Determining Whether a Smart Card Was Used for a Windows Logon

The Security Event log in a Windows domain controller provides entries that you can use to detect smart card logons.

Jan De Clercq

January 9, 2014


Q: How can I find out if a smart card was used to log on to Windows? Are there specific Windows event-log entries I can scan for?

A: The Security Event log on a Windows domain controller (DC) provides entries that you can use to detect smart card logons. In the log, scan for successful Account Logon events with event ID 672; these signal a successful Kerberos authentication ticket grant. Event 672 records who requested the Kerberos ticket, the client's IP address, and the type of authentication credentials in the Pre-Authentication Type field. When a smart card was used, the Pre-Authentication Type field shows the value 14, 15, 16, or 17. Under the hood, these values refer to PKINIT protocol messages. PKINIT ("Public Key Cryptography for Initial Authentication") is the Kerberos protocol extension that Windows uses to enable smart card logons. For the detailed syntax of event 672, see the TechNet support page for this event.
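As an added example (not code from the original article), the check described above applied to constructed sample records in Python: it keeps only successful ticket-grant events (ID 672; 4768 is its equivalent on Windows Server 2008 and later DCs) whose Pre-Authentication Type is 14 to 17, and labels each value with its PKINIT message name from RFC 4120. The record layout, field names, and sample values are assumptions modelled on an exported Security log.

```python
import re
from dataclasses import dataclass

# Pre-Authentication Type values the article ties to PKINIT (smart card) logons.
# Names are the PKINIT pre-authentication data types from RFC 4120, section 7.5.2.
PKINIT_PREAUTH_TYPES = {
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
}
# 672 on Windows 2000/2003 DCs; 4768 carries the same field on later DCs.
TGT_EVENT_IDS = {672, 4768}

# Constructed sample records approximating an exported Security log; not real data.
SAMPLE_EVENTS = [
    {"EventID": 672, "Type": "Audit Success", "Message":
     "Authentication Ticket Granted:\n User Name: alice\n Supplied Realm Name: CORP\n"
     " Pre-Authentication Type: 16\n Client Address: 10.0.0.5"},
    {"EventID": 672, "Type": "Audit Success", "Message":
     "Authentication Ticket Granted:\n User Name: bob\n Supplied Realm Name: CORP\n"
     " Pre-Authentication Type: 2\n Client Address: 10.0.0.9"},  # password logon
    {"EventID": 673, "Type": "Audit Success", "Message":
     "Service Ticket Granted:\n User Name: alice@CORP\n Pre-Authentication Type: -\n"
     " Client Address: 10.0.0.5"},  # service ticket, not an initial logon
    {"EventID": 672, "Type": "Audit Failure", "Message":
     "Authentication Ticket Request Failed:\n User Name: dave\n Supplied Realm Name: CORP\n"
     " Pre-Authentication Type: 16\n Client Address: 10.0.0.20"},  # failed PKINIT attempt
    {"EventID": 672, "Type": "Audit Success", "Message":
     "Authentication Ticket Granted:\n User Name: carol\n Supplied Realm Name: CORP\n"
     " Pre-Authentication Type: 15\n Client Address: ::ffff:10.0.0.12"},
]

# One "Label: value" per line; the key stops at the first colon so IPv6 values survive.
FIELD_RE = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*?)[ \t]*$", re.MULTILINE)

@dataclass
class SmartCardLogon:
    user: str
    client_address: str
    preauth_type: int
    pkinit_message: str

def parse_fields(message: str) -> dict:
    """Split an event message into a {label: value} dict."""
    return {k.strip(): v for k, v in FIELD_RE.findall(message)}

def smart_card_logons(events) -> list:
    """Return successful TGT events whose Pre-Authentication Type is a PKINIT value."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in TGT_EVENT_IDS or ev.get("Type") != "Audit Success":
            continue
        fields = parse_fields(ev.get("Message", ""))
        raw = fields.get("Pre-Authentication Type", "")
        if raw.isdigit() and int(raw) in PKINIT_PREAUTH_TYPES:  # "-" means no pre-auth data
            hits.append(SmartCardLogon(fields.get("User Name", "?"), fields.get("Client Address", "?"),
                                       int(raw), PKINIT_PREAUTH_TYPES[int(raw)]))
    return hits
```

Running `smart_card_logons(SAMPLE_EVENTS)` returns only the alice and carol entries; the password logon, the service-ticket event, and the failed PKINIT attempt are filtered out.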
