More smartcard related stuff...
A somewhat common question for those moving to smartcard logons.
How does one determine if the user logged on via smartcard?
The DC a user authenticates to will post an event in the Security Event Log:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Time: 8:37:01 PM
User: NT AUTHORITY\SYSTEM
Authentication Ticket Request:
User Name: Administrator
Supplied Realm Name: SpatsDomain.MSFT
User ID: SpatsDomain\administrator
Service Name: krbtgt
Service ID: SpatsDomain\krbtgt
Ticket Options: 0x40810010
Result Code: -
Ticket Encryption Type: 0x17
Pre-Authentication Type: 15 --> 15 == pkinit
Client Address: 192.168.0.100
Certificate Issuer Name: SpatsDomain Root CA
Certificate Serial Number: 610A435F00000000001B
Certificate Thumbprint: BB50F6C4CE3D8E7126932AE605CC834EAC51ED92
The client will also have a user environment variable (viewable via "set" command ) and it should look like:
SMARTCARD=Schlumberger Cyberflex Access e-gate 32K;SNB Login Reader
Note: If you are testing this via a logon script you *must* have disable the “run logon scripts synchronously” policy.
NOTE : these may not be 100% accurate 100% of the time.. test, test ,test
keyword: determine smart card smartcard logon