Graphical Identification and Authorization (GINA) Changes


Let’s be honest: this section affects a very small number of people because few developers build authentication modules for Windows. The only Independent Software Vendors (ISVs) who do build authentication modules are those who want to leverage other authentication schemes not natively supported by Windows, such as biometric devices and hardware security tokens. So, if you’ve never heard of a function called WlxLoggedOutSAS, skip this section altogether! Trust us on this.

One of us (Michael) built a GINA module for Windows NT 4 for a banking customer to interface with its IBM mainframe’s Resource Access Control Facility (RACF) authentication system. It wasn’t fun. In short, a brave developer must build a custom replacement for MSGINA.DLL, which is very problematic because this DLL is tightly coupled with the operating system, and service pack changes could make custom GINAs unstable at times, requiring constant maintenance.

Windows Vista includes a new model for implementing code to support custom user authentication methods called the Credential Provider model; it’s still not fun to use, but it’s a lot easier, better designed, and more robust than the older model in previous versions of the operating system. A credential provider is an in-process COM object that displays its own user interface on the Windows Vista logon desktop and collects credentials to be used for custom authentication.

If you want to learn more about this area, you should review “Windows Vista Credential Providers” (Microsoft 2006c) and become familiar with the ICredentialProvider interface through the available sample code (Microsoft 2006d).



Writing Secure Code for Windows Vista
Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
EAN: 2147483647
Year: 2004
Pages: 122
