ICredentialProviderFilter

Security for Applications in Windows Vista

APX

I wrote a class implementing ICredentialProviderFilter in order to not allow Microsoft password provider to show up, because I need a two factors logon.

But I don't know why, the password provider always shows up.

Im writting the registry entry to register my filter.

Is posible to filter microsoft password provider

There is any way I can know if my filter is being loaded

Thanks in advance

Here is the code im using in Filter method

UNREFERENCED_PARAMETER(cpus);

UNREFERENCED_PARAMETER(dwFlags);

for (DWORD index = 0; index < cProviders; index++) {

if (IsEqualGUID(rgclsidProviders[index], CLSID_CSampleProvider))

rgbAllow[index] = TRUE;

else

rgbAllow[index] = FALSE;

}

return S_OK;
Top

Re: Security for Applications in Windows Vista ICredentialProviderFilter

APX

I think the code is fine, but Vista is never loading my filter.
So, I delete all the credential providers in the registry leaving only mine, I know, I wont get a MS certification, but when the only tool you have is a hammer, all the problems start to seem a nail Big Smile


Top

Re: Security for Applications in Windows Vista ICredentialProviderFilter

courion24

I wouldn't be so glib about editing the registry to unregister the Microsoft Password CredProv. You're going to have to do extra uninstall work to clean up what you did. Moreover, if there's a bug in Microsoft's filter implementation, that's deserving of a hotfix IMO. Microsoft had assured us that the only time the Password CredProv would show up when it is filtered out is if *all* Credential Providers somehow get filtered out. LogonUI has to show something.

Can you verify your code works by having it filter out some other provider, like the Microsoft Smart Card provider or maybe a sample provider you register based on the public sample code

Any comment from MS

-Rob


Top

Re: Security for Applications in Windows Vista ICredentialProviderFilter

APX

I know what I did sucks, and I shouldnt be doing it, but is imposible to get some feedback
I have another problem with resources integrity levels, since months, and noone have a clue what could be happening, or at least noone replied my post.
Also I'm seeing lots of products that suggest to turn off protected mode in order to allow their BHOs to work, and I'm talking about Single Sign On products from recognized companies.
Check eToken web Sign on manual from Aladdin soft, and you'll see it.

If you boot in safe mode the password provider is shown, even if I delete the registry entry.

I'll try installing a dummy provider just to see if i can filter it.

thanks mate


Top

Re: Security for Applications in Windows Vista ICredentialProviderFilter

wolf777

APX wrote:
I think the code is fine, but Vista is never loading my filter.
So, I delete all the credential providers in the registry leaving only mine, I know, I wont get a MS certification, but when the only tool you have is a hammer, all the problems start to seem a nail


Be sure to have your filter properly registered. There should be a registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\<your filter CLSID> with a default value of your filter's name.

Of course you must then have a valid CLSID record pointing on your filter's dll. We have our filter together with our Credential Provider in the very same dll and also the registry entries are similar. For our software, the filtering works well. I would not recommend to delete the MS Provider keys, it is much easier to use the filter.


Top

Re: Security for Applications in Windows Vista ICredentialProviderFilter

blanden

Hello,

I am new to COM programming and want to use a wrapped CP to disable the MS in-box password provider. I've created a few custom CP's that function well, but that is because I've only had to use the classes that are defined for you by MS in their Sample Credentials.

I've tried to implement ICredentialProviderFilter myself, but my filter function is not being invoked by LOGONUI. I have a subkey registered to HKLM/....../Credential Provider Filters so I don't believe that is the problem. I've had trouble finding help on the COM aspect of credential development, but disabling this provider is the final touch on a project I'm working on. I would greatly appreciate if someone could refer me to a helpful source or even post their class implementation for ICredentialProviderFilter.

Thank you




Top