Q: How can I determine from the Windows security logs whether a user has logged on using a smart card?
October 6, 2009
A: Windows doesn't have a specific event ID to differentiate a smart card logon from a normal, password-based logon, but you can find out whether a logon used a smart card by checking the fields of a successful Kerberos logon event. That's right, a Kerberos logon event, because in Windows you can only log on using a smart card when you authenticate to the domain using the Kerberos authentication protocol.
In Windows, a successful Kerberos authentication request generates security event ID 672 on the Domain Controller (DC). To be more precise, event ID 672 signals a successful Kerberos Authentication Service Request (AS-REQ). This is the Kerberos protocol sequence where a user passes his credentials to a DC and obtains a Kerberos Ticket Granting Ticket (TGT) from a DC.
Besides recording information such as what user requested the ticket and their machine's IP address, event 672 also records the kind of credentials the user forwarded to the DC. This info is kept in the pre-authentication type (patype) field of a 672 event. Smart cards use public keys for pre-authentication and will contain a 14, 15, 16, or 17 pre-authentication type value. So if you see one of these pre-authentication type values in a 672 event on the DC, you know that the user logged on to Windows using a smart card.
In fact, these pre-authentication type values tell you that Windows used the Kerberos Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) protocol extension for authenticating the user. See this Microsoft Knowledge Base article for more info on PKINIT.
In addition to smart card logon, PKINIT can be used for other public-key based Kerberos authentication exchanges, but so far the only Kerberos authentication flavors that use PKINIT in Windows are smart card logons.
Related Reading:
About the Author
You May Also Like