ICredentialProviderCredential2 interface

Extends the ICredentialProviderCredential interface by adding a method that retrieves the security identifier (SID) of a user. The credential is associated with that user and can be grouped under the user's tile.


The ICredentialProviderCredential2 interface has these methods.

Method                                        Description
ICredentialProviderCredential2::GetUserSid    Retrieves the security identifier (SID) of the user that is associated with this credential.


This interface is required for creating a V2 credential provider. V2 credential providers provide a personalized logon experience: the credential provider tells the Logon UI which sign-in options are available for a user. It is recommended that new credential providers be V2 credential providers.

To create an ICredentialProviderCredential2 instance, the GetUserSid function must return a valid SID. A SID is valid when it belongs to one of the users currently enumerated by the Logon UI.

A useful tool for getting the available users and deciding which ones to associate with is the ICredentialProviderUserArray object. This object contains a list of ICredentialProviderUser objects that can be queried for information about the users that will be enumerated. For example, you can get a user's SID or user name by calling GetStringValue with PKEY_Identity_PrimarySid or PKEY_Identity_UserName, respectively. You can also filter the results with SetProviderFilter to display only a subset of the available users.

Using the ICredentialProviderUserArray is optional, but it is a convenient way to get the information needed to return valid SID values. To get the list of users that will be enumerated by the Logon UI, implement the ICredentialProviderSetUserArray interface and take the ICredentialProviderUserArray object from SetUserArray. Logon UI calls SetUserArray before GetCredentialCount, so the ICredentialProviderUserArray object is ready when a credential provider is about to return credentials.
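
The flow described above, as an added example that is not Microsoft sample code: snapshot the SIDs from the ICredentialProviderUserArray received in SetUserArray, then have GetUserSid return only a SID from that set. The helper names IsEnumeratedSid, CollectEnumeratedSids and ReturnUserSid, the E_UNEXPECTED failure code and the sample SID are assumptions; the membership check is kept free of Windows headers so it can be unit-tested outside LogonUI.

```cpp
// Added example (not Microsoft sample code); helper names are hypothetical.
#include <algorithm>
#include <cwctype>
#include <string>
#include <vector>

// Portable check: is `sid` one of the SIDs Logon UI enumerated?
// SID strings are compared case-insensitively ("s-1-5-..." equals "S-1-5-...").
bool IsEnumeratedSid(const std::vector<std::wstring>& enumerated, const std::wstring& sid) {
    auto same = [&sid](const std::wstring& e) {
        return e.size() == sid.size() &&
               std::equal(e.begin(), e.end(), sid.begin(), [](wchar_t a, wchar_t b) {
                   return std::towupper(a) == std::towupper(b);
               });
    };
    return !sid.empty() && std::any_of(enumerated.begin(), enumerated.end(), same);
}

#ifdef _WIN32
#include <windows.h>
#include <credentialprovider.h>
#include <propkey.h>
#include <shlwapi.h>

// Call from ICredentialProviderSetUserArray::SetUserArray to snapshot the enumerated SIDs.
HRESULT CollectEnumeratedSids(ICredentialProviderUserArray* users, std::vector<std::wstring>& out) {
    DWORD count = 0;
    HRESULT hr = users->GetCount(&count);
    for (DWORD i = 0; SUCCEEDED(hr) && i < count; ++i) {
        ICredentialProviderUser* user = nullptr;
        hr = users->GetAt(i, &user);
        if (FAILED(hr)) break;
        PWSTR sid = nullptr;
        hr = user->GetStringValue(PKEY_Identity_PrimarySid, &sid);
        if (SUCCEEDED(hr)) { out.emplace_back(sid); CoTaskMemFree(sid); }
        user->Release();
    }
    return hr;
}

// Body for ICredentialProviderCredential2::GetUserSid on a credential bound to `boundSid`.
HRESULT ReturnUserSid(const std::vector<std::wstring>& enumerated, const std::wstring& boundSid, PWSTR* sid) {
    *sid = nullptr;
    if (!IsEnumeratedSid(enumerated, boundSid)) return E_UNEXPECTED;  // assumed code; refuse a SID that is not enumerated
    return SHStrDupW(boundSid.c_str(), sid);  // CoTaskMem allocation; the caller frees it
}
#endif

int main() {  // stand-alone self-check with a constructed SID; drop it when building the provider DLL
    std::vector<std::wstring> shown = {L"S-1-5-21-1111111111-2222222222-3333333333-1001"};
    return IsEnumeratedSid(shown, L"s-1-5-21-1111111111-2222222222-3333333333-1001") ? 0 : 1;
}
```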

A V2 credential provider is represented by an icon displayed underneath the "Sign-in options" link. In order to provide an icon for your credential provider, define a CREDENTIAL_PROVIDER_FIELD_TYPE of CPFT_TILE_IMAGE in the credential itself. Then make sure the guidFieldType of the CREDENTIAL_PROVIDER_FIELD_DESCRIPTOR is set to CPFG_CREDENTIAL_PROVIDER_LOGO. The recommended size for an icon is 72 by 72 pixels.

Similar to specifying an icon for your credential provider, you can also specify a text string to identify your credential provider. This string appears in a pop-up window when a user hovers over the icon. To do this, define a CREDENTIAL_PROVIDER_FIELD_TYPE of CPFT_SMALL_TEXT in the credential itself. Then make sure the guidFieldType of the CREDENTIAL_PROVIDER_FIELD_DESCRIPTOR is set to CPFG_CREDENTIAL_PROVIDER_LABEL. This string should supplement the credential provider icon described above and be descriptive enough that users understand what it is. For example, the picture password provider's description is "Picture Password".

When to implement

Implement this interface to associate credential tiles with specific user tiles in the Logon UI.


Minimum supported client    Windows 8 [desktop apps only]
Minimum supported server    Windows Server 2012 [desktop apps only]
Target Platform             Windows
Header                      credentialprovider.h

See Also

Credential Provider Framework Changes in Windows 8.docx

Credential Providers in Windows 10