NEW! Windows Vista Credential Provider Samples

Five Credential Provider samples are available for download on Microsoft.com. These samples are designed for Windows Vista RTM (build 6000) and allow ISVs to customize logon in the way GINA replacements did. A technical reference is also available for download.
 
If you have any comments or questions about these samples or documentation, please contact credprov@microsoft.com. These samples are provided by the Windows Shell team and are not in the Windows Vista RTM SDK. Credential Provider samples will be added to future versions of the Windows SDK.

About Credential Providers

Credential Providers are in-process COM objects used to collect credentials in Windows Vista. To develop a Credential Provider you will need Windows Vista and the Windows Vista SDK. You should also be reasonably familiar with programming Windows, be comfortable with Windows Security concepts, and be a reasonably experienced COM programmer.

Introduction from the Technical Reference

This document describes the Credential Provider Framework. It is intended to be read by developers and IT Professionals who wish to implement custom authentication mechanisms for Windows Vista.

Before Windows Vista, organizations requiring custom authentication mechanisms for Windows logon were forced to replace the Microsoft Graphical Identification and Authentication Dynamic Link Library (MSGINA DLL) with their own GINA. In general, this architecture caused many problems for software vendors and IT professionals. Specifically, GINAs required constant upkeep and would routinely break with the release of each service pack or new version of Windows. Another drawback of the GINA replacement model is that code written for authentication at logon did not naturally extend to authentication in Credential UI.

This limitation is removed in Windows Vista with the advent of the Windows Vista Credential Provider Framework.

In previous versions of Windows (such as Windows XP), MSGINA.DLL (or its replacement) was loaded after Winlogon detected a Secure Action Sequence (SAS) event. The user would enter their authentication credentials and then the GINA would pass this information back to Winlogon for authentication.

In Windows Vista, Winlogon always launches Logon UI after it receives a SAS event. Logon UI queries each Credential Provider for the number of credentials it wishes to enumerate. Credential Providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, Logon UI displays them to the user. The user interacts with a tile to supply their credentials. Logon UI submits these credentials for authentication.
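A portable C++ model of the enumeration pass just described, added here as an example and not part of Microsoft's samples or the SDK. The MockProvider type, the kNoDefault constant and the tie-break policy (first valid default wins; a provider whose call fails or whose default is out of range claims no default) are assumptions standing in for the real ICredentialProvider COM interface so the code builds without the Windows SDK.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Mirrors CREDENTIAL_PROVIDER_NO_DEFAULT from credentialprovider.h (redefined to avoid the SDK).
constexpr uint32_t kNoDefault = 0xFFFFFFFFu;
// Stand-in for one registered provider (assumption: only the enumeration call of the
// real ICredentialProvider COM interface is modelled).
struct MockProvider {
    std::string name; uint32_t count, def; bool autoLogon, fails;
    MockProvider(std::string n, uint32_t c, uint32_t d, bool a, bool f = false)
        : name(n), count(c), def(d), autoLogon(a), fails(f) {}
    // Same shape as ICredentialProvider::GetCredentialCount(DWORD*, DWORD*, BOOL*);
    // false stands in for the failed HRESULT a real provider could return.
    bool GetCredentialCount(uint32_t* pCount, uint32_t* pDefault, bool* pAutoLogon) const {
        if (fails) return false;
        *pCount = count; *pDefault = def; *pAutoLogon = autoLogon;
        return true;
    }
};
struct Tile { std::string provider; uint32_t index; };
struct Enumeration {
    std::vector<Tile> tiles;
    int defaultTile = -1;   // position in tiles; -1 when no provider claimed a valid default
    bool autoLogon = false; // meaningful only for the winning default tile
};
// Model of the Logon UI pass over all registered providers. Assumed policy: a failing
// provider contributes no tiles, an out-of-range default is ignored, first valid default wins.
Enumeration EnumerateTiles(const std::vector<MockProvider>& providers) {
    Enumeration out;
    for (const MockProvider& p : providers) {
        uint32_t count = 0, def = kNoDefault; bool autoLogon = false;
        if (!p.GetCredentialCount(&count, &def, &autoLogon)) continue;
        for (uint32_t i = 0; i < count; ++i) {
            out.tiles.push_back({p.name, i});
            if (out.defaultTile < 0 && def == i) { // kNoDefault never equals a tile index
                out.defaultTile = static_cast<int>(out.tiles.size()) - 1;
                out.autoLogon = autoLogon;
            }
        }
    }
    return out;
}
// Constructed sample: one failing provider and one claiming an out-of-range default.
std::vector<MockProvider> SampleProviders() {
    return {MockProvider("password", 2, kNoDefault, false), MockProvider("smartcard", 1, 0, true),
            MockProvider("broken", 1, 0, true, true), MockProvider("outofrange", 1, 7, true),
            MockProvider("pin", 1, 0, false)};
}
```

With the sample set, five tiles are listed, the smart card tile (position 2) is the default with autologon, and the later "pin" default does not displace it.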

Combined with supporting hardware, Credential Providers can extend the Microsoft Windows operating system to enable users to log on through biometric (fingerprint, retinal, or voice recognition), password, PIN and Smart Card certificate, or any custom authentication package and schema a third party developer desires to create. Corporations and IT Professionals may develop and deploy custom authentication mechanisms for all domain users and may explicitly require users to use this custom logon mechanism.

Credential Providers are not enforcement mechanisms. They are used to gather and serialize credentials. The Local Authority and authentication packages enforce security.

Credential Providers may be designed to support Single Sign On (SSO), authenticating users to a secure network access point (leveraging RADIUS and other technologies) as well as machine logon. Credential Providers are also designed to support application-specific credential gathering, and may be used for authentication to network resources, joining machines to a domain, or to provide administrator consent for User Account Control.

Multiple Credential Providers may co-exist on a machine.

Credential Providers are registered on a Windows Vista machine and are responsible for:

  • Describing the credential information required for authentication
  • Handling communication and logic with external authentication authorities
  • Packaging credentials for interactive and network logon