Credential Provider and Azure Ad

Question

Credential Provider and Azure Ad

Gene 6

I have a credential provider that's working for local accounts and local domain accounts, but failing for Azure AD accounts.
It's based on the https://github.com/microsoft/Windows-classic-samples/tree/main/Samples/CredentialProvider.

The local user case works as intended, but the non-local doesn't.

The sample code uses
DWORD dwAuthFlags = CRED_PACK_PROTECTED_CREDENTIALS | CRED_PACK_ID_PROVIDER_CREDENTIALS;
and I get error 87 when I call CredPackAuthenticationBuffer.

If I try
DWORD dwAuthFlags = CRED_PACK_ID_PROVIDER_CREDENTIALS;

I don't get errors reported but get an invalid username or password on the screen.

I also tried
DWORD dwAuthFlags = CRED_PACK_GENERIC_CREDENTIALS | CRED_PACK_ID_PROVIDER_CREDENTIALS;
again, not errors from the code but this time I get invalid parameter.

I've tried just AzureAD\username and AzureAD\username@keyman .com of course using my username and domain.

Any guidance would be welcome.

Xiaopo Yang - MSFT 7,106 Reputation points Microsoft Vendor

2022-11-07T06:43:15.223+00:00

It's definite that there are configurations in Azure AD account and It's necessary to change the sample Authentication code. For example, Log in to a Windows virtual machine in Azure by using Azure AD.
There is a sample, Google Credential Provider for Windows, which lets users sign in to Windows devices with the Google Account they use for work and you can refer to. There are also some CP code examples, one of which is MultiOneTimePassword which supports various authentication.
Gene 6 Reputation points

2022-11-07T21:40:46.023+00:00

Thank you Xiaopo. It appears that the Microsoft sample is indeed out of data and doesn't work correctly Azure AD accounts. The MultiOneTimePassword didn't deal with non-local users at all, which gave me the clue that I needed.
Xiaopo Yang - MSFT 7,106 Reputation points Microsoft Vendor

2022-11-08T02:25:55.99+00:00

Does your computer join in Azure AD? I mean can you login your Windows using Azure AD account normally? Probably, It's not a custom credential provider issue.
Gene 6 Reputation points

2022-11-08T05:01:38.637+00:00

Sure. I joined the machine to an Azure AD and could log in using that account.
My problem was that my CP using the Azure AD credentials wouldn't login.

I have it working now....at least for now. <grin>

Xiaopo Yang - MSFT 7,106 Reputation points Microsoft Vendor

2022-11-07T06:43:15.223+00:00

It's definite that there are configurations in Azure AD account and It's necessary to change the sample Authentication code. For example, Log in to a Windows virtual machine in Azure by using Azure AD.
There is a sample, Google Credential Provider for Windows, which lets users sign in to Windows devices with the Google Account they use for work and you can refer to. There are also some CP code examples, one of which is MultiOneTimePassword which supports various authentication.
Gene 6 Reputation points

2022-11-07T21:40:46.023+00:00

Thank you Xiaopo. It appears that the Microsoft sample is indeed out of data and doesn't work correctly Azure AD accounts. The MultiOneTimePassword didn't deal with non-local users at all, which gave me the clue that I needed.
Xiaopo Yang - MSFT 7,106 Reputation points Microsoft Vendor

2022-11-08T02:25:55.99+00:00

Does your computer join in Azure AD? I mean can you login your Windows using Azure AD account normally? Probably, It's not a custom credential provider issue.
Gene 6 Reputation points

2022-11-08T05:01:38.637+00:00

Sure. I joined the machine to an Azure AD and could log in using that account.
My problem was that my CP using the Azure AD credentials wouldn't login.

I have it working now....at least for now. <grin>

Credential Provider and Azure Ad

Activity