I'm working on a Windows client which uses the Windows Data Protection APIs (CryptProtectData & CryptUnprotectData). These APIs encrypt & decrypt a credentials file by tying a session key to the Windows User Profile. This allows the user to securely choose to "remember" usernames & passwords, i.e. the user does not need to re-enter them when the client restarts.
The credentials file is stored in the Roaming directory (C:\Users\<user>\AppData\Roaming). Assuming the Roaming Profile is enabled, if a user logs onto another machine, with the same username/password, the credentials file is automatically downloaded. CryptUnprotectData supports roaming so this means the file can be decrypted. Hence when the user starts the client, on another machine, he/she does not need to enter a username or password.
If the Roaming Profile is disabled, the file cannot be decrypted, e.g. if it is manually copied to another machine. It is tied to the machine upon which it was encrypted & can only be decrypted on that machine.
This has worked for two releases of our client. But recently a larger customer exposed a hole with this approach.
They have a subset of users who have been provisioned with virtual environments. Every time one of these users signs in, a "new" machine is provided. The Windows Roaming Profile is disabled, so to keep the users' settings they are using View Persona Management.
This poses a problem for our client. The credentials file is downloaded by View Persona Management. But since the file was encrypted on "another" machine, & because roaming is disabled, it cannot be decrypted by CryptUnprotectData. From the Windows point of view this is very deliberate. But it means that every time a user logs into a VM a username/password is required by our client.
We asked the customer if they would be willing to enable the Windows Roaming Profile (since it works in conjunction with View Persona Management). But they believe this is a step backwards and are unwilling to proceed.
This seems like a common requirement. Hence my questions are:
- Does VMWare provide an alternative to the Windows Data Protection APIs in deployments where the Windows Roaming Profile is disabled?
- Are there any additional steps the customer can carry out to get CryptProtectData to work nicely with View Persona Management?
- Does VMWare have an official stance on CryptProtectData & View Persona Management working together?
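As an added illustration of the behaviour the question describes (not code from the poster's client), the following PowerShell uses the .NET ProtectedData wrapper over CryptProtectData/CryptUnprotectData with user scope, and shows how a client can detect the "blob came from a profile that did not roam" case and fall back to prompting instead of failing. The file path and the entropy string are assumptions chosen for the example.

```powershell
# Added example: user-scoped DPAPI via System.Security.Cryptography.ProtectedData,
# which calls CryptProtectData / CryptUnprotectData underneath.
Add-Type -AssemblyName System.Security

# Hypothetical location; the post keeps its file under the Roaming AppData folder.
$CredFile = Join-Path $env:APPDATA 'ExampleClient\credentials.bin'
# Constructed application entropy: a second input CryptUnprotectData requires, so a
# copied blob cannot be decrypted by other software running as the same user.
$Entropy = [Text.Encoding]::UTF8.GetBytes('ExampleClient-v1')

function Save-Credential {
    param([string]$UserName, [securestring]$Password)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $bytes = [Text.Encoding]::UTF8.GetBytes("$UserName`n$plain")
    # CurrentUser scope: the blob is wrapped with the user's profile master key,
    # which is exactly the key material that does or does not roam.
    $blob = [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    New-Item -ItemType Directory -Force (Split-Path $CredFile) | Out-Null
    [IO.File]::WriteAllBytes($CredFile, $blob)
}

function Read-Credential {
    if (-not (Test-Path $CredFile)) { return $null }
    $blob = [IO.File]::ReadAllBytes($CredFile)
    try {
        $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        $parts = [Text.Encoding]::UTF8.GetString($bytes) -split "`n", 2
        return [pscustomobject]@{
            UserName = $parts[0]
            Password = ConvertTo-SecureString $parts[1] -AsPlainText -Force
        }
    } catch [Security.Cryptography.CryptographicException] {
        # The failure the post describes: the blob was protected under a master key
        # this machine cannot reach because the profile did not roam. Treat it as
        # "no saved credential", drop the stale file and let the client prompt.
        Remove-Item $CredFile -ErrorAction SilentlyContinue
        return $null
    }
}
```

Run Save-Credential on one machine and Read-Credential on another with roaming disabled to see the catch branch taken; on the same machine, or with a roaming profile, the credential round-trips.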