Windows 7: Exploring Credential Manager and Windows Vault

Last week, our friends Paul Thurrott and Rafael Rivera explored one of the untold mysteries (according to them) of Windows 7 - Windows Vault.

I have been using this feature for quite some time since the beta release, even before Paul and Rafael might have discovered it. Let me explain what Windows Vault is and how to use it. Before that, let us take a minute to read what Microsoft replied to Mary-Jo Foley regarding Windows Vault:

"Windows 7 includes a feature called 'credential manager.' This is similar to technology in past versions of Windows in that it stores your frequently used passwords so you can easily access and manage; however, in Windows 7 we've added the ability to back up or restore this information. The default storage vault for the credential manager information is the 'Windows Vault.'"

As Microsoft says, the Windows Vault stores user credentials for servers, websites and other programs so that Windows can log users in automatically. At first glance, this might look as though users can now store their Facebook, Twitter, Gmail credentials etc. so that they are logged in automatically via browsers. But it is not so.

Windows Vault stores credentials with which Windows can log users in automatically, which means that any Windows application that needs credentials to access a resource (a server or a website) can use Credential Manager and Windows Vault to supply the stored credentials instead of having users enter the username and password every time.

Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it has to communicate with the Credential Manager and request the credentials for that resource from the default storage vault.

Let us take an application for example: Google Talk

Google Talk does not use (Windows) Credential Manager to store or retrieve user credentials. Below are the steps Google Talk would follow if it made use of the (Windows) Credential Manager:

1) Google Talk asks the Credential Manager for the credentials for the resource
2) Credential Manager looks into its default vault for the appropriate credentials (for that resource)
3) If there is any credential associated, the vault returns it to the Credential Manager
4) Credential Manager returns it to Google Talk
5) Google Talk signs in with the returned credentials
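
The five steps above, as an added example that is not from the article or the MSDN sample: a C# program that calls the Win32 `CredRead` API for a generic credential and handles the "nothing stored" case from step 3. The target name `ExampleChatApp:server.example` and the UTF-16 encoding of the stored secret are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class VaultLookup
{
    const int CRED_TYPE_GENERIC = 1;   // application-defined credential
    const int ERROR_NOT_FOUND = 1168;  // no credential stored for the target
    [StructLayout(LayoutKind.Sequential)]
    struct CREDENTIAL // mirrors Win32 CREDENTIALW; strings are kept as raw pointers
    {
        public int Flags, Type;
        public IntPtr TargetName, Comment;
        public uint LastWrittenLow, LastWrittenHigh; // FILETIME
        public int CredentialBlobSize;
        public IntPtr CredentialBlob;
        public int Persist, AttributeCount;
        public IntPtr Attributes, TargetAlias, UserName;
    }
    [DllImport("advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredRead(string targetName, int type, int flags, out IntPtr credential);
    [DllImport("advapi32.dll")]
    static extern void CredFree(IntPtr buffer);

    // Steps 1-4: ask Credential Manager for the resource; false means nothing is stored.
    static bool TryGetCredential(string resource, out string user, out string secret)
    {
        user = secret = null;
        if (!CredRead(resource, CRED_TYPE_GENERIC, 0, out IntPtr p))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_NOT_FOUND) return false;
            throw new Win32Exception(err);
        }
        try
        {
            CREDENTIAL c = (CREDENTIAL)Marshal.PtrToStructure(p, typeof(CREDENTIAL));
            user = Marshal.PtrToStringUni(c.UserName);
            // Assumption: the blob was stored as UTF-16 text; the API treats it as opaque bytes.
            secret = c.CredentialBlobSize == 0 ? "" : Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2);
            return true;
        }
        finally { CredFree(p); } // the buffer is allocated by the API and must be released
    }

    static void Main()
    {
        // Hypothetical target name; the secret is used for sign-in and never printed.
        bool found = TryGetCredential("ExampleChatApp:server.example", out string user, out string secret);
        Console.WriteLine(found ? "Step 5: sign in as " + user : "Nothing stored: prompt the user");
    }
}
```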

I have seen a few Microsoft applications already making use of this feature in Windows 7:

  • Windows Live Messenger
  • Microsoft Word 2007
  • Microsoft Outlook 2007
  • Windows Explorer (when accessing network resources)

You have to remember that all these applications are accessing a resource using the Credential Manager, which can be a website or a server. In my case, I accessed my company resource through Microsoft Word which required username and password. When I stored my credentials for my company resource (usually the URL endpoint), Microsoft Word picked it up and prompted me with the username and password boxes filled in with those credentials!

Similarly, I added my network computer and the proper credentials to access it into the vault and Windows Explorer picked it up whenever I connected to that network computer! And similarly, when I accessed other network resources with credentials, Windows Explorer added those to the vault.

Since Windows Vault stores your credentials, you as a user should be able to access your vault and manage all of your credentials.

You can also back up and restore your vault, which is quite handy.

After this, Windows switches to a secure desktop where you can provide a password for your backup. You will be prompted for the password when you restore this vault on the other computer. The backup and restore feature worked really well for me.

Adding Credentials to the Vault

Most of the time it's going to be Windows applications that interact with the Credential Manager and not the user. However, if you do want to manage your credentials, you are allowed to do so.

Let us take an example of adding a Windows credential. I am going to add credentials to connect to one of my network PCs - GALAXY. Initially, without the credentials in the vault, I get this prompt when I connect to my PC:

Let us add the credentials

Notice that I am writing my PC Name as my resource. After adding the credentials, I can see it in my vault

Here is the prompt I get now whenever I connect to my network PC - GALAXY

It remembers the credentials once I choose the option to remember

I tried adding my company credentials and tested with Microsoft Word 2007 and Microsoft Outlook 2007 and they all worked perfectly!

What's missing?

Well, there is no documentation online by Microsoft mentioning the uses of this credential manager for Windows 7, but given the fact that Windows 7 is still in its beta stage, I couldn't complain. In my opinion, Microsoft will come out with some documentation once Windows 7 RC is released.

I have not tested adding certificate-based credentials as I don't have any Windows applications that get authenticated using a certificate. Currently in Windows 7 build 7000, I get this when I choose to add a certificate-based credential

But, in the Windows 7 build 7048, Microsoft has given a clue how this feature will be used. Below is what I get when I choose to add a certificate-based credential in Windows 7 build 7048

Now, that's interesting. Adding a certificate that is used with the smart card. Visit here to know more about enrolling for a smart card certificate. If you have a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus other uses of the smart card cryptography), you can very well test this feature in the Windows 7 build 7048!

What about developers?

Searching MSDN, I found a sample - Credential Management with the .NET Framework 2.0. The sample application interacts with the Credential Manager and allows you to manage your credentials in the default vault. It worked perfectly in Windows 7 build 7000.

The Credential Manager is nothing new for Windows 7 and has been present since Windows XP. The documentation has been available on MSDN for quite a long time, since Windows XP.

Maybe next time Rafael and Paul should consider digging more into the feature before concluding that it's something new to Windows 7 and undocumented by Microsoft. Windows applications, especially Microsoft products, make use of this Credential Manager a lot.

Credential Manager & Windows Vault are nothing new and have just got a new shiny user interface in Windows 7.
