Educause Security Discussion mailing list archives
Microsoft Vista CredProv (GINA) Changes
From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
Date: Thu, 4 May 2006 09:41:13 -0400
See below - cross-posted to this list with permission...

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Office: 401-863-7266
-----Original Message-----
From: owner-windows-hied () lists Stanford EDU [mailto:owner-windows-hied () lists Stanford EDU] On Behalf Of Kramer, Matthew
Sent: Tuesday, May 02, 2006 1:41 PM
To: Windows-hied () lists Stanford EDU
Subject: [windows-hied]: Vista CredProv (GINA) Changes

Hello,

As some of you may or may not know, the MS GINA is going away in Windows Vista and is being replaced by the Windows Credential Provider. This causes a problem for some of us who have written custom GINA hooks that will no longer be supported in Vista.

We currently use our GINA hook to provide the ability for departmental OU administrators to specify a custom roaming profile path on a per-machine basis instead of a per-user basis. The thought being that the user may be affiliated with multiple schools/departments that are part of the same Active Directory but have independent IT departments that want to provide different functionality to the end user. For example, the following scenario is not currently possible because the roaming profile path is tied to the user object:

School A wants to support roaming profiles for individual users, School B wants to use a mandatory locked-down profile for all users, and School C doesn't want to support roaming profiles at all. Student X may be taking a class in all three schools, so who gets to set the profile path on the user object!

To get around this, the custom GINA hook we wrote allows the OU Admin to specify a roaming profile path for a user based on Group Policy instead of using the value stored within the user object. This way each school can set a loopback policy on their machines that will control how roaming profiles are supported in their environment.

Unfortunately this functionality will not be exposed in the Windows Credential Provider; the profile path is no longer able to be programmatically set upon logon, so the APIs that are available now will no longer be exposed in Vista.

We are working with MS to submit a Design Change Request (DCR) to have this functionality natively supported in Vista. To that end I would ask any University that would be interested in having this natively supported to send me their contact information. The more schools and colleges we include with this DCR, the better chance we have of it actually being implemented and included in the release.

If anyone has any questions please let me know. Also, if you would reply directly to me I will pass along some stats to the lists on how many of us actually want this to happen.

Thanks,
Matt

Matt Kramer
Boston University
Information Technology
mattkr () bu edu