
I am in the process of building a custom credential provider (ICredentialProvider) to allow hardware-based Windows login.

I wonder if there is a way to pass additional data (e.g. the serial number of a token or similar) from the credential provider (especially ICredentialProviderCredential::GetSerialization) to the logon session created later?

Ratlos
  • If you also write a custom authentication package, you can call [`LsaAddCredential`](https://learn.microsoft.com/en-us/windows/win32/api/ntsecpkg/nc-ntsecpkg-lsa_add_credential) to add some data. Anyway, only your auth package will understand your data (how do you want to use this?) – RbMm Feb 22 '23 at 00:02
  • I need to know if the user logged in using a token or username/password. If a token was used, I need to know which token was used. However, it is probably way easier to use the registry or a service-based mechanism to store this information, as a custom auth package will likely overcomplicate the whole thing. – Ratlos Feb 22 '23 at 07:33
  • What "token" do you mean? Which built-in auth package processes this token? – RbMm Feb 22 '23 at 07:55
  • For now, we use RFID tags/tokens to identify the user (on our side). This allows us to unlock the related username and password required for the actual login. In ICredentialProviderCredential.GetSerialization, the username and password are serialized and the "Negotiate" auth package is selected (which will - as far as I understand this correctly - select the "Kerberos" auth package internally in most cases). – Ratlos Feb 22 '23 at 08:34
  • So really you log in by NTLM/Kerberos. You can set up some custom tracking of such sessions. You can write a very simple auth package, which primarily implements `LsaApCallPackage` - call your own package, which then calls LsaAddCredential/LsaGetCredentials for maintaining additional data per logon session. Or you can implement a wrapper package, which implements LsaApLogonUserEx2 - it will call msv1_0.LsaApLogonUserEx2 and, on exit, add its own marker group to LSA_TOKEN_INFORMATION_Vx, or something else. – RbMm Feb 22 '23 at 08:53

0 Answers