I am trying to build an intranet application. What I am trying to do is authenticate the user using a biometric system, fingerprints to be precise. Some laptops and notebooks I have seen have a fingerprint authentication system. I am trying to build the same thing, but not for one particular person. The only difference is that the person's biometric information would be stored on an LDAP server, so that anyone who has the right access to that particular machine can use it after being authenticated. I am trying to get the user's biometric information using an external biometric device. I have gone through a few documents on the Windows Biometric Framework. Using a sensor adapter and an engine adapter as plug-ins, I can get the user's biometric information, process it, and send it to the server.
The only query I have here is:
Has anyone ever tried this?
Can anyone help me with this?
Thank you in advance.
Select Start > Run, type ldp.exe, and then select OK. Select Connection > Connect. In Server and in Port, type the server name and the non-SSL/TLS port of your directory server, and then select OK. For an Active Directory Domain Controller, the applicable port is 389.
Biometric authentication involves using some part of your physical makeup to authenticate you. This could be a fingerprint, an iris scan, a retina scan, or some other physical characteristic. A single characteristic or multiple characteristics could be used.
Enter the host name of the LDAP server. Enter the port that you are connecting to. Standard ports are 389 for ldap and 636 for ldaps. Enter the point in the LDAP tree from which users are searched.
If you're saying that you want to actually notify the built-in Windows login / authentication system (known as a system credential provider) that the user is authenticated, then this is not supported by the official Windows API. If this was supported, anyone could create malware that simply notified the API that a user is authenticated / authorized, thereby essentially rendering all of Windows security meaningless. So we should be grateful this is not officially supported.
Trying to implement something like that without official API support would definitely be against the terms of use. Since it's not officially supported, you would have to resort to some awful hacks to get it to work, the implementation of which would almost certainly be considered either reverse engineering the kernel or hacking the kernel (or both) by Microsoft's legal team. Even if you believed they were wrong... would you really want to fight them (and their deep pockets)?
Let's also consider that if no official unlock API exists, then you would be required to use some kind of backdoor to achieve it. If such a thing even exists, then it would certainly be subject to being rendered useless by an MS update (which would nuke your app's login implementation).
Now that the fire and fury is out of the way, let me state that all is not lost, provided you are targeting a more recent version of Windows.
You can implement your own biometric security system as you described. This is now known as a third party credential provider. This would be a separate system, and Microsoft recommends that you require users set up a system credential provider as a fallback in case your third party credential system fails for any reason. If not, the user account would be impossible to recover. Again, the key difference from the first example is that your system is separate and distinct from the system credential provider (Windows native lock screen).
I would like to stress though, that implementing a third party credential system is still far from trivial. You will want to read up extensively on the proper interfaces you will have to implement. I'd recommend starting here:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt158211%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
There is also apparently a sample located in the Windows SDK installation directory under \Samples\Security\CredentialProvider. Also, there is a nice technical reference of credential providers located here:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb648647%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Click the link that says "Credential Provider driven Windows Logon Experience" to download the tech document.