Windows Interactive Logon Architecture

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Windows interactive logon architecture

Credential provider architecture in Windows operating systems earlier than Windows Vista

Before Windows Vista, the Windows interactive logon architecture included the components shown in the following table.

Component Description

Winlogon

Provides interactive logon infrastructure.

Graphical Identification and Authentication (GINA)

Provides interactive UI rendering and credential gathering.

Local Security Authority (LSA)

Processes logon credentials.

Authentication packages

Includes NTLM and Kerberos. Communicates with server authentication packages to authenticate users.

For more information about GINA-based interactive logon architecture, see How Interactive Logon Works (https://go.microsoft.com/fwlink/?LinkId=93339).

Credential provider architecture in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2

The following table lists the components in the current interactive logon architecture.

Component Description

Winlogon

Provides interactive logon infrastructure.

Logon UI

Provides interactive UI rendering.

Credential providers (password and smart card)

Describes credential information and serializing credentials.

LSA

Processes logon credentials.

Authentication packages

Includes NTLM and Kerberos. Communicates with server authentication packages to authenticate users.

Windows interactive logons begin when the user presses CTRL+ALT+DEL. The CTRL+ALT+DEL key combination is called a secure attention sequence (SAS). To keep other programs and processes from using it, Winlogon registers this sequence during the boot process. The logon UI then generates the tile from information received from the registered credential providers.

Typically, a user who logs on to a computer by using either a local account or a domain account must enter a user name and password. These credentials are used to verify the user's identity. For smart card logon, a user's credentials are contained on the smart card's security chip. A device called a smart card reader lets the computer interact with the security chip on the smart card. During a smart card logon, a user enters a personal identification number (PIN) instead of a user name and password.

Credential providers are in-process COM objects that are used to collect credentials and run in local system context. In summary, the logon UI provides interactive UI rendering, Winlogon provides interactive logon infrastructure, and credential providers work with both of these components to help gather and process credentials.

Winlogon instructs the logon UI to display credential provider tiles after it receives a SAS event. Logon UI queries each credential provider for the number of credentials it wants to enumerate. Credential providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, the logon UI displays them to the user. The user interacts with a tile to supply his or her credentials. The logon UI submits these credentials for authentication.

Combined with supporting hardware, credential providers can extend the Windows operating system to enable users to log on by using biometrics (for example, fingerprint, retinal, or voice recognition), password, PIN, smart card certificate, or any custom authentication package. Enterprises and IT professionals may develop and deploy custom authentication mechanisms for all domain users and may explicitly require users to use this custom logon mechanism.

Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security.

Credential providers may be designed to support single sign-on (SSO), authenticating users to a secure network access point (by using RADIUS and other technologies) and computer logon. Credential providers are also designed to support application-specific credential gathering, and may be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control (UAC).

Multiple credential providers may coexist on a computer.

Credential providers must be registered on a Windows computer and are responsible for:

  • Describing the credential information required for authentication.

  • Handling communication and logic with external authentication authorities.

  • Packaging credentials for interactive and network logon.

The Credential Provider API does not render UI. It does describe what needs to be rendered. Only the password credential provider is available in Safe Mode. The smart card credential provider is available in Safe Mode with Networking.

For more information about credential providers and their uses, see the Credential Provider Technical Reference (https://go.microsoft.com/fwlink/?LinkId=93340).

The following figure illustrates the Windows Vista logon screen flow with PIN unblock and PIN change.