Using vaultcmd To Create Web Credentials

  • Question

  • Hi,

    I am trying to create a logon script for Windows 8.1 using vaultcmd for a few users that will populate web credentials.

    The command I'm using is formatted like this:

    vaultcmd /addcreds:"Web Credentials"
    /credtype:"Windows Web Password Credential"
    /identity:email@domain.com /authenticator:password
    /resource:"https://www.website.com/" /savedBy:"Internet Explorer"

    It creates the credentials in the Credential Manager, but they do not populate when I surf to the website.

    When I save the credentials using IE11, a file for the credentials is created in the same location, and the credentials look identical to ones created by vaultcmd in the Credential Manager.

    However, when I create the credentials with IE, they populate on the site and everything works as intended.

    What might I be doing wrong?

    • Moved by Bill_Stewart Friday, March 18, 2016 6:51 PM Move to more appropriate forum
    Wednesday, February 17, 2016 3:44 PM

All replies

  • Credential schema: Windows Web Password Credential
    Resource: https://xtv.website.net/
    Identity: jsmith@domain.net
    Saved By: Internet Explorer
    Hidden: No
    Roaming: Yes
    Property (schema element id,value): (100,D5B63C4E5625D84CA48DC755C737CBA6)

    \_(ツ)_/

    Wednesday, February 17, 2016 3:57 PM
  • I'm not sure what you are trying to explain with the bold text...
    Wednesday, February 17, 2016 4:26 PM
  • Add the schema element.

    \_(ツ)_/

    Wednesday, February 17, 2016 5:22 PM
  • Like this?

    vaultcmd /addcreds:"Web Credentials"
    /credtype:"3DDC5488-98B9-4B10-A326-9487435AA3C22"
    /identity:email@domain.com /authenticator:password
    /resource:"https://www.website.com/" /savedBy:"Internet Explorer"

    If so, that is giving me the same results...

    Wednesday, February 17, 2016 7:59 PM
  • Did you figure out how to do this yet? I am having the same problem.

    I see that when I run vaultcmd /listcreds:{4BF4C442-9B8A-41A0-B380-DD4A704DDB28} it prints that web credentials saved by Internet Explorer/Edge have an additional property (100,D5B63C4E5625D84CA48DC755C737CBA6) as jrv pointed out, but I do not know how to add that property.

    Maybe there is another way to programmatically add web credentials?



    • Edited by datbohne Monday, July 18, 2016 10:18 AM
    Monday, July 18, 2016 10:18 AM
  • /credtype:<schemaname>|<schemaguid>

    Use this switch and the required GUID.


    \_(ツ)_/

    Monday, July 18, 2016 12:28 PM
  • >vaultcmd /addcreds:"Webanmeldeinformationen" 
      /credtype:{D5B63C4E-5625-D84C-A48D-C755C737CBA6}
      /identity:email@domain.com /authenticator:password
      /resource:"https://www.website.com/"
      /savedBy:"Internet Explorer"
    
    Ungültige Identität: Element nicht gefunden.
    translates to "Invalid identity: Element not found".

    >vaultcmd /listschema
    Globale Schemas
    
    Anmeldeinformationsschema: Windows Secure Note
    Schema-GUID: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    
    Anmeldeinformationsschema: Windows Web Password Credential
    Schema-GUID: 3CCD5499-87A8-4B10-A215-608888DD3B55
    
    Anmeldeinformationsschema: Windows Credential Picker Protector
    Schema-GUID: 154E23D0-C644-4E6F-8CE6-5069272F999F
    
    Derzeit geladene Anmeldeinformationsschemas:
    
    Tresor: Webanmeldeinformationen
    Tresor-GUID:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    
    Anmeldeinformationsschema: Windows Web Password Credential
    Schema-GUID: 3CCD5499-87A8-4B10-A215-608888DD3B55
    
    Tresor: Windows-Anmeldeinformationen
    Tresor-GUID:77BC582B-F0A6-4E15-4E80-61736B6F3B29
    
    Anmeldeinformationsschema: Windows-Domänenzertifikat - Anmeldeinformationen
    Schema-GUID: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    
    Anmeldeinformationsschema: Windows-Domänenkennwort - Anmeldeinformationen
    Schema-GUID: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    
    Anmeldeinformationsschema: Erweiterte Windows-Anmeldeinformationen
    Schema-GUID: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
    no D5B63C4E5625D84CA48DC755C737CBA6 among them.

    I am sorry but I do not get your point. Could you please be so kind to point out one actually working example that we can take it from. Because honestly I cannot find any documentation or hints pointing to a working solution.

    Monday, July 18, 2016 10:35 PM
  • D5B63C4E5625D84CA48DC755C737CBA6

    \_(ツ)_/

    Monday, July 18, 2016 10:46 PM
  • Did you at all read my question? I guess any answer, helpful or not, will push statistics.
    • Edited by datbohne Monday, July 18, 2016 11:06 PM
    Monday, July 18, 2016 11:04 PM
  • The question was asked and answered back in February.  You are asking an end user utility program question in a scripting forum.  I was just trying to point you in the right direction.

    I do not have your machine so I cannot test your issue.  Contact MS Support or this site if you are having issues.

    http://answers.microsoft.com

    I have no issues with Edge.  Different providers may add extended requirements. 


    \_(ツ)_/

    Monday, July 18, 2016 11:36 PM
  • >The question was asked and answered back in February

    No, it was asked in February and has not been answered at all yet.

    >You are asking an end user utility program question in a scripting forum.

    One has to either consider scripting an end-user feature or the vaultcmd command a developer's tool. Same difference.

    Also, did you notice the "Moved by Bill_Stewart Friday, March 18, 2016 6:51 PM Move to more appropriate forum"? Seems to be the correct forum after all.

    Also it was not me starting the topic here, DXA-Admin, was, and he has not been criticized for that.

    > I was just trying to point you in the right direction.

    And yet you spend more time criticizing me and repeating yourself, rather than trying to be helpful or pointing out _one_ example, let alone a working one.

    >I do not have your machine so I cannot test your issue.

    Since I am trying on several machines and obviously at least one other person has the same problem, I gather you will not need my machine to test.

    >I have no issues with Edge.

    Good for you.

    >Different providers may add extended requirements. 

    What provider are you talking about? I am running a clean Windows 10 and the provider is Microsoft. No other "provider" seems to be relevant here.

    Just FYI, I posted over at the end user forums as you asked and they pointed me to the technet forums. So I posted over at https://social.technet.microsoft.com/Forums/ie and they pointed me to the scripting forums. Now whom do I believe?

    I really do not wish to be criticizing any comment who is trying to be helpful or otherwise on topic, as I normally always try to stay on topic, because this is, what these forums are about. But this is getting ridiculous. If you cannot or do not want to help me, just do not answer at all, please.

    Yet, I really, honestly very much appreciate anyone, who would be willing to lend any tiny bit of help!




    • Edited by datbohne Wednesday, July 20, 2016 11:31 AM
    Wednesday, July 20, 2016 11:23 AM
  • The thread has now been moved to a better forum for the topic. 

    It is also not good form to tag a new question onto another user's question especially when it is a different question.

    The way utilities work is not a scripting issue.  The IE folk should know how the browser works.  Unfortunately the topic is about Edge and not IE so posting in IE forum is not helpful.

    Posting in "Answers" would be a good place to start.  Of course you will have to come up with reasonable examples of what you are doing and why you think it doesn't work.  As I noted, when I use Edge and an entry is saved it is just like any other entry for Web credentials.  I see no duplicate or extra GUIDs in any credential.

    Posting German in an English forum is also probably a bad idea.  You can post in the German language forum and may find more assistance there.

    Sorry this seems so difficult but you may need to put in some effort to track down your issue and answer.  Tagging on here is not a good way to proceed.

    German IE forum is here: https://social.technet.microsoft.com/Forums/de-de/home?forum=ie


    \_(ツ)_/


    • Edited by jrv Wednesday, July 20, 2016 11:50 AM
    Wednesday, July 20, 2016 11:46 AM
  • Hi DXA, did you find any solution to this issue? I'm stuck at the same point. I don't think that the switch /credtype:<schemaname>|<schemaguid> suggested by JRV is the right way, indeed the credtype of credentials made by Explorer is always "Windows Web Password Credential" so I think that part is already correct and there should be another option to add, something like "/property" or something like that. I mean, Explorer surely fires a vaultcmd command to write his credentials, so there must be a (hidden) way to get the right call. I found this article http://insecurety.net/?p=933 where it's shown how vaultcmd changed from Win7 to Win8, especially about 2 options: /listproperties and /setproperties that seem right what we are looking for.

    Why Microsoft removed them? and how does explorer write his property through vaultcmd?

     
    Tuesday, January 31, 2017 10:54 AM
  • Our deployment was so small we ended up applying the changes manually in this case. I never found a solution.

    Tuesday, January 31, 2017 4:27 PM
  • Here is the Net method for retrieving credentials:

    function Get-PWVResource{
        [CmdletBinding(DefaultParameterSetName='All')]
        Param(
            [Parameter(ParameterSetName='User',Mandatory=$true)]
            [string]$resource,
            [Parameter(ParameterSetName = 'User',Mandatory=$true)]
            [string]$username,
            [Parameter(ParameterSetName = 'User')]
            [switch]$AsPsCredential
        )
        Begin{
            # Load the WinRT PasswordVault type
            [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
        }
        Process{
            Try{
                $pv = New-Object Windows.Security.Credentials.PasswordVault
                # Test the parameter set rather than the bound-parameter count,
                # so that common parameters such as -Verbose still list everything
                if($PSCmdlet.ParameterSetName -eq 'All'){
                    $pv.RetrieveAll()
                }else{
                    # Retrieve() throws if no matching entry exists
                    $res = $pv.Retrieve($resource, $username)
                    if($AsPsCredential){
                        # Wrap the stored password in a PSCredential
                        $secStr = ConvertTo-SecureString -String $res.Password -AsPlainText -Force
                        New-Object System.Management.Automation.PSCredential($res.Username, $secStr)
                    }else{
                        $res
                    }
                }
            }
            Catch{
                Throw $_
            }
        }
    }




    \_(ツ)_/





    • Edited by jrv Tuesday, January 31, 2017 6:58 PM
    Tuesday, January 31, 2017 6:57 PM
  • Thanks Jrv, but how can this be used to manually store password into the vault?
    Tuesday, January 31, 2017 9:11 PM
  • Password Vault has an "add" resource command.

    https://msdn.microsoft.com/library/windows/apps/br227081


    \_(ツ)_/


    • Edited by jrv Tuesday, January 31, 2017 9:37 PM
    Tuesday, January 31, 2017 9:36 PM
  • Thank you so much jrv, but I'm kind of a newbie in Net, I didn't understand if this resource, beyond storing credentials for an app I'm going to develop, can also be used to store a credential that Internet Explorer recognizes as his own.

    And, if so, how this resource writes the D5B63C4E5625D84CA48DC755C737CBA6 property.

    Thank you again, and sorry for my maybe stupid questions :)

    Tuesday, January 31, 2017 10:02 PM
  • Doesn't have to.


    \_(ツ)_/

    Tuesday, January 31, 2017 10:26 PM
  • The GUID is internally generated by Windows.

    PS >$c = $pv.Retrieve('https://www.scientificamerican.com/', 'jjones')
    PS >$c.Properties

    Key           Value
    ---           -----
    hidden        False
    applicationid 4e3cb6d5-2556-4cd8-a48d-c755c737cba6
    application   Internet Explorer
    PS >


    \_(ツ)_/


    • Edited by jrv Tuesday, January 31, 2017 10:36 PM
    Tuesday, January 31, 2017 10:35 PM
  • PS >#add a resource
    PS >$pw = New-Object Windows.Security.Credentials.PasswordCredential('http://giggle.com', 'jjones', 'Pass@Word')
    PS >$pv.Add($pw)
    
    PS >Get-PWVResource -resource http://giggle.com -username jjones
    
    UserName Resource          Password  Properties
    -------- --------          --------  ----------
    jjones   http://giggle.com Pass@Word {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], [appli...
    
    PS >Get-PWVResource -resource http://giggle.com -username jjones | select -ExpandProperty Properties
    Key                                          Value
    ---                                          -----
    hidden                                       False
    applicationid 00000000-0000-0000-0000-000000000000
    application
    PS >


    \_(ツ)_/

    Tuesday, January 31, 2017 10:45 PM
  • I see that this post has caused more traffic than I ever anticipated.

    The thread is clearly about IE11 and Windows 8.1.

    I don't understand the bickering, so I am choosing to ignore the majority of it.

    This:

    vaultcmd /addcreds:"Web Credentials" 
    /credtype:"Windows Web Password Credential|D5B63C4E5625D84CA48DC755C737CBA6" 
    /identity:username /authenticator:password
    /resource:"https://www.foo.org" 
    /SavedBy:"Internet Explorer"

    Produces this:

    Invalid schema: Element not found.

    That is not a solution!

    I will be testing PowerShell solutions as time permits. I want to modify the script a great deal before implementation.

    I would like to point out that though leveraging .NET was not included as a possibility in the original post, I am glad it has come up due to the flexibility offered by the Windows.Security.Credentials namespace.

    Please give me a couple of weeks to post something conclusive.

    Thank you all for your input.


    • Edited by DXA-Admin Wednesday, February 1, 2017 6:20 PM
    Wednesday, February 1, 2017 6:09 PM
  • I see that this post has caused more traffic than I ever anticipated.

    The thread is clearly about IE11 and Windows 8.1.

    I don't understand the bickering, so I am choosing to ignore the majority of it.

    This:

    vaultcmd /addcreds:"Web Credentials" 
    /credtype:"Windows Web Password Credential|D5B63C4E5625D84CA48DC755C737CBA6" 
    /identity:username /authenticator:password
    /resource:"https://www.foo.org" 
    /SavedBy:"Internet Explorer"

    Produces this:

    Invalid schema: Element not found.

    That is an unacceptable solution.

    I will be testing PowerShell solutions as time permits. I want to modify the script a great deal before implementation.

    Thanks.

    This is not a script.  You need to post in the platform forum for help with system utilities.  As noted above you cannot use a GUID to add a credential.  It is generated by the system.


    \_(ツ)_/


    • Edited by jrv Wednesday, February 1, 2017 6:15 PM
    Wednesday, February 1, 2017 6:12 PM
  • Thank you so much Jrv, I think your solution is so smart!

    Only a couple of questions, I understand that GUID is internally generated, but I think this means it is always different, so it will never match D5B63C4E5625D84CA48DC755C737CBA6 to make it be recognized by Internet Explorer. Is it so?

    (why in your second example does the resource return an applicationid filled with zeros?)

    And how can I set the application that will have access to the credential? In other words, how can I set the "/credtype" and "/savedBy" vaultcmd options using add resource of password vault?

    Thanks again for your great suggestions and your time :)

    Thursday, February 2, 2017 8:14 PM
  • The GUID is not a cred type.  It is just for tracking.

    We set the credential as a web credential so IE should show it as an option and register it on first use. You cannot directly set IE credentials except in the IE context.  I believe this is done for security purposes.

    Post in IE developers forum for more information.


    \_(ツ)_/


    • Edited by jrv Thursday, February 2, 2017 9:01 PM
    Thursday, February 2, 2017 9:01 PM
  • If you check the API documentation everything that can set the GUID or application values  is marked "This method is reserved for internal use and is not intended to be used in your code.".  The class is also marked as protected.  Only programs that are enabled to do so can access and alter this API.


    \_(ツ)_/

    Thursday, February 2, 2017 9:35 PM
  • So you are basically saying it is not possible to add web credentials using a script?
    Friday, December 29, 2017 6:08 PM
  • I know it's an old post but...

    You're nearly there. You just don't need to put the GUID. 

    Like so:

    vaultcmd /addcreds:"Web Credentials" 
    /credtype:"Windows Web Password Credential" 
    /identity:username /authenticator:password
    /resource:"https://www.foo.org" 
    /SavedBy:"Internet Explorer"

    That will work as intended.

    Monday, September 24, 2018 1:41 AM
  • No it does not work. IE is not recognising this added password.
    Wednesday, February 6, 2019 1:49 PM
  • vaultcmd /addcreds:{4BF4C442-9B8A-41A0-B380-DD4A704DDB28} /credtype:{3CCD5499-87A8-4B10-A215-608888DD3B55} /identity:account /authenticator:pwd  /resource:"http://www.abc.com/" /savedBy:"Internet Explorer"

    It works!

    • Edited by vc10sp1 Wednesday, March 6, 2019 1:58 AM
    Monday, February 18, 2019 5:16 AM
  • As mentioned countless times in this thread before, this does NOT WORK.
    Monday, February 18, 2019 11:36 AM
  • Yes, using vaultcmd definitely adds the credentials to the vault but they do not auto-populate within IE11 or Edge on Windows 10.  If you explore the vault a bit using PowerShell, you can see one difference between adding credentials through the browser and using vaultcmd.  When using vaultcmd the applicationid isn't set correctly.

    [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null
    $vault = New-Object Windows.Security.Credentials.PasswordVault

    $vault.RetrieveAll() | Format-List

    Anything added through the browser has its properties set to:  [applicationid, 4e3cb6d5-2556-4cd8-a48d-c755c737cba6], [application, Internet Explorer]

    vaultcmd has the properties set to the following:  [applicationid, 00000000-0000-0000-0000-000000000000], [application, Internet Explorer]

    I can only surmise that that is the reason why they don't populate in the browser.  I haven't been able to figure out yet how to set that applicationid value - if you even can.  I assume that the applicationid is a reference to Internet Explorer - just can't seem to set it.

    Tuesday, July 23, 2019 4:08 PM
  • I stumbled over the same problem these days and think I have a working solution for Windows 8.1 and up.

    As stated in some "not so friendly" comments you can use the .Net PasswordVault class to create web credentials, so I made a powershell script for this:

    # Load assembly
    [VOID][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
    
    # modify these variables for your request
    # the trailing slash is mandatory!
    $Resource = "https://www.myweb.com/"
    $UserName = "Markus"
    $Password = "P@ssw0rd"
    
    # create a PasswordVault object
    $VAULT = New-Object Windows.Security.Credentials.PasswordVault
    
    # create a Credential object
    $CREDENTIAL = New-Object Windows.Security.Credentials.PasswordCredential($Resource, $UserName, $Password)
    # set properties to mark as credential for Edge and IE
    $CREDENTIAL.Properties.set_item("application", "Internet Explorer")
    $CREDENTIAL.Properties.set_item("applicationid", (New-Object Guid("4e3cb6d5-2556-4cd8-a48d-c755c737cba6")))
    
    # add Credential to PasswordVault
    $VAULT.Add($CREDENTIAL)
    

    Now you can use the new credential information in Microsoft Edge and Internet Explorer (please restart the application if running).


    You can list all your credentials with this code:

    # Load assembly
    [VOID][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
    
    # list all credentials with password
    (New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | %{ $_.RetrievePassword(); $_ }
    
    Notes:
    - you cannot change a credential, to modify you have to delete the old and add the modified credential
    - setting properties for the Credential is documented by Microsoft as for "internal use", so it might break anytime
    - only you can see your password as it is encoded using your password hash
    - error handling is required for the sample code
    - does not work with Windows 7

    Greetings

    Markus

    Friday, August 23, 2019 6:38 AM
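
The approach from the post above as a reusable function, added here as an example and not part of the original post: it takes a PSCredential instead of a password literal in the script, does the delete-then-add and error handling the notes call for, and reads the entry back to check the applicationid. The name Set-IEWebCredential and its parameters are hypothetical; it assumes Windows PowerShell 5.1 and that the internal-use properties can be written as the post describes.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 on
# Windows 8.1 or later (the WinRT type load used in the posts above).
function Set-IEWebCredential {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Per the post above, the trailing slash on the resource is mandatory.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^https?://.+/$')]
        [string]$Resource,

        # Supplied as a PSCredential so no password literal sits in the script.
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )

    [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]

    # applicationid the thread observed on entries saved by IE/Edge.
    $ieAppId = [Guid]'4e3cb6d5-2556-4cd8-a48d-c755c737cba6'
    $vault   = New-Object Windows.Security.Credentials.PasswordVault
    $user    = $Credential.UserName

    if (-not $PSCmdlet.ShouldProcess("$user at $Resource", 'Write web credential')) { return }

    # Entries cannot be changed in place: remove an existing one first.
    # Retrieve() throws when nothing matches, which here means nothing to remove.
    try   { $old = $vault.Retrieve($Resource, $user) }
    catch { $old = $null }
    if ($old) { $vault.Remove($old) }

    try {
        $plain = $Credential.GetNetworkCredential().Password
        $new = New-Object Windows.Security.Credentials.PasswordCredential($Resource, $user, $plain)
        # These properties are documented as internal use; this may stop working.
        $new.Properties.set_Item('application', 'Internet Explorer')
        $new.Properties.set_Item('applicationid', $ieAppId)
        $vault.Add($new)
    }
    catch {
        throw "Could not store credential for $user at ${Resource}: $($_.Exception.Message)"
    }
    finally {
        $plain = $null
    }

    # Read the entry back and report its tagging without exposing the password.
    $stored = $vault.Retrieve($Resource, $user)
    $appId  = [Guid]($stored.Properties.get_Item('applicationid'))
    if ($appId -ne $ieAppId) {
        Write-Warning "applicationid is $appId, not the value seen on browser-saved entries."
    }
    [pscustomobject]@{
        Resource      = $stored.Resource
        UserName      = $stored.UserName
        Application   = $stored.Properties.get_Item('application')
        ApplicationId = $appId
        BrowserTagged = ($appId -eq $ieAppId)
    }
}

# Example call (URL is the placeholder from the post above):
# Set-IEWebCredential -Resource 'https://www.myweb.com/' -Credential (Get-Credential)
```

Run with -WhatIf to see what would be written without touching the vault.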
  • Hi, 

    This is how it works for me:
    There are two active vaults here: "Web Credentials" and "Windows Credentials"
    To see what vaults have what parameters run vaultcmd /listschema: 

    C:\Windows\system32>vaultcmd /listschema
    Global Schemas
    
    Credential schema: Windows Secure Note
    Schema guid: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    
    Credential schema: Windows Web Password Credential
    Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55
    
    Credential schema: Windows Credential Picker Protector
    Schema guid: 154E23D0-C644-4E6F-8CE6-5069272F999F
    
    Currently loaded credentials schemas:
    
    Vault: Web Credentials
    Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    
    Credential schema: Windows Web Password Credential
    Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55
    
    Vault: Windows Credentials
    Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
    
    Credential schema: Windows Domain Certificate Credential
    Schema guid: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    
    Credential schema: Windows Domain Password Credential
    Schema guid: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    
    Credential schema: Windows Extended Credential
    Schema guid: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

    Vault "Web Credentials" has Credential schema: Windows Web Password Credential with GUID: 3E0E35BE-1B77-43E7-B873-AED901B6275B etc. Following vaultcmd help, these examples are working:

    Examples how it works:

    Create Windows Credentials

    vaultcmd /addcreds:"Windows Credentials" /credtype:"Windows Domain Password Credential" /identity:TestCred /authenticator:Test /resource:Server /savedBy:Test
    
    Create Web Credentials:
    vaultcmd /addcreds:"Web Credentials" /credtype:"Windows Web Password Credential" /identity:TestCred /authenticator:Test /resource:Server /savedBy:Test




    Friday, October 25, 2019 2:01 PM
  • Hello Exel_Wild,

    did you read the question, the credentials are to be used in Internet Explorer and Edge?

    Your post is not a solution but exactly what the original poster already tried.

    See my solution please.

    Saturday, November 9, 2019 6:44 PM