NOTICE: This project is no longer being maintained. :warning:
Git Credential Manager for Windows is no longer being maintained. The cross-platformGit Credential Manager Core (GCM Core) is the official replacement.
GCM Core is included as an optional component of Git for Windows 2.28 and will be made the default credentialhelper as of Git for Windows 2.29. GCM Core can also be manually installed from this page.
How to add Windows Credentials to Credentials Manager on Windows programmatically? How to use IF(File.Exists) statement. In C# How to get Windows Credentials from credential manager-5. How can I store secrets in my application? See more linked questions. Calculate relative time in C#.
NOTICE: Experiencing GitHub push/fetch problems?
- Windows 7 includes a Credential Manager where end users can save credentials for Web sites, applications, and servers that support the feature. The credentials are stored in Windows Vault and provide easy and quick logon to any of the saved resources.
- To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager Control panel. Select Web Credentials or Windows Credentials to access the credentials you want to manage.
- Download this app from Microsoft Store for Windows 10 Mobile, Windows Phone 8.1. See screenshots, read the latest customer reviews, and compare ratings for My Credential Manager.
- The feature is Credential Manager, and this is how I add a new credential to its store. Adding a Credential to the Credential Manager Store. To access Credential Manager, I simply open Control Panel and then single-click on Credential Manager. This launches the main dialog box as shown in Figure 1. The Credential Manager main dialog box.
GitHub will disable password-based authenticationon APIs Git Credential Manager for Windows uses to create tokens. As a result, GCMfor Windows will no longer be able to create new access tokens for GitHub.
Git Credential Manager Core (GCM Core) supports OAuth-basedauthentication with GitHub and is the replacement for GCM for Windows.
Please update to Git for Windows 2.28 and select “Git Credential Manager Core” fromthe installer when asked to “select a credential helper”, or manually install GCM Corefrom here.
As of 22 Feb 2018, GitHub has disabled support for weak encryption which means many users will suddenly find themselves unable to authenticate using a Git for Windows which (impacts versions older than v2.16.0). DO NOT PANIC, there’s a fix. Update Git for Windows to the latest (or at least v2.16.0).
The most common error users see looks like:
If, after updating Git for Windows, you are still having problems authenticating with GitHub, please read this Developer Community topic which contains additional remedial actions you can take to resolve the problem.
If you are experiencing issue when using Visual Studio, please read Unable to connect to GitHub with Visual Studio.
The Git Credential Manager for Windows (GCM) provides secure Git credential storage for Windows. It’s the successor to the Windows Credential Store for Git (git-credential-winstore), which is no longer maintained. Compared to Git’s built-in credential storage for Windows (wincred), which provides single-factor authentication support working on any HTTP enabled Git repository, GCM provides multi-factor authentication support for Azure DevOps, Team Foundation Server, GitHub, and Bitbucket.
This project includes:
- Secure password storage in the Windows Credential Store.
- Multi-factor authentication support for Azure DevOps.
- Two-factor authentication support for GitHub.
- Two-factor authentication support for Bitbucket.
- Personal Access Token generation and usage support for Azure DevOps, GitHub, and Bitbucket.
- Non-interactive mode support for Azure DevOps backed by Azure Directory.
- NTLM/Kerberos authentication for Team Foundation Server (see notes).
- Optional settings for build agent optimization.
Community
This is a community project so feel free to contribute ideas, submit bugs, fix bugs, or code new features. For detailed information on how the GCM works go to the wiki.
Download and Install
To use the GCM, you can download the latest installer. To install, double-click GCMW-{version}.exe and follow the instructions presented.
When prompted to select your terminal emulator for Git Bash you should choose the Windows’ default console window, or make sure GCM is configured to use modal dialogs. GCM cannot prompt you for credentials, at the console, in a MinTTY setup.
Manual Installation
Note for users with special installation needs, you can still extract the gcm-{version}.zip file and run install.cmd from an administrator command prompt. This allows specification of the installation options explained below.
Installation in an MSYS2 Environment
To use the GCM along with git installed with pacman in an MSYS2 environment, simply download a release zip and extract the contents directly into C:msys64usrlibgit-core (assuming your MSYS2 environment is installed in C:msys64). Then run:
How to use
You don’t. It magically works when credentials are needed. For example, when pushing to Azure DevOps, it automatically opens a window and initializes an oauth2 flow to get your token.
Build and Install from Sources
To build and install the GCM yourself, clone the sources, open the solution file in Visual Studio, and build the solution. All necessary components will be copied from the build output locations into a .Deploy folder at the root of the solution. From an elevated command prompt in the .Deploy folder issue the following command git-credential-manager install. Additional information about development and debugging are available in our documents area.
Various options are available for uniquely configured systems, like automated build systems. For systems with a non-standard placement of Git use the --path <git> parameter to supply where Git is located and thus where the GCM should be deployed to. For systems looking to avoid checking for the Microsoft .NET Framework and other similar prerequisites use the --force option. For systems looking for silent installation without any prompts, use the --passive option.
Additional Resources
Contribute
There are many ways to contribute.
- Submit bugs and help us verify fixes as they are checked in.
- Review code changes.
- Contribute bug fixes and features.
Code Contributions
For code contributions, you will need to complete a Contributor License Agreement (CLA). Briefly, this agreement testifies that you grant us permission to use the submitted change according to the terms of the project’s license, and that the work being submitted is under the appropriate copyright.
Please submit a Contributor License Agreement (CLA) before submitting a pull request. You may visit https://cla.microsoft.com to sign digitally. Alternatively, download the agreement Microsoft Contribution License Agreement.pdf, sign, scan, and email it back to cla@microsoft.com. Be sure to include your GitHub user name along with the agreement. Once we have received the signed CLA, we’ll review the request.
Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
License
This project uses the MIT License.
-->Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic for the IT professional describes how credentials are formed in Windows and how the operating system manages them.
Introduction
When a user or service wants to access a computing resource, they must provide information that proves their identity. Their identity is typically in the form of their account’s user name. This might be the user name that is the Security Accounts Manager (SAM) account name or the User Principal Name (UPN). But to prove their identity, they must provide secret information, which is called the authenticator. An authenticator can take various forms depending on the authentication protocol and method. The combination of an identity and an authenticator is called an authentication credential.
The process of creating, submitting, and verifying credentials is described simply as authentication, which is implemented through various authentication protocols, such as the Kerberos protocol. Authentication establishes the identity of the user, but not necessarily the user’s permission to access or change a specific computing resource. That process is known as authorization.
Credentials are typically created or converted to a form that is required by the authentication protocols that are available on a computer. Credentials can be stored in the Local Security Authority Subsystem Service (LSASS) process memory for use by the account during a session. Credentials must also be stored on a hard disk drive in authoritative databases, such as the SAM database and in the database that is used by Active Directory Domain Services (AD DS).
For more information about storage, see Credentials storage in this topic.
Credential authenticators
The authenticator types used in the Windows operating system are as follows:
Plaintext credentials
Windows Credential Manager Api
When a user signs in to a computer running Windows and provides a user name and credentials (such as a password or PIN), the information is provided to the computer in plaintext. This plaintext password is used to authenticate the user’s identity by converting it into the form that is required by the authentication protocol. Some versions of Windows also retain an encrypted copy of this password that can be unencrypted to plaintext for use with authentication methods such as Digest authentication.
Note
Windows operating systems never store any plaintext credentials in memory or on the hard disk drive. Only reversibly encrypted credentials are stored there. When later access to the plaintext forms of the credentials is required, Windows stores the passwords in encrypted form that can only be decrypted by the operating system to provide access in authorized circumstances.
These protections, however, cannot prevent a malicious user with system-level access from illicitly extracting them in the same manner that the operating system would for legitimate use.
NT hash
The NT hash of the password is calculated by using an unsalted MD4 hash algorithm. MD4 is a cryptographic one-way function that produces a mathematical representation of a password. This hashing function is designed to always produce the same result from the same password input, and to minimize collisions where two different passwords can produce the same result. This hash is always the same length and cannot be directly decrypted to reveal the plaintext password. Because the NT hash only changes when the password changes, an NT hash is valid for authentication until a user’s password is changed.
Note
To protect against brute-force attacks on the NT hashes or online systems, users who authenticate with passwords should set strong passwords or passphrases that include characters from multiple sets and are as long as the user can easily remember.For password complexity guidelines, see the Strong passwords section in the Passwords Technical Overview.
LM hash
LAN Manager (LM) hashes are derived from the user password. Legacy support for LM hashes and the LAN Manager authentication protocol remains in the NTLM protocol suite. Default configurations in Windows and Microsoft security guidance have discouraged its use.
LM hashes inherently are more vulnerable to attacks because:
LM hashes require a password to be less than 15 characters long and they contain only ASCII characters.
LM hashes do not differentiate between uppercase and lowercase letters.
Windows logon cached password verifiers
These verifiers are not credentials because they cannot be presented to another computer for authentication, and they can only be used to locally verify a credential. They are stored in the registry on the local computer and provide credentials validation when a domain-joined computer cannot connect to AD DS during a user’s logon. These “cached logons” or more specifically, cached domain account information, can be managed using the security policy setting Interactive logon: Number of previous logons to cache (in case domain controller is not available).
Credentials storage
The following sections describe where credentials are stored in Windows operating systems. Windows credentials are composed of a combination of an account name and the authenticator. These are stored and retrieved from the following locations depending on the status of the user’s session, which might be active or inactive, and local or networked.
Security Accounts Manager database
The SAM database is stored as a file on the local hard disk drive, and it is the authoritative credential store for local accounts on each Windows computer. This database contains all the credentials that are local to that specific computer, including the built-in local Administrator account and any other local accounts for that computer.
The SAM database stores information on each account, including the user name and the NT password hash. By default, the SAM database does not store LM hashes on current versions of Windows. No password is ever stored in a SAM database—only the password hashes. The NT password hash is an unsalted MD4 hash of the account’s password. This means that if two accounts use an identical password, they will also have an identical NT password hash.
LSASS process memory
The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions. This allows users to seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.
LSASS can store credentials in multiple forms, including:
Reversibly encrypted plaintext
Kerberos tickets (TGTs, service tickets)
NT hash
LM hash
If the user logs on to Windows by using a smart card, LSASS will not store a plaintext password, but it will store the corresponding NT hash value for the account and the plaintext PIN for the smart card. If the account attribute is enabled for a smart card that is required for interactive logon, a random NT hash value is automatically generated for the account instead of the original password hash. The password hash that is automatically generated when the attribute is set does not change.
If a user logs on to Windows with a password that is compatible with LM hashes, this authenticator will be present in memory.
The storage of plaintext credentials in memory cannot be disabled, even if the credential providers that require them are disabled.
The stored credentials are directly associated with the LSASS logon sessions that have been started since the last restart and have not been closed. For example, LSA sessions with stored LSA credentials are created when a user does any of the following:
Logs on to a local session or RDP session on the computer
Runs a task by using the RunAs option
Runs an active Windows service on the computer
Runs a scheduled task or batch job
Runs a task on the local computer by using a remote administration tool
LSA secrets on the hard disk drive
A Local Security Authority (LSA) secret is a secret piece of data that is accessible only to SYSTEM account processes. Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive. Credentials stored as LSA secrets might include:
Account password for the computer’s AD DS account
Account passwords for Windows services that are configured on the computer
Account passwords for configured scheduled tasks
Account passwords for IIS application pools and websites
AD DS database (NTDS.DIT)
Windows Credential Manager Not Working
The Active Directory Domain Services (AD DS) database is the authoritative store of credentials for all user and computer accounts in an AD DS domain. The two types of domain controllers in AD DS that manage credentials differently are:
Writable Each writable domain controller in the domain contains a full copy of the domain’s AD DS database, including account credentials for all accounts in the domain.
Read-only Read-only domain controllers (RODCs) house a partial local replica with credentials for a select subset of the accounts in the domain. By default, RODCs do not have a copy of privileged domain accounts.
The database stores a number of attributes for each account, which includes user names types and the following:
NT hash for the current password
NT hashes for password history (if configured)
NT hash values are also retained in AD DS for previous passwords to enforce password history during password change operations. The number of password history NT hash values retained is equal to the number of passwords configured in the password history enforcement policy.
LM hashes may also be stored in the AD DS database depending on the domain controller operating system version, configuration settings, and password change frequency.
Credential Manager store
Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI). Any program running as that user will be able to access credentials in this store.
Credential Manager can obtain its information in two ways:
Explicit creation When users enter a user name and password for a target computer or domain, that information is stored and used when the users attempt to log on to an appropriate computer. If no stored information is available and users supply a user name and password, they can save the information. If the user decides to save the information, Credential Manager receives and stores it.
System population When the operating system attempts to connect to a new computer on the network, it supplies the current user name and password to the computer. If this is not sufficient to provide access, Credential Manager attempts to supply the necessary user name and password. All stored user names and passwords are examined, from most specific to least specific as appropriate to the resource, and the connection is attempted in the order of those user names and passwords. Because user names and passwords are read and applied in order, from most to least specific, no more than one user name and password can be stored for each individual target or domain.
Credential Manager uses the Credential Locker, formerly known as Windows Vault, for secure storage of user names and passwords.
Related resources