Smartcard Logon not enabled
We're running ADCS on a domain-joined WS2008R2 server. Autoenrollment has been enabled (via GPO) for both the computer and user configurations (as verified through rsop.msc). The domain controllers have enrolled in the following certificate templates:

- Kerberos Authentication
- Domain Controller
- Domain Controller Authentication

The test user has enrolled in the Smartcard Logon template. Yet when trying to log on via smartcard on the host I receive an error like "account is not enabled for smart card login". I then proceeded to check the box on my user account in AD which states "require smartcard for interactive login" and also enabled the same setting on my client system (Security Options\Interactive Logon: Require smart card). My logon is still denied but states I should check with my administrator to ensure smartcards are enabled for login. I've also enabled the Workstation Authentication template, which my test system has successfully enrolled in.

Anyone been through this or have some pointers on where to look? We're now digging around in a haystack. Thanks!
September 8th, 2010 2:28am

Hi,

Is the smart card reader recognized by the operating system? Is the correct CSP for the card installed on the computer? The following KB article is a guideline for enabling smart card logon: http://support.microsoft.com/?id=281245. Please ensure that all the requirements are met. Hope it helps.

This posting is provided "AS IS" with no warranties, and confers no rights.
September 8th, 2010 5:51am

Thanks for the link. The workstation recognizes the smartcard and I'm able to store my smartcard logon certificate on it when requesting a certificate from http://servername/certsrv. My system is joined to the w.x.y.z domain while my user account exists in the x.y.z domain. The exact error message is: "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization." I'm the system administrator...
September 10th, 2010 2:07am

In the certificate template you're enrolling the smart cards in, do you have both "Smart Card Logon" and "Client Authentication" selected in Application Policies on the <Extensions> tab?
September 10th, 2010 6:38pm

Yes, those are in place. We're on a time crunch, so we've opened a ticket with Microsoft Support. I'll update this thread with their findings. Thanks!
September 11th, 2010 9:10pm

We had an issue with the DCs not getting the group policy that imports our RootCA certificate into their trusted store. <sigh> Manually adding the certificate to each DC fixed the issue.
October 6th, 2010 6:30pm
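An added check, written for this thread rather than taken from it, that covers the two things the replies above turned on: whether the enrolled certificates carry the EKUs smart card logon needs (the question about "Smart Card Logon" and "Client Authentication"), and whether the domain controller actually trusts the root CA (the cause found here). `$RootCaThumbprint` is a placeholder and `Test-LogonCert` is a helper defined in the script; note that the older Domain Controller templates do not carry the KDC Authentication EKU, while the Kerberos Authentication template does.

```powershell
# Added example, not code from the thread. Run elevated on a domain controller
# (the DC part) or on the workstation as the test user (the user part).
# $RootCaThumbprint is a placeholder for your enterprise root CA's thumbprint.
$RootCaThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'

# EKU OIDs that smart card logon depends on
$Eku = @{
    KdcAuth        = '1.3.6.1.5.2.3.5'          # KDC Authentication (DC side)
    ServerAuth     = '1.3.6.1.5.5.7.3.1'        # Server Authentication (DC side)
    ClientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication (both)
    SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon (user side)
}

# Helper defined here (not a built-in cmdlet): report which required EKUs a
# certificate lacks and whether its chain builds to a locally trusted root.
function Test-LogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string[]]$RequiredEku)
    $present = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $missing = @($RequiredEku | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Subject    = $Cert.Subject
        MissingEku = ($missing -join ', ')
        # Verify() is $false when the issuing chain is not trusted locally,
        # which is the symptom of a root CA that never reached the DC.
        ChainOk    = $Cert.Verify()
        Expires    = $Cert.NotAfter
    }
}

# 1. Is the root CA present in this machine's Trusted Root store?
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootCaThumbprint }
if ($root) { "Root CA '$($root.Subject)' is trusted on $env:COMPUTERNAME" }
else       { "WARNING: root CA $RootCaThumbprint is NOT in Cert:\LocalMachine\Root" }

# 2. DC certificates: KDC Authentication, Server Authentication, Client Authentication
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-LogonCert -Cert $_ -RequiredEku $Eku.KdcAuth, $Eku.ServerAuth, $Eku.ClientAuth } |
    Format-Table -AutoSize

# 3. User certificate (run as the test user): Smart Card Logon + Client Authentication;
#    the user's UPN must also appear in the Subject Alternative Name.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-LogonCert -Cert $_ -RequiredEku $Eku.SmartCardLogon, $Eku.ClientAuth } |
    Format-Table -AutoSize
```

A DC certificate showing `ChainOk` as `False` despite a correct `MissingEku` column is the situation this thread ended in: the template is fine, but the root CA has not reached the DC's trusted store.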
