Spat's WebLog (Steve Patrick)

When things go wrong...

HowTo: Determine if a user has logged on via smart card



Hi All

More smartcard related stuff...

A somewhat common question for those moving to smartcard logons.

How does one determine if the user logged on via smartcard?

The DC a user authenticates to will post an event in the Security Event Log:

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date:  8/29/2006
Time:  8:37:01 PM
User:  NT AUTHORITY\SYSTEM
Computer: 2k3entspat
Description:
Authentication Ticket Request:
  User Name:  Administrator
  Supplied Realm Name: SpatsDomain.MSFT
  User ID:   SpatsDomain\administrator
  Service Name:  krbtgt
  Service ID:  SpatsDomain\krbtgt
  Ticket Options:  0x40810010
  Result Code:  -
  Ticket Encryption Type: 0x17
  Pre-Authentication Type: 15 --> 15 == pkinit
  Client Address:  192.168.0.100
  Certificate Issuer Name: SpatsDomain Root CA
  Certificate Serial Number: 610A435F00000000001B
  Certificate Thumbprint: BB50F6C4CE3D8E7126932AE605CC834EAC51ED92

The client will also have a user environment variable (viewable via the "set" command) that should look like:

SMARTCARD=Schlumberger Cyberflex Access e-gate 32K;SNB Login Reader

which is:
SMARTCARD=cardType;readerName
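As an added example (not from the original post), here is a small Python parser for the text of event 672 descriptions like the one above, plus a helper for the SMARTCARD variable. It pulls out the Pre-Authentication Type and the certificate fields and reports a logon as smart card only when the pre-auth type is a PKINIT value *and* the KDC recorded a certificate thumbprint; a password logon (pre-auth type 2, certificate fields written as "-") is rejected. The sample descriptions are constructed from the event shown above; the set of PKINIT pre-auth type numbers (14/15 from the pre-RFC drafts, 16/17 from RFC 4556) is my assumption from the Kerberos pre-authentication type registry, the post itself only shows 15.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: Kerberos pre-authentication type numbers from the padata registry.
# The event on this page shows 15 (draft PKINIT value logged by Windows);
# 14 is the other draft value, 16/17 are the RFC 4556 PA-PK-AS-REQ/REP values.
PA_ENC_TIMESTAMP = 2          # password-based pre-auth (for comparison)
PKINIT_PA_TYPES = {14, 15, 16, 17}

# Matches the "  Key Name:  value" lines of an event description.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z \-]*?):\s*(?P<value>.*?)\s*$")


@dataclass
class TgtRequest:
    """The parts of an event 672 (TGT request) that show how pre-auth happened."""
    user: str
    client_address: str
    pre_auth_type: int
    cert_issuer: Optional[str]
    cert_serial: Optional[str]
    cert_thumbprint: Optional[str]

    @property
    def via_smartcard(self) -> bool:
        # Require both: a PKINIT pre-auth type AND a certificate recorded by the KDC.
        return self.pre_auth_type in PKINIT_PA_TYPES and self.cert_thumbprint is not None


def _clean(value: Optional[str]) -> Optional[str]:
    """Windows writes '-' for fields that do not apply; treat that as absent."""
    if value is None or value.strip() in ("", "-"):
        return None
    return value.strip()


def parse_fields(description: str) -> Dict[str, str]:
    """Turn the 'Key:  value' lines of an event description into a dict."""
    fields: Dict[str, str] = {}
    for line in description.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields


def parse_event_672(description: str) -> TgtRequest:
    """Extract user, client address, pre-auth type and certificate data from one event."""
    f = parse_fields(description)
    pa_tokens = f.get("Pre-Authentication Type", "").split()
    pa_type = int(pa_tokens[0]) if pa_tokens and pa_tokens[0].isdigit() else -1
    return TgtRequest(
        user=f.get("User Name", "").strip(),
        client_address=f.get("Client Address", "").strip(),
        pre_auth_type=pa_type,
        cert_issuer=_clean(f.get("Certificate Issuer Name")),
        cert_serial=_clean(f.get("Certificate Serial Number")),
        cert_thumbprint=_clean(f.get("Certificate Thumbprint")),
    )


def smartcard_logons(descriptions: Iterable[str]) -> List[TgtRequest]:
    """Filter a batch of event 672 descriptions down to the PKINIT (smart card) ones."""
    return [r for r in map(parse_event_672, descriptions) if r.via_smartcard]


def parse_smartcard_env(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split a SMARTCARD=cardType;readerName value into (cardType, readerName), or None."""
    if not value or ";" not in value:
        return None
    card, _, reader = value.partition(";")
    return card.strip(), reader.strip()


# Constructed sample descriptions, modelled on the event shown in the post.
SAMPLE_PKINIT = """Authentication Ticket Request:
  User Name:  Administrator
  User ID:   SpatsDomain\\administrator
  Service Name:  krbtgt
  Result Code:  -
  Pre-Authentication Type: 15
  Client Address:  192.168.0.100
  Certificate Issuer Name: SpatsDomain Root CA
  Certificate Serial Number: 610A435F00000000001B
  Certificate Thumbprint: BB50F6C4CE3D8E7126932AE605CC834EAC51ED92
"""

SAMPLE_PASSWORD = """Authentication Ticket Request:
  User Name:  alice
  User ID:   SpatsDomain\\alice
  Service Name:  krbtgt
  Result Code:  -
  Pre-Authentication Type: 2
  Client Address:  192.168.0.101
  Certificate Issuer Name: -
  Certificate Serial Number: -
  Certificate Thumbprint: -
"""

if __name__ == "__main__":
    for r in smartcard_logons([SAMPLE_PKINIT, SAMPLE_PASSWORD]):
        print(f"{r.user} from {r.client_address}: PKINIT, cert {r.cert_thumbprint}")
    print(parse_smartcard_env("Schlumberger Cyberflex Access e-gate 32K;SNB Login Reader"))
```

Feeding the parser with descriptions exported from the DC's Security log gives you a list of who logged on with a certificate, from which address, and which certificate (issuer, serial, thumbprint) was presented, which is the data you would correlate against your CA's issued-certificate list.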

Note: If you are testing this via a logon script you *must* have the “run logon scripts synchronously” policy disabled.

NOTE: these may not be 100% accurate 100% of the time... test, test, test

keyword:  determine smart card smartcard logon

spatdsg

Leave a Comment
  • Do you happen to know how to determine if a smart card was used through a Win32 API? And any other details about the process...

    I.E. using LsaGetLogonSessionData you can inspect the SECURITY_LOGON_SESSION_DATA's AuthenticationPackage property to determine which package authenticated the user; but how do you determine if a smart card was used?

    Any help would be much appreciated...

    Cheers,

    Robert
  • I don't think there is an API to pull this info from the logon info, because I am pretty sure it is not stored in the logon info. The way it's pulled for the env var mentioned is via winlogon (actually in MSGINA, which handled the logon, so it knows this). The other item I mentioned, the audit, is via the server handling the kerb requests, and it obviously knows the fact that we used PKINIT.

    Sounds like you want a way to tell from a user's token how it was logged on?
  • Hi Steve,

    Is it possible to know from a user's token?

    Moreover, the environment variable being set (SMARTCARD), is it documented?

    So that I can be sure that the behaviour won't change after a subsequent Windows update?

    Thanks

  • Looks like the environment variable is set on XP but not on Vista. Can anyone else confirm this?

    Thanks,

    mlcc2000

  • Even on XP-SP3 in my case there is no defined env-var SMARTCARD :-(
