Discussion:
Where is the certificate returned by CredUIPromptForWindowCredenti
eugen_nw
2010-07-23 18:17:37 UTC
Hello all,

I'm a bit at a loss here. I'm in the process of implementing authentication
in an application that allows other users than the current Windows user to
log in. One of the goals is to support authentication using X.509
certificates on smartcards. I've tested and
CredUIPromptForWindowsCredentials sees those certificates and allows me to
enter the PIN to authenticate. So far so good, I've tested and am able to
use the returned credentials to authenticate with A.D. The requirement for
this type of login is to keep an eye on the smartcard reader and if the
smartcard gets pulled out of the reader, the most recently logged in user is
automatically logged off from my application. The problem I'm facing is that
it is possible to have several smartcard readers connected to the computer
and unless I'm able to know which reader has the certificate that was picked
by the user using CredUIPromptForWindowsCredentials, I have no way of knowing
which smartcard reader I should watch for smart card removal.

A related topic of interest would be for me to be able to know in which
local certificate store resides a certificate that can be chosen in the UI
presented by CredUIPromptForWindowsCredentials - a.f.a.i.k. local
certificates can be used as well for login, provided that the user knows the
password.
--
Thank you, eugen
Carlos
2010-08-04 08:43:43 UTC
Windows 7 offers a new certificate selection API, CertSelectCertificateChains,
to select certificates.
You can find the code sample in the Win7 SDK under /samples/:
C:\Program Files\Microsoft SDKs\Windows\v7.1\Samples\security\cryptoapi\CertSelect
kittu
2011-06-09 21:49:23 UTC
I am also facing a problem regarding the CredUIPromptForWindowsCredentials
function on Windows Server 2008.
I have enabled the following policy in gpedit.msc:
Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Require trusted path for credential entry

If the above policy is disabled, CredUIPromptForWindowsCredentials returns
outCredBuffer, and CredUnPackAuthenticationBuffer decrypts and fetches the
username and password from the buffer.

However, if I enable the policy and follow the same steps,
CredUnPackAuthenticationBuffer returns error 775, which means
ERROR_NOT_CAPABLE.

Any help is much appreciated.
