
Unlocking another user’s session using Credential Providers

I have been working a little bit lately on a Credential Provider port of my custom GINA. I did some tests, I poked around the API and I whipped together something I could load and play with. The route I first thought of taking is still the right one, but I ran into some unexpected problems.

Microsoft's new architecture is better, but the separation it enforces makes it hard to play tricks with the security policy. First, there are no shortcuts with Credential Providers. The documentation is explicit:

CredentialProviders are not enforcement mechanisms. They are used to gather and serialize credentials. The Local Authority and Authentication Packages enforce security.

So we have to use an authentication package together with the credential provider. Nothing we didn't see coming. I have played with authentication packages before; it is just a matter of writing one.
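To see concretely what the split described above looks like on a running machine, here is an added PowerShell example (not code from the original post or from the GINA project). It reads the registry locations where LogonUI looks for credential providers and provider filters, resolves each CLSID to the DLL that implements it, and then lists the authentication packages the LSA loads. The registry paths are the documented registration points; the assumption is a Windows 7 or later host and a PowerShell session with read access to HKLM (64-bit PowerShell on a 64-bit host, so the unredirected view is read).

```powershell
# Added example: enumerate what LogonUI (credential providers) and the LSA
# (authentication packages) will load. Assumes Windows 7+ and read access
# to HKLM; run from 64-bit PowerShell on a 64-bit host.

$cpRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$filterRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegisteredProvider {
    # Each subkey name under $Root is a CLSID in braces; the default value is
    # the provider's friendly name. The COM registration under HKCR\CLSID tells
    # us which DLL LogonUI will actually load for that CLSID.
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $com   = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                  -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid    = $clsid
            Name     = $props.'(default)'
            Dll      = if ($com) { $com.'(default)' } else { '<no InprocServer32>' }
            # A provider can be switched off without unregistering it by adding
            # a DWORD named Disabled = 1 under its CLSID key.
            Disabled = [bool]$props.Disabled
        }
    }
}

Write-Host '== Credential providers (gather/serialize credentials; not enforcement) =='
Get-RegisteredProvider -Root $cpRoot | Format-Table -AutoSize

Write-Host '== Credential provider filters =='
Get-RegisteredProvider -Root $filterRoot | Format-Table -AutoSize

Write-Host '== LSA authentication packages (these enforce the logon decision) =='
# REG_MULTI_SZ; on a stock machine this is msv1_0 and whatever else is installed.
(Get-ItemProperty -Path $lsaKey).'Authentication Packages'
```

A custom provider shows up in the first table only after its CLSID key is created under the `Credential Providers` key and its COM server is registered; a custom authentication package has to be named in the `Authentication Packages` value and is loaded by the LSA at the next boot. Diffing these two listings before and after installing a component is also a quick way to audit a machine for third-party logon code.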

Second, LogonUI will not kill another user's session. I am able to get a credential provider tile on the unlock screen and log on with administrator credentials, but then I get this error message:

This computer is locked. Only the logged on user can unlock the computer.

Which makes some sense: why kill (or unlock) a user's session if you can just start a new session next to it? Unfortunately, it does not help with the most common use case my custom GINA users need to solve: many users need to access a single application running in a single session.

But I haven’t given up yet.

I tested on Windows 7 Ultimate 64-bit, with and without fast user switching. If you are ever able to unlock another user's session, write a line in the comments. I would love to hear about it.


4 Comments

  1. Alex Romp wrote:

    So what do you think the prognosis for being able to unlock another user’s session with a credential provider is? Did Microsoft make it impossible under the new version? I’d be interested to know where you are with this project. It’s a very cool idea. I wish I’d known about your GINA back when we needed that, but unfortunately the systems we use now are all based on Win7 or Server 2008 R2. We would be interested in a working version if you have one sometime, and we’d be willing to purchase it.

    Guillaume Reply:

    It all depends on how Winlogon and LogonUI interact after talking to the credential provider. And to be honest, I have yet to figure it out:

    What must the authentication package return in order to unlock the session?
    Does it have to return the token or not?
    Does it matter if the first tile wasn't the one that the current user was logged on with?

    Thank you for the offer of funding my work. The GINA is open source but making this CredentialProvider turns out to be hard enough that I might accept donations.

    Thursday, September 29, 2011 at 15:35 | Permalink
  2. Rob wrote:

    keep us updated!

    Guillaume Reply:

    It is going slowly, but I have not given up just yet…

    Thursday, March 22, 2012 at 15:28 | Permalink
  3. Bob Johnson wrote:

    Any luck? Are you willing to share what you have so far?

    Guillaume Reply:

    I am willing, yes, but I haven't spent any time on this for quite some time. I hang around Stack Overflow (and SuperUser and ServerFault); maybe asking a question there will help move forward?

    Wednesday, June 6, 2012 at 14:51 | Permalink
  4. Ben wrote:

    Thumbs up. I hope you succeed with this. We use the original version in a charity org with heaps of volunteers using computers for a brief time only. Having a communal shared login was the original nightmare approach, and when we finally issued everyone with their own logons, the frequent problem was finding a shared computer locked by a user who'd left for the day. Being able to delegate certain staff to check that nothing important was running in the locked session, then log it out without giving them admin privileges, was brilliant. I've got all my fingers and toes crossed that there is somehow a way to do this in Win7, as that's our next frontier. Keep up the good work.

    Sunday, September 2, 2012 at 19:41 | Permalink