Credential Manager

The Credential Manager is part of Authentication Services. Selecting Authentication Services in the Catalog automatically adds Credential Manager to the operating system.

When a Web site or another computer requests authentication through NTLM or Kerberos, an Update Default Credentials or Save Password check box appears in the Net UI dialog box. If the user selects the check box, the Credential Manager keeps track of the user's name, password, and related information for the authentication service in use.

The next time that service is used, the Credential Manager automatically supplies the stored credential. If it is not accepted, the user is prompted for the correct access information. If access is granted, the Credential Manager overwrites the previous credential with the new one.

Note   There is only one storage space for each authentication service. If several sites use the same authentication service but require different credentials, it is usually best not to select the Use Credential Manager check box.

Default credentials can also be entered on the Owner Identification tab of Control Panel. You can enter any combination of domain name, user name, and password. If they are all entered, they will be supplied automatically without prompting the user, just as if the Save Password check box was selected. If one or more are omitted, it is as if the Save Password check box is not selected, and the user will be prompted for the missing values.

Although the CryptProtectData function is used to encrypt most of the stored authentication data, the data's presence on the client computer, even in encrypted form, opens a potential security hole. You can therefore block use of the Credential Manager by setting the DisallowSavedNetworkPasswords key in HKEY_LOCAL_MACHINE\Comm\Security to a value of 1 (TRUE). The Use Credential Manager check box still appears, but it is disabled.

The Credential Manager has an API comprising three functions — CeCredRead, CeCredWrite, and CeCredFree — that read and write credential information to the registry. You would use these functions if you want to:

  • Design a new user interface, while keeping the ability to store credentials.
  • Store credentials for other authentication services, such as those you write yourself.

The Credential Manager functions should be called only if you override NetUI with your own mechanism for storing and retrieving credentials. You should not attempt to use the Credential Manager for its intended purpose while your program is accessing the Credential Manager API.

You can find the code that shows NETUI implementation in the %_WINCEROOT%\Public\Oak\Drivers.

See Also

Network User Interface | Cryptography | Protected Store

Last updated on Wednesday, April 13, 2005

© 2005 Microsoft Corporation. All rights reserved.