GetCredentialKey function

Gets the credential key of the user logon credential.


SEC_ENTRY GetCredentialKey(
  _In_     PVOID           ProviderHandle,
  _In_opt_ PLUID           LogonId,
  _In_opt_ PVOID           AuthBuffer,
  _In_     ULONG           AuthBufferSize,
  _In_     ULONG           Reserved,
  _Out_    PUNICODE_STRING CredentialKey
);


ProviderHandle [in]

Identity provider handle.

LogonId [in, optional]

If AuthBuffer is NULL, the LogonId parameter contains the logon ID of the logon session whose logon authority is the identity provider pointed to by the ProviderHandle parameter. The function uses the LogonId parameter to locate the user logon credential.

AuthBuffer [in, optional]

If LogonId is NULL, AuthBuffer provides the credential needed to authenticate the user to the online service and to compute the credential key. The credential key should be the same as one that would be returned given a logon ID of the logon session of the same user. This parameter is passed to the function when LSA disconnects a user. The AuthBuffer parameter is a SEC_WINNT_AUTH_IDENTITY_EX2 buffer. The buffer will not be encrypted because LSA will decrypt the buffer before passing it to the provider. If LogonId is not NULL, AuthBuffer must be NULL.

AuthBufferSize [in]

The size, in bytes, of the AuthBuffer buffer.

Reserved [in]

This parameter is reserved and must be set to zero.

CredentialKey [out]

A string buffer that represents the credential key. The string buffer must be allocated by the function by using the AllocateLsaHeap function.

Return value

If the function succeeds, the function returns SEC_E_OK.

If the function fails, the function may return one of the following error codes.

Return value    Description

A parameter is not valid. LogonId and AuthBuffer are both NULL or both non-NULL, or AuthBuffer contains a SEC_WINNT_AUTH_IDENTITY_EX2 structure that is not valid.


The credential type in AuthBuffer is not recognized.


Other provider-specific errors.



Exactly one of the LogonId and AuthBuffer parameters must be non-NULL: they cannot both be NULL, and they cannot both be provided on the same call to this function.
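
The argument contract above (one credential source only, Reserved set to zero, a well-formed AuthBuffer) can be checked before any key material is computed. The following is an added sketch, not code from this reference page or from the Windows SDK: check_key_args, key_args_status and auth_header are hypothetical names, the status values are placeholders, and auth_header is a simplified stand-in for the start of a SEC_WINNT_AUTH_IDENTITY_EX2 buffer so that the example builds without Windows headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not Windows SDK values). */
typedef enum { KEY_ARGS_OK = 0, KEY_ARGS_INVALID = 1 } key_args_status;

/* Simplified stand-in for the start of a SEC_WINNT_AUTH_IDENTITY_EX2 buffer.
   Assumption: a real provider uses the Windows SDK definition instead. */
typedef struct {
    uint32_t cbStructureLength; /* total length claimed by the sender */
    uint32_t UserOffset;        /* byte offset of the user name */
    uint16_t UserLength;        /* byte length of the user name */
} auth_header;

/* True when [off, off + len) fits in `size` bytes; written to avoid overflow. */
static int in_bounds(uint32_t off, uint32_t len, uint32_t size)
{
    return off <= size && len <= size - off;
}

/* Checks the argument contract before any credential key is computed. */
key_args_status check_key_args(const void *logon_id, const void *auth_buffer,
                               uint32_t auth_buffer_size, uint32_t reserved)
{
    auth_header h;

    if (reserved != 0)
        return KEY_ARGS_INVALID;            /* Reserved must be zero */
    if ((logon_id != NULL) == (auth_buffer != NULL))
        return KEY_ARGS_INVALID;            /* both NULL or both supplied */
    if (logon_id != NULL)
        return KEY_ARGS_OK;                 /* key is located by logon session */
    if (auth_buffer_size < sizeof h)
        return KEY_ARGS_INVALID;            /* too short to hold the header */
    memcpy(&h, auth_buffer, sizeof h);      /* validate a private copy */
    if (h.cbStructureLength < sizeof h || h.cbStructureLength > auth_buffer_size)
        return KEY_ARGS_INVALID;            /* claimed length exceeds the buffer */
    if (h.UserOffset < sizeof h ||
        !in_bounds(h.UserOffset, h.UserLength, h.cbStructureLength))
        return KEY_ARGS_INVALID;            /* user name outside the structure */
    return KEY_ARGS_OK;
}
```

Copying the header before checking it means every later decision is made on the same values, and the subtraction form in in_bounds keeps a large offset from wrapping past the end of the buffer.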


Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]