One of the FICAM priorities for this year is to continue to drive the adoption of FICAM Approved Credentials, which include PIV Cards (HSPD-12 Credentials) for Government to Government usage.
Microsoft recently published an update to their PKI/AD document set that provides a :
[...] follow-up document to the original HSPD-12 Logical Access Authentication and Active Directory Domains document [...] The follow-up document demonstrates the increased flexibility of FIPS 201 PIV-II compliant smart cards with Windows Server® 2008 R2 Active Directory, Windows 7 and Office 2010. Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon and NIST SP800-78-3 compliant S/MIME email exchanges
Both the original and the updated document can be found at the Microsoft Download site @ http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9427
Once enabled for PIV login, it is important to track the usage of PIV Cards in the Enterprise for reporting usage metrics. To that end, a starting point may be to take a look at the following piece of data found in Windows Auditing (Thanks to Alik and J.D. for this pointer):
"... use Windows Auditing events to track which logons are using username/password vs smart cards. Windows logs an event 672 (4768 in W2K8/R2) when an user logs on using Kerberos (i.e., gets a TGT), and in the Pre-Authentication Type part of the event you can see if the user was authenticated using a smart card (i.e., using PKINIT)"
More information regarding the above can be found at the Microsoft blog post on "Determining Whether a User Logged on Using A Smart Card"
What mechanisms (Open Source Tools, Scripts, COTS Solutions, etc.) are folks putting into place that would enable the automated monitoring and generation of usage metrics around Smart Card usage? Willing to share lessons learned?
UPDATE (6/18/12)
- Microsoft Technet: Find out if a Smart Card was used for logon using two ways to gather data
- Centralized data collection
- Client-side approach
- Powershell Script that reads UserTile information to provide logon Method of the currently logged on user
:- by Anil John
