I have set up Smart Card Logon numerous times in a variety of Windows environments.
Sadly, it is still a complicated process, mainly because there are so many moving parts.
If you're enabling it with a Microsoft Certificate Authority (CA), and you don't plan on having your certificates trusted (or visible) outside your network, it's actually fairly straightforward: Microsoft does most of the work for you when you install Active Directory Certificate Services (ADCS), since the domain controllers and users automatically trust the enterprise CA.
But, if you're using a 3rd Party CA it gets a little more ~~frustrating~~ fun to implement.
Here's a basic checklist of things to look at when Smart Card Logon isn't working. It is by no means a complete list.
Does the Certificate on the card contain the correct configuration?
You'll need the certificate to be configured as described in this Microsoft article:

Key Usage = Digital Signature
Basic Constraints = [Subject Type=End Entity, Path Length Constraint=None] (Optional)
Enhanced Key Usage = Client Authentication (1.3.6.1.5.5.7.3.2) and Smart Card Logon (1.3.6.1.4.1.311.20.2.2). The Client Authentication OID is only required if the certificate is also used for SSL/TLS client authentication; Smart Card Logon is what the domain controller actually checks.
Subject Alternative Name = Other Name: Principal Name = (UPN). For example: UPN = email@example.com. The UPN OtherName OID is 1.3.6.1.4.1.311.20.2.3 and the UPN OtherName value must be an ASN.1-encoded UTF8 string.
Subject = Distinguished name of the user. This field is a mandatory extension, but populating it is optional.
Does the User Principal Name in the Certificate match the account you're trying to log in with?
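The two checks above (certificate contents and UPN match) are easy to get wrong by eye, so here is an added PowerShell script that performs them against a certificate exported from the card. It is not part of the original post; it assumes the certificate has been saved to a .cer file (the path is a placeholder) and that the ActiveDirectory RSAT module is installed on the machine running it. The OIDs are the ones from the Microsoft article quoted above.

```powershell
# Added example: sanity-check a smart card logon certificate.
# Assumptions: $CertPath points at a DER/Base64 .cer exported from the card,
# and the ActiveDirectory module (RSAT) is available for the UPN lookup.
param(
    [string]$CertPath = 'C:\temp\card.cer'   # placeholder path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OIDs from the Microsoft guidance
$ScLogonOid      = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU (optional)
$SanOid          = '2.5.29.17'                # Subject Alternative Name extension

$findings = @()

# 1. Key Usage must include Digital Signature
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$dsFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
if (-not $ku -or -not ($ku.KeyUsages -band $dsFlag)) {
    $findings += 'Key Usage does not include Digital Signature'
}

# 2. EKU must include Smart Card Logon; Client Authentication only matters for TLS
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekuOids -notcontains $ScLogonOid) {
    $findings += "EKU is missing Smart Card Logon ($ScLogonOid)"
}
if ($ekuOids -notcontains $ClientAuthOid) {
    Write-Warning "EKU has no Client Authentication ($ClientAuthOid); only needed for SSL/TLS client auth"
}

# 3. SAN must carry the UPN as an Other Name. Format($true) renders it as
#    "Other Name: Principal Name=user@domain", which we pull out with a regex.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
$upn = $null
if ($san -and ($san.Format($true) -match 'Principal Name=([^\s,]+)')) {
    $upn = $Matches[1]
}
if (-not $upn) { $findings += 'SAN has no UPN (Other Name / Principal Name)' }

# 4. The UPN must match an enabled AD account. The lookup is exact, so a
#    mismatch in domain suffix (user@corp.local vs user@corp.com) is caught here.
if ($upn) {
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue
    if (-not $user)            { $findings += "No AD user has UserPrincipalName '$upn'" }
    elseif (-not $user.Enabled) { $findings += "AD user $($user.SamAccountName) is disabled" }
}

# 5. Validity window and chain. Verify() builds the chain against this machine's
#    stores, so run it on a domain controller or a client that has the 3rd party
#    root installed to get a meaningful answer.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $findings += "Certificate is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))"
}
if (-not $cert.Verify()) {
    $findings += 'Certificate chain does not verify on this machine (issuing CA not trusted here?)'
}

if ($findings.Count -eq 0) {
    "OK: $($cert.Subject) with UPN $upn passes the checks"
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

Run it on a domain controller for the most useful result, since that is the machine that has to build the chain during logon. A clean pass here rules out the certificate itself; if logon still fails with a 3rd party CA, the next place to look is whether the issuing CA is published where the domain controllers expect to find it (for an enterprise CA ADCS does this publication for you, which is the "most of the work" mentioned earlier).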
Microsoft has a couple of great articles on setting up Smart Card Logon:
Brian Komar's book on PKI is really good as well; it covers much more than just setting up PKI on Windows Server 2008.
Anything I've missed? Let me know and I'll add it to the list.