Smart card is required for interactive logon

Need some urgent suggestions from you all. In our Office, there are many people who need to login with their Smart Card and many who can login Without Smart Card. But there is just one guy whom we haven’t assign the card and hence we setup his account to login by entering username and password.

But the problem is that every day he comes to office, he need to call me, I need to go to AD and uncheck the box for "Smart card is required for interactive logon" so that he can work for that particular day but this process needs to be repeated again next day.

Is there are any permanent work around for this? Please give some advice.

Yep, there is a trick in Registry where you can make some change to fix this. Just open the registry editor and navigate to the following location:

Quote:

---

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

---

Here you will find an entery named ScForceOption. Just double click this entry and change its value to 0 (zero).

On a related note, has anyone had an issue where if they want to turn on "Require Smart Card" for certain privileged accounts in active directory, it works, but if you then untoggle the "Require smart card" attribute on the user object, it seems to invalidate the active directory user account password, needing a manual password change. The password last set attribute still shows the time of the previous AD password change, but it just seems that toggling "require smart card" mangles it and doesn't update the password last set attribute in AD.

We are just starting to look at using SmartCards and I am seeing the exact same thing. Can anyone point to a Microsoft doc that describes the relationship between the SmartCard and AD passwords?

Smartcard logon in part works by having a Domain Controller template based certificate in the authenticating domains local computer certificate stores. In the more straightforward scenario of an Enterprise Certificate Authority, where information regarding the installed CA is stored in the forest AD, the domain controller certificate is auto enrolled to the domain controller as a matter of course. That can make for a nice starting place for configuring smartcard logon to work in your environment.