
I have a Windows credential provider v2 (Windows 10) for adding OTP authentication to password login. So after entering the password, the user must enter an OTP to log in to Windows.

My problem is that even if the wrong password is entered, the operation continues and after entering the OTP, the user sees the wrong password message.

Is there any way to make sure the password is correct first and only then check the OTP?

As a solution I used the `LogonUserEx` method in the `GetSerialization` function, but sometimes I have problems with this. For example, when the user's password has expired, this function returns false.

```cpp
// Inside GetSerialization: pre-validate the password before moving on to the OTP step.
// LogonUserEx returns FALSE on failure; the reason is available from GetLastError().
if (!LogonUserEx(pszUsername, pszDomain, pszPassword,
                 LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50,
                 NULL, NULL, NULL, NULL, NULL))
{
    // Stay on the tile and show the message instead of handing the credential to Winlogon.
    *pcpgsr = CPGSR_NO_CREDENTIAL_NOT_FINISHED;
    SHStrDupW(L"Incorrect User Name or Password! Please try again ...", ppwszOptionalStatusText);
    *pcpsiOptionalStatusIcon = CPSI_ERROR;
    return hr;   // hr: the HRESULT GetSerialization has built so far
}
```
Asked by VOLVO
  • `LogonUserEx` does not return a `true` / `false` error sign. It returns a full error code. Which one is it in your case? – Alexander Jul 11 '22 at 07:33
  • Have a look at the error code `3221225585 / C0000071`, expired password. Found it [here](https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter4). – Alexander Jul 11 '22 at 14:45
  • `LogonUserEx` is always the wrong choice here. You need to call `LsaLogonUser`. In the case of `STATUS_PASSWORD_EXPIRED` (like any other error), you need to pass it to the system as is. – RbMm Jul 12 '22 at 22:35
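
The following is an added example, not code from the question or from either commenter. It keeps the question's `LogonUserEx`/`LogonUser` pre-check (RbMm's comment argues for `LsaLogonUser` instead) and shows the piece the comments point at: reading the Win32 error code after the failed call and treating only `ERROR_LOGON_FAILURE` as "wrong password". `ERROR_PASSWORD_EXPIRED` (the Win32 counterpart of the NTSTATUS `0xC0000071` Alexander cites) and `ERROR_PASSWORD_MUST_CHANGE` mean the password was accepted and the account needs a password change, so the OTP step should continue and the credential should then be handed to the system unchanged. The constants, the `PreCheck` enum and the function names are this example's own; the error-code values are the standard `winerror.h` ones, reproduced under `#ifndef _WIN32` so the classification compiles and can be tested off-Windows.

```cpp
// Added example (not the question's code): classify the error reported by GetLastError()
// after a failed LogonUserEx/LogonUser call, so that only a genuinely rejected password
// stops the flow before the OTP prompt.

#ifdef _WIN32
#include <windows.h>          // supplies DWORD, the ERROR_* codes and LogonUserW
#else
// Off-Windows build: winerror.h values reproduced so the logic compiles and can be unit-tested.
// Constants only; no logon is attempted here.
typedef unsigned long DWORD;
#define ERROR_LOGON_FAILURE          1326L  // user name or password is wrong
#define ERROR_ACCOUNT_RESTRICTION    1327L
#define ERROR_INVALID_LOGON_HOURS    1328L
#define ERROR_INVALID_WORKSTATION    1329L
#define ERROR_PASSWORD_EXPIRED       1330L  // Win32 form of STATUS_PASSWORD_EXPIRED (0xC0000071)
#define ERROR_ACCOUNT_DISABLED       1331L
#define ERROR_LOGON_TYPE_NOT_GRANTED 1385L
#define ERROR_ACCOUNT_EXPIRED        1793L
#define ERROR_PASSWORD_MUST_CHANGE   1907L  // "user must change password at next logon"
#define ERROR_ACCOUNT_LOCKED_OUT     1909L
#endif

// Outcome of the pre-check from the credential provider's point of view (example-specific type).
enum class PreCheck {
    PasswordOk,            // logon succeeded: safe to ask for the OTP
    PasswordOkNeedsChange, // password accepted but expired / must change: ask for the OTP,
                           // then submit as usual so Winlogon runs the change-password flow
    DeferToSystem,         // password not proven wrong (lockout, disabled, hours, ...):
                           // ask for the OTP and submit as usual; the system reports the condition
    PasswordWrong          // the only outcome that justifies stopping before the OTP prompt
};

// Map the error code of a failed logon to the decision above.
PreCheck ClassifyLogonError(DWORD err) {
    switch (err) {
    case ERROR_LOGON_FAILURE:
        return PreCheck::PasswordWrong;
    case ERROR_PASSWORD_EXPIRED:
    case ERROR_PASSWORD_MUST_CHANGE:
        return PreCheck::PasswordOkNeedsChange;
    default:
        // Lockout, disabled account, logon hours, workstation restriction, logon type, ...
        // The password may well be right; pass the credential through unchanged.
        return PreCheck::DeferToSystem;
    }
}

// The gate the question asks for: proceed to the OTP tile unless the password is provably wrong.
bool ContinueToOtp(PreCheck c) { return c != PreCheck::PasswordWrong; }

// Text for ppwszOptionalStatusText when the flow stops early; empty otherwise.
const wchar_t* StatusTextFor(PreCheck c) {
    return c == PreCheck::PasswordWrong
        ? L"Incorrect User Name or Password! Please try again ..."
        : L"";
}

#ifdef _WIN32
// Windows-only: the actual pre-check. LOGON32_LOGON_NETWORK loads no profile and is what the
// question uses; the token is closed at once because only the verdict is wanted.
PreCheck PreValidatePassword(PCWSTR user, PCWSTR domain, PCWSTR password) {
    HANDLE token = NULL;
    if (LogonUserW(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &token)) {
        CloseHandle(token);
        return PreCheck::PasswordOk;
    }
    return ClassifyLogonError(GetLastError());  // read GetLastError() before any other API call
}
#endif
```

Two things to keep in mind when wiring this into `GetSerialization`: the pre-check is a real logon attempt, so a wrong password is counted against the account's lockout threshold once here and again when the credential is later submitted, and it does not replace the system's own logon as the authorizing step. The message returned for the wrong-password case is the same one the question already displays.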

0 Answers