2
votes

Hi, I need to verify in my WPF application whether the user logged in to his computer via password or via smart card. Both login options are available on my company's clients, but my application needs to open only on a smart-card login. All the clients are Windows 7 OS.

I looked at some sites: http://technet.microsoft.com/en-us/library/ff404285(v=ws.10).aspx http://www.codeproject.com/Articles/240655/Using-a-Smart-Card-Certificate-with-NET-Security-i

and I'm thinking I need to get the enhanced key usage (EKU) attribute field. If the EKU is empty => then the user was logged in via password and not via smart card.

I only need this simple check; I do not care about creating/validating certificates etc.

1
Thanks owlstead for your comments, I added some of my research for this issue, but I'm not sure that I'm in the right direction. For your comments about my English, I'm sorry but my Hebrew is much better than my English. – Ronen Rabinovitz
Thanks for changing your question, I've modded up. I've tried to take a quick look, but I'm a bit out of date regarding Microsoft APIs. One question though: normally certificates with a different level of authentication are in different "branches" of the PKI tree. Could you not make a distinction between certificates issued by the "more secure smart card logon certificate authority"? – Maarten Bodewes

1 Answer

2
votes

Windows doesn't record what certificate was used to log on, so you can't check the EKU, nor does Windows record what type of credentials were used, so there isn't a simple solution. I have a couple of suggestions:

Option 1: Use Authentication Mechanism Assurance to add an extra group membership to the user's access token when they log on with a smart card, and set up your app to require that group membership. This requires a domain at Windows Server 2008 R2 functional level.

Option 2: Implement a credential manager and use the NPLogonNotify callback to check for KERB_INTERACTIVE_LOGON with a KERB_LOGON_SUBMIT_TYPE of KerbSmartCardLogon, then record that somewhere for your app to check.
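As an added example (not code from the answer above), this is how the WPF application side of Option 1 can be done: at startup, check whether the process token carries the group that Authentication Mechanism Assurance adds on smart-card logon, and exit otherwise. The group name `CONTOSO\SmartCardLogon` is a placeholder for the group your domain maps to the smart-card certificate issuance policy.

```csharp
using System;
using System.Security.Principal;
using System.Windows;

// Added example, not part of the original answer.
static class SmartCardLogonCheck
{
    // Checks the current process token for the given group. The group list in the
    // token is fixed at logon, so a membership added afterwards (including one that
    // Authentication Mechanism Assurance would grant) only appears after a new logon.
    public static bool TokenHasGroup(string groupName)
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            // IsInRole resolves the name to a SID and tests the token's enabled groups.
            var principal = new WindowsPrincipal(identity);
            return principal.IsInRole(groupName);
        }
    }

    // Same check by SID, which avoids a name lookup at run time and survives a
    // group rename; pass the SID of the assurance group configured in your domain.
    public static bool TokenHasGroupSid(SecurityIdentifier groupSid)
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            if (identity.Groups == null) return false;
            foreach (IdentityReference group in identity.Groups)
            {
                if (group is SecurityIdentifier sid && sid.Equals(groupSid))
                    return true;
            }
            return false;
        }
    }
}

public partial class App : Application
{
    protected override void OnStartup(StartupEventArgs e)
    {
        base.OnStartup(e);
        // "CONTOSO\SmartCardLogon" is a placeholder for the assurance group name.
        if (!SmartCardLogonCheck.TokenHasGroup(@"CONTOSO\SmartCardLogon"))
        {
            MessageBox.Show("This application requires a smart-card logon.");
            Shutdown(1);
        }
    }
}
```

The check is only as strong as the group assignment: it does not inspect the certificate, so it relies on the domain controller adding the group exclusively for smart-card logons.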