js.hrt

Reputation: 159

C++ Windows Credential Provider Error Screen

I have developed a custom credential provider for MFA and it is working fine. I am performing my additional authentication checks in the GetSerialization() method by calling REST APIs. Now, in case of successful validation through the REST API, I am allowing the user to log in. But for the case of validation failure, I want to show an error screen, like the one the default provider shows in case of an incorrect username or password (having a button for 'Ok'). I have understood that this is done in ReportResult() by the default credential provider in case of logon failure. Can I call ReportResult() to display my custom error message with an 'Ok' button? Regards,

EDIT: I am doing it like this:

if (SUCCEEDED(HRESULT_FROM_NT(ntsStatus)) && SUCCEEDED(HRESULT_FROM_NT(ntsSubstatus)))
{
    SHStrDupW(L"Bad password", ppwszOptionalStatusText);
    *pcpsiOptionalStatusIcon = CPSI_ERROR;
}

But the screen isn't stopping. It logs in the user. I need to detect the scenario when the Windows credentials are correct but the API call fails, so I need to catch that status and display an error.

Upvotes: 2

Views: 1689

Answers (2)

Alexander

Reputation: 1341

Have to try

*pcpgsr = CPGSR_NO_CREDENTIAL_NOT_FINISHED;

In my use case, with the additional

*pcpsiOptionalStatusIcon = CPSI_WARNING;

it is enough to display status message.

Upvotes: 0

Wander3r

Reputation: 1881

ReportResult(
    NTSTATUS ntsStatus, 
    NTSTATUS ntsSubstatus,
    PWSTR* ppwszOptionalStatusText, 
    CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon
    )

You can set your own custom message by populating ppwszOptionalStatusText. If needed, the icon can also be set through pcpsiOptionalStatusIcon to one of CPSI_ERROR, CPSI_WARNING or CPSI_SUCCESS.

For example, after checking ntsStatus, you could customize it like this:

SHStrDupW(L"Bad password", ppwszOptionalStatusText);
*pcpsiOptionalStatusIcon = CPSI_ERROR;

Edit:

Inside GetSerialization(), once the API returns failure, set the CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE to not finished, like this:

*pcpgsr = CPGSR_RETURN_NO_CREDENTIAL_FINISHED;

This should stop the logon from continuing.

Edit 2: As per @js.hrt's comment below, to show the status screen from GetSerialization(), use the following in GetSerialization(), without using ReportResult():

*pcpgsr = CPGSR_NO_CREDENTIAL_NOT_FINISHED;
SHStrDupW(L"Bad password", ppwszOptionalStatusText);
*pcpsiOptionalStatusIcon = CPSI_ERROR;

Upvotes: 0
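
One way to structure the failure path discussed in the answers above so that every non-approval outcome of the REST call keeps the user on the tile, as an added example that is not code from the question or either answer. The two enums are local stand-ins mirroring credentialprovider.h so the sketch builds off Windows; MfaReply, Decision, DecideSerialization and the JSON body format are hypothetical.

```cpp
#include <cstdio>
#include <string>

// Local stand-ins mirroring the enum order in credentialprovider.h so the sketch
// builds off Windows; a real provider includes that header instead.
enum CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE {
    CPGSR_NO_CREDENTIAL_NOT_FINISHED, CPGSR_NO_CREDENTIAL_FINISHED,
    CPGSR_RETURN_CREDENTIAL_FINISHED, CPGSR_RETURN_NO_CREDENTIAL_FINISHED
};
enum CREDENTIAL_PROVIDER_STATUS_ICON { CPSI_NONE, CPSI_ERROR, CPSI_WARNING, CPSI_SUCCESS };

// Hypothetical view of the REST reply; httpStatus 0 means the call never completed.
struct MfaReply { int httpStatus; std::string body; };

struct Decision {
    CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE response;  // goes to *pcpgsr
    CREDENTIAL_PROVIDER_STATUS_ICON icon;   // goes to *pcpsiOptionalStatusIcon
    std::wstring statusText;  // real method: SHStrDupW(text, ppwszOptionalStatusText)
    bool packCredential;      // serialize the Windows credential only when true
};

// Fail closed: only an explicit approval lets the logon continue.
Decision DecideSerialization(const MfaReply& r) {
    if (r.httpStatus == 0 || r.httpStatus >= 500)   // timeout or service outage
        return {CPGSR_NO_CREDENTIAL_NOT_FINISHED, CPSI_WARNING,
                L"Could not reach the verification service.", false};
    // Exact match on a constructed body format; a substring test such as
    // find("approved") would also accept "not approved".
    if (r.httpStatus == 200 && r.body == "{\"result\":\"approved\"}")
        return {CPGSR_RETURN_CREDENTIAL_FINISHED, CPSI_NONE, L"", true};
    // Denials, other status codes and uninterpretable replies all stay on the tile.
    return {CPGSR_NO_CREDENTIAL_NOT_FINISHED, CPSI_ERROR,
            L"Additional verification failed.", false};
}

int main() {
    const MfaReply samples[] = {   // constructed replies
        {200, "{\"result\":\"approved\"}"}, {200, "{\"result\":\"denied\"}"}, {0, ""}};
    for (const MfaReply& s : samples) {
        const Decision d = DecideSerialization(s);
        std::printf("http=%d response=%d icon=%d pack=%d\n", s.httpStatus,
                    static_cast<int>(d.response), static_cast<int>(d.icon),
                    d.packCredential ? 1 : 0);
    }
    return 0;
}
```

In the real GetSerialization(), the credential serialization structure is filled only when packCredential is true, so a failed or unreachable second factor never hands the Windows credential on for logon.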
