Managing Credentials

The credential provider and the credential manager are components of the Windows Biometric Framework. The provider retrieves user credentials from the secure store and responds to logon, unlock, password-change, and UAC elevation requests; it also responds during a fast user switch to log on the new user. The manager maps logon credentials to biometric identities and stores the credentials securely. Mappings are typically created by third-party enrollment applications during biometric enrollment, but the Windows biometric credential provider can also create them during logon if a user attempts to authenticate biometrically but either is not enrolled or the stored credentials do not match those in the secure store.

Credential Manager API Guidelines

  • Credentials cannot be stored, queried, or deleted for the Guest or Built-in Administrator accounts or any non-interactive accounts such as LocalSystem, LocalService, or NetworkService.
  • All functions return an HRESULT error code that may be a common error code such as E_ACCESSDENIED or an error specific to the credential manager such as WINBIO_E_UNKNOWN_ID.
  • If appropriate, E_ACCESSDENIED is returned before more specific error codes such as SEC_E_LOGON_DENIED or WINBIO_E_UNKNOWN_ID are returned.
  • Users whose privileges have not been elevated can set, query, or remove credentials for only their own account. Elevated callers can query credential state and remove credentials for other users.
  • All functions fail and return WINBIO_E_CRED_PROV_DISABLED:
    • for all users when the credential provider is not enabled system-wide;
    • for domain users when the provider is not enabled for domain use.
  • An event notice is generated when a credential is added or removed.
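The guidelines above describe the result codes and access rules a caller of the credential manager has to deal with. The following C program is an added example, not code from this page or from the Windows Biometric Framework documentation: on Windows it calls WinBioGetCredentialState for the account running the process and maps the result to an action; off Windows it compiles only the pure helpers so they can be unit-tested. The mapping of result codes to actions, the function names, the well-known-SID exclusion check, and the placeholder numeric values used when the real headers are unavailable are all this example's assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <winbio.h>
#pragma comment(lib, "winbio.lib")
#else
/* Stand-ins so the policy helpers compile and can be unit-tested off Windows.
 * The numeric values are PLACEHOLDERS, not the values from winerror.h or
 * winbio_err.h; on Windows the real headers above define these symbols. */
typedef int32_t HRESULT;
#define FAILED(hr) ((hr) < 0)
#define E_ACCESSDENIED              ((HRESULT)0x80000001)
#define SEC_E_LOGON_DENIED          ((HRESULT)0x80000002)
#define WINBIO_E_UNKNOWN_ID         ((HRESULT)0x80000003)
#define WINBIO_E_CRED_PROV_DISABLED ((HRESULT)0x80000004)
#endif

/* What each documented result means for a management tool. This mapping is the
 * example's reading of the API guidelines, not a documented contract. */
typedef enum {
    CRED_ACTION_OK,            /* call succeeded; inspect the returned state */
    CRED_ACTION_PROVIDER_OFF,  /* provider disabled system-wide or for domain users */
    CRED_ACTION_NOT_ALLOWED,   /* caller may not act on this account; the API checks this first */
    CRED_ACTION_ENROLL,        /* no biometric-to-credential mapping stored for this identity */
    CRED_ACTION_RECREDENTIAL,  /* stored credential is no longer accepted for logon */
    CRED_ACTION_OTHER          /* any other failure HRESULT */
} cred_action;

cred_action classify_cred_result(HRESULT hr)
{
    if (!FAILED(hr))                       return CRED_ACTION_OK;
    if (hr == WINBIO_E_CRED_PROV_DISABLED) return CRED_ACTION_PROVIDER_OFF;
    if (hr == E_ACCESSDENIED)              return CRED_ACTION_NOT_ALLOWED;
    if (hr == WINBIO_E_UNKNOWN_ID)         return CRED_ACTION_ENROLL;
    if (hr == SEC_E_LOGON_DENIED)          return CRED_ACTION_RECREDENTIAL;
    return CRED_ACTION_OTHER;
}

typedef enum { CRED_OP_SET, CRED_OP_QUERY, CRED_OP_REMOVE } cred_op;

/* Fail-fast mirror of the access rule: anyone may manage their own account; only
 * elevated callers may query or remove (not set) credentials of other users.
 * The API enforces this itself; the pre-check only gives a clearer error earlier. */
int cred_op_allowed(int caller_is_elevated, int target_is_caller, cred_op op)
{
    if (target_is_caller) return 1;
    if (!caller_is_elevated) return 0;
    return op == CRED_OP_QUERY || op == CRED_OP_REMOVE;
}

/* Accounts the credential manager refuses, matched by well-known SID string:
 * LocalSystem, LocalService, NetworkService (S-1-5-18/19/20), built-in
 * Administrator (RID 500) and Guest (RID 501). Suffix matching on the RID is an
 * assumption of this example and does not distinguish local from domain SIDs. */
int cred_account_excluded(const char *sid)
{
    size_t n = strlen(sid);
    if (!strcmp(sid, "S-1-5-18") || !strcmp(sid, "S-1-5-19") || !strcmp(sid, "S-1-5-20"))
        return 1;
    return n >= 4 && (!strcmp(sid + n - 4, "-500") || !strcmp(sid + n - 4, "-501"));
}

#ifdef _WIN32
/* Query the password-credential state for the account running this process. */
HRESULT query_own_credential_state(WINBIO_CREDENTIAL_STATE *state)
{
    union { TOKEN_USER tu; BYTE raw[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE]; } buf;
    DWORD len = 0;
    HANDLE token = NULL;
    WINBIO_IDENTITY identity;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token))
        return HRESULT_FROM_WIN32(GetLastError());
    BOOL ok = GetTokenInformation(token, TokenUser, &buf, sizeof(buf), &len);
    CloseHandle(token);
    if (!ok) return HRESULT_FROM_WIN32(GetLastError());
    ZeroMemory(&identity, sizeof(identity));
    identity.Type = WINBIO_ID_TYPE_SID;
    identity.Value.AccountSid.Size = GetLengthSid(buf.tu.User.Sid);
    CopyMemory(identity.Value.AccountSid.Data, buf.tu.User.Sid, identity.Value.AccountSid.Size);
    return WinBioGetCredentialState(identity, WINBIO_CREDENTIAL_PASSWORD, state);
}
#endif

int main(void)
{
#ifdef _WIN32
    WINBIO_CREDENTIAL_STATE state = 0;
    HRESULT hr = query_own_credential_state(&state);
    switch (classify_cred_result(hr)) {
    case CRED_ACTION_OK:
        printf("credential %s\n", state == WINBIO_CREDENTIAL_SET ? "set" : "not set"); break;
    case CRED_ACTION_PROVIDER_OFF: puts("biometric credential provider is disabled"); break;
    case CRED_ACTION_NOT_ALLOWED:  puts("access denied for this caller/account"); break;
    case CRED_ACTION_ENROLL:       puts("no mapping stored; enrollment needed"); break;
    case CRED_ACTION_RECREDENTIAL: puts("stored credential no longer valid"); break;
    default: printf("WinBioGetCredentialState failed: 0x%08lX\n", (unsigned long)hr);
    }
#else
    /* Off Windows only the pure helpers can run; exercise them on constructed input. */
    printf("elevated caller may remove another user's credential: %d\n",
           cred_op_allowed(1, 0, CRED_OP_REMOVE));
    printf("S-1-5-18 excluded: %d\n", cred_account_excluded("S-1-5-18"));
#endif
    return 0;
}
```

Build on Windows with the SDK headers and link against winbio.lib; the token-to-WINBIO_IDENTITY copy is the standard way to address the calling user by SID. Because E_ACCESSDENIED is reported before the more specific codes, the classifier checks it before WINBIO_E_UNKNOWN_ID and SEC_E_LOGON_DENIED, so a tool does not misreport a permission problem as a missing enrollment.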

Credential Manager Samples

For more information about credential management, see the following code examples:

  • Using the Windows Biometric Framework API
  • WinBioGetCredentialState
  • WinBioLogonIdentifiedUser
  • WinBioRemoveCredential
  • WinBioRemoveAllCredentials
  • WinBioRemoveAllDomainCredentials
  • WinBioSetCredential