Skip to Content

Track system logins historically by authentication mode?

Use case: Need to track system logins overtime for trend/sizing

Problem: Our logins are inflated by our support staff who log in as the user's enterprise alias

Workaround: No workaround to the problem as the only way for our support staff to impersonate a user is adding an enterprise alias for the account. Normal users that we want to count use WinAD as authentication method.

I reviewed audit db to see if it captures authentication method for login events 1014, but it doesn't appear this information is captured.

Any suggestions on how to capture the login counts of users who do did not log in using Enterprise?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    Feb 12, 2018 at 06:04 PM

    For those of you who come across this and are interested in a better solution at tracking the authentication method used, please VOTE UP

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 02, 2018 at 12:30 PM

    I don't believe the authentication method is captured in audit.

    Couple of thoughts:

    You can see this information in real time: in the Sessions view in CMC, the user name is prefixed with the authentication method.

    Audit does capture the client's IP address, so if you have the support staffs' IP addresses you could identify their logons.

    An enterprise ID can be different than the associated AD ID. So you could create an alias for user "SmithJ" as "SmithJ_ADMIN", then look for logons from "*_ADMIN" users.

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 05, 2018 at 04:53 PM

    I don't have any auditing setup to verify but I would imagine something in the logs could be used to identify they type of user logged on. If you follow this KBA you can see the various attributes that differentiate different users in the CMS DB. I'd imagine something must appear in the audit logs or some sort of cross reference could be run to verify...


    Add comment
    10|10000 characters needed characters exceeded