Mark Minasi's Tech Forum
Register Calendar Latest Topics
 
 
 


Reply
  Author   Comment  
wobble_wobble

Avatar / Picture

Associate Troublemaker Apprentice
Registered:
Posts: 892
Reply with quote  #1 
Looking to see if I can track user certificate based logon as opposed to username/ password based logon.

Is there a logon event generated that is different on a DC for a cert logon?

Found this info, but I don't have access to a DC that has cert based logons.

Expected event ID’s                                        672 or 4768 or 4772

Info for this from here                                    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=672


__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
0
Donato

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 25
Reply with quote  #2 
There isn't much on cert based log files. Can you test it in a lab setting? Create a DC that accepts cert based authentication & check the logs.
0
wobble_wobble

Avatar / Picture

Associate Troublemaker Apprentice
Registered:
Posts: 892
Reply with quote  #3 
Apologies moved on a little from this.

We didn't find any interesting events relating to cert logons.
Have delegate a minion to look at the SEIM logs from the DC but there are a lot of DC's.

Will be labbing this in a month and will see if I have better results then.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
0
Previous Topic | Next Topic
Print
Reply

Quick Navigation:

Easily create a Forum Website with Website Toolbox.