I had Windows 2003 domain controllers (DCs) and XP and Vista clients. I had enabled the cryptographic logon (CLO) using the common access card (CAC) smart card and was successful and working fine. Then I upgraded my domain to Windows 2008 R2 DCs and Windows 7 clients and now the CLO is having an issue. The error says: "The system could not log you on. You cannot use a smart card to log on because smart card log on is not supported for your user account.” I have a test account using CAC UPN and I enabled smart card is required for interactive logon meaning it is locked down for smart card only. Rebooted the DC and the client, but the error persists. I also followed the Guidelines for enabling smart card logon with third-party certification authorities http://support.microsoft.com/kb/281245 suggested by Joson Zhou, MSFT Moderator. Any help is highly appreciated.

Hello Pat, a) Where can I find the EKU in my smart card? b) This eror is before the prompt for my PIN. V/r, Dalailama

Hi Pat, The EKU are Smart Card Logon, Client Authentication and Secure Email. v/r, DalaiLama

Hi Morten, I added the DC cert and it worked. Thanks. v/r, DalaiLama

Glad you got it sorted :)

Hi, Please let me know the steps do this.