In Windows 8, you can use Credential
Manager to store credentials that can be used to try to automatically
log on users to servers, websites, and programs. Credentials are stored
in a user’s profile. If you find that a user frequently has problems
logging on to protected resources, such as the company intranet or an
external Internet site, you can create a stored credential for each
resource that the user works with.
Credential Manager supports four types of stored credentials:
- Web credential: A credential for a website that includes a resource location, logon account name, and password
- Windows credential: A credential that uses standard Windows authentication (NTLM or Kerberos) and includes a resource location, logon account name, and password
- Certificate-based credential: A credential that includes a resource location and uses a certificate saved in the Personal store in Certificate Manager for authentication
- Generic credential: A credential that uses basic or custom authentication techniques and includes a resource location, logon account name, and password
The following sections examine techniques for working with stored credentials.
Note
When you create a
Microsoft account on a computer, a generic credential is created and
stored for Windows Live. The Windows Live credential is what’s used to
access the Microsoft Store, SkyDrive, and other Microsoft services.
Normally, you shouldn’t edit or remove this credential. However, if the
live credential and the stored credential somehow get out of sync, this
is where you’d go to edit the email address and password used by the
computer to access Microsoft services.
Adding Windows or Generic Credentials
Each user account has unique credentials. Individual credential
entries are stored in the user’s profile settings and contain
information needed to log on to protected resources. If you are logged
on to a domain account when you create a credential, and the account
has a roaming profile (instead of a local or mandatory profile), the
information stored in the credential is available when you log on to
any computer in the domain. Otherwise, the information in the
credential is available only on the computer on which you create the
entry.
Note
When your organization has computers that are in workgroups or homegroups rather than part of your domain, you’ll find that stored
credentials can save everyone a lot of time. For example, if Ted uses a
computer that is a member of a workgroup for his daily activities but
needs to access several different servers in several different
locations or domains, you can make this process easier by creating a
Windows credential for each resource. Now, no matter how Ted accesses
the servers, he can be authenticated automatically and without having
to provide alternate credentials. For example, if Ted maps a network
drive to FileServer84 and you’ve set up a credential for this server,
Ted doesn’t have to select the Connect Using Different Credential
option and then provide alternate credentials.
To add an entry to the currently logged-on user’s credentials, follow these steps:
- Log on as the user whose credentials you want to manage. In Control Panel, tap or click User Accounts, and then tap or click Manage Windows Credentials under Credential Manager.

  On the Credential Manager page, as shown in Figure 1, you’ll see a list of current entries by credential type (if there are any credentials).

  Note
  For simplicity, I often generalize and refer to the User Accounts heading in Control Panel. However, note that domain computers have a User Accounts heading in Control Panel, whereas computers in a workgroup or homegroup have a User Accounts And Family Safety heading.
- Tap or click Add A Windows Credential or Add A Generic Credential, as appropriate for the type of credential you are creating. Then use the options provided to configure the credential (as shown in Figure 2). The available options are as follows:
  - Internet Or Network Address: The network or Internet resource for which you are configuring the credential entry. This can be a server name, such as Fileserver86; a fully qualified domain name for an Internet resource, such as www.microsoft.com; or an address containing a wildcard, such as *.microsoft.com. When you use a server name or fully qualified domain name, the entry is used for accessing a specific server or service. When you use a wildcard, the entry is used for any server in the specified domain. For example, the entry *.microsoft.com could be used to access www.microsoft.com, ftp.microsoft.com, smtp.microsoft.com, and extranet.microsoft.com.
  - User Name: The user name required by the server, including any necessary domain qualifiers. To use the default domain for a resource, enter only the user name, such as Williams. For a nondefault domain, type the full domain and account name, such as technology\Williams. For an Internet service, type the full service account name, such as Williams@msn.com.
  - Password: The password required by the server. One of the things most users forget is that whenever they change their password on the server or service, they must also change their password in their stored credential. If a user forgets to change the password in the stored credential, repeated attempts to log on or connect to the server or service might result in the account being locked.
- Tap or click OK to save the credential.
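A command-line way to review the entries this procedure creates, as an added example that is not from the original text: it parses `cmdkey /list` output and marks wildcard targets, because those entries are used for any server in the specified domain. The sample text is constructed, the English-language output layout is an assumption, and the function name is hypothetical.

```powershell
# Added example. Parses the English-language text printed by `cmdkey /list`.
function ConvertFrom-CmdKeyList {            # hypothetical helper name
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A "Target:" line starts a new entry; emit the previous one first.
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            # Drop the "Domain:target=" style prefix to get the address as typed.
            $name = $Matches[1] -replace '^[^=]*=', ''
            $current = [ordered]@{
                Target   = $name
                Type     = ''
                User     = ''
                Wildcard = $name.Contains('*')   # entry applies to a whole domain
            }
        }
        elseif ($null -ne $current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $Matches[1]
        }
        elseif ($null -ne $current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    return $entries
}

# Constructed sample output (not captured from a real machine).
$sample = @'
Currently stored credentials:

    Target: Domain:target=FileServer84
    Type: Domain Password
    User: technology\Williams

    Target: Domain:target=*.microsoft.com
    Type: Domain Password
    User: Williams@msn.com
'@ -split '\r?\n'

$entries = ConvertFrom-CmdKeyList -Lines $sample
$entries | Format-Table Target, Type, User, Wildcard -AutoSize

# List wildcard entries so each can be narrowed to a single server where possible.
$entries | Where-Object { $_.Wildcard } | ForEach-Object {
    "Review: '$($_.Target)' is used for any server in that domain as $($_.User)"
}
```

To check the live store, pass `(cmdkey /list)` as `-Lines` while logged on as the user. An entry that is no longer needed can be removed with `cmdkey /delete:<target>`.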
Adding Certificate-Based Credentials
The Personal certificate store in the user’s profile stores
certificates that have been issued to authenticate the user. Once
you’ve added a certificate for the user, you can create a credential
that uses the certificate to access a resource.
To add an entry for a certificate-based credential to the currently logged-on user’s stored credentials, follow these steps:
- Log on as the user whose credentials you want to manage. In Control Panel, tap or click User Accounts, and then tap or click Manage Windows Credentials under Credential Manager.
- On the Credential Manager page, you’ll see a list of current entries by credential type (if there are any credentials).
- Tap or click Add A Certificate-Based Credential. In the Internet Or Network Address box, enter the name of the network or Internet resource for which you are configuring the credential entry. This can be a server name, a fully qualified domain name for an Internet resource, or an address containing a wildcard.
- Tap or click Select Certificate. In the Select Certificate dialog box, tap or click the personal certificate that you want to use for the resource, and then tap or click OK.
- Tap or click OK again to save the credential.
You can edit credential entries at any time, but keep in mind that
local entries are visible only on the computer on which they were
created. This means that if you want to modify an entry, you must log
on to the local workstation where the entry was created. The only
exception is for users with roaming profiles. When a user has a roaming
profile, credential entries can be edited from any computer where the
user is logged on.
Use the following steps to edit a user’s Credentials entries:
- Log on as the user whose Credentials entries you want to manage. In Control Panel, tap or click User Accounts, and then tap or click Manage Windows Credentials under Credential Manager.

  On the Credential Manager page, you’ll see a list of current entries by credential type.
- Tap or click the credential entry that you want to edit.
- Tap or click Edit.
- As necessary, specify new values for the user name and password or the certificate associated with the credential, and then tap or click Save.
Backing Up and Restoring Windows Credentials
You can back up a user’s stored
credentials separately from his computer data. After you back up
credentials, you can restore the credentials or transfer them to a new
computer simply by restoring the backup. In most cases, you should back
up the credentials to removable media.
To back up a user’s credentials, follow these steps:
- Log on as the user whose credential entries you want to manage. In Control Panel, tap or click User Accounts, and then tap or click Manage Windows Credentials under Credential Manager.

  On the Credential Manager page, you’ll see a list of current entries by credential type.
- Tap or click Back Up Credentials.
- On the Stored User Names And Passwords page, tap or click Browse. Use the Save Backup File As dialog box to select a save location and specify a name for the credential backup file. Credential backup files are saved with the .crd file extension. Tap or click Save.
- Tap or click Next. Press Ctrl+Alt+Del to switch to the secure desktop. When prompted, enter and confirm a password for the credential backup file.
- Tap or click Next, and then tap or click Finish.
To restore a user’s credentials on the same or a different computer, follow these steps:
- Log on as the user whose credential entries you want to manage. In Control Panel, tap or click User Accounts, and then tap or click Manage Windows Credentials under Credential Manager.
- On the Credential Manager page, tap or click Restore Credentials.
- On the Stored User Names And Passwords page, tap or click Browse. Use the Open Backup File dialog box to select the location and file in which you saved the credential backup files, and then tap or click Open.
- Tap or click Next. Press Ctrl+Alt+Del to switch to the secure desktop. When prompted, enter the password for the credential backup file.
- Tap or click Next, and then tap or click Finish.
Removing Credential Entries
When a user no longer needs a credential entry, you should remove it. To remove a user’s credential entry, follow these steps:
- Log on as the user whose credential entries you want to manage. In Control Panel, tap or click User Accounts, and then tap or click Manage Windows Credentials under Credential Manager.

  On the Credential Manager page, you’ll see a list of current entries by credential type.
- Tap or click the credential entry that you want to remove.
- Tap or click Remove. When prompted to confirm the action, tap or click Yes.
As stated previously, local credential
entries can be removed only on the computer on which they were created.
When a user has a roaming profile, however, credential entries can be
deleted from any computer to which the user is logged on.