
Win32: CredUIConfirmCredentials behaves unexpectedly


I'm using CredUIConfirmCredentials in combination with CredUIPromptForCredentials.

I set the EXPECT_CONFIRMATION flag, and when the credentials are first provided by the user, the call to CredUIConfirmCredentials returns NO_ERROR as expected.

However, on all subsequent calls to CredUIConfirmCredentials, with the same credentials, ERROR_INVALID_PARAMETER is returned. This is described by the SDK docs as:

An attempt to confirm a waiting credential failed because the credential contained invalid or inconsistent data.

which is rather confusing as they are exactly the same credentials that were successfully saved originally.

The same result is returned if you enter a different password for the same username. What is even more confusing is that the new credentials are actually persisted - which seems to indicate that the return value is actually indicating that the persisted credentials were overwritten - not that there was an error. Am I missing something, or is the documentation incorrect?


Background

You can use Windows' credential system to store credentials for your own application. You tell Windows you want to prompt for "generic" credentials for some "target":

pseudo-code:

CredUIPromptForCredentials("My Application", ref username, ref password);

will then cause Windows to display a dialog box:


It is then your job to check the credentials the user has entered. If they are valid, you tell Windows this by calling ConfirmCredentials. This is to ensure that only valid credentials are saved:

CredUIConfirmCredentials("My Application", true);

Once the credentials have been confirmed as valid, Windows will save them in the secure store, which you can see through the Control Panel:


Keywords: credui, CredUIConfirmCredentials


Solution

  • I found the answer: by design

    CredUIConfirmCredentials will return an error "when there's nothing to do". This means:

    • if the credentials are the same as what's already in the credential store
    • the user didn't check the Remember my password check box
    • you didn't set the CREDUI_FLAGS_EXPECT_CONFIRMATION flag

    The fact that CredUIConfirmCredentials fails when the credentials are the same as what's already in the store is documented on MSDN. (I know it's documented because I added to the documentation page.)
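
The prompt, validate, confirm sequence discussed above, as an added C example that is not part of the original question or answer. It treats the "nothing to do" result as non-fatal. The names classify_confirm, prompt_and_confirm and validate are hypothetical, and grouping ERROR_NOT_FOUND with ERROR_INVALID_PARAMETER is an assumption.

```c
/* Added example, not from the original post. Build on Windows, link credui.lib. */
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>
#include <wincred.h>
#else  /* winerror.h values, so the classifier also builds off Windows */
#define NO_ERROR 0UL
#define ERROR_INVALID_PARAMETER 87UL
#define ERROR_NOT_FOUND 1168UL
#endif

typedef enum { CONFIRM_DONE, CONFIRM_NOTHING_TO_DO, CONFIRM_FAILED } confirm_outcome;

/* NO_ERROR: the pending credential was saved or discarded.
 * ERROR_INVALID_PARAMETER: what the question sees when the credential already
 * matches the store. ERROR_NOT_FOUND: the SDK's other documented code, grouped
 * here (assumption) as "no credential was waiting for confirmation". */
confirm_outcome classify_confirm(unsigned long err) {
    if (err == NO_ERROR) return CONFIRM_DONE;
    if (err == ERROR_INVALID_PARAMETER || err == ERROR_NOT_FOUND)
        return CONFIRM_NOTHING_TO_DO;
    return CONFIRM_FAILED;
}

#ifdef _WIN32
/* validate is a hypothetical application callback that checks the credentials. */
DWORD prompt_and_confirm(PCWSTR target, bool (*validate)(PCWSTR, PCWSTR)) {
    WCHAR user[CREDUI_MAX_USERNAME_LENGTH + 1] = L"";
    WCHAR pass[CREDUI_MAX_PASSWORD_LENGTH + 1] = L"";
    BOOL save = FALSE;
    DWORD flags = CREDUI_FLAGS_GENERIC_CREDENTIALS | CREDUI_FLAGS_EXPECT_CONFIRMATION;

    DWORD err = CredUIPromptForCredentialsW(NULL, target, NULL, 0,
                                            user, ARRAYSIZE(user),
                                            pass, ARRAYSIZE(pass), &save, flags);
    if (err != NO_ERROR) return err;          /* for example ERROR_CANCELLED */

    bool valid = validate(user, pass);
    SecureZeroMemory(pass, sizeof pass);      /* do not keep the password around */

    /* TRUE saves the pending credential, FALSE discards it; only valid ones are saved. */
    err = CredUIConfirmCredentialsW(target, valid ? TRUE : FALSE);
    if (valid && classify_confirm(err) == CONFIRM_FAILED) return err;
    return valid ? NO_ERROR : ERROR_LOGON_FAILURE;
}
#endif
```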