Verify smart card was used for authentication?
We have a domain where both uid/password and smartcard/PIN authentication are allowed for a large set of user objects. Does anyone know a way to distinguish which was in fact used for a particular user session -- i.e., whether the end user entered a password or used a sc? Any chance of a flag in the TGT or something like that? I had heard that while this couldn't be done in the 2003/XP space, it might be feasible in the newer systems. I'm asking because in terms of granting SSO access, it would be very useful if an application's front end could distinguish that a smart card was used for domain auth and immediately grant access without a credentials prompt from the app's local authentication engine; i.e., stronger credentials deserve greater trust across the enterprise. Right now the accounts can't be locked to require smart card access because of the many things they touch across the company. This is an enterprise PKI, with Win2003 CAs moving to W2K8R2; clients are XP machines moving to Win-7; DCs are currently still 2003. Thanks for any ideas.
April 26th, 2010 10:52pm

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/84e2766f-ab61-468e-a384-2cd7970ade17/#4bfd7f03-8bb1-4373-a5d9-1bc2d8116158

Paul Adare CTO IdentIT Inc. ILM MVP
April 26th, 2010 10:54pm
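Two checks that answer the original question on the newer platforms the poster mentions (Vista/2008 and later), as an added example that is not part of the thread or of any linked article: a token check an application front end can run, and a DC-side query of the Kerberos TGT audit event. It assumes the well-known SID S-1-5-65-1 ("This Organization Certificate", documented in MS-DTYP) is present in the logon token after a certificate/PKINIT logon, and that "Audit Kerberos Authentication Service" is enabled on the DC so event 4768 is recorded; the function names are mine.

```powershell
# Added example; assumes Vista/2008 or later on client and DC.
# LSA adds the well-known SID S-1-5-65-1 ("This Organization Certificate")
# to a logon token when the Kerberos PAC carried certificate (PKINIT) logon
# data, which a smart card logon produces and a password logon does not.
function Test-SmartCardLogonToken {
    # Returns $true when the current process token carries S-1-5-65-1.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $hit = $id.Groups | Where-Object { $_.Value -eq 'S-1-5-65-1' }
    return [bool]$hit
}

# DC-side check: event 4768 (TGT requested) is logged on the DC that issued
# the TGT, so query every DC. Pre-authentication types 15 (PA-PK-AS-REP_OLD)
# and 16 (PA-PK-AS-REQ) mean PKINIT, i.e. a certificate/smart card logon;
# the Certificate Information fields are then populated as well.
function Get-SmartCardTgtRequest {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,   # sAMAccountName
        [string]$ComputerName = $env:COMPUTERNAME,         # a DC
        [int]$MaxEvents = 50
    )
    $xpath = "*[System[EventID=4768] and " +
             "EventData[Data[@Name='TargetUserName']='$UserName']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security `
                 -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            ClientIP    = $d['IpAddress']
            PreAuthType = $d['PreAuthType']
            SmartCard   = (@('15', '16') -contains $d['PreAuthType'])
            CertIssuer  = $d['CertIssuerName']
            Thumbprint  = $d['CertThumbprint']
        }
    }
}

# Usage (run on or against a DC; the account name is a placeholder):
# Get-SmartCardTgtRequest -UserName 'jdoe' | Format-Table Time, User, PreAuthType, SmartCard
```

A password logon shows pre-authentication type 2 (PA-ENC-TIMESTAMP) with empty certificate fields, so the SmartCard column alone separates the two logon kinds in the audit trail.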

This topic is archived. No further replies will be accepted.
