HowTo: Determine if a user has logged on via smart card
Hi All
More smartcard related stuff...
A somewhat common question for those moving to smartcard logons.
How does one determine if the user logged on via smartcard?
The DC a user authenticates to will post an event in the Security Event Log:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 8/29/2006
Time: 8:37:01 PM
User: NT AUTHORITY\SYSTEM
Computer: 2k3entspat
Description:
Authentication Ticket Request:
User Name: Administrator
Supplied Realm Name: SpatsDomain.MSFT
User ID: SpatsDomain\administrator
Service Name: krbtgt
Service ID: SpatsDomain\krbtgt
Ticket Options: 0x40810010
Result Code: -
Ticket Encryption Type: 0x17
Pre-Authentication Type: 15 --> 15 == pkinit
Client Address: 192.168.0.100
Certificate Issuer Name: SpatsDomain Root CA
Certificate Serial Number: 610A435F00000000001B
Certificate Thumbprint: BB50F6C4CE3D8E7126932AE605CC834EAC51ED92
The client will also have a user environment variable (viewable via the "set" command) that should look like:
SMARTCARD=Schlumberger Cyberflex Access e-gate 32K;SNB Login Reader
which is:
SMARTCARD=cardType;readerName
Note: If you are testing this via a logon script you *must* have disabled the “run logon scripts synchronously” policy.
NOTE: these may not be 100% accurate 100% of the time. Test, test, test.
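The two checks above, as an added example that is not part of the original post: parse exported 672 audit text, flag entries whose Pre-Authentication Type is 15 (PKINIT) and that carry a certificate issuer, and split the SMARTCARD variable into cardType and readerName. The first sample event reuses the post's own values; the second (a password logon, pre-auth type 2) is constructed for contrast.

```python
import re

# Pre-authentication type 15 is PA-PK-AS-REP (PKINIT): smart card logon.
PKINIT_PREAUTH_TYPE = 15

# Trimmed 672 description using the post's own values.
SMARTCARD_EVENT = """Authentication Ticket Request:
User Name: Administrator
Pre-Authentication Type: 15
Client Address: 192.168.0.100
Certificate Issuer Name: SpatsDomain Root CA"""

# Constructed contrast: password logon (type 2, encrypted timestamp), no cert.
PASSWORD_EVENT = """Authentication Ticket Request:
User Name: jdoe
Pre-Authentication Type: 2
Client Address: 192.168.0.101
Certificate Issuer Name: -"""

def parse_event_672(description):
    """Turn the 'Field: value' lines of a 672 description into a dict."""
    fields = {}
    for line in description.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def is_smartcard_logon(fields):
    """PKINIT pre-auth plus a recorded certificate issuer means smart card."""
    try:
        preauth = int(fields.get("Pre-Authentication Type", ""))
    except ValueError:
        return False
    return preauth == PKINIT_PREAUTH_TYPE and \
        fields.get("Certificate Issuer Name", "-") not in ("", "-")

def find_smartcard_logons(descriptions):
    """Return (user, client address) for each smart card AS request."""
    parsed = (parse_event_672(t) for t in descriptions)
    return [(f["User Name"], f["Client Address"])
            for f in parsed if is_smartcard_logon(f)]

def parse_smartcard_env(value):
    """SMARTCARD=cardType;readerName -> (cardType, readerName), else None."""
    card, sep, reader = value.partition(";")
    if not sep or not card.strip() or not reader.strip():
        return None
    return card.strip(), reader.strip()
```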
keyword: determine smart card smartcard logon
spatdsg
Comments
Anonymous
September 08, 2006
Do happen to know how to determine if a smart card was used through a Win32 api? And any other details about the process...
I.E. using LsaGetLogonSessionData you can inspect the SECURITY_LOGON_SESSION_DATA's AuthenticationPackage property to determine which package authenticated the user; but how do you determine if a smart card was used?
Any help would be much appreciated...
Cheers,
Robert
Anonymous
September 09, 2006
I don't think there is an API to pull this info from the logon info, because I am pretty sure it is not stored in the logon info. The way it's pulled for the env var mentioned is via winlogon (actually in MSGINA, which handled the logon, so it knows this). The other item I mentioned, the audit, is via the server handling the kerb requests, and it obviously knows the fact that we used PKINIT.
Sounds like you want a way to tell from a user's token how it was logged on?
Anonymous
July 13, 2008
Hi Steve, is it possible to know from a user's token? Moreover, is the environment variable being set (SMARTCARD) documented, so that I can be sure that the behaviour won't change after a subsequent Windows update? Thanks
Anonymous
September 23, 2008
Looks like the environment variable is set on XP but not on Vista. Can anyone else confirm this? Thanks, mlcc2000
Anonymous
September 05, 2012
Even on XP SP3, in my case, there is no defined env var SMARTCARD :-(