Credential Types (Compact 2013)
3/28/2014
A credential type determines the nature of the credential that is being retrieved or cached. Credential types are processed by credential type providers, which understand the semantics of each credential type and determine what has to be cached.
Credential types can be either primitive or virtual. Primitive types represent basic credential types. Virtual types map to one or more primitive types and are provided for convenience.
The credential type identifier is a DWORD. The least significant bit (LSB) of the credential type identifier is used to indicate whether the type is primitive or virtual. If the LSB is set to 0, the credential type is a primitive type. If it is set to 1, the credential type is a virtual type. The values 0x00010000 to 0xFFFFFFFF are reserved for OS primitive or virtual credential types.
In addition to predefined credential types, you can also define custom types. The configuration information for credential types is stored in the registry. For more information, see Credential Manager Registry Settings.
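The identifier rules above, as an added example (not code from the Windows Embedded Compact headers or documentation): a hypothetical helper that checks a custom credential type definition against the LSB rule and the OS-reserved range. All function names, status codes and sample IDs are constructed for illustration, and the rule that a primitive type maps to no other types is an assumption drawn from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First identifier of the OS-reserved range (0x00010000 to 0xFFFFFFFF). */
#define CRED_ID_OS_RESERVED_MIN 0x00010000u

typedef enum {
    DEF_OK = 0,
    DEF_ERR_RESERVED_ID,     /* custom ID falls in the OS-reserved range */
    DEF_ERR_PRIMITIVE_MAPS,  /* primitive type declared with a mapping (assumed invalid) */
    DEF_ERR_VIRTUAL_EMPTY,   /* virtual type must map to at least one primitive type */
    DEF_ERR_MAPS_TO_VIRTUAL  /* a mapped ID has its LSB set, so it is not primitive */
} def_status;

/* LSB set to 1 marks a virtual type; LSB set to 0 marks a primitive type. */
static bool cred_id_is_virtual(uint32_t id) { return (id & 1u) != 0; }

static bool cred_id_is_os_reserved(uint32_t id) { return id >= CRED_ID_OS_RESERVED_MIN; }

/* Hypothetical check of a custom type: its ID plus the IDs it maps to.
   Mapped IDs may be OS types, so only their primitive/virtual bit is checked. */
static def_status check_custom_type(uint32_t id, const uint32_t *maps_to, size_t n)
{
    if (cred_id_is_os_reserved(id))
        return DEF_ERR_RESERVED_ID;
    if (!cred_id_is_virtual(id))
        return n == 0 ? DEF_OK : DEF_ERR_PRIMITIVE_MAPS;
    if (n == 0 || maps_to == NULL)
        return DEF_ERR_VIRTUAL_EMPTY;
    for (size_t i = 0; i < n; i++)
        if (cred_id_is_virtual(maps_to[i]))
            return DEF_ERR_MAPS_TO_VIRTUAL;
    return DEF_OK;
}

int main(void)
{
    /* Constructed sample IDs, not values from any Windows header. */
    const uint32_t prims[] = { 0x0100u, 0x0102u };
    printf("virtual 0x0101 -> %d\n", (int)check_custom_type(0x0101u, prims, 2));
    printf("reserved 0x00010001 -> %d\n", (int)check_custom_type(0x00010001u, prims, 2));
    printf("primitive with mapping 0x0100 -> %d\n", (int)check_custom_type(0x0100u, prims, 2));
    return 0;
}
```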
The following table shows the predefined primitive and virtual credential types in Windows Embedded Compact, with a description of the purpose of each.
| Credential type | Description |
|---|---|
| CRED_TYPE_CERTIFICATE | This primitive type is used if you are saving a client certificate. The application should provide credential manager with the hash of the certificate in this case. |
| CRED_TYPE_DOMAIN_PASSWORD | This virtual type is used by NTLM and Kerberos SSPs. This type is supported only if NTLM or Kerberos are included in the OS design. If both NTLM and Kerberos are included in the OS design, then CRED_TYPE_DOMAIN_PASSWORD maps to CRED_TYPE_NTLM and CRED_TYPE_KERBEROS. If only one of NTLM or Kerberos is included in the OS design, then CRED_TYPE_DOMAIN_PASSWORD maps to either CRED_TYPE_NTLM or CRED_TYPE_KERBEROS, respectively. |
| CRED_TYPE_GENERIC | This primitive type is used for custom credential types. |
| CRED_TYPE_KERBEROS | This primitive type is used by Kerberos. |
| CRED_TYPE_NTLM | This primitive type is used by NTLM. |
| CRED_TYPE_PLAINTEXT_PASSWORD | This primitive type is used if you are caching the password in its plaintext form. Plaintext passwords are major security risks and should be avoided whenever possible. |
Credential Type Categories
The following list shows the categories into which credential types in Windows Embedded Compact are classified, based on how the credential type is processed internally:
- Certificate Credentials
- Domain Credentials
- Generic Credentials
- Plaintext Password Credentials
Certificate Credentials
Certificate credentials are used when Secure Sockets Layer (SSL) is used to authenticate a user. In this case the application has to provide the necessary GUI to enable the user to pick a client certificate with an associated private key. It is the responsibility of the application to cache the hash of this certificate by calling CredWrite and use the hash to retrieve the actual certificate when CredRead is called. In other words, all credential manager does is cache the hash, and the application has to deal with the certificate calls.
The default credential type CRED_TYPE_CERTIFICATE is a certificate credential.
Domain Credentials
Domain credentials are used by different parts of the operating system. Typically, domain credentials are established for a user when a registered Security Service Provider (SSP), such as NTLM, authenticates logon data that is provided by the user. For example, Internet Explorer may harvest a domain credential but the actual authentication is done by the NTLM SSP. The logon credentials are cached by the operating system so that a single sign-on gives the user access to a variety of resources. Consequently, domain credentials tend to be shared between applications. Thus, network connections can occur transparently, and access to protected system objects can be granted based on the user's cached domain credentials.
Credential manager functions provide a mechanism for applications to prompt a user for domain credentials after logging on, and to have the operating system authenticate the information provided by the user.
The following list shows the default credential types that are domain credentials:
- CRED_TYPE_NTLM
- CRED_TYPE_KERBEROS
- CRED_TYPE_DOMAIN_PASSWORD
If you are not sure whether to use the NTLM or Kerberos SSP for authentication in your application, use the virtual credential type CRED_TYPE_DOMAIN_PASSWORD.
Generic Credentials
Generic credentials are used when credential manager does not have any information about the credential type. In this case, the credential is treated as an opaque blob. This type of credential is useful in cases where the application has a custom credential type, but there is no credential type provider that is available to process the credential type.
The default credential type CRED_TYPE_GENERIC is a generic credential.
Plaintext Password Credentials
Plaintext password credentials are used when credential manager caches the actual password. Plaintext passwords are major security risks and should be avoided whenever possible.
The default credential type CRED_TYPE_PLAINTEXT_PASSWORD is a plaintext password credential.
Credential Type Providers
A credential type provider understands the semantics of each credential type that it supports and determines what has to be cached. A credential type provider is an external DLL that supports one or more credential types.
There are three default credential type providers that are supported by credential manager in Windows Embedded Compact. Depending on the catalog item you choose, you get one of the three default type providers in your OS design.
The following table provides information about the type provider name, its associated sysgen and primitive credential types.
| Credential type provider | Sysgen | Supported primitive credential types |
|---|---|---|
| Default | SYSGEN_CREDMAN | CRED_TYPE_PLAINTEXT_PASSWORD, CRED_TYPE_CERTIFICATE, CRED_TYPE_GENERIC |
| Kerberos | SYSGEN_KERBEROS | CRED_TYPE_KERBEROS |
| NTLM | SYSGEN_NTLM | CRED_TYPE_NTLM |
See Also
Reference
Credential Manager Registry Settings