
GetCertificateFromCred function

Implemented by an identity provider and called by the LSA to obtain the certificate associated with a supplied user (online ID) credential.

Syntax


NTSTATUS GetCertificateFromCred(
  _In_   PVOID ProviderHandle,
  _In_   HANDLE ClientToken,
  _In_   PVOID SuppliedCred,
  _In_   ULONG SuppliedCredSize,
  _Out_  PVOID *CertContext
);

Parameters

ProviderHandle [in]

Identity provider handle.

ClientToken [in]

Token of the caller who is retrieving the certificate.

SuppliedCred [in]

A pointer to a SECPKG_SUPPLIED_CREDENTIAL structure that contains the credential of an online ID whose certificate is requested. The identity provider must validate this input as if it came from an untrusted source: the buffer's contents, including the structure's own length fields and embedded string descriptors, must not be trusted until they have been checked against SuppliedCredSize.
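The following is an added example of how an identity provider can apply that rule before touching anything inside the buffer. It is illustrative code written for this page, not Microsoft's implementation and not code from the original article. The struct layout mirrors SECPKG_SUPPLIED_CREDENTIAL as declared in Ntsecpkg.h, but two things are assumptions to confirm against the header before reuse: that each SECURITY_STRING's Buffer is carried as a byte offset from the start of the blob (the way the LSA marshals other logon credential structures), and the exact field set. The Windows types are typedef'd locally so the file builds on any C compiler, and the sample credential blob and its tamper cases are constructed inline.

```c
/* Added example: defensive validation of the SuppliedCred blob handed to
 * GetCertificateFromCred. Not Microsoft's code. Layout and the offset-based
 * Buffer convention are ASSUMPTIONS to verify against Ntsecpkg.h. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef int32_t  NTSTATUS;   /* local stand-ins for the Windows SDK types */
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef uint16_t WCHAR;

#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)

typedef struct {
    USHORT    Length;         /* bytes in use (no terminator) */
    USHORT    MaximumLength;  /* bytes allocated */
    uintptr_t Buffer;         /* PWSTR in the SDK; ASSUMED here to hold a byte offset from blob start */
} SECURITY_STRING;

typedef struct {              /* mirrors SECPKG_SUPPLIED_CREDENTIAL (assumed layout) */
    ULONG cbHeaderLength;
    ULONG cbStructureLength;
    SECURITY_STRING UserName;
    SECURITY_STRING DomainName;
    SECURITY_STRING Password;
    ULONG CredFlags;
} SECPKG_SUPPLIED_CREDENTIAL;

/* A string is acceptable only if it lies wholly inside the variable part
 * [hdr, total) and is well-formed UTF-16. Bounds are checked with a
 * subtraction so that offset + length can never wrap around. */
static int string_in_bounds(const SECURITY_STRING *s, size_t hdr, size_t total)
{
    size_t off = (size_t)s->Buffer;
    if (s->Length == 0) return 1;                      /* empty: nothing is dereferenced */
    if (s->Length > s->MaximumLength) return 0;
    if (s->Length % sizeof(WCHAR) != 0) return 0;      /* odd byte count is not UTF-16 */
    if (off % sizeof(WCHAR) != 0) return 0;            /* misaligned WCHAR pointer */
    if (off < hdr || off > total) return 0;            /* must not alias the header or start past the end */
    if ((size_t)s->Length > total - off) return 0;     /* runs past the end of the blob */
    return 1;
}

/* Returns STATUS_SUCCESS and (optionally) a typed view of the blob, or
 * STATUS_INVALID_PARAMETER. SuppliedCredSize, which comes from the LSA and
 * not from the blob itself, bounds every read. */
NTSTATUS ValidateSuppliedCred(const void *SuppliedCred, ULONG SuppliedCredSize,
                              const SECPKG_SUPPLIED_CREDENTIAL **Out)
{
    const SECPKG_SUPPLIED_CREDENTIAL *c = (const SECPKG_SUPPLIED_CREDENTIAL *)SuppliedCred;
    if (Out) *Out = NULL;
    if (c == NULL || SuppliedCredSize < sizeof(*c)) return STATUS_INVALID_PARAMETER;
    /* Self-described lengths must agree with the real buffer and with each other. */
    if (c->cbHeaderLength < sizeof(*c))               return STATUS_INVALID_PARAMETER;
    if (c->cbStructureLength > SuppliedCredSize)      return STATUS_INVALID_PARAMETER;
    if (c->cbHeaderLength > c->cbStructureLength)     return STATUS_INVALID_PARAMETER;
    if (!string_in_bounds(&c->UserName,   c->cbHeaderLength, c->cbStructureLength) ||
        !string_in_bounds(&c->DomainName, c->cbHeaderLength, c->cbStructureLength) ||
        !string_in_bounds(&c->Password,   c->cbHeaderLength, c->cbStructureLength))
        return STATUS_INVALID_PARAMETER;
    if (Out) *Out = c;
    return STATUS_SUCCESS;
}

/* Constructed sample input: marshal an ASCII string as UTF-16LE at offset off. */
static size_t put_utf16(unsigned char *buf, size_t off, const char *s, SECURITY_STRING *out)
{
    size_t n = strlen(s), i;
    out->Buffer = off;
    out->Length = out->MaximumLength = (USHORT)(n * 2);
    for (i = 0; i < n; i++) { buf[off + 2 * i] = (unsigned char)s[i]; buf[off + 2 * i + 1] = 0; }
    return off + n * 2;
}

size_t build_sample_cred(unsigned char *buf, size_t cap, const char *user, const char *dom, const char *pw)
{
    SECPKG_SUPPLIED_CREDENTIAL hdr;
    size_t off = sizeof hdr;
    if (cap < sizeof hdr + 2 * (strlen(user) + strlen(dom) + strlen(pw))) return 0;
    memset(&hdr, 0, sizeof hdr);
    hdr.cbHeaderLength = (ULONG)sizeof hdr;
    off = put_utf16(buf, off, user, &hdr.UserName);
    off = put_utf16(buf, off, dom,  &hdr.DomainName);
    off = put_utf16(buf, off, pw,   &hdr.Password);
    hdr.cbStructureLength = (ULONG)off;
    memcpy(buf, &hdr, sizeof hdr);
    return off;
}

/* Validate the sample blob after applying one tamper case (0 = untouched). */
NTSTATUS sample_status(int tamper)
{
    union { unsigned char b[256]; SECPKG_SUPPLIED_CREDENTIAL align; } u;
    SECPKG_SUPPLIED_CREDENTIAL *h = &u.align;
    size_t size = build_sample_cred(u.b, sizeof u.b, "alice", "contoso", "hunter2");
    ULONG claimed = (ULONG)size;
    switch (tamper) {
    case 1: h->cbStructureLength = 1u << 30; break;                   /* blob lies about its size */
    case 2: h->Password.Buffer = size; h->Password.Length = 64; break; /* string runs past the end */
    case 3: claimed = (ULONG)sizeof(*h) - 1; break;                   /* LSA passed a truncated buffer */
    case 4: h->UserName.Buffer = 0; break;                            /* string aliases the header */
    case 5: h->Password.Length = 7; break;                            /* odd byte count */
    default: break;
    }
    return ValidateSuppliedCred(u.b, claimed, NULL);
}

int main(void)
{
    int t;
    for (t = 0; t <= 5; t++)
        printf("tamper case %d -> 0x%08X\n", t, (unsigned)sample_status(t));
    return 0;
}
```

Only the untouched blob passes; every tamper case maps to STATUS_INVALID_PARAMETER, which is the code the table below reserves for a credential that is not in the defined SECPKG_SUPPLIED_CREDENTIAL format. A real provider would then move on to recognising the credential type (returning STATUS_NOT_SUPPORTED if it is not its own) before attempting any network or certificate-store work.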

SuppliedCredSize [in]

The size, in bytes, of the SuppliedCred buffer.

CertContext [out]

If the function succeeds, this parameter receives a PCCERT_CONTEXT, that is, a pointer to the CERT_CONTEXT structure for the returned certificate. When you have finished using the certificate context, release it by calling the CertFreeCertificateContext function.

Return value

If the function succeeds, the function returns STATUS_SUCCESS.

If the function fails, the function may return one of the following NTSTATUS error codes.

Return value          Description
STATUS_NOT_SUPPORTED

The identity provider does not recognize the credential type of the supplied credential. LSA will try the next identity provider.

STATUS_LOGON_FAILURE

The credential is incorrect.

STATUS_INVALID_PARAMETER

A parameter is not valid. The credential may be in an incorrect format and not in the defined SECPKG_SUPPLIED_CREDENTIAL structure.

STATUS_NETWORK_UNREACHABLE

The identity provider cannot contact the cloud to obtain the certificate.

STATUS_PASSWORD_EXPIRED

The account password has expired.

STATUS_ACCOUNT_LOCKED_OUT

The account has been locked out.

Others

Other provider-specific error codes.


Remarks

Before fetching the certificate from the cloud, the identity provider should check that there is a valid certificate for this user in the user's "MY" certificate store. If a valid certificate exists, the provider should return this certificate to avoid unnecessary network traffic.

The identity provider can also cache the certificate locally, as long as the cached copy is protected from the current user (for example, stored where the user cannot read or modify it).

Requirements

Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]

Header

Lsaidprov.h

© 2014 Microsoft