

Managing User Credentials

Credentials are authenticated logon data, such as a password and user name, that identify a security principal. Associating a principal's authentication data with a unique logon identifier eliminates the need to reenter this data each time the principal accesses a new machine on the network. These credentials are available only to applications that run in kernel mode or that run in-process with the Local Security Authority (LSA). Because authentication packages and security packages are loaded by the LSA, they have access to this information.

After a logon session has been created, your authentication package can associate credentials, such as a user name and password, with that session. To do so, call AddCredential.

Your authentication package can enumerate the credentials associated with a logon session by calling GetCredentials, and it can delete credentials from a logon session by calling DeleteCredential.

SSP/AP security packages may call the UpdateCredentials function to notify other authentication packages when a principal's credentials have changed.

Note: The LSA credential management functions, AddCredential, GetCredentials, and DeleteCredential, are used only by older authentication packages, such as MSV1_0. Newer packages, such as Kerberos, do not use them.

Build date: 4/6/2010