ICredentialProviderFilter::UpdateRemoteCredential not called for unlock usage scenario

  • Question

  • My Credential Provider is a two-step process. 1: gather username/password just like the built-in PasswordCredentialProvider, and 2: gather and verify a TOTP (yes, another MFA CP).

    The use case I'm trying to support with my credential provider is a system configured with NLA turned on, where the majority of the users will log on through an RDP (remote) client. If NLA is turned on then the CP should start on the 2nd step of gathering the TOTP. I don't even really care about the username or password, as I just pass the KERB_INTERACTIVE_UNLOCK_LOGON on down the line during GetSerialization. I do pull out the username and domain so I can tell the LogonUI which user is getting enumerated (otherwise you just get the generic Other User tile).

    My understanding is that for all this to work you have to have an ICredentialProviderFilter that implements the UpdateRemoteCredential method so that the ICredentialProvider::SetSerialization method will get called. I have done this and it works.... BUT... it only works if the user is completely logged off and the logon usage scenario is CPUS_LOGON. If there already exists an RDP session on the host and the usage scenario is CPUS_UNLOCK_WORKSTATION, the UpdateRemoteCredential method is never called and thus the SetSerialization method is never called. The Filter method is always called. Is there something I need to do in the Filter method to make sure UpdateRemoteCredential is called for both LOGON and UNLOCK scenarios?

    Also, the MSDN documentation for the ICredentialProvider::SetSerialization method says this: "SetSerialization is always called after SetUsageScenario." But that is not the case. I have only seen it get called if you implement ICredentialProviderFilter::UpdateRemoteCredential. Which I have, but it doesn't get called in all scenarios.

    Has anyone else run into this and overcome it? Is this a known bug, or am I likely doing something wrong?

    Any advice is appreciated.  Thanks!

    Friday, April 6, 2018 2:25 PM
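As an added example (not the poster's code), the blob the question passes through is a KERB_INTERACTIVE_UNLOCK_LOGON whose UNICODE_STRING Buffer fields hold byte offsets relative to the start of the blob rather than pointers; the code below packs one from constructed sample credentials and then pulls the domain and user back out with the bounds checks a CP should apply in SetSerialization. It assumes locally declared mirrors of the Windows structs (normally from <ntsecapi.h>) so it builds off-Windows.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
// Mirrors of the Windows structs (normally from <ntsecapi.h>), declared here with 16-bit
// characters so the example builds off-Windows; field order matches the originals.
struct UnicodeStr { uint16_t Length; uint16_t MaximumLength; char16_t* Buffer; };
struct KerbInteractiveLogon { uint32_t MessageType; UnicodeStr LogonDomainName, UserName, Password; };
struct KerbInteractiveUnlockLogon { KerbInteractiveLogon Logon; uint64_t LogonId; };

// Serialized form: the struct first, string bytes appended, and every Buffer field holding
// the string's byte offset from the start of the blob instead of a pointer.
static void append(std::vector<uint8_t>& blob, UnicodeStr& s, const std::u16string& v) {
  s.Length = s.MaximumLength = static_cast<uint16_t>(v.size() * sizeof(char16_t));
  s.Buffer = reinterpret_cast<char16_t*>(static_cast<uintptr_t>(blob.size()));
  const uint8_t* p = reinterpret_cast<const uint8_t*>(v.data());
  blob.insert(blob.end(), p, p + s.Length);
}

std::vector<uint8_t> packUnlockLogon(const std::u16string& domain, const std::u16string& user, const std::u16string& password) {
  KerbInteractiveUnlockLogon k{};
  k.Logon.MessageType = 2;  // KerbInteractiveLogon; unlock traffic uses KerbWorkstationUnlockLogon instead
  std::vector<uint8_t> blob(sizeof(k));
  append(blob, k.Logon.LogonDomainName, domain);
  append(blob, k.Logon.UserName, user);
  append(blob, k.Logon.Password, password);
  std::memcpy(blob.data(), &k, sizeof(k));  // header copied last, once all offsets are known
  return blob;
}

// Resolve one relative offset, rejecting anything that would read past the blob.
static bool resolve(const UnicodeStr& s, const std::vector<uint8_t>& blob, std::string& out) {
  uintptr_t off = reinterpret_cast<uintptr_t>(s.Buffer);
  if (s.Length > s.MaximumLength || off > blob.size() || s.Length > blob.size() - off) return false;
  std::u16string wide(s.Length / sizeof(char16_t), u'\0');
  std::memcpy(&wide[0], blob.data() + off, s.Length);
  out.assign(wide.begin(), wide.end());  // constructed sample input is ASCII, so narrowing is lossless
  return true;
}

// What a CP would do in SetSerialization: read domain and user to pick the tile to
// enumerate, while the blob itself is later handed on unchanged from GetSerialization.
bool domainAndUser(const std::vector<uint8_t>& blob, std::string& domain, std::string& user) {
  KerbInteractiveUnlockLogon k;
  if (blob.size() < sizeof(k)) return false;
  std::memcpy(&k, blob.data(), sizeof(k));
  return resolve(k.Logon.LogonDomainName, blob, domain) && resolve(k.Logon.UserName, blob, user);
}
```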

All replies

  • I've got the same problem: UpdateRemoteCredential is called only with the LOGON scenario. With the UNLOCK scenario, never :( But with the original MS provider everything is working OK: you can log on and unlock remotely and enter credentials only on the client side.
    Friday, July 20, 2018 1:51 PM
  • On W10 1803 everything is ok, but the problem exists on W10 1709.
    Monday, July 23, 2018 9:04 AM