Credential Providers simplified pt1

GINA is dead.... the main reason is the fact that having more than one GINA on a system was difficult. 
Yes, chaining multiple GINA DLL's was a possibility but it really required at least one of the GINA providers to be aware of the other and trying to chain 3 different GINAs was still cumbersome.

An additional factor was that the GINA had effectively became a single point of failure for the OS; if one GINA in the chain failed then all the other GINAs in the chain would fail with it.

Those are the two main limitations Credendial Providers were designed to make it easier for multiple logon providers to co-exist on the same machine without conflicts and to make sure that even if one Credential Provider fails then it only affects that particular CP and doesn't drag the whole system down with it.

Writing and installing your own CP is fairly easy (See for example), however what needs to be kept in mind is that CP's are only supposed to be used for gathering credentials and passing them on.

In short; Credential Providers are more robust and secure than GINA providers at the expense of being more limited by which operations they can and are intended to perform on the system.


Further details:

MSDN CredProv sample:

Winlogon and Credential Providers

Thoughts on Single Sign On and Credential Providers

Credential Provider Architecture

Winlogon and GINA

How [legacy GINA arctitecture] Interactive Logon Works

Gina/Ginastub/Ginahook Dll Does Not Work On Post Winxp

Comments (0)

Skip to main content