CredProvider.NET icon indicating copy to clipboard operation
CredProvider.NET copied to clipboard

Published 20 hours ago verified publisher icon SteveSyfuhs

When system is Locked, CPUS_UNLOCK_WORKSTATION in a Custom Credential Provider,Domain Password Expiry Scenario is not working and not displaying Password change UI.

Open Mahaboob-Aslam opened this issue 3 years ago • 0 comments

Hi, I am writing a Custom Windows Credential Provider using C++ on Windows 10, where I have implemented the domain password expiry in my code and I am able to change the Domain password looking into this blog. How can I handle password expiry in the credential provider? But there is one scenario, where in LOCK condition, CPUS_UNLOCK_WORKSTATION_condition, I am not able to load the Change Password UI for domain password expiry.

With this following code below:

_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_LOGIN_NAME, CPFS_HIDDEN );
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_PASSWORD,CPFS_HIDDEN );

for the above two statements, the code works fine and it hides the field components for Username and Passwords.

And I am facing problems for the below lines of code statements:

_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_OLDPASSWORD_TEXT, CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_OLDPASSWORD, CPFS_DISPLAY_IN_SELECTED_TILE);			
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_NEWPASSWORD_TEXT, CPFS_DISPLAY_IN_SELECTED_TILE);		
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_NEWPASSWORD, CPFS_DISPLAY_IN_SELECTED_TILE);			
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_CONFPASSWORD_TEXT,CPFS_DISPLAY_IN_SELECTED_TILE);			
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_CONFPASSWORD,CPFS_DISPLAY_IN_SELECTED_TILE);
_pCredProvCredentialEvents->SetFieldState((ICredentialProviderCredential*)this, SFI_SUBMIT_BUTTON, CPFS_DISPLAY_IN_SELECTED_TILE);

I am not able to load these fields. these APIs are failing to load fields OldPasswordText, OldPassword, NewPasswordText, NewPassword, ConfirmPasswordText and ConfirmPassword and Submitbutton.

I am calling these above functions from Credential :: Initialize(). I am calling Initialize() function from

Credential ::ReportResult() 
{
        // _cpus = CPUS_UNLOCK_WORKSTATION** and with 
        if (ntsStatus == STATUS_PASSWORD_MUST_CHANGE || (ntsStatus == STATUS_ACCOUNT_RESTRICTION && ntsSubstatus == 
             STATUS_PASSWORD_EXPIRED))
        {
                  Initialize(_cpus, s_rgCredProvFieldDescriptors, s_rgFieldStatePairs, nullptr);
        }
}

below lines of code are from logfiles, which I am providing for reference.

Initialize() FAILED SFI_OLDPASSWORD_TEXT: 183 where 183 is the value, I am getting from GetLastError() Initialize() FAILED SFI_OLDPASSWORD: 183 Initialize() FAILED SFI_OLDPASSWORD: 183 Initialize() FAILED SFI_NEWPASSWORD_TEXT: 183 Initialize() FAILED SFI_NEWPASSWORD_TEXT: 183 Initialize() FAILED SFI_NEWPASSWORD: 183 Initialize() FAILED SFI_CONFPASSWORD_TEXT: 183 Initialize() FAILED SFI_CONFPASSWORD: 183 Initialize() FAILED SFI_SUBMIT_BUTTON: 183

Help in resolving the issue, if i am doing anything wrong.

Regards Aslam

Mahaboob-Aslam avatar Jun 22 '21 13:06 Mahaboob-Aslam