Reputation: 81
Hi, I need to verify in my WPF application whether the user logged in to his computer via password or via smart card. Both login options are available on my company's clients, but my application needs to open only for a smart-card login. All the clients run Windows 7.
I looked at some sites: http://technet.microsoft.com/en-us/library/ff404285(v=ws.10).aspx http://www.codeproject.com/Articles/240655/Using-a-Smart-Card-Certificate-with-NET-Security-i
and I'm thinking I need to get the enhanced key usage (EKU) attribute field. If the EKU is empty => then the user was logged in via password and not via smart card.
I only need this simple check; I do not care about creating or validating certificates, etc.
Upvotes: 2
Views: 2984
Reputation: 191
Windows doesn't record what certificate was used to log on, so you can't check the EKU, nor does Windows record what type of credentials were used, so there isn't a simple solution. I have a couple of suggestions:
Option 1: Use Authentication Mechanism Assurance to add an extra group membership to the user’s access token when they log on with a smart card, and set up your app to require that group membership. This requires a domain at the Windows Server 2008 R2 functional level.
Option 2: Implement a credential manager and use the NPLogonNotify callback to check for KERB_INTERACTIVE_LOGON with a KERB_LOGON_SUBMIT_TYPE of KerbSmartCardLogon, then record that somewhere for your app to check.
Upvotes: 2
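The application-side half of Option 1, as an added example that is not part of the original answer: a WPF startup gate that refuses to run unless the process token carries the group that Authentication Mechanism Assurance adds for smart-card logons. The SID value and the class name `SmartCardLogonGate` are placeholders, and the `App` class assumes a standard WPF project with an `App.xaml`.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Windows;

static class SmartCardLogonGate
{
    // Assumption: SID of the AD group linked to the smart-card issuance
    // policy through Authentication Mechanism Assurance. This is a
    // constructed placeholder; replace it with the SID from your own domain.
    const string AmaGroupSid = "S-1-5-21-0-0-0-0000";

    public static bool CurrentUserHasAmaGroup()
    {
        try
        {
            var required = new SecurityIdentifier(AmaGroupSid);
            using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            {
                // IsInRole(SecurityIdentifier) evaluates the access token of
                // this process, so a group that is absent from the token or
                // not enabled in it fails the check.
                return new WindowsPrincipal(identity).IsInRole(required);
            }
        }
        catch (ArgumentException) { return false; } // malformed SID: fail closed
        catch (SecurityException) { return false; } // token not readable: fail closed
    }
}

public partial class App : Application
{
    protected override void OnStartup(StartupEventArgs e)
    {
        if (!SmartCardLogonGate.CurrentUserHasAmaGroup())
        {
            MessageBox.Show("This application requires a smart-card logon.");
            Shutdown(1);   // exit before any window is created
            return;
        }
        base.OnStartup(e);
    }
}
```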