How to determine if a user performed a PIV Card workstation logon
Windows 2008 lacks the reporting capability to easily differentiate between password and PIV card authentication. Since many organizations cannot force PIV card logon due to various business constraints, they have to rely on policies and procedures to ensure their users use their PIV card for workstation logon. The procedure below determines which type of authentication a user is performing.
When a user performs a domain logon from a computer that is joined to a domain, the Kerberos authentication package is used. This process creates entries in the Security log shown in the Microsoft Event Viewer. The details recorded under the Kerberos Event ID can be used to differentiate a PIV card logon from a username and password logon. (Note: the following instructions are for Windows 2008.)
Step 1 - Open the Event Viewer by pressing Start and typing "Event Viewer" in the search field.
Step 2 - With the Event Viewer open, expand the Windows Logs folder and click on Security.
Step 3 - In the Security Event detail window, sort on Event ID. Select the 4768 Event ID (Kerberos Authentication).
Step 4 - Find the entries with the certificate information populated. The presence of certificate information indicates the user used a PIV card to log on.
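Steps 3 and 4 can also be scripted. The PowerShell below is an added example, not code from the original page or from the product it describes. It reads the certificate fields of a 4768 event (`CertIssuerName`, `CertSerialNumber`, `CertThumbprint`) and labels each record; the function name, user names and CA name are assumptions made up for illustration.

```powershell
# Added example: classify Event ID 4768 records by whether certificate fields are populated.
function Get-PivLogonType {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $evt = [xml]$EventXml
    # Flatten <EventData><Data Name="...">value</Data></EventData> into a name -> value table.
    $data = @{}
    foreach ($d in $evt.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }
    # Step 4 of the procedure: populated certificate information means a PIV card logon.
    $hasCert = $false
    foreach ($field in 'CertIssuerName', 'CertSerialNumber', 'CertThumbprint') {
        if ($data.ContainsKey($field) -and $data[$field] -ne '') { $hasCert = $true }
    }
    $method = if ($hasCert) { 'PIV card' } else { 'Password (no certificate)' }
    New-Object PSObject -Property @{
        User        = $data['TargetUserName']
        LogonMethod = $method
        CertIssuer  = $data['CertIssuerName']
    }
}

# Constructed sample events (not real log data), reduced to the fields used above.
$cardEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="CertIssuerName">Example Agency CA</Data>
    <Data Name="CertSerialNumber">0123456789ABCDEF</Data>
    <Data Name="CertThumbprint">00112233445566778899AABBCCDDEEFF00112233</Data>
  </EventData>
</Event>
'@
$passwordEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="TargetUserName">bob</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>
'@
$cardEvent, $passwordEvent | ForEach-Object { Get-PivLogonType -EventXml $_ } |
    Select-Object User, LogonMethod, CertIssuer

# Against the live Security log of a domain controller (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } |
#     ForEach-Object { Get-PivLogonType -EventXml $_.ToXml() }
```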
To see how this process can be automated, view the video below.
Or try it by downloading here.