Unable to verify user's password with 'smart card is required for interactive logon'
One of our clients wishes to use Windows 2008 Active Directory where every user uses a smart-card to authenticate itself while in the office. Therefore, they enable the 'smart card is required for interactive logon' option for each user.
When performing an authentication out of the office, we need to use the user's name and password instead. We try to use the 'LogonUser' win32 API call to authenticate the user's name and password against the domain. This used to work fine for a Windows 2003 environment, but this call always fails in a 2008 environment with the 0x800903EE (SEC_E_SMARTCARD_LOGON_REQUIRED) error, no matter what options we use on the LogonUser API.
Is it still allowed in 2008 with the 'smart card is required for interactive logon' option for a user to verify its password with the LogonUser API? Or is there another way to verify this?
March 29th, 2012 4:11am
What LogonType are you specifying when calling the LogonUser function? Have you tried any of the non-interactive logon types?
/Hasain
March 31st, 2012 6:08am
When this setting is enabled the password cannot be used for authentication in Windows.
Cheers
Tom Houston
April 3rd, 2012 4:09pm
The setting is only restricting the "Interactive Logon" type and you can still use password-based authentication using other logon types. This is verified in an AD domain with only Windows 2008 R2 DCs and 2008 R2 functional level.
Please remember that when enabling the require smart card setting, the system will set a random password for that user account, and you need to reset the password to a known one after you apply the setting!
/Hasain
April 4th, 2012 7:07am
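The check suggested in the replies above, as an added example that is not code from the thread: it calls LogonUser once per logon type so the interactive result can be compared with the non-interactive ones. The type name `Win32.SmartCardLogonTest`, the function `Test-LogonType`, and the sample account and domain are hypothetical names chosen for the illustration.

```powershell
# Added example (not from the thread): P/Invoke wrapper around LogonUser.
# TryLogon returns 0 on success, otherwise the Win32 error code captured
# immediately after the failed call.
Add-Type -Namespace Win32 -Name SmartCardLogonTest -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool LogonUser(string lpszUsername, string lpszDomain,
    string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr hObject);

public static int TryLogon(string user, string domain, string password, int logonType)
{
    IntPtr token;
    // Last argument 0 = LOGON32_PROVIDER_DEFAULT
    if (LogonUser(user, domain, password, logonType, 0, out token))
    {
        CloseHandle(token);   // only the success/failure result is needed
        return 0;
    }
    return Marshal.GetLastWin32Error();
}
'@

# LOGON32_LOGON_* values from winbase.h
$LogonTypes = [ordered]@{ Interactive = 2; Network = 3; NetworkCleartext = 8 }

function Test-LogonType {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    # LogonUser takes the clear-text password; convert only for the calls.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    foreach ($entry in $LogonTypes.GetEnumerator()) {
        # Each failed attempt counts as a bad password attempt for lockout.
        $err = [Win32.SmartCardLogonTest]::TryLogon($UserName, $Domain, $plain, $entry.Value)
        [pscustomobject]@{
            LogonType  = $entry.Key
            Succeeded  = ($err -eq 0)
            Win32Error = '0x{0:X8}' -f $err
            Message    = if ($err) { ([System.ComponentModel.Win32Exception]$err).Message } else { '' }
        }
    }
}

# Constructed sample values; replace with a test account in your own domain:
# Test-LogonType -UserName 'testuser' -Domain 'EXAMPLE' -Password (Read-Host 'Password' -AsSecureString)
```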