ICredentialProviderFilter

  • Question

  • I wrote a class implementing ICredentialProviderFilter in order to not allow the Microsoft password provider to show up, because I need a two-factor logon.

    But I don't know why, the password provider always shows up.

    I'm writing the registry entry to register my filter.

    Is it possible to filter the Microsoft password provider?

    Is there any way I can know if my filter is being loaded?

    Thanks in advance

    Here is the code I'm using in the Filter method

     

    UNREFERENCED_PARAMETER(cpus);
    UNREFERENCED_PARAMETER(dwFlags);

    // Allow only our own provider; hide every other one.
    for (DWORD index = 0; index < cProviders; index++) {
        if (IsEqualGUID(rgclsidProviders[index], CLSID_CSampleProvider))
            rgbAllow[index] = TRUE;
        else
            rgbAllow[index] = FALSE;
    }

    return S_OK;

    Thursday, April 26, 2007 5:46 PM

All replies

  • I think the code is fine, but Vista is never loading my filter.
    So, I delete all the credential providers in the registry leaving only mine, I know, I won't get a MS certification, but when the only tool you have is a hammer, all the problems start to seem a nail
    Friday, April 27, 2007 12:46 PM
  • I wouldn't be so glib about editing the registry to unregister the Microsoft Password CredProv. You're going to have to do extra uninstall work to clean up what you did. Moreover, if there's a bug in Microsoft's filter implementation, that's deserving of a hotfix IMO. Microsoft had assured us that the only time the Password CredProv would show up when it is filtered out is if *all* Credential Providers somehow get filtered out. LogonUI has to show something.

     

    Can you verify your code works by having it filter out some other provider, like the Microsoft Smart Card provider or maybe a sample provider you register based on the public sample code?

     

    Any comment from MS?

     

    -Rob

    Friday, April 27, 2007 2:54 PM
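The allow-list loop from the question, combined with the caveat in the reply above (LogonUI shows the password provider when every provider is filtered out), as an added example that is not code from the thread. `AllowOnly` and the `kSample*` CLSIDs are hypothetical, and the typedefs are stand-ins used only when building off Windows.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

#ifdef _WIN32
#include <windows.h>
#else
// Stand-ins for the SDK types so the logic also builds off Windows.
typedef int BOOL;
typedef uint32_t DWORD;
struct GUID { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; };
#define TRUE 1
#define FALSE 0
#endif

// Constructed sample CLSIDs; none of these is a real provider.
static const GUID kSampleOwn    = {0x11111111, 0x1111, 0x1111, {1, 1, 1, 1, 1, 1, 1, 1}};
static const GUID kSampleOtherA = {0x22222222, 0x2222, 0x2222, {2, 2, 2, 2, 2, 2, 2, 2}};
static const GUID kSampleOtherB = {0x33333333, 0x3333, 0x3333, {3, 3, 3, 3, 3, 3, 3, 3}};

static bool SameGuid(const GUID& a, const GUID& b) {
    return std::memcmp(&a, &b, sizeof(GUID)) == 0;
}

// Hypothetical helper to call from Filter(). Hides every provider except
// `own` and returns true. If `own` is not in the list it returns false and
// leaves rgbAllow as received: denying every entry would not enforce anything,
// because (per the thread) LogonUI then shows the password provider anyway.
bool AllowOnly(const GUID& own, const GUID* rgclsidProviders,
               BOOL* rgbAllow, DWORD cProviders)
{
    bool present = false;
    for (DWORD i = 0; i < cProviders; i++)
        present = present || SameGuid(rgclsidProviders[i], own);
    if (!present)
        return false;  // caller should log this and return S_OK unchanged
    for (DWORD i = 0; i < cProviders; i++)
        rgbAllow[i] = SameGuid(rgclsidProviders[i], own) ? TRUE : FALSE;
    return true;
}

int main()
{
    GUID ids[3] = {kSampleOtherA, kSampleOwn, kSampleOtherB};
    BOOL allow[3] = {TRUE, TRUE, TRUE};
    bool ok = AllowOnly(kSampleOwn, ids, allow, 3);
    std::printf("own present=%d allow=%d,%d,%d\n", ok, allow[0], allow[1], allow[2]);
    return 0;
}
```

A false return is the condition worth logging: it means the custom provider was not offered to the filter, so hiding the others would leave no tile of your own.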
  • I know what I did sucks, and I shouldn't be doing it, but it is impossible to get some feedback.
    I have had another problem with resource integrity levels for months, and no one has a clue what could be happening, or at least no one replied to my post.
    Also I'm seeing lots of products that suggest to turn off protected mode in order to allow their BHOs to work, and I'm talking about Single Sign On products from recognized companies.
    Check eToken web Sign on manual from Aladdin soft, and you'll see it.

    If you boot in safe mode the password provider is shown, even if I delete the registry entry.

    I'll try installing a dummy provider just to see if I can filter it.

    thanks mate
    Friday, April 27, 2007 3:09 PM
  •  APX wrote:
    I think the code is fine, but Vista is never loading my filter.
    So, I delete all the credential providers in the registry leaving only mine, I know, I won't get a MS certification, but when the only tool you have is a hammer, all the problems start to seem a nail


    Be sure to have your filter properly registered. There should be a registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\<your filter CLSID> with a default value of your filter's name.

    Of course you must then have a valid CLSID record pointing to your filter's DLL. We have our filter together with our Credential Provider in the very same DLL and the registry entries are also similar. For our software, the filtering works well. I would not recommend deleting the MS Provider keys; it is much easier to use the filter.
    Wednesday, May 9, 2007 10:28 AM
  •  

    Hello,

     

    I am new to COM programming and want to use a wrapped CP to disable the MS in-box password provider. I've created a few custom CP's that function well, but that is because I've only had to use the classes that are defined for you by MS in their Sample Credentials.

     

    I've tried to implement ICredentialProviderFilter myself, but my filter function is not being invoked by LOGONUI. I have a subkey registered to HKLM/....../Credential Provider Filters so I don't believe that is the problem. I've had trouble finding help on the COM aspect of credential development, but disabling this provider is the final touch on a project I'm working on. I would greatly appreciate if someone could refer me to a helpful source or even post their class implementation for ICredentialProviderFilter.

     

    Thank you  

    Wednesday, August 1, 2007 9:26 PM
  • In the tests that I executed below, any actual filtration was disabled in method "Filter" for simplicity.  I am not an experienced COM programmer which is likely why my implementation failed.

     

    At first, I instantiated my filter from the constructor in CMyProvider (based on the MS example "CSampleProvider").  Methods "Filter" and "UpdateRemoteCredential" are never invoked in my filter.  Next I instantiated my filter in the same manner as CMyProvider via the class factory, etc.  This was worse in that no tiles appeared (pretty effective filtering!).

     

    The registry values look to be correct.

     

    How did you instantiate your filter object and from where?

     

    Thanks

    dmm

     

    Tuesday, April 8, 2008 7:38 PM
  • You shouldn't need to manually instantiate the filter. You just register it,
    and code enough of the COM boilerplate that when Windows asks your DLL for an
    instance, it can be generated. From your post, I'm not sure if you're doing
    that or not, so I'll go ahead and post some code samples for you and anyone
    else who comes looking.

    Here's a snippet from my "register.reg":

    Code Snippet
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{<LMSCredentialProvider GUID snipped>}]
    @="LMSCredentialProvider"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{<LMSCredentialProvider GUID snipped>}]
    @="LMSCredentialProvider"

    [HKEY_CLASSES_ROOT\CLSID\{<LMSCredentialProvider GUID snipped>}]
    @="LMSCredentialProvider"

    [HKEY_CLASSES_ROOT\CLSID\{<LMSCredentialProvider GUID snipped>}\InprocServer32]
    @="LMSCredentialProvider.dll"
    "ThreadingModel"="Apartment"

     

     


    As mentioned in the other thread, I have a separate class for the filter in
    the same DLL.

    Here is CLMSFilter.h:

    Code Snippet
    #pragma once
    #include "credentialprovider.h"
    // The post's two <...> header names were lost; windows.h supplies the
    // Win32 types used below.
    #include <windows.h>
    #include "dll.h"

    // This class implements ICredentialProviderFilter, which is responsible for
    // filtering out other credential providers.
    // The LMS Credential Provider uses this to mask out the default Windows
    // provider.
    class CLMSFilter : public ICredentialProviderFilter
    {
    public:
        // This section contains some COM boilerplate code

        // IUnknown
        STDMETHOD_(ULONG, AddRef)()
        {
            // Pre-increment so the new reference count is returned.
            return ++_cRef;
        }

        STDMETHOD_(ULONG, Release)()
        {
            // Pre-decrement so the object is deleted when the count reaches zero.
            LONG cRef = --_cRef;
            if (!cRef)
            {
                delete this;
            }
            return cRef;
        }

        STDMETHOD (QueryInterface)(REFIID riid, void** ppv)
        {
            HRESULT hr;
            if (IID_IUnknown == riid ||
                IID_ICredentialProviderFilter == riid)
            {
                *ppv = this;
                reinterpret_cast<IUnknown*>(*ppv)->AddRef();
                hr = S_OK;
            }
            else
            {
                *ppv = NULL;
                hr = E_NOINTERFACE;
            }
            return hr;
        }

    public:
        friend HRESULT CLMSFilter_CreateInstance(REFIID riid, __deref_out void** ppv);

        // Implementation of ICredentialProviderFilter
        IFACEMETHODIMP Filter(CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus, DWORD dwFlags,
                              GUID* rgclsidProviders, BOOL* rgbAllow, DWORD cProviders);
        IFACEMETHODIMP UpdateRemoteCredential(
            const CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcsIn,
            CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcsOut);

    protected:
        CLMSFilter();
        __override ~CLMSFilter();

    private:
        LONG _cRef;
    };

     

     


    You shouldn't need to do anything special with your CredentialProvider class.

    You will also need to modify dll.cpp to know about your Credential Provider
    filter class. I believe the only changes I made to the basic MS sample were:
    1. add "extern HRESULT CLMSFilter_CreateInstance(REFIID riid, void** ppv);"
    towards the top of the file.
    2. Modify the function with signature "STDMETHOD (CreateInstance)(IUnknown*
    pUnkOuter, REFIID riid, void** ppv)" to be as follows:

    Code Snippet
    STDMETHOD (CreateInstance)(IUnknown* pUnkOuter, REFIID riid, void** ppv)
    {
        HRESULT hr;
        if (!pUnkOuter)
        {
            if (IID_ICredentialProvider == riid)
                hr = CLMSProvider_CreateInstance(riid, ppv);
            else if (IID_ICredentialProviderFilter == riid)
                hr = CLMSFilter_CreateInstance(riid, ppv);
            else
            {
                // Any other interface is rejected, so hr is always set.
                *ppv = NULL;
                hr = E_NOINTERFACE;
            }
        }
        else
        {
            hr = CLASS_E_NOAGGREGATION;
        }
        return hr;
    }

     

     


    I think that's everything. Go ahead and check your code against what I've
    posted: hopefully, there's something there that will help you out.

    Wednesday, April 9, 2008 2:29 PM
  • I may be missing something but you don't seem to have an actual implementation of CLMSFilter_CreateInstance?? What gets called from dll.cpp?
    Wednesday, October 6, 2010 5:37 PM
  • Hi sushi_cw,

    I have working credential provider code here, and I want to filter out the Microsoft credentials. I am following your guidelines, but I have a problem implementing your second part. I get an error saying that IID_ICredentialProvider and IID_ICredentialProviderFilter are not yet declared. How and where do I declare them?

    Thanks,

    Reinardus

    Tuesday, June 21, 2011 4:12 AM