Booting in safe mode, Vista never calls custom Credential Provider

    Question

  • When booting in safe mode, why does LogonUI never call a custom Credential Provider?

     

     

    many thanks!

    Tuesday, May 22, 2007 9:08 AM

All replies

  • In safe mode, by default, only the built-in CPs are loaded.

    It's handling the cases where a faulting CP or filter could prevent logon altogether.

    Wednesday, May 23, 2007 10:36 PM
  • Eric,

     

    I understand the need to protect against a faulting CP, but given this functionality, is there any way for an administrator to enforce logon policy and require the use of a 3rd party CP? Perhaps a local/group policy that allows you to set safe mode to allow the use of add-on CPs as well as the filtering of built-in CPs? You could test out a new CP with this policy off and once you were satisfied that the CP worked, you could change the policy.

     

    -Rob

    Wednesday, May 23, 2007 10:54 PM
  • I said it was by default...

    This is covered in the FAQ (Appendix A of the RTM Cred Provider Sample Overview).

      

    Q: My implementation of ICredentialProviderFilter is not loaded in SAFE mode. Is this a bug? Is there a way to run my Filter in SAFE mode?

    A: This is not a bug. SAFE mode is intended to serve as a workaround in order to correct or repair operating systems malfunctioning due to incorrectly configured components such as device drivers. By default, only the in-box Password Provider is loaded in SAFE mode. The in-box Smart Card Provider is also available if the machine is booted into SAFE mode with networking. This provides a fallback in case of a bad error. To override the fallback logic and force LogonUI to load Credential Provider filters in SAFE mode, create and set the following registry key:

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]

    "ProhibitFallbacks"=dword:1

     

    In my opinion, you should not set this as part of your installation, at least not without explicit consent.

    This is for the administrator of the machine to handle.

    One CP and its filter only allowing its CP to run is fine.

    But another CP could do that too. If the 2 CPs and their filters run on the same machine, all CPs will be filtered out... and you won't be able to log on.

    Safe mode could help if fallbacks aren't prohibited.

    Note that it might be smarter for the filters to never remove a CP that's the last one allowed...

     

    Thursday, May 24, 2007 9:45 PM
  • Thanks Eric.

     

    One interesting note - you mention that two Credential Providers could conflict, filtering out each other and all other Credential Providers and leaving the user no way to log on to the system. I remember someone else from Microsoft telling me last year that this situation would trigger a forced fallback to the Microsoft password provider. So I guess that functionality was never implemented, eh? I guess it isn't the only place where developers have more than enough rope to hang their customers with. :-)

     

    -Rob

    Friday, May 25, 2007 11:58 AM
  • It is implemented and will happen by default.

    But by specifying this key, you express intention to not have this fallback...

    Friday, May 25, 2007 6:54 PM
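
A read-only PowerShell check an administrator could run to see whether the fallback discussed in this thread has been disabled on a machine and which providers and filters are registered. This is an added example, not code from the thread or from the Credential Provider sample; the function names are hypothetical, the `Credential Provider Filters` key path is not given in the thread, and the wording of the findings is an interpretation of the replies above.

```powershell
# Added audit example, not code from the thread. Read-only; run from 64-bit PowerShell
# so the registry view is not redirected to WOW6432Node.
$authRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$cpKey     = Join-Path $authRoot 'Credential Providers'         # key named in the thread
$filterKey = Join-Path $authRoot 'Credential Provider Filters'  # not named in the thread

# Hypothetical helper: list the CLSID subkeys of a key with friendly name and COM server DLL.
function Get-RegisteredClsid {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $Path) {
        $clsid  = $sub.PSChildName
        $server = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid = $clsid
            Name  = $sub.GetValue('')                               # default value of the subkey
            Dll   = if ($server) { $server.GetValue('') } else { $null }
        }
    }
}

# Hypothetical helper: summarise the lockout exposure described in the thread.
function Get-CredentialProviderFallbackAudit {
    $value     = (Get-ItemProperty -LiteralPath $cpKey -Name 'ProhibitFallbacks' -ErrorAction SilentlyContinue).ProhibitFallbacks
    $providers = @(Get-RegisteredClsid -Path $cpKey)
    $filters   = @(Get-RegisteredClsid -Path $filterKey)
    $finding = if ($value -ne 1) {
        'ProhibitFallbacks is not set to 1: the default fallbacks described in the thread apply.'
    } elseif ($filters.Count -ge 2) {
        'ProhibitFallbacks=1 with several filters registered: check that they cannot filter out every provider.'
    } else {
        'ProhibitFallbacks=1: safe mode will not bypass the registered filters; confirm this was an administrator decision.'
    }
    [pscustomobject]@{
        ProhibitFallbacks = $value
        Providers         = $providers
        Filters           = $filters
        Finding           = $finding
    }
}

$audit = Get-CredentialProviderFallbackAudit
$audit | Format-List ProhibitFallbacks, Finding
$audit.Filters   | Format-Table Clsid, Name, Dll -AutoSize
$audit.Providers | Format-Table Clsid, Name, Dll -AutoSize
```

The filter count includes any filters shipped with the operating system, so review the `Dll` column to see which entries come from add-on software.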