Overview#
Windows Credential Provider is an API within the Windows SDK that allows the Windows Client Authentication Architecture to be customized by implementing and registering a Windows Credential Provider with Winlogon, which provides for the Interactive Windows Logon Type.
Windows Credential Providers are the primary Authentication Mechanism for user authentication in Windows 10 and are currently the only method for users to prove their identity, which is required for logon and other system authentication scenarios. With Windows 10 and the introduction of Microsoft Passport, Windows Credential Providers are more important than ever; they will be used for authentication into apps, websites, and more.
When Winlogon wants to obtain credentials, the Windows Logon UI queries each Windows Credential Provider for the number of credentials that it wishes to enumerate. After all Windows Credential Providers have enumerated their "tiles", the Logon UI displays them to the user. The user then interacts with a "tile" to supply the necessary credentials. The Logon UI submits these credentials for authentication.
Multiple Windows Credential Providers can be installed on a single machine, and each Windows Credential Provider may have multiple Authentication Mechanisms, referred to as "Tiles" when presented to the user.
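Because every registered provider is loaded into the logon UI, it is worth knowing exactly which ones a machine has. The following audit script is an added example, not code from the original page; the function name is hypothetical, and the registry locations it reads are the standard per-machine registration paths, which the page itself does not list.

```powershell
# Added audit example, not code from the original page.
# Assumes the standard per-machine registration locations (not given on the page).
$CpRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

function Get-RegisteredCredentialProvider {
    foreach ($key in Get-ChildItem -LiteralPath $CpRoot) {
        $clsid    = $key.PSChildName                    # provider CLSID, braces included
        $name     = $key.GetValue('')                   # default value = friendly name
        $disabled = [bool]$key.GetValue('Disabled', 0)  # a Disabled DWORD of 1 turns the provider off

        # Resolve the COM class to the in-process DLL that the logon UI will load.
        $dll    = $null
        $inproc = Join-Path (Join-Path $ClsidRoot $clsid) 'InprocServer32'
        if (Test-Path -LiteralPath $inproc) {
            $raw = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
                if (-not [IO.Path]::IsPathRooted($dll)) {
                    $dll = Join-Path "$env:SystemRoot\System32" $dll
                }
            }
        }

        # Check the Authenticode signature of the DLL, if it exists on disk.
        $status = 'NoDll'; $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $dll
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } elseif ($dll) { $status = 'DllMissing' }

        [pscustomobject]@{
            Clsid = $clsid; Name = $name; Disabled = $disabled
            Dll = $dll; Signature = $status; Signer = $signer
            # Review anything unsigned, missing, or not signed by Microsoft.
            NeedsReview = ($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

Get-RegisteredCredentialProvider | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

A `NeedsReview` flag is a prompt to check the entry against the software inventory, not a verdict: legitimately installed third-party providers will also be flagged.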
Credential provider architecture#
The following list shows the components that are included in the interactive Windows Logon (Windows Logon Type interactive) architecture of the Windows Server and Windows Operating System.
- Winlogon - Provides the Windows Logon Type interactive sign-in infrastructure.
- Credential UI - Provides interactive GUI rendering.
- CredSSP (password and Smart Card) - Describes credential information and serializing credentials using the Security Support Provider (SSP).
- Local Security Authority (LSA) - Processes sign-in credentials.
- Windows Authentication Package - Includes NTLM and the Kerberos protocol. Communicates with the server Windows Authentication Package to authenticate users.
An interactive Windows Logon (Windows Logon Type interactive) begins when the user presses CTRL+ALT+DEL. The CTRL+ALT+DEL key combination is called a Secure Attention Sequence (SAS). To keep other programs and processes from using it, Winlogon registers this sequence during the boot process.
After receiving the SAS, Windows.Security.Credentials.UI generates the Windows Logon tile from the information received from the registered Windows Credential Provider.
System Credential Providers#
Microsoft provides a variety of Windows Credential Providers, referred to as "Security Support Providers", as part of Microsoft Windows, such as:
- password
- PIN
- Smart Card
- Windows Hello (Fingerprint recognition, Facial recognition, and Iris recognition).