Credential Provider can not create WebBrowser control when invoked by CredentialUIBroker.exe(RDP) - Access Denied error RRS feed

  • Question

  • Hi,

    I have a custom credential provider that shows a WPF window with a WPF WebBrowser control.  This WebBrowser control tries to display an authentication screen from an authentication server.  This is working when the credential provider is invoked with LOGON, UNLOCK, PLAP and CHANGE PASSWORD usage scenarios.  It is also working with CREDUI usage scenarios like UAC.  However, if I try to bring up an RDP session to a remote server (using MSTSC), then when we try to create the WebBrowser control inside the WPF window, we get an Access Denied exception:

    System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
       at System.Windows.Forms.UnsafeNativeMethods.CoCreateInstance(Guid& clsid, Object punkOuter, Int32 context, Guid& iid)
       at System.Windows.Forms.WebBrowserBase.TransitionFromPassiveToLoaded()
       at System.Windows.Forms.WebBrowserBase.TransitionUpTo(AXState state)
       at System.Windows.Forms.WebBrowserBase.OnParentChanged(EventArgs e)
       at System.Windows.Forms.Control.AssignParent(Control value)
       at System.Windows.Forms.Control.ControlCollection.Add(Control value)
       at System.Windows.Forms.Integration.WinFormsAdapter.set_Child(Control value)
       at System.Windows.Forms.Integration.WindowsFormsHost.set_Child(Control value)
       at ValidateIdentifyWindow..ctor(ICredentialProviderExtensions provider, String userToValidate, String idp) 

    In this case I have used a WinForms WebBrowser control in a WindowsFormsHost, but I get the same error with a WPF WebBrowser control as well.

    The process that is causing the exception is CredentialUIBroker.exe which appears to a an out-of-proc server that RDP calls to bring up the credUI dialog and authenticate.  I have checked and the CredentialUIBroker.exe is running the currently logged in user context so it is not clear why we would get an Access Denied error.

    I have noticed the following in event viewer:

    Faulting application name: CredentialUIBroker.exe, version: 10.0.19041.1, time stamp: 0x30174b24
    Faulting module name: KERNELBASE.dll, version: 10.0.19041.421, time stamp: 0xed02c0bc
    Exception code: 0xc000041d
    Fault offset: 0x0000000000023e49
    Faulting process id: 0x884
    Faulting application start time: 0x01d66f4ef350205c
    Faulting application path: C:\Windows\System32\CredentialUIBroker.exe
    Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
    Report Id: ced9f0f9-0cc7-476c-9250-74af1bd98745
    Faulting package full name: 
    Faulting package-relative application ID: 

    Any thoughts on why the webbrowser control is not creating only when invoked by the credentialuibroker.exe?  

    Any ideas on how to fix this?



    Monday, August 10, 2020 10:13 PM