smart card removal
Hello, I have a 2008 terminal server which is a member of an AD domain. I am trying to set up access via smart cards. Logon works great; however, I need the session to disconnect when a smart card is removed. I have set the 'Interactive logon: Smart card removal behavior' policy locally using the local computer group policy MMC. There are no conflicting AD group policies. I get the expected behavior maybe 20% of the time; the rest of the time removing a smart card has no effect. I have tried multiple readers and cards. The client computers I have tested with are XP SP3, and a thin client running rdesktop on top of Thinstation (open source thin client Linux OS). Both clients exhibit the same behavior. I cannot reproduce the unexpected behavior; it seems to just work occasionally, and fail most of the time. I cannot find any events, errors or otherwise, relating to smart card removal in Event Viewer. The 'Smart Card' and 'Smart Card Removal Policy' services are started and set to Automatic. ANY help would be greatly appreciated. Thanks for your time, Chris
August 7th, 2010 12:37am

Chris, sorry for taking so long to get back to you on this. You mentioned that you have the services started and set to Automatic. Is that on the client, or on the server (or both)? Can you give us more detail on the client?

David Beach - Microsoft Online Community Support
August 19th, 2010 4:50pm

Hi Chris, a little more information from one of our smart card experts internally: It sounds like you have the policy and removal service configured properly, so, from an OS perspective, I think you are on the right track. The problem may be introduced when you involve the hardware and driver from the card reader manufacturer. It is the responsibility of the reader driver to notify the OS that the card has been removed. If that notification does not occur, the removal service has no way of knowing that the card has been removed, thus the policy cannot be enforced. I suggest looking for a driver update for the card reader or trying another card reader manufacturer. You may be able to contact the manufacturer to see if there is some logging you can turn up for their driver. This may show you whether the notification handle has been created for the service to consume. If this works some of the time, it would be interesting to see driver logging from failed and success scenarios to compare.

David Beach - Microsoft Online Community Support
August 24th, 2010 8:08pm
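Before chasing the reader driver, it helps to confirm the OS-side pieces named in this thread (the removal policy and the two services) on the terminal server itself. The following check is an added example, not code from the thread or from Microsoft; it assumes the policy is stored as the `ScRemoveOption` value under the Winlogon registry key and that the services are named `SCardSvr` and `SCPolicySvc`, neither of which the thread spells out.

```powershell
# Constructed diagnostic: run in an elevated PowerShell on the terminal server.
# Verifies the pieces this thread says must be in place (policy value plus the
# Smart Card and Smart Card Removal Policy services) so that, if they all pass,
# the reader driver's removal notification becomes the remaining suspect.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$meaning = @{                       # assumed mapping of the REG_SZ policy value
    '0' = 'No action'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

function Test-SmartCardRemovalConfig {
    param([string]$Expected = '3')   # '3' = disconnect the RDS session (what the poster wants)
    $results = @()

    # 1. Value written by 'Interactive logon: Smart card removal behavior'
    $item = Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue
    if ($null -eq $item) { $text = '<not set>' } else { $text = [string]$item.ScRemoveOption }
    $results += New-Object PSObject -Property @{
        Check  = 'ScRemoveOption'
        Actual = "$text ($($meaning[$text]))"
        Pass   = ($text -eq $Expected)
    }

    # 2. Both services must be running; SCPolicySvc is the one that acts on removal
    foreach ($svc in 'SCardSvr', 'SCPolicySvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) {
            $actual = '<service missing>'
        } else {
            $mode   = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode
            $actual = "$($s.Status), startup $mode"
        }
        $results += New-Object PSObject -Property @{
            Check  = $svc
            Actual = $actual
            Pass   = ($null -ne $s -and $s.Status -eq 'Running')
        }
    }
    return $results
}

Test-SmartCardRemovalConfig | Format-Table Check, Pass, Actual -AutoSize
```

A run where every row shows `Pass = True` yet removal still does nothing points at the reader driver's notification path, as the reply above describes.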
