Credential Providers V2 - Add code after submit and check user's password

Question

How do I add my code after click submit button and check user password?

I add my code in GetSerialization function after successfully calling KerbInteractiveUnlockLogonPack and RetrieveNegotiateAuthPackage. But in this state first run my code and later check user password.

I want to first check user password and if that correct then run my code. How do I do?

if (_fIsLocalUser)
{
    PWSTR pwzProtectedPassword;
    hr = ProtectIfNecessaryAndCopyPassword(_rgFieldStrings[SFI_PASSWORD], _cpus, &pwzProtectedPassword);
    if (SUCCEEDED(hr))
    {
        PWSTR pszDomain;
        PWSTR pszUsername;
        hr = SplitDomainAndUsername(_pszQualifiedUserName, &pszDomain, &pszUsername);
        if (SUCCEEDED(hr))
        {
            KERB_INTERACTIVE_UNLOCK_LOGON kiul;
            hr = KerbInteractiveUnlockLogonInit(pszDomain, pszUsername, pwzProtectedPassword, _cpus, &kiul);
            if (SUCCEEDED(hr))
            {
                // We use KERB_INTERACTIVE_UNLOCK_LOGON in both unlock and logon scenarios.  It contains a
                // KERB_INTERACTIVE_LOGON to hold the creds plus a LUID that is filled in for us by Winlogon
                // as necessary.
                hr = KerbInteractiveUnlockLogonPack(kiul, &pcpcs->rgbSerialization, &pcpcs->cbSerialization);
                if (SUCCEEDED(hr))
                {
                    ULONG ulAuthPackage;
                    hr = RetrieveNegotiateAuthPackage(&ulAuthPackage);
                    if (SUCCEEDED(hr))
                    {
                        pcpcs->ulAuthenticationPackage = ulAuthPackage;
                        pcpcs->clsidCredentialProvider = CLSID_CSample;
                        // At this point the credential has created the serialized credential used for logon
                        // By setting this to CPGSR_RETURN_CREDENTIAL_FINISHED we are letting logonUI know
                        // that we have all the information we need and it should attempt to submit the
                        // serialized credential.
                        *pcpgsr = CPGSR_RETURN_CREDENTIAL_FINISHED;
                    }
                }
            }
            CoTaskMemFree(pszDomain);
            CoTaskMemFree(pszUsername);
        }
        CoTaskMemFree(pwzProtectedPassword);
    }
}

Answer 1

I have found the following line in my code to check username/password pair:

    bRet = LogonUserExA(lpszUsername, NULL, lpszPassword, LOGON32_LOGON_NETWORK, 
        LOGON32_PROVIDER_DEFAULT, NULL, NULL, NULL, NULL, NULL);

lpszUsername us the full UPN in one of forms domain\user or user@domain.
The key constant is LOGON32_LOGON_NETWORK:

This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUserEx function does not cache credentials for this logon type.

See MS Docs for details on parameters and constant values and also check the remarks section.

In your case it can looks like this:

if(LogonUserEx(_pszQualifiedUserName, NULL, _rgFieldStrings[SFI_PASSWORD],
    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, NULL, NULL, NULL, NULL, NULL))
{
    ...
}