Keyring Component Description

Microsoft Windows NT provides a single sign-on experience for users by allowing network providers to take a user’s credentials at login and authenticate the user to other targets. This approach might not be sufficient in every case, for example, if a user connects to an untrusted domain or uses alternate credentials to access a specific resource. Windows XP addresses this problem through the Windows Stored User Names and Passwords component, sometimes referred to as Key Manager or Keyring. This component provides credential storage and management functionality.

The Stored User Names and Passwords component provides the user with a secure, roamable store for credentials. Roamable means that if the user is part of a domain with roaming profiles, the credentials can be saved as part of that roaming profile. This mechanism enables users to use the Stored User Names and Passwords feature anywhere they can access their profiles.

Configuring the Component

This component requires no configuration.

The Credential Manager uses two registry values to control per-machine policy.

The following table shows the registry values under the HKLM\System\CurrentControlSet\Control\Lsa registry key:

| Registry Value | Type | Description |
|---|---|---|
| TargetInfoCacheSize | REG_DWORD | Specifies the number of entries in the target information cache. The credential manager manages a per-logon session cache of mappings from target name to target info. The CredGetTargetInfo function obtains its information from the cache. If this value is set too small, other applications running under the logon session can flush a cache entry (by adding their own) before a cache entry can be used. If this value is set too large, an excessive amount of memory will be consumed. The default value is 1000 entries. The minimum value is 1. |
| DisableDomainCreds | REG_DWORD | Specifies whether domain credentials (CRED_TYPE_DOMAIN_*) may be read or written on this machine. If this value is set to 0, domain credentials function normally. If this value is set to 1, domain credentials cannot be written (a STATUS_NO_SUCH_LOGON_SESSION error message is returned to any API that attempts to write such a credential) or read (any such credential is silently ignored). |
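
The following read-only audit of the two values is an added example, not part of the original documentation. It reports each value's presence, type, and effect as described in the table. The function names are hypothetical, and treating a missing DisableDomainCreds as 0 is an assumption, because the page states no default for it.

```powershell
# Added example: read-only audit of the two Lsa values from the table above.
$LsaPath = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$DWord   = [Microsoft.Win32.RegistryValueKind]::DWord

function Get-LsaPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $key = Get-Item -Path $LsaPath -ErrorAction Stop
    # GetValueKind throws on a missing value, so test for presence first.
    $present = $key.GetValueNames() -contains $Name
    [pscustomobject]@{
        Name    = $Name
        Present = $present
        Kind    = if ($present) { $key.GetValueKind($Name) } else { $null }
        Data    = if ($present) { $key.GetValue($Name) } else { $null }
    }
}

function Get-CredManPolicyReport {
    foreach ($name in 'TargetInfoCacheSize', 'DisableDomainCreds') {
        $v = Get-LsaPolicyValue -Name $name
        $note = if (-not $v.Present) {
            if ($name -eq 'TargetInfoCacheSize') { 'Not set: documented default of 1000 entries applies.' }
            else { 'Not set: treated here as 0 (assumption; the page states no default).' }
        } elseif ($v.Kind -ne $DWord) {
            # A value of the wrong type does not match the documented policy format.
            "Type is $($v.Kind); the page documents REG_DWORD."
        } elseif ($name -eq 'TargetInfoCacheSize') {
            if ($v.Data -eq 0) { 'Below the documented minimum of 1.' }
            else { "Cache holds $($v.Data) target-info entries per logon session." }
        } else {
            switch ($v.Data) {
                0       { 'Domain credentials function normally.' }
                1       { 'Domain credentials cannot be written and are silently ignored on read.' }
                default { 'Value is neither 0 nor 1; the page does not describe this case.' }
            }
        }
        [pscustomobject]@{ Value = $name; Data = $v.Data; Finding = $note }
    }
}

Get-CredManPolicyReport | Format-Table -AutoSize -Wrap
```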

For More Information

Additional information about this component can be found in the product online Help.