One of our clients wishes to use Windows 2008 Active Directory where every user uses a smart-card to authenticate itself while in the office. Therefore, they enable the 'smart card is required for interactive logon' option for each user. When performing an authentication out of the office, we need to use the user's name and password instead. We try to use the 'LogonUser' win32 API call to authenticate the user's name and password against the domain. This used to work fine for a Windows 2003 environment, but this call always fails in a 2008 environment with the 0x800903EE (SEC_E_SMARTCARD_LOGON_REQUIRED) error, no matter what options we use on the LogonUser API. Is it still allowed in 2008 with the 'smart card is required for interactive logon' option for a user to verify its password with the LogonUser API? Or is there another way to verify this?

What LogonType are you specifying when calling the LogonUser function? Have you tried any of the non-interactive logon types? /Hasain

When this setting is enabled the password cannot be used for authentication in Windows. CheersTom Houston

The setting is only restricting the "Interactive Logon" type and you can still use a password based authentication using other logon types. This is verifies in ad domain with only Windows 2008 R2 DCs and 2008 R2 functional level. Please remember that when enabling the require smart card setting the system will set random password for that user account and you need to reset the password to a known one after you apply the setting! /Hasain

The setting is only restricting the "Interactive Logon" type and you can still use a password based authentication using other logon types. This is verifies in ad domain with only Windows 2008 R2 DCs and 2008 R2 functional level. Please remember that when enabling the require smart card setting the system will set random password for that user account and you need to reset the password to a known one after you apply the setting! /Hasain