We have a working a custom credential provider,
and a working way to change password when user is logged in.
We are trying to handle the use-case of changing password when the
password is known as expired.
We managed to get the status in ReportResult:
STATUS_PASSWORD_MUST_CHANGE we save that the password must change.
Windows display a message to say, the user need to change his password,
but when clicking on OK, it fallback to logon screen, not our CPUS_CHANGE_PASSWORD scenario.
We have tried to force this scenario when enumerating credentials, but still, the LOGON UI is still drawn instead of the CPUS_CHANGE_PASSWORD one.
How can we do to redraw the UI with the correct Scenario after clicking on OK?
Thanks
Related
I am working on the windows credential provider
We start our project based on this https://github.com/DavidWeiss2/windows-Credential-Provider-library
We want to make this authentication passwordless. Therefore we have a "database" in forms of external file that keep the password, username and domain pairs. Due to security reason we hashed it. (eg: C:\Temp\MyCredsDatabase.dat)
If the user change the password from window's Built-in GUI System -> Account -> Sign-in Option -> Change Password, the next login will be failed simply because the user already update their password but our database still using the old password
Well, if I decrypt the password directly from the Microsoft's SAM database it will be whether illegal or hard because Windows keep updating their security package to secure this database.
Is there any possibility that whenever user update the password, we get the password value, and update our "database"?
Or should I save our local database's content with another format?
Like, instead of using the user's information in a plain text for login using our Custom Credential Provider, can I use part of the SAM's value to login?
Your credential provider should implement the CPUS_CHANGE_PASSWORD scenario which is triggered in the change password GUI workflow.
At that point, in ICredentialProviderCredential::GetSerialization, you should have the raw non encrypted password value.
Then in ICredentialProviderCredential::ReportResult, if NTSTATUS == STATUS_SUCCESS you could do whatever you want, including updating your database.
Is it possible for an app or a web page to change a password stored in smart lock without user interaction? In other words, must a user press a button in order for a password to be changed in smart lock?
If you call the save API and the user has an existing credential with a matching identifier, you can update the password or account type field without showing the user any UI (but they had to see UI and accept to save the info with their Google Account the first time in order to have an existing credential stored)
I am newbie developer in mac development. What I need to do is create an authentication dialog when the user clicks the Print button in any application.
I need to store the username and password for 1 hour (to avoid authentication all the time) but this should be deleted when the user logs out from the machine.
What I am thinking is to use NSUserDefaults to store the data, and create a logout hook to delete this data. Is this the proper way of doing this?
Use Authorization Services. It sounds like your app fits the "Simple, Self-Restricted Application" model described in the guide.
When you create your authorization right, use the timeout attribute to set the length of time that the user's credentials will be cached.
After looking through the code for building custom credential providers for Windows 7, I managed to get my own tile to show up on the logon screen, and can logon as the desired user. However, I am trying to implement a system where an event (a Bluetooth device in range) triggers a logon/unlock, without needing to click on the tile.
I can set it to fill in the password automatically (maybe I will implement pulling the password from the device), but either way, I must click the tile first. If it is locked, I need to click "Other Credentials" before that, too.
How would I go about implementing the logon credential provider without displaying a tile on the logon screen? It would be nice if I could keep the existing password option focused, and bypass it the moment the device comes in range.
EDIT: I made some progress, but I still think I need to do this without a tile. If I set the *pbAutoLogon parameter to true, and fill in the username and password before that, then the following behavior occurs:
If the default credential is selected (lock/unlock), then I need to click on "other credentials". If I log off, both credentials are displayed by default.
If both credentials are shown, and my provider is enabled after that, then the logon is automatic.
If my provider is enabled first, then "other credentials" is selected, I still need to click on my provider, after which logon is automatic
You need to change your credential settings to log in automatically and then your provider needs to tell LoginUI that the credentials have changed.
One of the sample credential providers supplied by microsoft works in this way.
I have an HTML page with a login form and a registration form inside of an overlay. When the user submits either of these forms, an AJAX request is made back to the server.
If the registration or login is successful, then the user is logged in and certain parts of the page are updated. If there is an issue with the login/registration credentials, then the user is asked to correct the error.
How do I get the browser to prompt the user to save or remember the username/password used for this scenario?
I was able to get Firefox to prompt the user and remember the password by following the answer here:
How can I get browser to prompt to save password?
But this solution did not work in webkit browsers or IE. Also, I tried adding the autocomplete attribute to the forms with value "on", but this also did not solve the problem.
Thanks in advance :)
I'm not sure if you are going to be able to find a solution to this that works across all browsers in a timely manner and if you do it may be very brittle and could break after any browser update.
A more reliable and robust way of doing this could be to do it with your own code by building this functionality into your UI. This would probably even save you some time in the long run. You could have a "remember me" checkbox or a "remember me" popup that comes up after a successful login.
If the user opts to be remembered just write an encrypted cookie with their username which if detected will allow them to bypass login. Assuming SSL I don't see this route as being much less secure than trying to force the browser to do it as the information will be stored un-encrypted on most users computers either way.