
Wrapping Third Party Credential Providers

The Specops Authentication client operates as a Windows credential provider in order to enhance the user experience when using Specops products from AD-joined Windows workstations. For Specops Password Policy this means improving the user feedback during a CTRL+ALT+DEL password change. For Specops uReset and Password Reset customers, our client provides a link for the user to reset their password from the logon screen before logging into Windows. These features are offered through a process called ‘wrapping’ where we modify or enhance the experience in the default Windows logon screen.

The Specops Authentication client also supports wrapping of other third-party credential providers that may also be installed on your workstations, as long as the other credential provider supports being wrapped. Examples of other credential providers include full-disk encryption products that perform Windows logon pre-boot, or security products that add multi-factor authentication to Windows logon, among others.

This article offers an overview of how to identify and wrap third party credential providers with the Specops Authentication client:

Identifying the Third Party Credential Provider

Begin by checking the last logged on credential provider via the Windows registry:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
Value Name: LastLoggedOnProvider
Value Data: {GUID of credential provider used to log into Windows}

[Screenshot: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI]

Check the list of all credential providers installed. Each installed credential provider will have a key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers with the key name as the provider GUID and the default value as the name of the credential provider.

[Screenshot: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]

Both sample screenshots were taken from a Windows 10 machine with the Specops Authentication Client and no other third party credential providers installed. In this example the LastLoggedOnProvider value is the GUID corresponding to the Specops Authentication Client. The Specops client contains two credential providers:

| Provider Name | GUID |
| --- | --- |
| SppCredentialProvider | {00002ba3-bcc4-4c7d-aec7-363f164fd178} |
| SppTiledCredentialProvider | {4834dbc7-4a06-424d-a67f-20ddebcf08e1} |

You also may see one of the GUIDs built into Windows. Here is a list of the providers that ship with Windows 10:

| Provider Name | GUID |
| --- | --- |
| Automatic Redeployment Credential Provider | {01A30791-40AE-4653-AB2E-FD210019AE88} |
| Smartcard Reader Selection Provider | {1b283861-754f-4022-ad47-a5eaaa618894} |
| Smartcard WinRT Provider | {1ee7337f-85ac-45e2-a23c-37c753209769} |
| PicturePasswordLogonProvider | {2135f72a-90b5-4ed3-a7f1-8bb705ac276a} |
| GenericProvider | {25CBB996-92ED-457e-B28C-4774084BD562} |
| TrustedSignal Credential Provider | {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD} |
| FIDO Credential Provider | {2D8B3101-E025-480D-917C-835522C7F628} |
| NPProvider | {3dd6bec0-8193-4ffe-ae25-e08e39ea4063} |
| Secondary Authentication Factor Credential Provider | {48B4E58D-2791-456C-9091-D524C6C706F2} |
| CngCredUICredentialProvider | {600e7adb-da3e-41a4-9225-3c0399e88c0c} |
| PasswordProvider | {60b78e88-ead8-445c-9cfd-0b87f74ea6cd} |
| FaceCredentialProvider | {8AF662BF-65A0-4D0A-A540-A338A999D36F} |
| Smartcard Credential Provider | {8FD7E19C-3BF7-489B-A72C-846AB3678C96} |
| Smartcard Pin Provider | {94596c7e-3744-41ce-893e-bbf09122f76a} |
| Remote NGC Credential Provider | {A910D941-9DA9-4656-8933-AA1EAE01F76E} |
| WinBio Credential Provider | {BEC09223-B018-416D-A0AC-523971B639F5} |
| Cloud Experience Credential Provider | {C5D7540A-CD51-453B-B22B-05305BA03F07} |
| IrisCredentialProvider | {C885AA15-1764-4293-B82A-0586ADD46B35} |
| PINLogonProvider | {cb82ea12-9f71-446d-89e1-8d0924e1256e} |
| NGC Credential Provider | {D6886603-9D2F-4EB2-B667-1971041FA96B} |
| CertCredProvider | {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435} |
| WLIDCredentialProvider | {F8A0B131-5F68-486c-8040-7E8FC3C85BB6} |
| FIDO Credential Provider | {F8A1793B-7873-4046-B2A7-1F318747F427} |

If you have either the Specops client GUID or a built-in Windows client GUID as your LastLoggedOnProvider, then the rest of this section is likely not relevant.

If you do have a different value for LastLoggedOnProvider, or a credential provider GUID not otherwise listed here, check the name shown in the default value under the credential provider’s registry key. Many vendors use cryptic names for their credential providers that have nothing to do with their company, brand, or product names. If this is the case, you can locate the DLL associated with the credential provider and check its signing information:

  • In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
  • Beneath CLSID you will find a long list of keys with GUIDs for names. Find the key with the same name as the GUID you found in LogonUI at the beginning of this article (it might be easier to use the Find menu here).
  • Beneath that key will be an InprocServer32 key.
  • InprocServer32's (default) value will be a DLL file name or path. This is the DLL that contains that credential provider.
  • Locate the DLL named in that value in a File Explorer window (if no absolute path is specified, the DLL is somewhere in your PATH environment variable, most likely c:\windows\system32).
  • Right-click Properties on the DLL and check the Details and Digital Signatures tabs to find vendor information about the DLL.
  • Google searches for the DLL name also seem to be more likely to tell you who wrote the credential provider vs. Googling the Credential Provider name or GUID.
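
The registry and signature checks above can be scripted so the same inventory can be collected from many workstations. The PowerShell below is an added example, not Specops code; it uses only built-in cmdlets and the registry paths given in this article, and the helper name Resolve-ProviderDll and the output property names are made up for illustration.

```powershell
# Added example: list every registered credential provider with its DLL and signer.
$authRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

# Hypothetical helper: turn an InprocServer32 default value into a full file path.
function Resolve-ProviderDll([string]$Value) {
    if (-not $Value) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Value.Trim('"'))
    if ([IO.Path]::IsPathRooted($p)) { return $p }
    # No absolute path: try System32 first, then each directory in PATH.
    $dirs = @("$env:SystemRoot\System32") + @($env:Path -split ';' | Where-Object { $_ })
    foreach ($d in $dirs) {
        $candidate = [IO.Path]::Combine($d, $p)
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

# GUID of the provider used for the most recent logon.
$last = (Get-ItemProperty -Path "$authRoot\LogonUI" -ErrorAction SilentlyContinue).LastLoggedOnProvider

$report = Get-ChildItem -Path "$authRoot\Credential Providers" | ForEach-Object {
    $guid     = $_.PSChildName
    $inproc   = "$clsidRoot\$guid\InprocServer32"
    $dllValue = if (Test-Path -LiteralPath $inproc) { (Get-Item -LiteralPath $inproc).GetValue('') }
    $dll      = Resolve-ProviderDll $dllValue
    $sig      = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-AuthenticodeSignature -LiteralPath $dll }
    [pscustomobject]@{
        LastLoggedOn    = ($guid -eq $last)   # -eq is case-insensitive for strings
        Name            = $_.GetValue('')     # default value holds the provider name
        GUID            = $guid
        Dll             = $dll
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}

# Most recently used provider first.
$report | Sort-Object LastLoggedOn -Descending | Format-List
```

Compare each GUID against the tables above; any provider whose GUID is not listed, or whose Signer is empty or unfamiliar, is the one to investigate further.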

If it is indeed a 3rd party credential provider associated with a known installed program, we will need to configure the Specops Authentication Client to wrap that provider: Wrapping Custom Credential Provider Using The Registry. Note for McAfee Full Disk Encryption customers: if no other third party credential providers are installed in addition to McAfee, no Specops configuration is necessary.

If after wrapping the third party provider you experience either a degradation in the Windows logon experience with that provider, or still do not see the Specops Password Policy detailed error message and/or Reset Password link, it may be necessary to perform additional configuration in that third party credential provider. Often the third party provider will have additional configurations to allow the Specops client to wrap, or they may say instead to have their client wrap the Specops provider. The exact details vary from vendor to vendor; you will need to reach out through that vendor’s support channel for more information.

January 26, 2021
