I have a credential provider that does not act the way I want it to. It provides secondary authentication, but its scope is all interactive Windows logins host-wide, not a specific user.
In addition to the credential provider, a credential provider filter is installed. The credential provider filter restricts the use of credential providers on the login screen to just this credential provider. However, if the credential provider filter is removed (via deletion of the key below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters), then a user can change the credential provider to any other available credential provider (including our good old friend PasswordProvider).
My intention is to enforce the use of the credential provider for certain users. For instance, it's fine if such a user attempts to log in with another credential provider, but I'd like AD to reject this request, only allowing requests if they come from the correct credential provider.
Is this possible? I'm hoping there is a way to configure a user object in AD to restrict the acceptable credential providers.
Thanks
Good question. As noted here, and without better sources, the answer appears to be no.
Quote:
Because:
That is, they are client-side mechanisms.
Also, a best practice is described: do not disallow access to every host-wide provider; leave at least one, so as not to cause a complete lockout:
So... the recommendation appears to be not to exclude access to host-wide providers. Simple solution if you want to restrict anyway: do not grant the users permission to delete the registry key.
The Protected Users security group does not do what you ask, but it is one way of hardening the authentication process server-side.
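As an added example (not code from the thread above), the following PowerShell script shows the practical side of the answer's suggestion: it lists which credential providers and filters are registered, resolves their CLSIDs to names, and audits the ACL on the Credential Provider Filters key for any principal outside the usual SYSTEM/Administrators/TrustedInstaller set that could delete or rewrite the filter registration. With -Harden it strips those rights and leaves read access only. The key paths are the standard ones from the question; the "trusted" principal list and the set of rights treated as dangerous are this example's own assumptions. Run it elevated.

```powershell
# Added example, not part of the original thread. Audits credential provider /
# filter registrations and the ACL on the filter key; optionally removes
# write/delete rights held by non-administrative principals. Run as administrator.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Harden   # report only unless this switch is given
)

# Standard registration paths (the filter path is the one named in the question).
$authRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$providers = Join-Path $authRoot 'Credential Providers'
$filters   = Join-Path $authRoot 'Credential Provider Filters'

# Resolve a {CLSID} subkey name to the COM class's display name and DLL, if registered.
function Resolve-Clsid {
    param([string]$Clsid)
    $cls  = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    $name = (Get-ItemProperty -Path $cls -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$cls\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Clsid = $Clsid; Name = $name; Dll = $dll }
}

Write-Host "== Registered credential providers =="
Get-ChildItem -Path $providers -ErrorAction SilentlyContinue |
    ForEach-Object { Resolve-Clsid $_.PSChildName } | Format-Table -AutoSize | Out-Host

Write-Host "== Registered credential provider filters =="
$filterKeys = Get-ChildItem -Path $filters -ErrorAction SilentlyContinue
if (-not $filterKeys) {
    Write-Warning "No filter registered: every provider listed above is selectable at logon."
} else {
    $filterKeys | ForEach-Object { Resolve-Clsid $_.PSChildName } | Format-Table -AutoSize | Out-Host
}

# Assumption: principals expected to hold write rights under HKLM\SOFTWARE.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Rights that would let a principal remove or replace the filter registration.
# FullControl contains all of these bits, so it is caught by the -band test below.
$dangerous = [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

Write-Host "== ACL on $filters =="
$acl = Get-Acl -Path $filters
if ($Harden) {
    # Break inheritance (copying inherited ACEs as explicit ones) so that
    # inherited rules can actually be removed rather than silently ignored.
    $acl.SetAccessRuleProtection($true, $true)
}

$offending = @()
foreach ($rule in $acl.Access) {
    $who = $rule.IdentityReference.Value
    "{0,-6} {1,-35} {2}" -f $rule.AccessControlType, $who, $rule.RegistryRights | Out-Host
    $risky = ($rule.AccessControlType -eq 'Allow') -and
             (($rule.RegistryRights -band $dangerous) -ne 0) -and
             ($trusted -notcontains $who)
    if ($risky) { $offending += $rule }
}

if (-not $offending) {
    Write-Host "No non-administrative principal can modify or delete the filter key."
    return
}

foreach ($rule in $offending) {
    $who = $rule.IdentityReference.Value
    Write-Warning "$who holds $($rule.RegistryRights) on the filter key"
    if ($Harden -and $PSCmdlet.ShouldProcess($filters, "remove write/delete rights for $who")) {
        $acl.RemoveAccessRule($rule) | Out-Null
        # Re-grant read-only access so LogonUI and the session can still enumerate the key.
        $read = New-Object System.Security.AccessControl.RegistryAccessRule(
            $rule.IdentityReference,
            [System.Security.AccessControl.RegistryRights]::ReadKey,
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($read) | Out-Null
    }
}
if ($Harden) { Set-Acl -Path $filters -AclObject $acl }
```

Two caveats for anyone using this in practice: on a default install, HKLM\SOFTWARE already denies standard users write and delete access, so the audit will normally report nothing and only matters where ACLs were loosened (for example by an installer or a custom image); and no ACL stops a local administrator, who can take ownership of the key regardless, which is why the answer's point stands that this remains a client-side control rather than something AD enforces per user.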