Hi I need to verify in my WPF application if the user log in to his computer via password or via smart-card. Both login options are available in my company clients but my application need to open only in the smart-card login. All the clients are windows 7 OS.
I look at some sites: http://technet.microsoft.com/en-us/library/ff404285(v=ws.10).aspx http://www.codeproject.com/Articles/240655/Using-a-Smart-Card-Certificate-with-NET-Security-i
and I'm thinking I need to get the enhanced key usage (EKU) attribute field. If the EKU is empty => then the user was loged via password and not via smartcard.
I only need this simple check, I do not care for creating/validations on certificates atc.
Windows doesn't record what certificate was used to logon so you can't check the EKU, nor does Windows record what type of credentials were used so there isn't a simple solution. I have a a couple of suggestions:
Option 1: Use Authentication Mechanism Assurance to add an extra group membership to the user’s access token when they log on with a smart card, and set up your app to require that group membership. This requires a domain at to Windows Server 2008 R2 functional level.
Option 2: Implement a credential manager and use the NPLogonNotify callback to check for KERB_INTERACTIVE_LOGON with a KERB_LOGON_SUBMIT_TYPE of KerbSmartCardLogon, then record that somewhere for your app to check.
来源:https://stackoverflow.com/questions/10706746/verify-windows-log-in-via-smart-card