GetCertificateFromCred function

Gets the certificate from the user credential.

Syntax
NTSTATUS GetCertificateFromCred(
  _In_  PVOID  ProviderHandle,
  _In_  HANDLE ClientToken,
  _In_  PVOID  SuppliedCred,
  _In_  ULONG  SuppliedCredSize,
  _Out_ PVOID  *CertContext
);

Parameters
ProviderHandle [in]

Identity provider handle.

ClientToken [in]

Token of the caller who is retrieving the certificate.

SuppliedCred [in]

A pointer to a SECPKG_SUPPLIED_CREDENTIAL structure that contains the credential of an online ID whose certificate is requested. The identity provider must validate the input data as if it is coming from an untrusted source.

SuppliedCredSize [in]

The size, in bytes, of the SuppliedCred buffer.

CertContext [out]

If the function succeeds, this parameter is a pointer to the returned CCERT_CONTEXT pointer. When you have finished using the certificate context, release it by calling the CertFreeCertificateContext function.

Return value

If the function succeeds, the function returns STATUS_SUCCESS.

If the function fails, the function may return one of the following NTSTATUS error codes.

Return value    Description

The identity provider does not recognize the credential type of the supplied credential. LSA will try the next identity provider.

The credential is incorrect.

A parameter is not valid. The credential may be in an incorrect format and not in the defined SECPKG_SUPPLIED_CREDENTIAL structure.

The identity provider cannot contact the cloud to obtain the certificate.

The account password has expired.

The account has been locked out.

Other provider-specific error codes.

Remarks
Before fetching the certificate from the cloud, the identity provider should check that there is a valid certificate for this user in the user's "MY" certificate store. If a valid certificate exists, the provider should return this certificate to avoid unnecessary network traffic.

The identity provider can also cache the certificate locally as long as it is protected from the current user.
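As an added example (not code from this page or from the Windows SDK), the untrusted-input check that the SuppliedCred description calls for, run before an identity provider touches any field of the credential. It reproduces the SECPKG_SUPPLIED_CREDENTIAL and UNICODE_STRING layouts as local stand-in types so it compiles outside the SDK, and it assumes that each string's Buffer is an absolute pointer into the supplied buffer; ValidateSuppliedCredential and DemoCredential are hypothetical names.

```c
#include <stdint.h>
#include <string.h>
/* Stand-ins for the Windows types so this compiles without the SDK (assumption). */
typedef uint16_t USHORT, WCHAR;
typedef uint32_t ULONG;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct {
    ULONG cbHeaderLength, cbStructureLength;   /* fixed header; header + string data */
    UNICODE_STRING UserName, DomainName, Password;
    ULONG CredFlags;
} SECPKG_SUPPLIED_CREDENTIAL;
enum { CRED_OK = 0, CRED_INVALID_PARAMETER = 1 };
/* A counted string passes only if it is empty or its whole MaximumLength span lies
 * inside [base, base+size). Integer arithmetic only: a hostile Buffer pointer is
 * never dereferenced and the bounds check cannot overflow. */
static int string_in_buffer(const UNICODE_STRING *s, const void *base, ULONG size) {
    uintptr_t lo = (uintptr_t)base, p = (uintptr_t)s->Buffer;
    if (s->Length == 0 && s->MaximumLength == 0) return 1;
    if (s->Length % sizeof(WCHAR) != 0 || s->Length > s->MaximumLength) return 0;
    if (p < lo || p - lo > size) return 0;              /* starts outside the buffer */
    return s->MaximumLength <= size - (ULONG)(p - lo);  /* and ends inside it */
}
/* Check SuppliedCred/SuppliedCredSize before any field is trusted. */
int ValidateSuppliedCredential(const void *SuppliedCred, ULONG SuppliedCredSize) {
    const SECPKG_SUPPLIED_CREDENTIAL *c = SuppliedCred;
    if (c == NULL || SuppliedCredSize < sizeof *c) return CRED_INVALID_PARAMETER;
    if (c->cbHeaderLength < sizeof *c) return CRED_INVALID_PARAMETER;
    if (c->cbStructureLength < c->cbHeaderLength ||
        c->cbStructureLength > SuppliedCredSize) return CRED_INVALID_PARAMETER;
    if (!string_in_buffer(&c->UserName,   c, c->cbStructureLength) ||
        !string_in_buffer(&c->DomainName, c, c->cbStructureLength) ||
        !string_in_buffer(&c->Password,   c, c->cbStructureLength))
        return CRED_INVALID_PARAMETER;
    return CRED_OK;
}

/* Constructed sample: header followed by the user name L"alice". claimed_size is
 * what the caller reports; point_outside aims Buffer just past the buffer end. */
int DemoCredential(ULONG claimed_size, int point_outside) {
    static union { SECPKG_SUPPLIED_CREDENTIAL hdr; unsigned char raw[128]; } u;
    const WCHAR alice[5] = { 'a', 'l', 'i', 'c', 'e' };
    WCHAR *name = (WCHAR *)(u.raw + sizeof u.hdr);
    memset(&u, 0, sizeof u);
    memcpy(name, alice, sizeof alice);
    u.hdr.cbHeaderLength = sizeof u.hdr;
    u.hdr.cbStructureLength = sizeof u.hdr + sizeof alice;
    u.hdr.UserName.Length = u.hdr.UserName.MaximumLength = sizeof alice;
    u.hdr.UserName.Buffer = point_outside ? (WCHAR *)(u.raw + sizeof u.raw) : name;
    return ValidateSuppliedCredential(&u, claimed_size);
}
```

A provider would map CRED_INVALID_PARAMETER to the "parameter is not valid" NTSTATUS from the table above and only then go on to the "MY" store lookup.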

Requirements
Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]