Microsoft Vista CredProv (GINA) Changes

["Sadler, Connie" <Connie_Sadler () BROWN EDU>]

See below - cross-posted to this list with permission...

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Office: 401-863-7266

> -----Original Message-----
> From: owner-windows-hied () lists Stanford EDU
> [mailto:owner-windows-hied () lists Stanford EDU] On Behalf Of Kramer, 
> Matthew
> Sent: Tuesday, May 02, 2006 1:41 PM
> To: Windows-hied () lists Stanford EDU
> Subject: [windows-hied]: Vista CredProv (GINA) Changes
>
> Hello,
>
> As some of you may or may not know the MS GINA is going away in 
> Windows Vista and is being replaced by the Windows Credential 
> Provider.  This causes a problem for some of us who have written 
> custom GINA hooks that will no longer be supported in Vista.
>
> We currently use our GINA hook to provide the ability for departmental

> OU administrators to specify a custom roaming profile path on a per 
> machine basis instead of a per user basis.  The thought being that the

> user may be affiliated with multiple schools/departments that are part

> of the same Active Directory but have independent IT departments that 
> want to provide different functionality to the end user.  For example 
> the following scenario is not currently possible because the roaming 
> profile path is tied to the user object:
> School A wants to support roaming profiles for individual users, 
> School B wants to use a mandatory locked down profile for all users 
> and School C doesn't want to support roaming profiles at all.  Student

> X maybe taking a class in all three schools, so who gets to set the 
> profile path on the user object!  To get around this the custom GINA 
> hook we wrote allows the OU Admin to specify a roaming profile path 
> for a user based on Group Policy instead of using the value stored 
> within the user object.  This way each school can set a loopback 
> policy on their machines that will control how roaming profiles are 
> supported in their environment.
>
> Unfortunately this functionality will not be exposed in the Windows 
> Credential Provider,  the profile path is no longer able to be 
> programmatically set upon logon so the API's that are available now 
> will no longer be exposed in Vista.  We are working with MS to submit 
> a Design Change Request (DCR) to have this functionality natively 
> supported in Vista.  To that end I would ask any University that would

> be interested in having this natively supported to send me there 
> contact information.  The more schools and colleges we include with 
> this DCR the better chance we have it actually being implemented and 
> included in the release.
>
> If anyone has any questions please let me know.  Also if you would 
> reply directly to me I will pass along some stats to the lists on how 
> many of us actually want this to happen.
>
> Thanks,
> Matt
>
> Matt Kramer
> Boston University
> Information Technology
> mattkr () bu edu