CredentialProvider

[CredentialProvider]
Activate=0x03|{TS+LOGONUI}||0x06|*
AllowCertificate=
AllowToken=0x01|{LOGONUI}||0xFF|*
AutoLogonEnable=1
AutoLogonDisable=1|{LOGONUI}||*|0
BlockGUID=8bf9a910-a8ff-457f-999f-a5ca10b4a885;8FD7E19C-3BF7-489B-A72C-846AB3678C96;E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435;94596c7e-3744-41ce-893e-bbf09122f76a
CommandLink=<action1>,<text1>,<match1>;<action2>,<text2>,<match2>;...
CommandSelect=<action1>,<text1>,<match1>;<action2>,<text2>,<match2>;...
ComponentEnable=std:1;crt:1;pin:1;unlock:1;change:1
ComponentDisable=
:DependLibrary=
DependService=filter:self
:ImageSizeIcon=
:ImageSizeTile=
InitChangePin=0x03
ModeAllowGeneration2=0
ModeAllowNoNeedPIN=1
ModeAllowNoUPN=0
ModeAlwaysReportResult=1
:ModeCachePollContext=1
ModeConvertUPNtoSAM=0
ModeDirectLoad=0
ModeRequirelogon=0
ModeShowMultipleEmpty=0
ModeSingleCertificate=0
ModeSlimKerberos=0
ModeUnknownUseFirstSid=0
:ModeUnprotectedPin=0
ModeWrapping=0
RememberLastUsed=10
:TileUpdateDelay=99
UpdateRemoteEnable=1
UpdateRemoteBlockSelfFailure=0
UpdateRemoteBlockSelfHasAll=0
UpdateRemoteRegisterAllCert=0
UpdateRemoteTranslateUser=1
UpdateRemoteTranslateUserDomain=0
UpdateRemoteUseAnyCert=0
UpdateRemoteUseLastCert=1|{TS}||0|*
UpdateRemoteUseSingleCert=1|{TS}||0|*
WrappedFieldPosition=std:13,15,0,1,2,,-,-,6:0x00000000;crt:0,-,1,2,3,4,-,-,-:0x00000000;pin:3,4,0,-,-,,-,-,1:0x00000000

Activate

The activate value tells when our credential provider should tell the caller that we want to be auto selected by default. Usually the caller just ignores this, but sometimes this works. We can only suggest, the caller decides.

Values

The value is a bitmask for credential scenario usage.

0x01

Not CPUS_CREDUI

0x02

CPUS_CREDUI

0x03

Using both

0x04

Not CPUS_CREDUI if last used

0x08

Block activate if PIN is not needed

Example 1. Activating both options.

Normally we will try to activate for both usages.

[CredentialProvider]
Activate=0x03

AllowCertificate

You can limit the number of certificates that are used by specifying a matching condition.

[CredentialProvider]
AllowCertificate={MatchSomeThing}

Values

See Match for more information.

AllowToken

You can limit the number of tokens that are used. The value is a bitmask of those tokens that are allowed. Default is all token types accepted.

[CredentialProvider]
AllowToken=0x0F

Values

0x01

COMPONENT_TOKEN_CARD

0x02

COMPONENT_TOKEN_VSC

0x04

COMPONENT_TOKEN_CSP

0x08

COMPONENT_TOKEN_TPM

0x0F

All tokens (default)

AutoLogonEnable, AutoLogonDisable

It is possible to enable or disable auto logon. Auto logon is possible when single sign-on is active and the token is opened. Usually, you do not want to use auto logon for Windows Logon. Locking the desktop will then auto logon again.

[CredentialProvider]
AutoLogonEnable=1
AutoLogonDisable=1|{LOGONUI}||*|0

BlockGUID

The credential provider will usually replace another credential provider, so the original credential provider needs to be blocked. Each provider is identified by a GUID, so you need to specify the list of GUID:s that should be blocked. Separate them using a semicolon.

[CredentialProvider]
BlockGUID=8bf9a910-a8ff-457f-999f-a5ca10b4a885;8FD7E19C-3BF7-489B-A72C-846AB3678C96;E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435;94596c7e-3744-41ce-893e-bbf09122f76a

CommandLink controls how to show an extra dialog for CredentialProvider.

[CredentialProvider]
CommandLink=<action>,<text>,<match>;...;<action_N>,<text_N>,<match_N>

Values

action

Action name

text

Text to show from string table on the form {string:<number>}. See more in language string tables.

match

Matching condition

CommandSelect

CommandSelect controls how to show the dialog for CredentialProvider.

[CredentialProvider]
CommandSelect=<action>,<text>,<match>;...;<action_N>,<text_N>,<match_N>

Values

action

Action name

text

Text to show from string table on the form {string:<number>}. See more in language string tables.

match

Matching condition

ComponentEnable, ComponentDisable

The credential provider has five different purposes and they can be controlled separately.

To allow for conditions we have added a whitelist/blacklist to specify when they should be enabled.

[CredentialProvider]
ComponentEnable=std:1;crt:1;pin:1;unlock:1;change:1
ComponentDisable=
pin is only used by Microsoft Smart Card Providers, so it should only be used with MiniDriver activated.

Values

std

Standard, select certificate and enter PIN.

crt

Certificate, only select certificate.

pin

PIN, only enter PIN.

unlock

Unlock PIN, allow auto switch for std to unlock when PIN is locked.

change

Change PIN, change current PIN for logged on user.

DependLibrary

The parameter is primarily intended for developers and should never be changed.

Used to load library before CredentialProvider load. Checks Load section for custom libraries.

[CredentialProvider]
DependLibrary=<library1>;<library2>;

DependService

Used to start or wait for service before CredentialProvider load. Default filter:self, wait for own service on load.

[CredentialProvider]
DependService=<type>:<service1>;<type>:<service2>;

Where each <service> tells what to do.

<type>

filter,std,crt,pin,unlock,change

<name>

Wait for service <name>

<name> start

Start service <name>

<name> wait

Wait for service <name> for 10 seconds

<name> wait <timeout>

Wait for service <name> for <timeout> milliseconds

ImageSizeIcon

Used to set image size for Credential Provider generation 2 LogonUI scenario.

[CredentialProvider]
ImageSizeIcon=0x0030

ImageSizeTile

Used to set image size for Credential Provider generation 1 scenarios. Large tile in LogonUI and small tile in CredUI.

[CredentialProvider]
ImageSizeTile=0x00C00030

InitChangePin

This entry forces a PIN change for Credential Provider. It is used together with PinExpire key.

[CredentialProvider]
InitChangePin=0x03

Values

0x00

Do not force PIN change.

0x01

Force PIN change for Windows logon.

0x02

Force PIN change for CredUI.

0x03

Force PIN change for all scenarios. This value is the default value.

ModeAllowGeneration2

Two different versions, or generations, of credential providers are available. The second generation added the possibility to group credential tiles, only used by Windows Logon. This does not work well with smart cards with multiple certificates, so it should be avoided.

[CredentialProvider]
ModeAllowGeneration2=0

Values

0

off

1

on

ModeAllowNoNeedPIN

The ModeAllowNoNeedPIN parameter checks if key requires PIN or not.

[CredentialProvider]
ModeAllowNoNeedPIN=1

Values

0

off (no check), prompts for PIN input.

1

on, checks if PIN is required.

ModeAllowNoUPN

Windows Logon can be done with certificates without an UPN, depending on your Windows configuration. The default setting is disabled, so those certificates should usually be ignored.

[CredentialProvider]
ModeAllowNoUPN=0

Values

0

off

1

on

ModeAlwaysReportResult

Some Windows login scenarios do not result in a ReportResult call from the LogonUI process. The ModeAlwaysReportResult parameter always reports internal results, even when the LogonUI process does not.

[CredentialProvider]
ModeAlwaysReportResult=1

Values

0

off

1

on

ModeCachePollContext

Parameter used to open an extra session towards first KSP/CSP when polling for certificates. This session will be open until Credential Provider is unloaded. KSP/CSP will normally unload everything when last session is closed, so this behavior will increase performance, since a session will always be open.

Values

0

off

1

on

ModeConvertUPNtoSAM

The grouping of tiles used for second generation credential providers will require matching of the certificate UPN to get the right user identifier. This search can be done with two different modes.

[CredentialProvider]
ModeConvertUPNtoSAM=0

Values

0

off

1

on

ModeDirectLoad

The loading of credential providers is asynchronous, so you may want to start the loading of the available certificates directly at the initial call. Currently, the loading is so fast that this parameter will not make a difference.

[CredentialProvider]
ModeDirectLoad=0

Values

0

off

1

on

ModeRequireLogon

Any certificate can be used to logon to Windows, but you can specify that the Microsoft logon enhanced key usage is set in the certificate.

[CredentialProvider]
ModeRequireLogon=0

Values

0

off

1

on

ModeShowMultipleEmpty

Our credential provider can show all empty smart card readers as empty credential tiles, or a single empty credential.

[CredentialProvider]
ModeShowMultipleEmpty=0

Values

0

off

1

on

ModeSingleCertificate

Our credential provider can show all available certificates as a credential or only the first available certificate.

[CredentialProvider]
ModeSingleCertificate=0

Values

0

off

1

on

ModeSlimKerberos

Our credential provider can remove unnecessary values from the credential information returned, that is, the smart card name or the smart card reader name. This ensures that the caller does not know which smart card or smart card reader was used. This makes the unable to disturb anything they do not know anything about.

[CredentialProvider]
ModeSlimKerberos=0

Values

0

off

1

on

ModeUnknownUseFirstSid

The grouping of tiles used for second generation credential providers will require matching of the certificate UPN to get the right user identifier. But in which group should the unknown credentials be located?

[CredentialProvider]
ModeUnknownUseFirstSid=0

Values

0

off

1

on

ModeTileAlwaysPresent

Normally nothing will be shown when no smart card reader and no credentials are present. Use this parameter to add an extra empty tile when nothing is present.

[CredentialProvider]
ModeTileAlwaysPresent=0

Values

0

off

1

on

ModeUnprotectedPin

For the returned credential the PIN value is usually protected to avoid reading. This is not required and may be turned off for diagnostic purposes.

[CredentialProvider]
ModeUnprotectedPin=0

Values

0

off

1

on

ModeWrapping

Our credential provider can run in full mode, pass through mode or pass through only mode. The full mode completely replaces an existing provider. In pass through mode the exiting provider is called to create the returned credential blob. In pass through only mode we act as a man in the middle for another credential provider to send information to trace, this mode is only intended for developers.

[CredentialProvider]
ModeWrapping=0

Values

0

off, no wrapping meaning Full mode will be used.

1

on, wrapping meaning pass-through mode will be used.

2,{GUID}

on, pass-through-only mode for Credential Provider GUID.

RememberLastUsed

Our credential provider can remember the last used credential and select that credential as default next time our credential provider is used. Reference to credentials is stored in the local configuration, see example below.

[CredentialProvider]
RememberLastUsed=<numberofcredentials>

This value only tells which of our credentials that we consider to be default by those returned from us. Microsoft have their own selection rules to tell which actual credential that will be default.

Values

<numberofcredentials>

The number of credentials to remember, default is 10.

Example

Example 2. Reference to credentials stored in the local configuration

The references to credentials is stored in the local configuration like this to make sure that the right certificate is prompted when you log on to your computer.

[CredentialProvider]
LastUsed_LOGON=94850533F8F61B56;
LastUsed_CREDUI=972ACC1807EAD617;
Local configuration is by default stored in the Windows registry and not to file.

TileUpdateDelay

The parameter is primarily intended for developers and should never be changed.

The TileUpdateDelay parameter is used to delay credential tile update after event is sent to Windows.

[CredentialProvider]
TileUpdateDelay=99

UpdateRemoteEnable

When our credential provider is running in Terminal Server environment, we can be called to update a credential sent from the client. This allows for single sign-on-experience when used in pre-auth scenarios. This parameter is used to enable this translation.

UpdateRemoteEnable=1

Values

0

off

1

on

UpdateRemoteBlockSelfFailure

When update remote is active, this parameter tells if our credential provider should block itself when it fails to translate the credential.

UpdateRemoteBlockSelfFailure=0

Values

0

off

1

on

UpdateRemoteBlockSelfHasAll

When update remote is active, this parameter tells if our credential provider should block itself when all values are successfully translated and auto logon will be possible.

UpdateRemoteBlockSelfHasAll=0

Values

0

off

1

on

UpdateRemoteRegisterAllCert

When update remote is active, this parameter tells if our credential provider should register all available certificates to current desktop. Certificate used as credential will always be registered.

UpdateRemoteRegisterAllCert=0

Values

0

off

1

on

UpdateRemoteTranslateUser

When update remote is active, this parameter tells if our credential provider should translate the credential using only the username. Translation with username/domain will be run first.

UpdateRemoteTranslateUser=1

Values

0

off

1

on

UpdateRemoteTranslateUserDomain

When update remote is active, this parameter tells if our credential provider should translate the credential using username/domain.

UpdateRemoteTranslateUserDomain=0

Values

0

off

1

on

UpdateRemoteUseAnyCert

When update remote is active, this parameter tells if it should use any certificate that currently is on a logged-on token. Last used certificate is checked first.

UpdateRemoteUseAnyCert=0

Values

0

off

1

on

UpdateRemoteUseLastCert

When update remote is active, this parameter tells if it should use the last certificate that is on a logged-on token.

UpdateRemoteUseLastCert=1|{TS}||0|*

Values

0

off

1

on

UpdateRemoteUseSingleCert

When update remote is active, this parameter tells if it should use the only available certificate that is on a currently logged-on token.

UpdateRemoteUseSingleCert=1|{TS}||0|*

Values

0

off

1

on

WrappedFieldPosition

When our credential provider is wrapping another credential provider it must know which field is used for which purpose. The values usually never change and it is intended to be used only by the development team. Thus, no documentation is available.

WrappedFieldPosition=std:13,15,0,1,2,,-,-,6:0x00000000;crt:0,-,1,2,3,4,-,-,-:0x00000000;pin:3,4,0,-,-,,-,-,1:0x00000000