Services and scheduled tasks cannot log on if a smart card is not present in Windows Server 2003

In Microsoft Windows Server 2003, when you click to select the Smart card is required for interactive logon check box in the properties of all the user accounts in Active Directory Users and Computers, you expect that users who log on interactively must supply a smart card to log on. However, services and scheduled tasks that use an account to log on also cannot log on if a smart card is not present.

In this scenario, you see events that are similar to the following when you view the Security log in Event Viewer:

EVENTID: 531
Category: "LOGON/LOGOFF"
Logon Failure:
Reason: Account currently disabled
User Name: Name_Of_Service_Or_scheduled_Task
Domain: Domain
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: Computer_Name

This problem can affect client computers that are running Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.

This issue occurs because the Smart card is required for interactive logon account option applies to all logon types except the network logon type. This option does not apply only to interactive logons.

To work around this issue, click to clear the Smart card is required for interactive logon check box for the user accounts that services and scheduled tasks use to log on to the network. To do this, follow these steps:

1. Start Active Directory Users and Computers.
2. Click Users.
3. In the right pane, right-click the user account of a service or scheduled task, and then click Properties.
4. Click the Account tab, and then in the Account Options list, click to clear the Smart card is required for interactive logon check box.
5. Click Apply, and then click OK.
6. Repeat steps 3 through 5 for each user account that is used by a service or scheduled task.

Logon types include the following:

• Interactive
• Network
• Batch
• Service
• Proxy
• Unlock workstation