Authentication Functions

Authentication functions are categorized according to usage as follows:

• SSPI Functions
  • Package Management
  • Credential Management
  • Context Management
  • Message Support
• Functions Implemented by SSP/APs
• Functions Implemented by User-mode SSP/APs
• LSA Functions Called by SSP/APs
• LSA Functions Called By User-mode SSP/APs
• GINA Export Functions
• Logon User Functions
• Winlogon Support Functions
• Network Provider Functions
  • Functions Implemented by Network Providers
  • Support Functions
  • Connection Notification Functions
• LSA Logon Functions
• Functions Implemented by Authentication Packages
• LSA Functions Called by Authentication Packages
• Subauthentication Functions
• Credentials Management Functions
  • Credentials Management UI Functions
  • Low-level Credentials Management Functions
  • Credential Management Notification Functions
• Smart Card Functions
• SASL Functions

SSPI Functions

Security Support Provider Interface (SSPI) functions fall into the following major categories.

• Package management

  Functions that list the available security packages and select a package.

• Credential management

  Functions that create and work with handles to the credentials of principals.

• Context management

  Functions that use credentials handles to create a security context.

• Message support

  Functions that use security contexts to ensure message integrity and privacy during message exchanges over the secured connection. Integrity is achieved through message signing and signature verification. Privacy is achieved through message encryption and decryption.

Package Management

SSPI package management functions initiate a security package, enumerate available packages, and query the attributes of a security package. The following SSPI functions provide management services for security packages.

Function	Description
EnumerateSecurityPackages	Lists available security packages and their capabilities.
InitSecurityInterface	Retrieves a pointer to a security support provider (SSP) dispatch table.
QuerySecurityPackageInfo	Queries an individual security package for its capabilities, including authentication, transport, and message integrity- and privacy-related capabilities.

 

Credential Management

SSPI credential management functions provide a credentials handle, a reference to an opaque security object, for accessing a principal. The security object is opaque because the application has access only to the handle and not to the actual contents of the structure.

All references to the contents of a credential context are through the object's handle and the security package dereferences the handle to access the specifics of credentials. A credential handle is a 64-bit value between {0x00000000, 0x00000000} and {0xFFFFFFFF, 0xFFFFFFFE}.

Applications use the credentials handle with context management functions to create a security context.

Credential management functions also release credential handles and query the attributes of credentials. At present, the name associated with a credential is the only attribute that can be queried.

The following functions are used with credentials management.

Function	Description
AcquireCredentialsHandle (General)	Acquires a handle to the preexisting credentials of a specified principal.
ExportSecurityContext	Exports a security context into a context buffer.
FreeCredentialsHandle	Releases a credential handle and associated resources.
ImportSecurityContext	Imports a security context exported by using ExportSecurityContext into the current process.
QueryCredentialsAttributes	Queries a credential handle for the name associated with the credential.

 

Context Management

SSPI context management functions create and use security contexts.

In a communication link, the client and server cooperate to create a shared security context. The client and server both use the security context with message support functions to ensure message integrity and privacy during the connection.

Security contexts are opaque security objects. Information in the security context is not available to the application. Context management functions create and use context handles and the security package dereferences the context handle to access its security content.

A context handle is a 64-bit value between {0x00000000, 0x00000000} and {0xFFFFFFFF, 0xFFFFFFFE}.

The following functions are used with context management.

Function	Description
AcceptSecurityContext (General)	Used by a server to create a security context based on an opaque message received from a client.
ApplyControlToken	Applies a supplemental security message to an existing security context.
CompleteAuthToken	Completes an authentication token. This function is used by protocols, such as DCE, that need to revise the security information after the transport application has updated some message parameters.
DeleteSecurityContext	Frees a security context and associated resources.
FreeContextBuffer	Frees a memory buffer allocated by a security package.
ImpersonateSecurityContext	Impersonates the security context to appear as the client to the system.
InitializeSecurityContext (General)	Used by a client to initiate a security context by generating an opaque message to be passed to a server.
QueryContextAttributes (General)	Queries the attributes of a security context.
QuerySecurityContextToken	Obtains the impersonation token for a security context for direct manipulation.
SetContextAttributes	Sets the attributes of a security context.
RevertSecurityContext	Ceases impersonating a security context.

 

Message Support

SSPI message support functions enable an application to transmit and receive tamper-resistant messages and to encrypt and decrypt messages. These functions work with one or more buffers that contain a message and with a security context created by the context management functions. The functions' behavior differs based on whether a connection, datagram, or stream context is in use. For a description of these differences, see SSPI Context Semantics.

The following functions provide security support for messages.

Function	Description
DecryptMessage (General)	Decrypts an encrypted message by using the session key from a security context.
EncryptMessage (General)	Encrypts a message by using the session key from a security context.
MakeSignature	Generates a secure signature based on a message and a security context.
VerifySignature	Verifies that a signature matches a received message.

 

Functions Implemented by SSP/APs

The following functions are implemented by security packages contained in Security Support Provider/Authentication Packages (SSP/APs).

In the following tables, the first set of functions is implemented by Windows XP and Windows 2000 SSP/AP security packages. The second set of functions is implemented by SSP/AP security packages only.

The Local Security Authority (LSA) accesses these functions by using the SECPKG_FUNCTION_TABLE structure provided by the SSP/AP's SpLsaModeInitialize function.

The following functions are implemented by all authentication packages.

Function	Description
LsaApCallPackage	Processes package-specific service requests.
LsaApCallPackagePassthrough	Processes package-specific service requests.
LsaApCallPackageUntrusted	Processes requests for services from processes that are not part of the trusted computing base.
LsaApInitializePackage	Initializes an authentication package.
LsaApLogonTerminated	Processes notifications about terminated logon sessions.
LsaApLogonUser	Logs a user on to a system.
LsaApLogonUserEx	Logs a user on to a system and generates an audit trail.
LsaApLogonUserEx2	Logs a user on to a system, generates an audit trail, and retrieves credential information.

 

The following additional functions are implemented by SSP/AP security packages.

Function	Description
SpAcceptCredentials	Stores existing credentials information.
SpAcceptLsaModeContext	Initializes a security context for server-side processes in a client/server application.
SpAcquireCredentialsHandle	Provides a handle to user credentials.
SpAddCredentials	Adds user credentials.
SpApplyControlToken	Applies a control token to a security context.
SpDeleteContext	Deletes a security context.
SpDeleteCredentials	Deletes user credentials.
SpFreeCredentialsHandle	Frees a handle to user credentials.
SpGetCredentials	Retrieves user credentials.
SpGetExtendedInformation	Retrieves extended information about the security package.
SpGetInfo	Provides information about a security package.
SpGetUserInfo	Retrieves user information.
SPInitialize	Initializes a security package.
SpInitLsaModeContext	Initializes a security context for client-side processes in a client/server application.
SpQueryContextAttributes	Retrieves the attributes of a security context.
SpQueryCredentialsAttributes	Provides information about the attributes of credentials.
SpSaveCredentials	Saves user credentials.
SpSetExtendedInformation	Sets extended information about the security package.
SpShutdown	Performs any cleanup required before the SSP/AP is unloaded.
SslCrackCertificate	Returns an X509Certificate structure with the information contained in the specified certificate BLOB.
SslEmptyCache	Removes the specified string from the Schannel cache.
SslFreeCertificate	Frees a certificate that was allocated by a previous call to the SslCrackCertificate function.

 

Functions Implemented by User-mode SSP/APs

The following functions are implemented by security support provider/authentication packages (SSP/APs) that can be loaded into client/server applications.

An SSP/AP indicates that it implements the user-mode functions by returning TRUE in the MappedContext parameter of the SpInitLsaModeContext and SpAcceptLsaModeContext functions. The SpInitLsaModeContext function is used by the client side of a transport level application, while SpAcceptLsaModeContext is used by the server side.

Loading an SSP/AP into the client process or server process is handled by the security provider DLL, either Security.dll or Secur32.dll. The security provider DLL loads the SSP/AP by locating the address of the SpUserModeInitialize function implemented by the SSP/AP and calling it. This function returns a set of tables that contain pointers to the user-mode functions implemented in each security package.

After the SSP/AP is loaded into the client or server process, the Local Security Authority (LSA) will copy the security context information (returned by SpInitLsaModeContext or SpAcceptLsaModeContext) and any additional context-related data to the process and call the security package's SpInitUserModeContext function.

Client/server applications access user-mode functionality by calling Security Support Provider Interface (SSPI) functions. The SSPI functions are mapped by the security provider DLL by using the SECPKG_USER_FUNCTION_TABLE supplied by the package.

Function	Description
SpCompleteAuthToken	Completes an authentication token. Implements the SSPI CompleteAuthToken function.
SpDeleteContext	Deletes a security context. Implements the SSPI DeleteSecurityContext function.
SpExportSecurityContext	Exports a security context. Implements the SSPI ExportSecurityContext function.
SpFormatCredentials	Formats credentials.
SpGetContextToken	Retrieves a context token. Used by the SSPI ImpersonateSecurityContext function.
SpImportSecurityContext	Imports a security context. Implements the SSPI ImportSecurityContext function.
SpInitUserModeContext	Creates a user-mode security context.
SpInstanceInit	Initializes user-mode security packages in an SSP/AP.
SpMakeSignature	Creates a signature for a message. Implements the SSPI MakeSignature function.
SpMarshallSupplementalCreds	Serializes credentials.
SpQueryContextAttributes	Retrieves the attributes of a security context. Implements the SSPI QueryContextAttributes (General) function.
SpSealMessage	Encrypts a message. Implements the SSPI EncryptMessage (General) function.
SpUnsealMessage	Decrypts a message. Implements the SSPI DecryptMessage (General) function.
SpUserModeInitialize	Called when an SSP/AP is loaded into an application's process space. This function provides the SECPKG_USER_FUNCTION_TABLE tables for each security package in the SSP/AP DLL.
SpVerifySignature	Validates the signature of a message. Implements the SSPI VerifySignature function.

 

LSA Functions Called by SSP/APs

The Local Security Authority (LSA) provides the following functions to security packages deployed in security support provider/authentication packages (SSP/APs). The functions are available in the LSA_SECPKG_FUNCTION_TABLE structure and can be called while the SSP/AP is loaded into the LSA's process space. The following functions are available to all APs.

Function	Description
AddCredential	Adds user credentials.
AllocateClientBuffer	Allocates memory in the address space of the package's client.
AllocateLsaHeap	Allocates memory from the heap.
CopyFromClientBuffer	Copies data from a buffer in the address space of the package's client.
CopyToClientBuffer	Copies data to a buffer in the address space of the package's client.
CreateLogonSession	Creates an LSA logon session.
DeleteCredential	Deletes user credentials.
DeleteLogonSession	Deletes an LSA logon session.
FreeClientBuffer	Frees memory in the address space of the package's client.
FreeLsaHeap	Frees memory allocated by AllocateLsaHeap.
GetCredentials	Retrieves user credentials.

 

The following functions are available to SSP/APs.

Function	Description
AllocateSharedMemory	Allocates a section of shared memory.
AuditAccountLogon	Creates audit records for attempted logons.
AuditLogon	Creates an audit trail for a logon session.
CallPackage	Calls a package.
CallPackageEx	Calls another package.
CallPackagePassthrough	Calls one security package from another.
CancelNotification	Cancels notification for special events.
ClientCallback	Allows a security package to invoke a function in the client process.
CloseSamUser	Closes a handle to a Security Accounts Manager database entry.
ConvertAuthDataToToken	Converts authorization data to a user token.
CrackSingleName	Converts a name from one format to another.
CreateSharedMemory	Creates a section of memory shared between clients and the SSP/AP.
CreateThread	Creates a new thread.
CreateToken	Creates a token.
DeleteSharedMemory	Deletes a section of shared memory.
DuplicateHandle	Duplicates a handle.
FreeReturnBuffer	Frees a buffer allocated by the LSA.
FreeSharedMemory	Frees a section of shared memory.
GetAuthDataForUser	Retrieves authorization data for a user account.
GetCallInfo	Retrieves information about the most recent function call.
GetClientInfo	Retrieves information about the security package's user process.
GetUserAuthData	Returns the authorization data for a user.
GetUserCredentials	Not yet implemented.
ImpersonateClient	Lets a security package impersonate its client.
MapBuffer	Maps a buffer into the SSP/AP's address space.
OpenSamUser	Opens a handle to a Security Accounts Manager database entry.
RegisterNotification	Sets up security package notification for special events.
SaveSupplementalCredentials	Obsolete. Do not use.
UnloadPackage	Unloads an SSP/AP.
UpdateCredentials	Updates a user's credential information.

 

LSA Functions Called By User-mode SSP/APs

A security package in a security support provider/authentication package (SSP/AP) executing in a user-mode process can use the pointers in the SECPKG_DLL_FUNCTIONS table to access the following functions.

Function	PSDK status
AllocateHeap	Allocates memory for buffers that are returned to the Local Security Authority (LSA).
FreeHeap	Frees memory that was previously allocated by using AllocateHeap.
RegisterCallback	Registers a callback function that can be called from LSA-mode.

 

GINA Export Functions

A GINA DLL must export the following functions.

Function	Description
WlxActivateUserShell	Activates the user shell program.
WlxDisplayLockedNotice	Allows the GINA DLL to display lock information.
WlxDisplaySASNotice	Winlogon calls this function when no user is logged on.
WlxDisplayStatusMessage	Winlogon calls this function with a status message to display.
WlxGetConsoleSwitchCredentials	Winlogon calls this function to read the currently logged on user's credentials to transparently transfer them to a target session.
WlxGetStatusMessage	Winlogon calls this function to get the current status message.
WlxInitialize	Initializes the GINA DLL for a specific window station.
WlxIsLockOk	Verifies that workstation lock is okay.
WlxIsLogoffOk	Verifies that logoff is okay.
WlxLoggedOnSAS	Winlogon calls this function when it receives a secure attention sequence (SAS) event while the user is logged on and the workstation is not locked.
WlxLoggedOutSAS	Winlogon calls this function when it receives a SAS event while no user is logged on.
WlxLogoff	Notifies the GINA DLL that a logoff operation was requested.
WlxNegotiate	Indicates whether the current version of Winlogon can be used with the GINA DLL.
WlxNetworkProviderLoad	Winlogon calls this function after it loads a network provider to collect valid authentication and identification information.
WlxRemoveStatusMessage	Winlogon calls this function to tell the GINA DLL to stop displaying the status message.
WlxScreenSaverNotify	Allows the GINA to interact with the screen saver operation.
WlxShutdown	Winlogon calls this function just before shutting down, allowing the GINA to perform any shutdown tasks, such as ejecting a smart card from a reader.
WlxStartApplication	Winlogon calls this function when the system needs an application started in the user's context.
WlxWkstaLockedSAS	Winlogon calls this function when it receives a SAS while the workstation is locked.

 

Logon User Functions

The following functions provide the ability to log on a user.

Function	Description
LogonUser	Attempts to log a user on to the local computer.
LogonUserEx	Attempts to log a user on to the local computer. This function is an extended version of the LogonUser function and retrieves information about the logged-on user's security identifier (SID), profile, and quota limits.
LogonUserExExW	The LogonUserExExW function attempts to log a user on to the local computer. This function is not declared in a public header and has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Advapi32.dll.

 

Winlogon Support Functions

GINA DLLs can call the following Winlogon support functions.

Function	Called by GINA
WlxAssignShellProtection	Requests protection for the shell program of a newly logged-on user.
WlxChangePasswordNotify	Indicates that the user has changed a password. Used to notify all network providers.
WlxChangePasswordNotifyEx	Indicates that the user has changed a password. Used to notify a single network provider or all network providers.
WlxCloseUserDesktop	Closes a desktop for the user.
WlxCreateUserDesktop	Creates a desktop for the user.
WlxDialogBox	Creates a modal dialog box from a dialog box template resource.
WlxDialogBoxIndirect	Creates a modal dialog box from a dialog box template in memory.
WlxDialogBoxIndirectParam	Initializes dialog box controls and then creates a modal dialog box from a dialog box template in memory.
WlxDialogBoxParam	Initializes dialog box controls and then creates a modal dialog box from a dialog box template resource.
WlxDisconnect	Disconnects a Terminal Services network session.
WlxGetOption	Retrieves the current value of a specified option.
WlxGetSourceDesktop	Determines the name and handle of the desktop that was active prior to Winlogon switching to the Winlogon desktop.
WlxMessageBox	Creates, displays, and operates a message box.
WlxQueryClientCredentials	Queries the credentials of a remote client that is not using an Internet connector license.
WlxQueryConsoleSwitchCredentials	Queries the credentials transferred from the Winlogon of the temporary session to the Winlogon of the destination session.
WlxQueryInetConnectorCredentials	Queries the credentials of a remote client that is using an Internet connector license.
WlxQueryTerminalServicesData	Queries Terminal Services user configuration information.
WlxSasNotify	Notifies Winlogon of a secure attention sequence (SAS) event.
WlxSetContextPointer	Specifies the context pointer passed by Winlogon as the first parameter to all the GINA functions.
WlxSetOption	Specifies a value for a specific option.
WlxSetReturnDesktop	Specifies the desktop Winlogon will switch to after the current SAS event processing is complete.
WlxSetTimeout	Changes the time-out associated with a dialog box.
WlxSwitchDesktopToUser	Switches to the application desktop.
WlxSwitchDesktopToWinlogon	Switches to the Winlogon desktop.
WlxUseCtrlAltDel	Prompts Winlogon to use the standard CTRL+ALT+DEL key combination as a secure attention sequence (SAS).
WlxWin31Migrate	Completes the setup of the Terminal Services client.

 

Network Provider Functions

The following topics provide reference information for the network provider functions.

Topic	Description
Functions Implemented by Network Providers	Details functions that can be implemented by network providers.
Support Functions	Details a function that is implemented by the operating system and can be called by network providers.
Connection Notification Functions	Details functions that are implemented by applications that need to receive notification from the Multiple Provider Router (MPR) when a network resource is connected or disconnected.

 

Functions Implemented by Network Providers

The following functions can be implemented by network providers. The only function that network providers are required to support is NPGetCaps.

Function	Description
NPAddConnection	Connects a local device to a network resource.
NPAddConnection3	Connects a local device to a network resource and lets you specify the type of connection and the window that will own any messages or dialog boxes.
NPCancelConnection	Disconnects a network connection.
NPCloseEnum	Closes an enumeration.
NPDeviceMode	Sets the parent window of a device. This window owns any dialog boxes that originate from the device.
NPDirectoryNotify	Notifies the network provider of certain directory operations.
NPEnumResource	Enumerates network resources or existing connections.
NPFormatNetworkName	Formats the network name in a provider-specific format.
NPGetCaps	Queries a provider for supported capabilities. Returns the capabilities supported by the provider.
NPGetConnection	Retrieves information about a network connection.
NPGetConnection3	Retrieves information about a network connection, even if it is currently disconnected.
NPGetConnectionPerformance	Retrieves performance information about a network connection.
NPGetDirectoryType	Retrieves a value that indicates whether a special icon should be displayed for a directory.
NPGetPropertyText	Adds buttons to a property dialog box for a network resource.
NPGetResourceInformation	Retrieves information about a network resource.
NPGetResourceParent	Retrieves the parent of the specified network resource.
NPGetUniversalName	Retrieves the universal name.
NPGetUser	Retrieves the user name of the current user.
NPOpenEnum	Opens an enumeration of network resources or existing connections.
NPPropertyDialog	Handles the event that occurs when a user clicks a button added by using NPGetPropertyText.
NPSearchDialog	Performs a network-specific search.

 

Support Functions

The following function is implemented by the operating system and can be called by network providers.

Function	Description
WNetSetLastError	Sets extended error information.

 

Connection Notification Functions

The following functions are implemented by applications that need to receive notification from the Multiple Provider Router (MPR) when a network resource is connected or disconnected. For more information about how to write an application that receives such notifications, see Receiving Connection Notifications.

Function	Description
AddConnectNotify	Called before and after each add connection operation (WNetAddConnection, WNetAddConnection2, and WNetAddConnection3).
CancelConnectNotify	Called before and after each cancel connection operation (WNetCancelConnection or WNetCancelConnection2).

 

LSA Logon Functions

The following Local Security Authority (LSA) authentication functions authenticate and log on users, and they provide logon session information.

Function	Description
LsaCallAuthenticationPackage	Requests a package-specific service from an authentication package.
LsaConnectUntrusted	Establishes an untrusted connection to the LSA.
LsaDeregisterLogonProcess	Disconnects from the LSA and frees resources allocated to the caller's context.
LsaEnumerateLogonSessions	Retrieves locally unique identifiers (LUIDs) for existing logon sessions.
LsaFreeReturnBuffer	Frees memory allocated for a buffer returned to a caller.
LsaGetLogonSessionData	Retrieves information about a specified logon session.
LsaLogonUser	Authenticates user logon data against stored credentials. If successful, it creates a new logon session and returns a user token.
LsaLookupAuthenticationPackage	Obtains the unique identifier of an authentication package.
LsaQueryDomainInformationPolicy	Retrieves domain information from the Policy object.
LsaQueryForestTrustInformation	Retrieves forest trust information for the specified LSA TrustedDomain object.
LsaRegisterLogonProcess	Establishes a trusted connection to the LSA.
LsaSetDomainInformationPolicy	Sets domain information for the Policy object.
LsaSetForestTrustInformation	Sets the forest trust information for a specified LSA TrustedDomain object.

 

Functions Implemented by Authentication Packages

Custom authentication packages must implement these functions, which are called by the Local Security Authority (LSA). These functions are implemented by the MSV1_0 and Kerberos authentication packages provided by Microsoft.

Function	Description
LsaApCallPackage	Called when the authentication package's identifier has been specified in a call to LsaCallAuthenticationPackage by an application that is using a trusted connection. This function provides a way for logon applications to communicate directly with authentication packages.
LsaApCallPackagePassthrough	Called when the authentication package's identifier has been specified in a call to LsaCallAuthenticationPackage for a pass-through logon request.
LsaApCallPackageUntrusted	Called when the authentication package's identifier has been specified in a call to LsaCallAuthenticationPackage by an application using an untrusted connection. This function is used for communicating with processes that do not have the SeTcbPrivilege privilege.
LsaApInitializePackage	Called during system initialization to permit the authentication package to perform initialization tasks.
LsaApLogonTerminated	Called when a logon session ends to permit the authentication package to free any resources allocated for the logon session.
LsaApLogonUser	Called when the authentication package has been specified in a call to LsaLogonUser. This function authenticates a security principal's logon data.
LsaApLogonUserEx	Identical to LsaApLogonUser except that it returns the workstation name for audit purposes. An authentication package can implement LsaApLogonUser, LsaApLogonUserEx, or LsaApLogonUserEx2. It does not need to implement them all.
LsaApLogonUserEx2	Identical to LsaApLogonUserEx except that it returns the security principal's primary and supplemental credentials. An authentication package can implement LsaApLogonUser, LsaApLogonUserEx, or LsaApLogonUserEx2. It does not need to implement them all.

 

LSA Functions Called by Authentication Packages

The following Local Security Authority (LSA) functions can be called from a custom authentication package. When the LSA calls LsaApInitializePackage to initialize the package, it passes a table of support functions.

Function	Description
AddCredential	Associates credentials, such as user name and password, with a logon session.
AllocateClientBuffer	Allocates a buffer within the calling client's process.
AllocateLsaHeap	Allocates buffers that must be returned from the authentication package to the LSA.
CopyFromClientBuffer	Copies the contents of a buffer in the client's address space into a local buffer.
CopyToClientBuffer	Copies the contents of a local buffer into the client's address space.
CreateLogonSession	Used by authentication packages to create a logon session.
DeleteCredential	Removes credentials previously cached by AddCredential.
DeleteLogonSession	Frees extraneous logon sessions created while authenticating a security principal.
FreeClientBuffer	Frees client buffers previously allocated with the AllocateClientBuffer function.
FreeLsaHeap	Frees buffers previously allocated by using the AllocateLsaHeap function.
GetCredentials	Retrieves credentials previously cached by AddCredential.

 

Subauthentication Functions

The following subauthentication functions can be called by Microsoft-provided authentication packages to provide additional, user-created logon authentication.

Function	Description
Msv1_0SubAuthenticationFilter	Performs user logon authentication that is specific to domain controllers.
Msv1_0SubAuthenticationRoutine	Performs client/server-specific authentication.

 

Credentials Management Functions

The following topics provide reference information for the credentials management functions.

Topic	Description
Credentials Management UI Functions	Details functions used for credentials management UI.
Low-level Credentials Management Functions	Details functions used for low-level credentials management.
Credential Management Notification Functions	Details functions that are implemented by credential managers to receive notifications when authentication information changes.

 

Credentials Management UI Functions

The following are credentials management UI functions.

Function	Description
CredUICmdLinePromptForCredentials	Prompt for and accept user credentials information from a user working in a command-line program.
CredUIConfirmCredentials	Confirm the validity of credentials returned by CredUIPromptForCredentials or CredUICmdLinePromptForCredentials.
CredUIParseUserName	Extract the domain and user account name from a fully qualified user name.
CredUIPromptForCredentials	Display a dialog box that accepts credentials information from a user.
CredUIPromptForWindowsCredentials	Creates and displays a configurable dialog box that allows users to supply credential information by using any credential provider installed on the local computer.
CredUIReadSSOCredW	Retrieves the user name for a single logon credential.
CredUIStoreSSOCredW	Stores a single logon credential.

 

Low-level Credentials Management Functions

The following are low-level credentials management functions.

Function	Description
CredDelete	Delete a credential from a user's credentials set.
CredEnumerate	List the credentials in a user's credentials set.
CredFindBestCredential	Searches the Credentials Management (CredMan) database for the set of generic credentials that are associated with the current logon session and that best match the specified target resource.
CredFree	Free the memory used for a buffer returned by any of the credentials management functions.
CredGetSessionTypes	Retrieve the maximum persistence supported by the current logon session.
CredGetTargetInfo	Retrieve all known target name information for a named resource.
CredIsProtected	Specifies whether the specified credentials are encrypted by a previous call to the CredProtect function.
CredMarshalCredential	Transform a credential into a text string.
CredPackAuthenticationBuffer	Converts a string user name and password into an authentication buffer.
CredProtect	Encrypts the specified credentials so that only the current security context can decrypt them.
CredRead	Read a credential from a user's credentials set.
CredReadDomainCredentials	Read the domain credentials from a user's credentials set.
CredRename	Rename a credential from a user's credentials set.
CredUnmarshalCredential	Transform a marshaled credential string back into its nonmarshaled form.
CredUnPackAuthenticationBuffer	Converts an authentication buffer returned by a call to the CredUIPromptForWindowsCredentials function into a string user name and password.
CredUnprotect	Decrypts credentials that were previously encrypted by using the CredProtect function.
CredWrite	Create a new credential or modify an existing credential in a user's credentials set.
CredWriteDomainCredentials	Write domain credentials to a user's credentials set.

 

Credential Management Notification Functions

The following functions are implemented by credential managers to receive notifications when authentication information changes.

Function	Description
NPLogonNotify	Notifies the credential manager of a logon event.
NPPasswordChangeNotify	Notifies a credential manager provider when the password of an account changes.

 

Smart Card Functions

The Smart Card SDK provides the following functions.

Function	Description
GetOpenCardName	Replaced by SCardUIDlgSelectCard, which displays the smart card Select Card dialog box.
SCardAccessStartedEvent	Gets an event handle when the starting of a smart card resource manager is signaled.
SCardAddReaderToGroup	Adds a reader to a reader group.
SCardBeginTransaction	Starts a transaction.
SCardCancel	Terminates all outstanding actions within a context.
SCardCancelTransaction	Reserved for future use.
SCardConnect	Establishes a connection between the calling application and a smart card.
SCardControl	Gets direct control of the reader after SCardConnect is called.
SCardDisconnect	Terminates a connection between the calling application and a smart card.
SCardEndTransaction	Completes a transaction.
SCardEstablishContext	Establishes a resource manager context for accessing the smart card database.
SCardForgetCardType	Removes a previously defined smart card from the smart card subsystem.
SCardForgetReader	Removes a previously defined reader from the smart card subsystem.
SCardForgetReaderGroup	Removes a previously defined reader group from the smart card subsystem.
SCardFreeMemory	Releases memory allocated by resource manager.
SCardGetAttrib	Gets the current reader's attributes from a given reader, driver, or smart card.
SCardGetCardTypeProviderName	Gets the provider name given a card name and provider type.
SCardGetProviderId	Gets the identifier (GUID) of the primary service provider for a smart card.
SCardGetStatusChange	Blocks execution until status of the readers changes.
SCardGetTransmitCount	Retrieves the number of transmit operations that have completed since the specified card reader was inserted.
SCardIntroduceCardType	Introduces a new smart card to the smart card subsystem.
SCardIntroduceReader	Introduces a new reader to the smart card subsystem.
SCardIntroduceReaderGroup	Introduces a new reader group to the smart card subsystem.
SCardIsValidContext	Verifies a smart card context handle.
SCardListCards	Provides a list of smart cards already introduced to the subsystem.
SCardListInterfaces	Provides a list of interfaces supplied by a given smart card.
SCardListReaderGroups	Provides a list of reader groups already introduced to the subsystem.
SCardListReaders	Provides a list of readers already introduced to the subsystem.
SCardLocateCards	Locates the cards that match a given ATR string.
SCardLocateCardsByATR	Locates the cards that match a given ATR string.
SCardReadCache	Retrieves the value portion of a name-value pair from the global cache maintained by the Smart Card Resource Manager.
SCardReconnect	Reestablishes an existing connection from the calling application to the smart card.
SCardReleaseContext	Closes an established resource manager context.
SCardReleaseStartedEvent	Decrements the reference count for a handle acquired by using the SCardAccessStartedEvent function.
SCardRemoveReaderFromGroup	Removes a reader from an existing reader group.
SCardSetAttrib	Sets a given reader attribute.
SCardSetCardTypeProviderName	Sets the provider name for a card name and provider type.
SCardStatus	Gets the current state of a reader.
SCardTransmit	Sends a service request to a smart card.
SCardUIDlgSelectCard	Displays the smart card Select Card dialog box.
SCardWriteCache	Writes a name-value pair from a smart card to the global cache maintained by the Smart Card Resource Manager.

 

SASL Functions

The Simple Authentication and Security Layer (SASL) provides the following functions.

Functions	Description
SaslAcceptSecurityContext	Wraps a standard call to the SSPI AcceptSecurityContext (General) function and includes creation of SASL server cookies.
SaslEnumerateProfiles	Lists the packages that provide a SASL interface.
SaslGetContextOption	Retrieves the specified property of the specified SASL context.
SaslGetProfilePackage	Returns the package information for the specified package.
SaslIdentifyPackage	Returns the negotiate prefix that matches the specified SASL negotiation buffer.
SaslInitializeSecurityContext	Wraps a standard call to the SSPI InitializeSecurityContext (General) function and processes SASL server cookies from the server.
SaslSetContextOption	Sets the value of the specified property for the specified SASL context.

 

Send comments about this topic to Microsoft

Build date: 6/26/2009