pointer has disappeared.

    As far as I can see all over the Internet, the "Credential Provider" is the pattern that will probably be supported in all future versions of Windows but, as it lacks flexibility, it would be very desirable to be able to count on an "Authentication Package Proxy".

    I'm very afraid that the "Authentication Package Proxy" approach will not be supported on other Windows versions the way the "Credential Provider" will. For now I've tested only on Vista environments.

    What should I do ?

    Make all necessary effort to keep all our services logic in the "Credential Provider", or embrace the scenario above with both "CP-Wrapper" and "AP-Proxy" without fear?

    Can anyone give me a hint on that ?

    Thanks and best regards,

    Mauro.


    Tuesday, August 9, 2011 2:54 PM
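The design described in the post depends on two registration points that are worth knowing how to inspect: the custom authentication package must appear in the LSA "Authentication Packages" multi-string value (LSASS loads each listed name as a DLL from System32, and the credential provider selects it by the package ID it obtains from LsaLookupAuthenticationPackage and places in the serialization's ulAuthenticationPackage field), and the credential provider's CLSID must be registered under the Credential Providers key with a matching InprocServer32 entry. The script below is an added example, not the original poster's code, that lists both registration points and checks the Authenticode signature of every module they reference. It assumes an elevated PowerShell session on Windows Vista or later and is read-only; the two registry paths and the cmdlets used are standard Windows ones.

```powershell
# Added example (not the original poster's code): inventory the LSA authentication
# packages and the registered credential providers, and check each module's signature.
# Assumes an elevated PowerShell session on Windows Vista or later. Read-only.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$cpKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Resolve-LsaModule {
    param([string]$Entry)
    # "Authentication Packages" holds bare names such as msv1_0; LSASS loads <name>.dll
    # from System32. Rooted paths are taken as given after environment expansion.
    $path = [Environment]::ExpandEnvironmentVariables($Entry.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) {
        if ($path -notmatch '\.dll$') { $path += '.dll' }
        $path = Join-Path $env:SystemRoot "System32\$path"
    }
    $path
}

function Get-SignatureSummary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING on disk' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $who = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    '{0} ({1})' -f $sig.Status, $who
}

Write-Output '== LSA Authentication Packages (REG_MULTI_SZ; a clean install lists only msv1_0) =='
$aps = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages').'Authentication Packages'
foreach ($ap in $aps) {
    $path = Resolve-LsaModule -Entry $ap
    # Anything other than msv1_0 runs inside LSASS and receives the cleartext password,
    # so it deserves a second look, whether it is a product component or not.
    $tag = if ($ap -ieq 'msv1_0') { 'default' } else { 'NON-DEFAULT: review' }
    Write-Output ('{0,-20} {1,-20} {2}' -f $ap, $tag, $path)
    Write-Output ('{0,-20} {1}' -f '', (Get-SignatureSummary -Path $path))
}

Write-Output ''
Write-Output '== Credential Providers (CLSID, display name, InprocServer32 module) =='
foreach ($sub in Get-ChildItem -Path $cpKey) {
    $clsid = $sub.PSChildName
    $props = Get-ItemProperty -Path $sub.PSPath
    $name  = $props.'(default)'
    # A provider can be switched off with a Disabled DWORD under its CLSID key.
    $disabled = if ($props.PSObject.Properties['Disabled']) { [int]$props.Disabled } else { 0 }
    $srvKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $dll = if (Test-Path -LiteralPath $srvKey) {
        [Environment]::ExpandEnvironmentVariables(((Get-ItemProperty -Path $srvKey).'(default)').Trim('"'))
    } else { '<no InprocServer32 registration>' }
    $flag = if ($disabled) { ' [Disabled]' } else { '' }
    Write-Output ('{0} {1}{2}' -f $clsid, $name, $flag)
    Write-Output ('    {0}' -f $dll)
    if (Test-Path -LiteralPath $dll) { Write-Output ('    {0}' -f (Get-SignatureSummary -Path $dll)) }
}
```

The "NON-DEFAULT: review" tag is deliberate: an entry in "Authentication Packages" is loaded into LSASS and handed every interactive logon's domain, user name and cleartext password, which is exactly the position the proxy in the post occupies and also the position credential-theft tooling aims for. A product that ships such a package should expect it to be flagged by endpoint monitoring, should sign it, and on Windows 8.1 and later should account for LSA Protection (RunAsPPL), which refuses to load packages that are not signed to Microsoft's requirements.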