@rileyg98
Last active March 17, 2023 18:50
Random Musings About Windows Credential Providers and Authentication Packages
Had a project to build a Credential Provider and an Auth Package. Avoid it if you can. It's horrible.
Auth package setups haven't changed majorly since the '90s. The interface is archaic.
I found the best example of a V2 CP was https://syfuhs.net/2017/10/15/creating-custom-windows-credential-providers-in-net/
Importantly, that CP is missing the implementation of GetSerialization. Nothing goes anywhere without it.
Also, in the latest Win10 kit, most of the issues in the IDL are fixed. You do still need to un-mangle the HANDLEs as stated there, though.
I've also found the best example of an Authentication Provider (albeit in Russian) is https://github.com/ikmsk10/ProxySSPAP
You will need to pass a buffer between the two. The COM callback will let you do it from .NET. I did this by marshalling a struct to pass to it.
Don't fall for trying to pass a pointer inside the buffer. It does not work. I ended up using raw arrays marshalled into the struct.
https://docs.microsoft.com/en-us/dotnet/standard/native-interop/customize-struct-marshaling is a good description of this.
For strings, marshal as ByValTStr; then, in the AP, you can set up a pointer to the start of the string within the buffer. The marshaller null-terminates the strings automatically.
Basic C/C++ rules apply to the AP. Pull the data out and do what you need. I recommend doing as little as possible inside the AP: transform the data in managed code, and do the comparisons in the AP.
Note: both appear to run in highly protected space, as CPs handle plaintext passwords.
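The buffer contract described above (a sequential struct with ByValTStr strings and raw arrays, read back on the AP side inside LSASS), as an added C example that is not from the gist or either linked project; the struct layout, field names and version constant are assumptions, and the point shown is that the AP validates length, version, string termination and array length before touching any field:

```c
#include <stdint.h>
#include <string.h>
/* Constructed layout (not from the gist): C view of a .NET struct with
 * [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)], a
 * [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 64)] string and a
 * [MarshalAs(UnmanagedType.ByValArray, SizeConst = 256)] byte array.
 * UTF-16 units are uint16_t so this also builds off Windows; no padding. */
#define CP_USER_MAX     64
#define CP_SECRET_MAX   256
#define CP_BLOB_VERSION 1
typedef struct {
    uint32_t version;
    uint16_t user[CP_USER_MAX];     /* ByValTStr: NUL must lie inside the buffer */
    uint32_t secret_len;            /* valid bytes in secret[] */
    uint8_t  secret[CP_SECRET_MAX]; /* ByValArray: raw bytes, no terminator */
} cp_ap_blob;
enum { BLOB_OK = 0, BLOB_TOO_SHORT = -1, BLOB_BAD_VERSION = -2,
       BLOB_UNTERMINATED = -3, BLOB_BAD_LENGTH = -4 };
/* Code units before the first NUL, or -1 if none within max (never overreads). */
static int utf16_bounded_len(const uint16_t *s, size_t max)
{
    for (size_t i = 0; i < max; i++)
        if (s[i] == 0) return (int)i;
    return -1;
}

/* Check the whole buffer before any field is used: the AP runs inside LSASS and
 * must not trust the submitted length or the marshaller's terminator. */
int ap_validate_blob(const void *buf, size_t len)
{
    const cp_ap_blob *b = (const cp_ap_blob *)buf;
    if (buf == NULL || len < sizeof(cp_ap_blob)) return BLOB_TOO_SHORT;
    if (b->version != CP_BLOB_VERSION) return BLOB_BAD_VERSION;
    if (utf16_bounded_len(b->user, CP_USER_MAX) < 0) return BLOB_UNTERMINATED;
    if (b->secret_len > CP_SECRET_MAX) return BLOB_BAD_LENGTH;
    return BLOB_OK;
}

/* Build a blob as the CP side would (ASCII widened to UTF-16, constructed input),
 * then break it: 0 = valid, 1 = one byte short, 2 = bad version, 3 = no NUL. */
int sample_check(int scenario)
{
    static const uint8_t secret[] = { 0xde, 0xad, 0xbe, 0xef };
    const char *user = "alice";
    cp_ap_blob b = { .version = CP_BLOB_VERSION, .secret_len = sizeof secret };
    memcpy(b.secret, secret, sizeof secret);
    for (size_t i = 0; user[i]; i++) b.user[i] = (uint16_t)user[i];
    if (scenario == 2) b.version = 99;
    if (scenario == 3) for (int i = 0; i < CP_USER_MAX; i++) b.user[i] = 'x';
    return ap_validate_blob(&b, scenario == 1 ? sizeof b - 1 : sizeof b);
}
```

A real AP would additionally zero the secret bytes once the comparison is done, since the buffer lives in LSASS memory.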
With UnmanagedExports, it may be possible to write a managed code implementation of an Authentication Package. I didn't have the time to investigate this.
The name used to look up the AP from the CP is what's defined in the AP DLL's manifest, NOT the DLL file name.
If you want to debug LSASS (and you will, because it will crash and there's no easy way to test it except live), install your CP and AP on a VM, reboot, and get the Win10 SDK debug server running.
I'd recommend adding C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ to PATH for this.
dbgsrv.exe -t tcp:port=11235,password=test is the command to run (in an admin cmd prompt).
Get your PID for LSASS from Task Manager (right click, tick PID)
To run the debugger:
windbg.exe -y "srv*c:\symbols_pub*http://msdl.microsoft.com/downloads/symbols" -premote tcp:server=172.17.199.172,port=11235,password=test -p *pid* -pd
I've added -pd to the end of this so you don't kill LSASS by detaching. Windows really doesn't like a dead LSASS and will reset the machine after a minute.
I'm not going into using WinDbg; this is covered at length online. But do hit g to release the debugger, or lsass will be stuck on a breakpoint.
Don't try to debug on the same machine. It simply does not work. Use a VM. This also helps if you accidentally install a broken CP that won't let you swap providers.
First off, report false for all credential scenarios except credui. Once you're satisfied that works, add lock. This is easier to get out of if it stops working (at least on Hyper-V, you can swap to a basic session and back). CredUI doesn't do much with APs.
Note that for auto sign-in, you need to call the Credential Provider (not the Credential Provider Credential) to refresh. I did this by passing a reference to the CredentialProvider to the View (in the .NET impl) and accessing it from the CredentialProviderCredential to call the refresh (it's some callback or something on the Event thing?).
@tylermontneyacc
The ProxySSPAP link is broken. I believe this is a fork from the repo: https://github.com/fengjixuchui/ProxySSPAP