The client Win XP does not send PA_PK_AS_REQ - Smart Card Logon Troubleshooting
In my effort to implement smart card logon, and having followed all the appropriate MS articles about enabling smart card logon with a third-party CA, when I run NetMon on my XP client I get the error KDC_ERR_PADATA_TYPE_NOSUPP. This error means that my client is sending the wrong request to the KDC. More specifically, instead of sending a PA_PK_AS_REQ request it sends KRB_AS_REQ. Does anyone know how to enable the client to send the right request?

The link http://www.microsoft.com/mspress/books/WW/sampchap/4680.aspx says:

"Windows 2000 supports the use of smart card authentication by using PKINIT extensions for Kerberos. This allows public/private keys to be used to authenticate the user when he logs on to the network in place of the standard Kerberos Authentication Service Request and Response. KRB_AS_REQ and KRB_AS_REP are replaced with the PA_PK_AS_REQ and PA_PK_AS_REP messages."

PS: All Certutil validation tests are OK both on the server (mixed environment, Windows Server 2008 and 2003) and on the client (WinXP, Win7). Any ideas?
September 5th, 2011 6:30am

Have you enabled autoenrollment in the Default Domain Policy? If not, enable it first.
September 12th, 2011 5:59am

Thanks, MSPrime, for your reply. I did not have to enable autoenrollment in the Default Domain Policy, but just re-issued the DC certificate and the problem was solved!
September 13th, 2011 2:00pm

This topic is archived. No further replies will be accepted.
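
Added example, not part of the thread: in RFC 4556, PA-PK-AS-REQ is a pre-authentication data element (padata type 16) carried inside the AS-REQ, so a capture can be checked by listing the padata types the client sent. The Python below parses a DER-encoded AS-REQ; the function names and sample messages are constructed for illustration, and counting the pre-RFC types 14 and 15 as PKINIT is an assumption for older clients.

```python
# Added example: list the padata types in a DER-encoded Kerberos AS-REQ.
# Numbers are from RFC 4120/4556; 14 and 15 (pre-RFC drafts) count as PKINIT by assumption.
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 128: "PA-PAC-REQUEST"}
PKINIT_TYPES = {14, 15, 16}

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def padata_types(as_req):
    """Return the padata-type integers of an AS-REQ ([APPLICATION 10] KDC-REQ)."""
    tag, body, _ = tlv(as_req)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ")
    fields = dict(children(tlv(body)[1]))                      # KDC-REQ fields by context tag
    pa_seq = tlv(fields[0xA3])[1] if 0xA3 in fields else b""   # padata [3] is OPTIONAL
    return [int.from_bytes(tlv(dict(children(pa))[0xA1])[1], "big", signed=True)
            for _, pa in children(pa_seq)]                     # padata-type [1] of each PA-DATA

def describe(as_req):  # (names of the padata types, whether any of them is PKINIT)
    types = padata_types(as_req)
    return [PA_NAMES.get(t, str(t)) for t in types], bool(PKINIT_TYPES & set(types))

def der(tag, content=b""):  # builder for the constructed samples (short lengths only)
    return bytes([tag, len(content)]) + content

def sample_as_req(*types):  # constructed AS-REQ with empty padata values and req-body
    pas = b"".join(der(0x30, der(0xA1, der(0x02, t.to_bytes(t.bit_length() // 8 + 1, "big")))
                             + der(0xA2, der(0x04))) for t in types)
    req = der(0xA1, der(0x02, b"\x05")) + der(0xA2, der(0x02, b"\x0a"))
    req += der(0xA3, der(0x30, pas)) if types else b""
    return der(0x6A, der(0x30, req + der(0xA4, der(0x30))))
```

Pass `describe` the Kerberos message bytes exported from the capture; when the exchange ran over TCP, strip the 4-byte length prefix first.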
