Edit

Share via

GetCertificateFromCred function

  • Article

Gets the certificate from the user credential.

Syntax

NTSTATUS GetCertificateFromCred(
  _In_  PVOID  ProviderHandle,
  _In_  HANDLE ClientToken,
  _In_  PVOID  SuppliedCred,
  _In_  ULONG  SuppliedCredSize,
  _Out_ PVOID  *CertContext
);

Parameters

ProviderHandle [in]

Identity provider handle.

ClientToken [in]

Token of the caller who is retrieving the certificate.

SuppliedCred [in]

A pointer to a SECPKG_SUPPLIED_CREDENTIAL structure that contains the credential of an online ID whose certificate is requested. The identity provider must validate the input data as if it is coming from an untrusted source.

SuppliedCredSize [in]

The size, in bytes, of the SuppliedCred buffer.

CertContext [out]

If the function succeeds, this parameter is a pointer to the returned CCERT_CONTEXT pointer. When you have finished using the certificate context, release it by calling the CertFreeCertificateContext function.

Return value

If the function succeeds, the function returns STATUS_SUCCESS.

If the function fails, the function may return one of the following NTSTATUS error codes.

Return value Description
STATUS_NOT_SUPPORTED
 The identity provider does not recognize the credential type of the supplied credential. LSA will try the next identity provider.
STATUS_LOGON_FAILURE
 The credential is incorrect.
STATUS_INVALID_PARAMETER
 A parameter is not valid. The credential may be in an incorrect format and not in the defined SECPKG_SUPPLIED_CREDENTIAL structure.
STATUS_NETWORK_UNREACHABLE
 The identity provider cannot contact the cloud to obtain the certificate.
STATUS_PASSWORD_EXPIRED
 The account password has expired.
STATUS_ACCOUNT_LOCKED_OUT
 The account has been locked out.
Others
 Other provider-specific error codes.

Remarks

Before fetching the certificate from the cloud, the identity provider should check that there is a valid certificate for this user in the user's "MY" certificate store. If a valid certificate exists, the provider should return this certificate to avoid unnecessary network traffic.

The identity provider can also cache the certificate locally as long as it is protected from the current user.

Requirements

Requirement Value
Minimum supported client
 Windows 8 [desktop apps only]
Minimum supported server
 Windows Server 2012 [desktop apps only]
Header
Lsaidprov.h