HowTo: Determine if a user has logged on via smart card
Hi All
More smartcard-related stuff...
A somewhat common question for those moving to smartcard logons.
How does one determine if the user logged on via smartcard?
The DC a user authenticates to will post an event in the Security Event Log:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 8/29/2006
Time: 8:37:01 PM
User: NT AUTHORITY\SYSTEM
Computer: 2k3entspat
Description:
Authentication Ticket Request:
User Name: Administrator
Supplied Realm Name: SpatsDomain.MSFT
User ID: SpatsDomain\administrator
Service Name: krbtgt
Service ID: SpatsDomain\krbtgt
Ticket Options: 0x40810010
Result Code: -
Ticket Encryption Type: 0x17
Pre-Authentication Type: 15 --> 15 == pkinit
Client Address: 192.168.0.100
Certificate Issuer Name: SpatsDomain Root CA
Certificate Serial Number: 610A435F00000000001B
Certificate Thumbprint: BB50F6C4CE3D8E7126932AE605CC834EAC51ED92
The client will also have a user environment variable (viewable via the "set" command), and it should look like:
SMARTCARD=Schlumberger Cyberflex Access e-gate 32K;SNB Login Reader
which is:
SMARTCARD=cardType;readerName
Note: If you are testing this via a logon script you *must* have disabled the "run logon scripts synchronously" policy.
NOTE: these may not be 100% accurate 100% of the time... test, test, test
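As an added example (not code from the original post), here is a small Python script that applies both checks described above. On the DC side it pulls the Pre-Authentication Type and certificate fields out of an Event ID 672 "Authentication Ticket Request" description and reports a smart-card logon when the type is 15 (PA-PK-AS-REP, the PKINIT value) and a certificate thumbprint is present; on the client side it splits the SMARTCARD variable into cardType and readerName. The smart-card event text is the one shown in the post; the password-logon event (user jdoe, Pre-Authentication Type 2, PA-ENC-TIMESTAMP) is constructed for contrast. On Windows Server 2008 and later the same fields appear in Event ID 4768, so the parser applies there too.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Kerberos pre-authentication type values as written in the event (RFC 4120 / RFC 4556).
PA_ENC_TIMESTAMP = 2   # password-based logon
PA_PK_AS_REP = 15      # PKINIT, what a smart-card logon uses


@dataclass
class TgtRequest:
    """The fields of one 'Authentication Ticket Request' event that matter here."""
    user_name: str
    pre_auth_type: Optional[int]
    client_address: str
    cert_issuer: Optional[str]
    cert_serial: Optional[str]
    cert_thumbprint: Optional[str]

    @property
    def via_smartcard(self) -> bool:
        # Pre-auth type 15 is the PKINIT indicator; also requiring the certificate
        # thumbprint guards against a description where that field failed to parse.
        return self.pre_auth_type == PA_PK_AS_REP and self.cert_thumbprint is not None


# 'Name: value' lines; the non-greedy name stops at the first colon so values
# containing colons (times, paths) stay intact.
_FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_fields(description: str) -> Dict[str, str]:
    """Split the 'Name: value' lines of an event description into a dict."""
    fields: Dict[str, str] = {}
    for line in description.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def _optional(value: str) -> Optional[str]:
    # The event writes '-' for fields that do not apply (e.g. no certificate).
    return None if value in ("", "-") else value


def parse_672(description: str) -> TgtRequest:
    """Build a TgtRequest from the description text of an Event ID 672 entry."""
    f = parse_fields(description)
    # Tolerate a trailing annotation after the number (e.g. '15 --> 15 == pkinit').
    m = re.match(r"\d+", f.get("Pre-Authentication Type", ""))
    return TgtRequest(
        user_name=f.get("User Name", ""),
        pre_auth_type=int(m.group()) if m else None,
        client_address=f.get("Client Address", ""),
        cert_issuer=_optional(f.get("Certificate Issuer Name", "-")),
        cert_serial=_optional(f.get("Certificate Serial Number", "-")),
        cert_thumbprint=_optional(f.get("Certificate Thumbprint", "-")),
    )


def parse_smartcard_env(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split the client-side SMARTCARD variable ('cardType;readerName')."""
    if not value or ";" not in value:
        return None  # variable absent or not in the expected shape
    card_type, reader_name = value.split(";", 1)
    return card_type.strip(), reader_name.strip()


def smartcard_logons(descriptions: Iterable[str]) -> Dict[str, bool]:
    """Map each event's user name to whether that logon used a smart card."""
    return {r.user_name: r.via_smartcard for r in map(parse_672, descriptions)}


# Sample descriptions: the first reproduces the smart-card event from the post,
# the second is a constructed password logon (type 2, no certificate fields).
SMARTCARD_EVENT = """\
Authentication Ticket Request:
User Name: Administrator
Supplied Realm Name: SpatsDomain.MSFT
User ID: SpatsDomain\\administrator
Service Name: krbtgt
Service ID: SpatsDomain\\krbtgt
Ticket Options: 0x40810010
Result Code: -
Ticket Encryption Type: 0x17
Pre-Authentication Type: 15
Client Address: 192.168.0.100
Certificate Issuer Name: SpatsDomain Root CA
Certificate Serial Number: 610A435F00000000001B
Certificate Thumbprint: BB50F6C4CE3D8E7126932AE605CC834EAC51ED92
"""

PASSWORD_EVENT = """\
Authentication Ticket Request:
User Name: jdoe
Supplied Realm Name: SpatsDomain.MSFT
User ID: SpatsDomain\\jdoe
Service Name: krbtgt
Service ID: SpatsDomain\\krbtgt
Pre-Authentication Type: 2
Client Address: 192.168.0.101
Certificate Issuer Name: -
Certificate Serial Number: -
Certificate Thumbprint: -
"""

if __name__ == "__main__":
    for user, sc in smartcard_logons([SMARTCARD_EVENT, PASSWORD_EVENT]).items():
        print(f"{user}: {'smart card' if sc else 'password'}")
    print(parse_smartcard_env("Schlumberger Cyberflex Access e-gate 32K;SNB Login Reader"))
```

Run against the two samples it reports Administrator as a smart-card logon and jdoe as a password logon, and prints the card type and reader name from the SMARTCARD value. Because the post warns that neither indicator is right 100% of the time, `via_smartcard` deliberately requires both the PKINIT pre-authentication type and a certificate thumbprint before answering yes.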
keyword: determine smart card smartcard logon
spatdsg