
Porting a custom Gina to a Credential provider

I am still amazed by the popularity of my replacement Gina (it allows any user to unlock). Most users are quite happy using it with Windows XP and Server 2003, but I do get the occasional request for a Vista port. I am looking forward to doing it, but there are important design changes that I must work with. I think I found a way to have a single-source solution, Gina and Credential Provider, with a clean architecture on any Windows version.

Credential Providers cannot make an authentication decision. They only collect credentials. The approach I took in “Aucun” is that the Gina actually makes the authentication decision. That will not work under the new Credential provider architecture.

When I started looking at porting my Gina to a Credential Provider, I first thought of saving the initial credentials (when the first user logs on), then checking any other user's credentials in my own Credential Provider and, if all is good, replaying the initial credentials.

That bothered me on several grounds:

  • An unlock event would be logged for the initial user, although that user never unlocked the workstation
  • I don't like saving passwords, even in encrypted memory
  • That architecture didn't look like something that would last

Looking deeper into the Credential Provider interface, I saw that there is one decision a Credential Provider can make: it can select which Authentication Package will honor the logon request (or unlock request, in my case). That takes place in my (your) ICredentialProviderCredential::GetSerialization, by setting the ulAuthenticationPackage field of the CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure.

So I believe the right way of doing this is to have two components:

  1. An authentication package that implements the unlock policy (any user can unlock, depending on group membership).
  2. A credential provider that collects the credentials (and, while you're at it, the session you want to unlock) and instructs winlogon to forward them to the "unlock" authentication package.

That architecture fixes all three points above. And as a bonus, I can greatly simplify my existing Gina by merely collecting the credentials and forwarding them to the same authentication package. No need to hook dialog procedures and send magic, reverse-engineered constants to winlogon. In short, instead of making the Credential Provider look like a Gina, I make the Gina behave like a Credential Provider.
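The two-component split above can be sketched in code: the credential provider only packs what it collected and names the package in GetSerialization, and the authentication package is where the credentials are actually examined. This is an added example, not code from Aucun or from the post. It assumes stand-in definitions for the SDK types (so it builds without credentialprovider.h), a constructed package table in place of LsaLookupAuthenticationPackage, and an invented length-prefixed blob format for a hypothetical package named "AucunUnlock". The package-side parser shows the check a practitioner would want: the blob arrives in LSASS from a less trusted caller, so every read is bounds-checked and a malformed blob is rejected rather than parsed.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-ins for the SDK types (assumed here so the example builds without
// credentialprovider.h); the field order mirrors the real structure.
typedef uint32_t ULONG; typedef uint8_t BYTE;
struct GUID { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; };
struct CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION {
    ULONG ulAuthenticationPackage;  // which LSA package receives the request
    GUID  clsidCredentialProvider;  // CLSID of the provider that produced it
    ULONG cbSerialization;          // byte length of rgbSerialization
    BYTE* rgbSerialization;         // opaque blob in the package's own format
};

// Constructed stand-in for LsaLookupAuthenticationPackage(): LSA maps a registered
// package name to a numeric id. The table and the ids are made up for the example.
ULONG LookupAuthenticationPackage(const std::string& name) {
    static const std::map<std::string, ULONG> registered = {
        {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", 0}, {"Kerberos", 1},
        {"AucunUnlock", 2},  // hypothetical name of the custom "unlock" package
    };
    auto it = registered.find(name);
    if (it == registered.end()) throw std::runtime_error("unknown package: " + name);
    return it->second;
}

// Assumed wire format for the custom package: little-endian, length-prefixed, no
// embedded pointers.  u32 magic | u32 sessionId | u32 n | user | u32 n | password
static const uint32_t kUnlockMagic = 0x554C4B31;  // constructed tag
static const uint32_t kMaxFieldLen = 256;         // cap on user/password bytes
struct UnlockRequest { uint32_t sessionId; std::string user, password; };

static void PutU32(std::vector<BYTE>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<BYTE>(v >> (8 * i)));
}
static void PutString(std::vector<BYTE>& out, const std::string& s) {
    PutU32(out, static_cast<uint32_t>(s.size()));
    out.insert(out.end(), s.begin(), s.end());
}
std::vector<BYTE> PackUnlockRequest(const UnlockRequest& req) {
    std::vector<BYTE> blob;
    PutU32(blob, kUnlockMagic);
    PutU32(blob, req.sessionId);
    PutString(blob, req.user);
    PutString(blob, req.password);
    return blob;
}

// Credential-provider side, the shape of ICredentialProviderCredential::GetSerialization:
// collect, pack, and name the package. No authentication decision is made here.
bool GetSerialization(const UnlockRequest& req, CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* out) {
    std::vector<BYTE> blob = PackUnlockRequest(req);
    // On Windows this buffer must come from CoTaskMemAlloc, since LogonUI frees it with CoTaskMemFree.
    BYTE* buf = new BYTE[blob.size()];
    std::memcpy(buf, blob.data(), blob.size());
    out->ulAuthenticationPackage = LookupAuthenticationPackage("AucunUnlock");
    out->clsidCredentialProvider = GUID{};  // the provider's own CLSID goes here
    out->cbSerialization = static_cast<ULONG>(blob.size());
    out->rgbSerialization = buf;
    return true;
}

// Authentication-package side. The blob reaches LSASS from a less trusted caller, so
// every read is bounds-checked and anything malformed is rejected before use.
struct BlobReader {
    const BYTE* p; ULONG len; ULONG off;
    bool U32(uint32_t* v) {
        if (len - off < 4) return false;
        *v = 0; for (int i = 0; i < 4; ++i) *v |= static_cast<uint32_t>(p[off + i]) << (8 * i);
        off += 4; return true;
    }
    bool Str(std::string* s) {
        uint32_t n;
        if (!U32(&n) || n > kMaxFieldLen || len - off < n) return false;
        s->assign(reinterpret_cast<const char*>(p + off), n);
        off += n; return true;
    }
};
bool UnpackUnlockRequest(const BYTE* buf, ULONG len, UnlockRequest* req) {
    BlobReader r{buf, len, 0};
    uint32_t magic;
    if (!r.U32(&magic) || magic != kUnlockMagic) return false;
    if (!r.U32(&req->sessionId) || !r.Str(&req->user) || !r.Str(&req->password)) return false;
    return r.off == len;  // trailing bytes are as suspicious as missing ones
}

// Round trip plus two malformed blobs; returns 0 when every check passes.
int SelfCheck() {
    UnlockRequest in{3, "alice", "s3cret"}, out{};
    CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION s{};
    if (!GetSerialization(in, &s) || s.ulAuthenticationPackage != 2) return 1;
    if (!UnpackUnlockRequest(s.rgbSerialization, s.cbSerialization, &out)) return 2;
    if (out.sessionId != 3 || out.user != "alice" || out.password != "s3cret") return 3;
    if (UnpackUnlockRequest(s.rgbSerialization, s.cbSerialization - 1, &out)) return 4;  // truncated
    s.rgbSerialization[0] ^= 0xFF;  // corrupt the magic
    if (UnpackUnlockRequest(s.rgbSerialization, s.cbSerialization, &out)) return 5;
    delete[] s.rgbSerialization;
    return 0;
}
```

In the real interface GetSerialization also reports CPGSR_RETURN_CREDENTIAL_FINISHED through its response out-parameter and allocates the blob with CoTaskMemAlloc; those details are left out here so the example stays buildable outside Windows. The design point is in SelfCheck: the provider never looks at the password, and the package never trusts the length fields it is handed.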

Authentication packages are the same under Vista and XP, which is a good thing. But to debug them, you need the scary kernel remote debugging tools, and you need to reboot every time you mess up. I do have a working authentication package from the CVS NT source code, and another called YPAuth (YP means yellow pages, the old name of NIS). Neither of them supports the unlock scenario, though…

Stay tuned !

5 Comments

  1. Bear wrote:

    YP is “yellow pages”, the old name for NIS before some phone company made them change it for violating their copyright. You should be able to find it on any linux distribution, although you’ll almost certainly have to download it from a repository.

    Guillaume Reply:

    Thank you for the information, I updated the post !

    Wednesday, February 25, 2009 at 11:59
  2. I love this thing, it’s exactly what I need. Luckily, the machine I need it for has to stay XP for now due to a driver issue, but I look forward to your vista version for the future (and for other applications). Thanks!

    Guillaume Reply:

    Thank you for your comment! A new version is coming soon (September 2009). It will not be Vista compatible, but it has all the ground work to make it happen. I expect to have the Vista version at the end of 2009.

    Monday, July 27, 2009 at 22:25
  3. Abhay wrote:

    Hi,
    I really needed that. Waiting for your new version of Vista. I would love to make contribution if there is anything that you can push me to do.

    Thanks
    Abhay

    Tuesday, September 8, 2009 at 1:31
  4. Any1 wrote:

    Me waiting for Vista/7 version too…

    Saturday, February 6, 2010 at 1:45
  5. Lisa wrote:

    Any updates on when your Vista/Win7 version will be ready? Did you start working on it already?

    Guillaume Reply:

    Yes, I started working on it again in October, but ran into issues finding where to fit in the Credential Provider architecture.

    I posted an update with the full story here: http://www.paralint.com/blog/2011/03/24/unlocking-another-users-session-using-credential-providers/

    Wednesday, March 23, 2011 at 17:00