
Credential Provider Wrapping

Date: November 9, 2010
Author: Michael Michlin
Product Version: v3.6
Reviewed By:

Revision History:
  Date: November 27, 2007 | Version: 1.0 | Summary of Changes: Initial Draft by Michael Michlin


Introduction
Credential Providers are a Vista-specific mechanism that replaces the GINA modules used on Windows 2000, XP and 2003 (Windows 7 and later keep the same model). Credential providers are software modules that collect credentials from users and pass them on to Windows for authentication. Windows Vista ships with two built-in providers, for password and smart card authentication. The Windows logon process instantiates all registered credential providers and lets the user choose one for authentication. This allows software companies to create providers that leverage custom authentication methods (fingerprint, smart cards, etc.).

Imprivata also implements a credential provider, whose purpose is to perform OneSign authentication in addition to Windows authentication. The OneSign credential provider is shown as one of the tiles on the logon screen, while the other tiles belong to other providers. The problem arises when a user (for whatever reason) chooses not the OneSign tile but one of the other tiles: the user is authenticated to Windows, but OneSign authentication is never involved and the Agent is left disabled.

A similar problem with 3rd-party GINA modules is solved by GINA chaining: the OneSign GINA instantiates another GINA (called the Target GINA) and delegates all calls to it. The information passed to and from these calls (the user's credentials) is used to perform OneSign authentication. The same technique is possible with credential providers. Since credential providers are COM objects with a documented interface (ICredentialProvider), one provider can load another provider and delegate calls to it, intercepting the data passed as input and output parameters. Although the technique is the same, the word "wrapping" is used instead of "chaining". An additional piece of the Vista logon infrastructure, Credential Provider Filters, allows filtering out some providers, so that a provider wrapped by OneSign does not also appear unwrapped as a separate tile. Without that filter the original tile would remain selectable and the bypass described above would still be possible.
In the GINA world, OneSign natively supports two target GINA modules, Microsoft and Novell, for which OneSign has intimate knowledge of the UI elements. This allows OneSign to hook the windows presented by these GINAs and manipulate the controls on them. Other GINA modules are supported in so-called hook-less mode, where OneSign knows nothing about the UI and can only intercept the credentials of authenticated users. If OneSign is installed after the 3rd-party GINA, OneSign automatically chains to the 3rd-party GINA in hook-less mode. If the 3rd-party GINA is installed after OneSign, a manual registry change is required to restore proper chaining.

In the credential provider world there are also natively supported providers: the built-in Password and Smart Card providers. These are wrapped out of the box, that is, when the OneSign client is installed. The Novell credential provider is not supported as of this writing but will be supported natively in a future release. 3rd-party credential providers installed before OneSign are wrapped automatically. 3rd-party credential providers installed after OneSign require administrator intervention, and until that is done the new provider's tile offers a logon path that bypasses OneSign. Unlike GINA modules, however, wrapping a credential provider involves changing many registry entries, which is an error-prone process if done manually. To solve this problem Imprivata provides the Credential Provider Wrapping utility, which is discussed in this document.

Credential Provider Wrapping Utility


The Credential Provider Wrapping utility, ISXCredProvDiag.exe, is found in the OneSign installation directory, usually C:\Program Files\Imprivata. When started without command line parameters, the utility opens in UI mode. Command line parameters allow several actions to be performed without showing any UI. Both UI and Command Line modes are described in the following sub-sections.

Copyright 2005 Imprivata, Inc.

Confidential


The utility modifies protected parts of the registry and therefore requires administrative rights; under Vista UAC it must be run from an elevated process (for example an elevated command prompt).

UI Mode
When started without command line parameters, the Credential Provider Wrapping utility displays its main window, described below.

The window has two panes. The upper pane lists the natively supported credential providers; they are shown for information only and no actions can be performed on them. The lower pane lists 3rd-party credential providers, which can be wrapped or unwrapped by selecting the provider in the list and pressing the respective button. The Wrapped column shows the current state of the provider: Yes if the provider is wrapped and No otherwise. When the user wraps or unwraps a provider, the change is applied immediately on the machine on which the utility is running. Since it would be impractical for the administrator to visit each computer in the enterprise, the utility can also create a registry file that reflects the current state of the local machine. The registry file can later be distributed to workstations via Active Directory Group Policy. Because the file captures the provider set of the machine it was generated on, generate it on a reference machine whose 3rd-party providers match the target workstations.

Command Line Mode


The Credential Provider Wrapping utility supports the following command line syntax:

    ISXCredProvDiag /help | /wrapall | /unwrapall | /generate [file_name]

Parameter                    Description
/help (/?)                   Displays usage text
/wrapall (/wa)               Creates wrappers for all registered 3rd-party credential providers
/unwrapall (/uwa)            Removes wrappers for all registered 3rd-party credential providers
/generate (/g) [file_name]   Generates a distributable registry file named file_name. The generated registry file contains entries for adding or removing wrappers according to the current state of the local machine.
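The following PowerShell script is an added example; it is not part of this document and not Imprivata's own tooling. It shows what the logon infrastructure described in the Introduction actually sees (the credential providers and credential provider filters registered under the standard Windows keys, each resolved to the COM server DLL that LogonUI loads) and diffs that inventory around a /wrapall run, so an administrator can verify the utility's registry changes and review the state that /generate will capture before pushing the .reg file through Group Policy. It assumes the standard registration keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication, the default install path given above, and an elevated session (the utility writes to HKLM); the function names are the example's own. It avoids PowerShell 3.0-only syntax so that it can run on the PowerShell versions shipped for Vista.

```powershell
# Added example (not code from the Imprivata document or product): inventory
# the credential providers and credential provider filters registered on this
# machine, and diff two snapshots to see exactly what ISXCredProvDiag changed.
# Assumptions: the two registry roots below are the standard Windows ones; the
# utility lives in the default install directory named in the document; the
# script is run from an elevated PowerShell session when it invokes the utility.

$CredProvRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$FilterRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$Utility      = 'C:\Program Files\Imprivata\ISXCredProvDiag.exe'

function Get-CredProvRegistrations {
    # Each subkey is a CLSID; its default value is the provider's friendly name,
    # and an optional Disabled=1 value hides the provider from the logon screen.
    param([string]$Root, [string]$Kind)
    if (-not (Test-Path $Root)) { return @() }
    foreach ($key in Get-ChildItem -Path $Root) {
        $clsid = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath
        # Resolve the COM server DLL that LogonUI will actually load for this CLSID.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = '<no InprocServer32 registration>'
        if (Test-Path $server) { $dll = (Get-ItemProperty -Path $server).'(default)' }
        New-Object PSObject -Property @{
            Kind     = $Kind
            CLSID    = $clsid
            Name     = $props.'(default)'
            Disabled = [bool]$props.Disabled
            Dll      = $dll
        }
    }
}

function Get-CredProvSnapshot {
    # Providers and filters together form the complete picture of the logon tiles.
    @(Get-CredProvRegistrations -Root $CredProvRoot -Kind 'Provider') +
    @(Get-CredProvRegistrations -Root $FilterRoot   -Kind 'Filter')
}

function Compare-CredProvSnapshot {
    # Lists registrations that were added or removed between two snapshots; a
    # provider whose DLL or Disabled flag changed shows up as removed + added.
    param($Before, $After)
    Compare-Object -ReferenceObject $Before -DifferenceObject $After `
        -Property Kind, CLSID, Name, Disabled, Dll |
        Select-Object @{n='Change'; e={ if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } }},
                      Kind, CLSID, Name, Disabled, Dll
}

# Usage: snapshot, wrap, snapshot again, and review the delta before trusting
# the generated .reg file for Group Policy distribution. /wrapall changes the
# machine it runs on, so do this on a reference workstation.
$before = Get-CredProvSnapshot
$before | Sort-Object Kind, Name | Format-Table Kind, Name, Disabled, Dll -AutoSize

& $Utility /wrapall
$after = Get-CredProvSnapshot
Compare-CredProvSnapshot -Before $before -After $after | Format-Table -AutoSize

# Stage the distributable file from this (now wrapped) reference machine.
& $Utility /generate "$env:TEMP\OneSignWrappers.reg"
```

The delta printed by Compare-CredProvSnapshot is the set of registrations the generated .reg file has to reproduce on every target; if a 3rd-party provider is later installed on a workstation, re-run the inventory there and confirm its tile is filtered or wrapped rather than assuming the earlier .reg file still covers it.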
