Authentication Functions

Authentication functions are categorized according to usage as follows:

SSPI Functions

Security Support Provider Interface (SSPI) functions fall into the following major categories.

Package Management

SSPI package management functions initiate a security package, enumerate available packages, and query the attributes of a security package. The following SSPI functions provide management services for security packages.

| Function | Description |
| --- | --- |
| EnumerateSecurityPackages | Lists available security packages and their capabilities. |
| InitSecurityInterface | Retrieves a pointer to a security support provider (SSP) dispatch table. |
| QuerySecurityPackageInfo | Queries an individual security package for its capabilities, including authentication, transport, and message integrity- and privacy-related capabilities. |

Credential Management

SSPI credential management functions provide a credentials handle, a reference to an opaque security object, for accessing a principal. The security object is opaque because the application has access only to the handle and not to the actual contents of the structure.

All references to the contents of a credential context are through the object's handle and the security package dereferences the handle to access the specifics of credentials. A credential handle is a 64-bit value between {0x00000000, 0x00000000} and {0xFFFFFFFF, 0xFFFFFFFE}.

Applications use the credentials handle with context management functions to create a security context.

Credential management functions also release credential handles and query the attributes of credentials. At present, the name associated with a credential is the only attribute that can be queried.

The following functions are used with credentials management.

| Function | Description |
| --- | --- |
| AcquireCredentialsHandle (General) | Acquires a handle to the preexisting credentials of a specified principal. |
| ExportSecurityContext | Exports a security context into a context buffer. |
| FreeCredentialsHandle | Releases a credential handle and associated resources. |
| ImportSecurityContext | Imports a security context exported by using ExportSecurityContext into the current process. |
| QueryCredentialsAttributes | Queries a credential handle for the name associated with the credential. |

Context Management

SSPI context management functions create and use security contexts.

In a communication link, the client and server cooperate to create a shared security context. The client and server both use the security context with message support functions to ensure message integrity and privacy during the connection.

Security contexts are opaque security objects. Information in the security context is not available to the application. Context management functions create and use context handles and the security package dereferences the context handle to access its security content.

A context handle is a 64-bit value between {0x00000000, 0x00000000} and {0xFFFFFFFF, 0xFFFFFFFE}.

The following functions are used with context management.

| Function | Description |
| --- | --- |
| AcceptSecurityContext (General) | Used by a server to create a security context based on an opaque message received from a client. |
| ApplyControlToken | Applies a supplemental security message to an existing security context. |
| CompleteAuthToken | Completes an authentication token. This function is used by protocols, such as DCE, that need to revise the security information after the transport application has updated some message parameters. |
| DeleteSecurityContext | Frees a security context and associated resources. |
| FreeContextBuffer | Frees a memory buffer allocated by a security package. |
| ImpersonateSecurityContext | Impersonates the security context to appear as the client to the system. |
| InitializeSecurityContext (General) | Used by a client to initiate a security context by generating an opaque message to be passed to a server. |
| QueryContextAttributes (General) | Queries the attributes of a security context. |
| QuerySecurityContextToken | Obtains the impersonation token for a security context for direct manipulation. |
| SetContextAttributes | Sets the attributes of a security context. |
| RevertSecurityContext | Ceases impersonating a security context. |

Message Support

SSPI message support functions enable an application to transmit and receive tamper-resistant messages and to encrypt and decrypt messages. These functions work with one or more buffers that contain a message and with a security context created by the context management functions. The functions' behavior differs based on whether a connection, datagram, or stream context is in use. For a description of these differences, see SSPI Context Semantics.

The following functions provide security support for messages.

| Function | Description |
| --- | --- |
| DecryptMessage (General) | Decrypts an encrypted message by using the session key from a security context. |
| EncryptMessage (General) | Encrypts a message by using the session key from a security context. |
| MakeSignature | Generates a secure signature based on a message and a security context. |
| VerifySignature | Verifies that a signature matches a received message. |

Functions Implemented by SSP/APs

The following functions are implemented by security packages contained in Security Support Provider/Authentication Packages (SSP/APs).

In the following tables, the first set of functions is implemented by Windows XP and Windows 2000 SSP/AP security packages. The second set of functions is implemented by SSP/AP security packages only.

The Local Security Authority (LSA) accesses these functions by using the SECPKG_FUNCTION_TABLE structure provided by the SSP/AP's SpLsaModeInitialize function.

The following functions are implemented by all authentication packages.

| Function | Description |
| --- | --- |
| LsaApCallPackage | Processes package-specific service requests. |
| LsaApCallPackagePassthrough | Processes package-specific service requests. |
| LsaApCallPackageUntrusted | Processes requests for services from processes that are not part of the trusted computing base. |
| LsaApInitializePackage | Initializes an authentication package. |
| LsaApLogonTerminated | Processes notifications about terminated logon sessions. |
| LsaApLogonUser | Logs a user on to a system. |
| LsaApLogonUserEx | Logs a user on to a system and generates an audit trail. |
| LsaApLogonUserEx2 | Logs a user on to a system, generates an audit trail, and retrieves credential information. |

The following additional functions are implemented by SSP/AP security packages.

| Function | Description |
| --- | --- |
| SpAcceptCredentials | Stores existing credentials information. |
| SpAcceptLsaModeContext | Initializes a security context for server-side processes in a client/server application. |
| SpAcquireCredentialsHandle | Provides a handle to user credentials. |
| SpAddCredentials | Adds user credentials. |
| SpApplyControlToken | Applies a control token to a security context. |
| SpDeleteContext | Deletes a security context. |
| SpDeleteCredentials | Deletes user credentials. |
| SpFreeCredentialsHandle | Frees a handle to user credentials. |
| SpGetCredentials | Retrieves user credentials. |
| SpGetExtendedInformation | Retrieves extended information about the security package. |
| SpGetInfo | Provides information about a security package. |
| SpGetUserInfo | Retrieves user information. |
| SPInitialize | Initializes a security package. |
| SpInitLsaModeContext | Initializes a security context for client-side processes in a client/server application. |
| SpQueryContextAttributes | Retrieves the attributes of a security context. |
| SpQueryCredentialsAttributes | Provides information about the attributes of credentials. |
| SpSaveCredentials | Saves user credentials. |
| SpSetExtendedInformation | Sets extended information about the security package. |
| SpShutdown | Performs any cleanup required before the SSP/AP is unloaded. |
| SslCrackCertificate | Returns an X509Certificate structure with the information contained in the specified certificate BLOB. |
| SslEmptyCache | Removes the specified string from the Schannel cache. |
| SslFreeCertificate | Frees a certificate that was allocated by a previous call to the SslCrackCertificate function. |

Functions Implemented by User-mode SSP/APs

The following functions are implemented by security support provider/authentication packages (SSP/APs) that can be loaded into client/server applications.

An SSP/AP indicates that it implements the user-mode functions by returning TRUE in the MappedContext parameter of the SpInitLsaModeContext and SpAcceptLsaModeContext functions. The SpInitLsaModeContext function is used by the client side of a transport level application, while SpAcceptLsaModeContext is used by the server side.

Loading an SSP/AP into the client process or server process is handled by the security provider DLL, either Security.dll or Secur32.dll. The security provider DLL loads the SSP/AP by locating the address of the SpUserModeInitialize function implemented by the SSP/AP and calling it. This function returns a set of tables that contain pointers to the user-mode functions implemented in each security package.

After the SSP/AP is loaded into the client or server process, the Local Security Authority (LSA) will copy the security context information (returned by SpInitLsaModeContext or SpAcceptLsaModeContext) and any additional context-related data to the process and call the security package's SpInitUserModeContext function.

Client/server applications access user-mode functionality by calling Security Support Provider Interface (SSPI) functions. The SSPI functions are mapped by the security provider DLL by using the SECPKG_USER_FUNCTION_TABLE supplied by the package.

| Function | Description |
| --- | --- |
| SpCompleteAuthToken | Completes an authentication token. Implements the SSPI CompleteAuthToken function. |
| SpDeleteContext | Deletes a security context. Implements the SSPI DeleteSecurityContext function. |
| SpExportSecurityContext | Exports a security context. Implements the SSPI ExportSecurityContext function. |
| SpFormatCredentials | Formats credentials. |
| SpGetContextToken | Retrieves a context token. Used by the SSPI ImpersonateSecurityContext function. |
| SpImportSecurityContext | Imports a security context. Implements the SSPI ImportSecurityContext function. |
| SpInitUserModeContext | Creates a user-mode security context. |
| SpInstanceInit | Initializes user-mode security packages in an SSP/AP. |
| SpMakeSignature | Creates a signature for a message. Implements the SSPI MakeSignature function. |
| SpMarshallSupplementalCreds | Serializes credentials. |
| SpQueryContextAttributes | Retrieves the attributes of a security context. Implements the SSPI QueryContextAttributes (General) function. |
| SpSealMessage | Encrypts a message. Implements the SSPI EncryptMessage (General) function. |
| SpUnsealMessage | Decrypts a message. Implements the SSPI DecryptMessage (General) function. |
| SpUserModeInitialize | Called when an SSP/AP is loaded into an application's process space. This function provides the SECPKG_USER_FUNCTION_TABLE tables for each security package in the SSP/AP DLL. |
| SpVerifySignature | Validates the signature of a message. Implements the SSPI VerifySignature function. |

LSA Functions Called by SSP/APs

The Local Security Authority (LSA) provides the following functions to security packages deployed in security support provider/authentication packages (SSP/APs). The functions are available in the LSA_SECPKG_FUNCTION_TABLE structure and can be called while the SSP/AP is loaded into the LSA's process space. The following functions are available to all APs.

| Function | Description |
| --- | --- |
| AddCredential | Adds user credentials. |
| AllocateClientBuffer | Allocates memory in the address space of the package's client. |
| AllocateLsaHeap | Allocates memory from the heap. |
| CopyFromClientBuffer | Copies data from a buffer in the address space of the package's client. |
| CopyToClientBuffer | Copies data to a buffer in the address space of the package's client. |
| CreateLogonSession | Creates an LSA logon session. |
| DeleteCredential | Deletes user credentials. |
| DeleteLogonSession | Deletes an LSA logon session. |
| FreeClientBuffer | Frees memory in the address space of the package's client. |
| FreeLsaHeap | Frees memory allocated by AllocateLsaHeap. |
| GetCredentials | Retrieves user credentials. |

The following functions are available to SSP/APs.

| Function | Description |
| --- | --- |
| AllocateSharedMemory | Allocates a section of shared memory. |
| AuditAccountLogon | Creates audit records for attempted logons. |
| AuditLogon | Creates an audit trail for a logon session. |
| CallPackage | Calls a package. |
| CallPackageEx | Calls another package. |
| CallPackagePassthrough | Calls one security package from another. |
| CancelNotification | Cancels notification for special events. |
| ClientCallback | Allows a security package to invoke a function in the client process. |
| CloseSamUser | Closes a handle to a Security Accounts Manager database entry. |
| ConvertAuthDataToToken | Converts authorization data to a user token. |
| CrackSingleName | Converts a name from one format to another. |
| CreateSharedMemory | Creates a section of memory shared between clients and the SSP/AP. |
| CreateThread | Creates a new thread. |
| CreateToken | Creates a token. |
| DeleteSharedMemory | Deletes a section of shared memory. |
| DuplicateHandle | Duplicates a handle. |
| FreeReturnBuffer | Frees a buffer allocated by the LSA. |
| FreeSharedMemory | Frees a section of shared memory. |
| GetAuthDataForUser | Retrieves authorization data for a user account. |
| GetCallInfo | Retrieves information about the most recent function call. |
| GetClientInfo | Retrieves information about the security package's user process. |
| GetUserAuthData | Returns the authorization data for a user. |
| GetUserCredentials | Not yet implemented. |
| ImpersonateClient | Lets a security package impersonate its client. |
| MapBuffer | Maps a buffer into the SSP/AP's address space. |
| OpenSamUser | Opens a handle to a Security Accounts Manager database entry. |
| RegisterNotification | Sets up security package notification for special events. |
| SaveSupplementalCredentials | Obsolete. Do not use. |
| UnloadPackage | Unloads an SSP/AP. |
| UpdateCredentials | Updates a user's credential information. |

LSA Functions Called By User-mode SSP/APs

A security package in a security support provider/authentication package (SSP/AP) executing in a user-mode process can use the pointers in the SECPKG_DLL_FUNCTIONS table to access the following functions.

| Function | Description |
| --- | --- |
| AllocateHeap | Allocates memory for buffers that are returned to the Local Security Authority (LSA). |
| FreeHeap | Frees memory that was previously allocated by using AllocateHeap. |
| RegisterCallback | Registers a callback function that can be called from LSA-mode. |

GINA Export Functions

A GINA DLL must export the following functions.

| Function | Description |
| --- | --- |
| WlxActivateUserShell | Activates the user shell program. |
| WlxDisplayLockedNotice | Allows the GINA DLL to display lock information. |
| WlxDisplaySASNotice | Winlogon calls this function when no user is logged on. |
| WlxDisplayStatusMessage | Winlogon calls this function with a status message to display. |
| WlxGetConsoleSwitchCredentials | Winlogon calls this function to read the currently logged on user's credentials to transparently transfer them to a target session. |
| WlxGetStatusMessage | Winlogon calls this function to get the current status message. |
| WlxInitialize | Initializes the GINA DLL for a specific window station. |
| WlxIsLockOk | Verifies that workstation lock is okay. |
| WlxIsLogoffOk | Verifies that logoff is okay. |
| WlxLoggedOnSAS | Winlogon calls this function when it receives a secure attention sequence (SAS) event while the user is logged on and the workstation is not locked. |
| WlxLoggedOutSAS | Winlogon calls this function when it receives a SAS event while no user is logged on. |
| WlxLogoff | Notifies the GINA DLL that a logoff operation was requested. |
| WlxNegotiate | Indicates whether the current version of Winlogon can be used with the GINA DLL. |
| WlxNetworkProviderLoad | Winlogon calls this function after it loads a network provider to collect valid authentication and identification information. |
| WlxRemoveStatusMessage | Winlogon calls this function to tell the GINA DLL to stop displaying the status message. |
| WlxScreenSaverNotify | Allows the GINA to interact with the screen saver operation. |
| WlxShutdown | Winlogon calls this function just before shutting down, allowing the GINA to perform any shutdown tasks, such as ejecting a smart card from a reader. |
| WlxStartApplication | Winlogon calls this function when the system needs an application started in the user's context. |
| WlxWkstaLockedSAS | Winlogon calls this function when it receives a SAS while the workstation is locked. |

Logon User Functions

The following functions provide the ability to log on a user.

| Function | Description |
| --- | --- |
| LogonUser | Attempts to log a user on to the local computer. |
| LogonUserEx | Attempts to log a user on to the local computer. This function is an extended version of the LogonUser function and retrieves information about the logged-on user's security identifier (SID), profile, and quota limits. |
| LogonUserExExW | The LogonUserExExW function attempts to log a user on to the local computer. This function is not declared in a public header and has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Advapi32.dll. |

Winlogon Support Functions

GINA DLLs can call the following Winlogon support functions.

| Function | Called by GINA |
| --- | --- |
| WlxAssignShellProtection | Requests protection for the shell program of a newly logged-on user. |
| WlxChangePasswordNotify | Indicates that the user has changed a password. Used to notify all network providers. |
| WlxChangePasswordNotifyEx | Indicates that the user has changed a password. Used to notify a single network provider or all network providers. |
| WlxCloseUserDesktop | Closes a desktop for the user. |
| WlxCreateUserDesktop | Creates a desktop for the user. |
| WlxDialogBox | Creates a modal dialog box from a dialog box template resource. |
| WlxDialogBoxIndirect | Creates a modal dialog box from a dialog box template in memory. |
| WlxDialogBoxIndirectParam | Initializes dialog box controls and then creates a modal dialog box from a dialog box template in memory. |
| WlxDialogBoxParam | Initializes dialog box controls and then creates a modal dialog box from a dialog box template resource. |
| WlxDisconnect | Disconnects a Terminal Services network session. |
| WlxGetOption | Retrieves the current value of a specified option. |
| WlxGetSourceDesktop | Determines the name and handle of the desktop that was active prior to Winlogon switching to the Winlogon desktop. |
| WlxMessageBox | Creates, displays, and operates a message box. |
| WlxQueryClientCredentials | Queries the credentials of a remote client that is not using an Internet connector license. |
| WlxQueryConsoleSwitchCredentials | Queries the credentials transferred from the Winlogon of the temporary session to the Winlogon of the destination session. |
| WlxQueryInetConnectorCredentials | Queries the credentials of a remote client that is using an Internet connector license. |
| WlxQueryTerminalServicesData | Queries Terminal Services user configuration information. |
| WlxSasNotify | Notifies Winlogon of a secure attention sequence (SAS) event. |
| WlxSetContextPointer | Specifies the context pointer passed by Winlogon as the first parameter to all the GINA functions. |
| WlxSetOption | Specifies a value for a specific option. |
| WlxSetReturnDesktop | Specifies the desktop Winlogon will switch to after the current SAS event processing is complete. |
| WlxSetTimeout | Changes the time-out associated with a dialog box. |
| WlxSwitchDesktopToUser | Switches to the application desktop. |
| WlxSwitchDesktopToWinlogon | Switches to the Winlogon desktop. |
| WlxUseCtrlAltDel | Prompts Winlogon to use the standard CTRL+ALT+DEL key combination as a secure attention sequence (SAS). |
| WlxWin31Migrate | Completes the setup of the Terminal Services client. |

Network Provider Functions

The following topics provide reference information for the network provider functions.

| Topic | Description |
| --- | --- |
| Functions Implemented by Network Providers | Details functions that can be implemented by network providers. |
| Support Functions | Details a function that is implemented by the operating system and can be called by network providers. |
| Connection Notification Functions | Details functions that are implemented by applications that need to receive notification from the Multiple Provider Router (MPR) when a network resource is connected or disconnected. |

Functions Implemented by Network Providers

The following functions can be implemented by network providers. The only function that network providers are required to support is NPGetCaps.

| Function | Description |
| --- | --- |
| NPAddConnection | Connects a local device to a network resource. |
| NPAddConnection3 | Connects a local device to a network resource and lets you specify the type of connection and the window that will own any messages or dialog boxes. |
| NPCancelConnection | Disconnects a network connection. |
| NPCloseEnum | Closes an enumeration. |
| NPDeviceMode | Sets the parent window of a device. This window owns any dialog boxes that originate from the device. |
| NPDirectoryNotify | Notifies the network provider of certain directory operations. |
| NPEnumResource | Enumerates network resources or existing connections. |
| NPFormatNetworkName | Formats the network name in a provider-specific format. |
| NPGetCaps | Queries a provider for supported capabilities. Returns the capabilities supported by the provider. |
| NPGetConnection | Retrieves information about a network connection. |
| NPGetConnection3 | Retrieves information about a network connection, even if it is currently disconnected. |
| NPGetConnectionPerformance | Retrieves performance information about a network connection. |
| NPGetDirectoryType | Retrieves a value that indicates whether a special icon should be displayed for a directory. |
| NPGetPropertyText | Adds buttons to a property dialog box for a network resource. |
| NPGetResourceInformation | Retrieves information about a network resource. |
| NPGetResourceParent | Retrieves the parent of the specified network resource. |
| NPGetUniversalName | Retrieves the universal name. |
| NPGetUser | Retrieves the user name of the current user. |
| NPOpenEnum | Opens an enumeration of network resources or existing connections. |
| NPPropertyDialog | Handles the event that occurs when a user clicks a button added by using NPGetPropertyText. |
| NPSearchDialog | Performs a network-specific search. |

Support Functions

The following function is implemented by the operating system and can be called by network providers.

| Function | Description |
| --- | --- |
| WNetSetLastError | Sets extended error information. |

Connection Notification Functions

The following functions are implemented by applications that need to receive notification from the Multiple Provider Router (MPR) when a network resource is connected or disconnected. For more information about how to write an application that receives such notifications, see Receiving Connection Notifications.

| Function | Description |
| --- | --- |
| AddConnectNotify | Called before and after each add connection operation (WNetAddConnection, WNetAddConnection2, and WNetAddConnection3). |
| CancelConnectNotify | Called before and after each cancel connection operation (WNetCancelConnection or WNetCancelConnection2). |

LSA Logon Functions

The following Local Security Authority (LSA) authentication functions authenticate and log on users, and they provide logon session information.

| Function | Description |
| --- | --- |
| LsaCallAuthenticationPackage | Requests a package-specific service from an authentication package. |
| LsaConnectUntrusted | Establishes an untrusted connection to the LSA. |
| LsaDeregisterLogonProcess | Disconnects from the LSA and frees resources allocated to the caller's context. |
| LsaEnumerateLogonSessions | Retrieves locally unique identifiers (LUIDs) for existing logon sessions. |
| LsaFreeReturnBuffer | Frees memory allocated for a buffer returned to a caller. |
| LsaGetLogonSessionData | Retrieves information about a specified logon session. |
| LsaLogonUser | Authenticates user logon data against stored credentials. If successful, it creates a new logon session and returns a user token. |
| LsaLookupAuthenticationPackage | Obtains the unique identifier of an authentication package. |
| LsaQueryDomainInformationPolicy | Retrieves domain information from the Policy object. |
| LsaQueryForestTrustInformation | Retrieves forest trust information for the specified LSA TrustedDomain object. |
| LsaRegisterLogonProcess | Establishes a trusted connection to the LSA. |
| LsaSetDomainInformationPolicy | Sets domain information for the Policy object. |
| LsaSetForestTrustInformation | Sets the forest trust information for a specified LSA TrustedDomain object. |

Functions Implemented by Authentication Packages

Custom authentication packages must implement these functions, which are called by the Local Security Authority (LSA). These functions are implemented by the MSV1_0 and Kerberos authentication packages provided by Microsoft.

| Function | Description |
| --- | --- |
| LsaApCallPackage | Called when the authentication package's identifier has been specified in a call to LsaCallAuthenticationPackage by an application that is using a trusted connection. This function provides a way for logon applications to communicate directly with authentication packages. |
| LsaApCallPackagePassthrough | Called when the authentication package's identifier has been specified in a call to LsaCallAuthenticationPackage for a pass-through logon request. |
| LsaApCallPackageUntrusted | Called when the authentication package's identifier has been specified in a call to LsaCallAuthenticationPackage by an application using an untrusted connection. This function is used for communicating with processes that do not have the SeTcbPrivilege privilege. |
| LsaApInitializePackage | Called during system initialization to permit the authentication package to perform initialization tasks. |
| LsaApLogonTerminated | Called when a logon session ends to permit the authentication package to free any resources allocated for the logon session. |
| LsaApLogonUser | Called when the authentication package has been specified in a call to LsaLogonUser. This function authenticates a security principal's logon data. |
| LsaApLogonUserEx | Identical to LsaApLogonUser except that it returns the workstation name for audit purposes. An authentication package can implement LsaApLogonUser, LsaApLogonUserEx, or LsaApLogonUserEx2. It does not need to implement them all. |
| LsaApLogonUserEx2 | Identical to LsaApLogonUserEx except that it returns the security principal's primary and supplemental credentials. An authentication package can implement LsaApLogonUser, LsaApLogonUserEx, or LsaApLogonUserEx2. It does not need to implement them all. |

LSA Functions Called by Authentication Packages

The following Local Security Authority (LSA) functions can be called from a custom authentication package. When the LSA calls LsaApInitializePackage to initialize the package, it passes a table of support functions.

| Function | Description |
| --- | --- |
| AddCredential | Associates credentials, such as user name and password, with a logon session. |
| AllocateClientBuffer | Allocates a buffer within the calling client's process. |
| AllocateLsaHeap | Allocates buffers that must be returned from the authentication package to the LSA. |
| CopyFromClientBuffer | Copies the contents of a buffer in the client's address space into a local buffer. |
| CopyToClientBuffer | Copies the contents of a local buffer into the client's address space. |
| CreateLogonSession | Used by authentication packages to create a logon session. |
| DeleteCredential | Removes credentials previously cached by AddCredential. |
| DeleteLogonSession | Frees extraneous logon sessions created while authenticating a security principal. |
| FreeClientBuffer | Frees client buffers previously allocated with the AllocateClientBuffer function. |
| FreeLsaHeap | Frees buffers previously allocated by using the AllocateLsaHeap function. |
| GetCredentials | Retrieves credentials previously cached by AddCredential. |

Subauthentication Functions

The following subauthentication functions can be called by Microsoft-provided authentication packages to provide additional, user-created logon authentication.

| Function | Description |
| --- | --- |
| Msv1_0SubAuthenticationFilter | Performs user logon authentication that is specific to domain controllers. |
| Msv1_0SubAuthenticationRoutine | Performs client/server-specific authentication. |

Credentials Management Functions

The following topics provide reference information for the credentials management functions.

| Topic | Description |
| --- | --- |
| Credentials Management UI Functions | Details functions used for credentials management UI. |
| Low-level Credentials Management Functions | Details functions used for low-level credentials management. |
| Credential Management Notification Functions | Details functions that are implemented by credential managers to receive notifications when authentication information changes. |

Credentials Management UI Functions

The following are credentials management UI functions.

| Function | Description |
| --- | --- |
| CredUICmdLinePromptForCredentials | Prompt for and accept user credentials information from a user working in a command-line program. |
| CredUIConfirmCredentials | Confirm the validity of credentials returned by CredUIPromptForCredentials or CredUICmdLinePromptForCredentials. |
| CredUIParseUserName | Extract the domain and user account name from a fully qualified user name. |
| CredUIPromptForCredentials | Display a dialog box that accepts credentials information from a user. |
| CredUIPromptForWindowsCredentials | Creates and displays a configurable dialog box that allows users to supply credential information by using any credential provider installed on the local computer. |
| CredUIReadSSOCredW | Retrieves the user name for a single logon credential. |
| CredUIStoreSSOCredW | Stores a single logon credential. |

Low-level Credentials Management Functions

The following are low-level credentials management functions.

| Function | Description |
| --- | --- |
| CredDelete | Delete a credential from a user's credentials set. |
| CredEnumerate | List the credentials in a user's credentials set. |
| CredFindBestCredential | Searches the Credentials Management (CredMan) database for the set of generic credentials that are associated with the current logon session and that best match the specified target resource. |
| CredFree | Free the memory used for a buffer returned by any of the credentials management functions. |
| CredGetSessionTypes | Retrieve the maximum persistence supported by the current logon session. |
| CredGetTargetInfo | Retrieve all known target name information for a named resource. |
| CredIsProtected | Specifies whether the specified credentials are encrypted by a previous call to the CredProtect function. |
| CredMarshalCredential | Transform a credential into a text string. |
| CredPackAuthenticationBuffer | Converts a string user name and password into an authentication buffer. |
| CredProtect | Encrypts the specified credentials so that only the current security context can decrypt them. |
| CredRead | Read a credential from a user's credentials set. |
| CredReadDomainCredentials | Read the domain credentials from a user's credentials set. |
| CredRename | Rename a credential from a user's credentials set. |
| CredUnmarshalCredential | Transform a marshaled credential string back into its nonmarshaled form. |
| CredUnPackAuthenticationBuffer | Converts an authentication buffer returned by a call to the CredUIPromptForWindowsCredentials function into a string user name and password. |
| CredUnprotect | Decrypts credentials that were previously encrypted by using the CredProtect function. |
| CredWrite | Create a new credential or modify an existing credential in a user's credentials set. |
| CredWriteDomainCredentials | Write domain credentials to a user's credentials set. |

Credential Management Notification Functions

The following functions are implemented by credential managers to receive notifications when authentication information changes.

| Function | Description |
| --- | --- |
| NPLogonNotify | Notifies the credential manager of a logon event. |
| NPPasswordChangeNotify | Notifies a credential manager provider when the password of an account changes. |

Smart Card Functions

The Smart Card SDK provides the following functions.

| Function | Description |
| --- | --- |
| GetOpenCardName | Replaced by SCardUIDlgSelectCard, which displays the smart card Select Card dialog box. |
| SCardAccessStartedEvent | Gets an event handle when the starting of a smart card resource manager is signaled. |
| SCardAddReaderToGroup | Adds a reader to a reader group. |
| SCardBeginTransaction | Starts a transaction. |
| SCardCancel | Terminates all outstanding actions within a context. |
| SCardCancelTransaction | Reserved for future use. |
| SCardConnect | Establishes a connection between the calling application and a smart card. |
| SCardControl | Gets direct control of the reader after SCardConnect is called. |
| SCardDisconnect | Terminates a connection between the calling application and a smart card. |
| SCardEndTransaction | Completes a transaction. |
| SCardEstablishContext | Establishes a resource manager context for accessing the smart card database. |
| SCardForgetCardType | Removes a previously defined smart card from the smart card subsystem. |
| SCardForgetReader | Removes a previously defined reader from the smart card subsystem. |
| SCardForgetReaderGroup | Removes a previously defined reader group from the smart card subsystem. |
| SCardFreeMemory | Releases memory allocated by resource manager. |
| SCardGetAttrib | Gets the current reader's attributes from a given reader, driver, or smart card. |
| SCardGetCardTypeProviderName | Gets the provider name given a card name and provider type. |
| SCardGetProviderId | Gets the identifier (GUID) of the primary service provider for a smart card. |
| SCardGetStatusChange | Blocks execution until status of the readers changes. |
| SCardGetTransmitCount | Retrieves the number of transmit operations that have completed since the specified card reader was inserted. |
| SCardIntroduceCardType | Introduces a new smart card to the smart card subsystem. |
| SCardIntroduceReader | Introduces a new reader to the smart card subsystem. |
| SCardIntroduceReaderGroup | Introduces a new reader group to the smart card subsystem. |
| SCardIsValidContext | Verifies a smart card context handle. |
| SCardListCards | Provides a list of smart cards already introduced to the subsystem. |
| SCardListInterfaces | Provides a list of interfaces supplied by a given smart card. |
| SCardListReaderGroups | Provides a list of reader groups already introduced to the subsystem. |
| SCardListReaders | Provides a list of readers already introduced to the subsystem. |
| SCardLocateCards | Locates the cards that match a given ATR string. |
| SCardLocateCardsByATR | Locates the cards that match a given ATR string. |
| SCardReadCache | Retrieves the value portion of a name-value pair from the global cache maintained by the Smart Card Resource Manager. |
| SCardReconnect | Reestablishes an existing connection from the calling application to the smart card. |
| SCardReleaseContext | Closes an established resource manager context. |
| SCardReleaseStartedEvent | Decrements the reference count for a handle acquired by using the SCardAccessStartedEvent function. |
| SCardRemoveReaderFromGroup | Removes a reader from an existing reader group. |
| SCardSetAttrib | Sets a given reader attribute. |
| SCardSetCardTypeProviderName | Sets the provider name for a card name and provider type. |
| SCardStatus | Gets the current state of a reader. |
| SCardTransmit | Sends a service request to a smart card. |
| SCardUIDlgSelectCard | Displays the smart card Select Card dialog box. |
| SCardWriteCache | Writes a name-value pair from a smart card to the global cache maintained by the Smart Card Resource Manager. |

SASL Functions

The Simple Authentication and Security Layer (SASL) provides the following functions.

| Functions | Description |
| --- | --- |
| SaslAcceptSecurityContext | Wraps a standard call to the SSPI AcceptSecurityContext (General) function and includes creation of SASL server cookies. |
| SaslEnumerateProfiles | Lists the packages that provide a SASL interface. |
| SaslGetContextOption | Retrieves the specified property of the specified SASL context. |
| SaslGetProfilePackage | Returns the package information for the specified package. |
| SaslIdentifyPackage | Returns the negotiate prefix that matches the specified SASL negotiation buffer. |
| SaslInitializeSecurityContext | Wraps a standard call to the SSPI InitializeSecurityContext (General) function and processes SASL server cookies from the server. |
| SaslSetContextOption | Sets the value of the specified property for the specified SASL context. |

Build date: 6/26/2009

© 2009 Microsoft Corporation. All rights reserved.