// Collect the username and password into a serialized credential for the correct usage scenario // (logon/unlock is what's demonstrated in this sample). LogonUI then passes these credentials // back to the system to log on. HRESULT CCustomCredential::GetSerialization( CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* pcpgsr, CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcs, PWSTR* ppwzOptionalStatusText, CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon ) { UNREFERENCED_PARAMETER(ppwzOptionalStatusText); UNREFERENCED_PARAMETER(pcpsiOptionalStatusIcon); HRESULT hr; WCHAR wsz[MAX_COMPUTERNAME_LENGTH+1]; DWORD cch = ARRAYSIZE(wsz); DWORD cb = 0; BYTE* rgb = NULL; if (GetComputerNameW(wsz, &cch)) { PWSTR pwzProtectedPassword; UserNameSerialized = FieldStrings[SFI_USERNAME]; PasswordProtected = FieldStrings[SFI_PASSWORD]; hr = ProtectIfNecessaryAndCopyPassword(PasswordProtected, _cpus, &pwzProtectedPassword); // Only CredUI scenarios should use CredPackAuthenticationBuffer. Custom packing logic is necessary for // logon and unlock scenarios in order to specify the correct MessageType. if (CPUS_CREDUI == _cpus) { if (SUCCEEDED(hr)) { PWSTR pwzDomainUsername = NULL; hr = DomainUsernameStringAlloc(wsz, UserNameSerialized.data(), &pwzDomainUsername); if (SUCCEEDED(hr)) { // We use KERB_INTERACTIVE_UNLOCK_LOGON in both unlock and logon scenarios. It contains a // KERB_INTERACTIVE_LOGON to hold the creds plus a LUID that is filled in for us by Winlogon // as necessary. if (!CredPackAuthenticationBufferW((CREDUIWIN_PACK_32_WOW & _dwFlags) ? CRED_PACK_WOW_BUFFER : 0, pwzDomainUsername, pwzProtectedPassword, rgb, &cb)) { if (ERROR_INSUFFICIENT_BUFFER == GetLastError()) { rgb = (BYTE*)HeapAlloc(GetProcessHeap(), 0, cb); if (rgb) { // If the CREDUIWIN_PACK_32_WOW flag is set we need to return 32 bit buffers to our caller we do this by // passing CRED_PACK_WOW_BUFFER to CredPacAuthenticationBufferW. if (!CredPackAuthenticationBufferW((CREDUIWIN_PACK_32_WOW & _dwFlags) ? CRED_PACK_WOW_BUFFER : 0, pwzDomainUsername, pwzProtectedPassword, rgb, &cb)) { HeapFree(GetProcessHeap(), 0, rgb); hr = HRESULT_FROM_WIN32(GetLastError()); } else { hr = S_OK; } } else { hr = E_OUTOFMEMORY; } } else { hr = E_FAIL; } HeapFree(GetProcessHeap(), 0, pwzDomainUsername); } else { hr = E_FAIL; } } CoTaskMemFree(pwzProtectedPassword); } } else { KERB_INTERACTIVE_UNLOCK_LOGON kiul; // Initialize kiul with weak references to our credential. hr = KerbInteractiveUnlockLogonInit(wsz, UserNameSerialized.data(), pwzProtectedPassword, _cpus, &kiul); if (SUCCEEDED(hr)) { // We use KERB_INTERACTIVE_UNLOCK_LOGON in both unlock and logon scenarios. It contains a // KERB_INTERACTIVE_LOGON to hold the creds plus a LUID that is filled in for us by Winlogon // as necessary. hr = KerbInteractiveUnlockLogonPack(kiul, &pcpcs->rgbSerialization, &pcpcs->cbSerialization); } } if (SUCCEEDED(hr)) { ULONG ulAuthPackage; hr = RetrieveNegotiateAuthPackage(&ulAuthPackage); if (SUCCEEDED(hr)) { pcpcs->ulAuthenticationPackage = ulAuthPackage; pcpcs->clsidCredentialProvider = CLSID_CCustomProvider; // In CredUI scenarios, we must pass back the buffer constructed with CredPackAuthenticationBuffer. if (CPUS_CREDUI == _cpus) { pcpcs->rgbSerialization = rgb; pcpcs->cbSerialization = cb; } // At this point the credential has created the serialized credential used for logon // By setting this to CPGSR_RETURN_CREDENTIAL_FINISHED we are letting logonUI know // that we have all the information we need and it should attempt to submit the // serialized credential. *pcpgsr = CPGSR_RETURN_CREDENTIAL_FINISHED; } else { HeapFree(GetProcessHeap(), 0, rgb); } } } else { DWORD dwErr = GetLastError(); hr = HRESULT_FROM_WIN32(dwErr); } pLoginCommander->LoginFailed(); return hr; }
// Collect the username and password into a serialized credential for the correct usage scenario // (logon/unlock is what's demonstrated in this sample). LogonUI then passes these credentials // back to the system to log on. HRESULT CardUnlockCredential::GetSerialization( CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* pcpgsr, CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcs, PWSTR* ppwszOptionalStatusText, CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon ) { //while (!_pListener->GetConnectedStatus()); //SetUserData(_pListener->GetUserName(), _pListener->GetPassword()); UNREFERENCED_PARAMETER(ppwszOptionalStatusText); UNREFERENCED_PARAMETER(pcpsiOptionalStatusIcon); KERB_INTERACTIVE_LOGON kil; ZeroMemory(&kil, sizeof(kil)); HRESULT hr; WCHAR wsz[MAX_COMPUTERNAME_LENGTH+1]; DWORD cch = ARRAYSIZE(wsz); if (GetComputerNameW(wsz, &cch)) { PWSTR pwzProtectedPassword; hr = ProtectIfNecessaryAndCopyPassword(_rgFieldStrings[SFI_PASSWORD], _cpus, &pwzProtectedPassword); if (SUCCEEDED(hr)) { KERB_INTERACTIVE_UNLOCK_LOGON kiul; // Initialize kiul with weak references to our credential. hr = KerbInteractiveUnlockLogonInit(wsz, _rgFieldStrings[SFI_USERNAME], pwzProtectedPassword, _cpus, &kiul); if (SUCCEEDED(hr)) { // We use KERB_INTERACTIVE_UNLOCK_LOGON in both unlock and logon scenarios. It contains a // KERB_INTERACTIVE_LOGON to hold the creds plus a LUID that is filled in for us by Winlogon // as necessary. hr = KerbInteractiveUnlockLogonPack(kiul, &pcpcs->rgbSerialization, &pcpcs->cbSerialization); if (SUCCEEDED(hr)) { ULONG ulAuthPackage; hr = RetrieveNegotiateAuthPackage(&ulAuthPackage); if (SUCCEEDED(hr)) { pcpcs->ulAuthenticationPackage = ulAuthPackage; pcpcs->clsidCredentialProvider = CLSID_CardUnlockProvider; // At this point the credential has created the serialized credential used for logon // By setting this to CPGSR_RETURN_CREDENTIAL_FINISHED we are letting logonUI know // that we have all the information we need and it should attempt to submit the // serialized credential. *pcpgsr = CPGSR_RETURN_CREDENTIAL_FINISHED; } } } CoTaskMemFree(pwzProtectedPassword); } } else { DWORD dwErr = GetLastError(); hr = HRESULT_FROM_WIN32(dwErr); } return hr; }