Can you outline the whole logon process to TS with the smartcard?

I have done a large amount of certificate work, and have seen implementations fail because the original cert system developer was sloppy about how (or where) they actually install the cert. There are multiple cert storage locations on a system, and not all are addressable (or writeable) by non-Administrators.

My first guess is that the certificate is trying to initially install, or only install, into the "My" store for the local machine; if the cert is located in the System "My" (aka "Personal") store, it can be used by other processes/users on the system. The side-effect is that non-Administrators get read-only permission to the store. The "My" store typically holds certificates that are trusted for an entire machine, e.g. stuff from Verisign, Microsoft Root Authority.

One thing you can do to verify what is happening is log on to the host as the local Administrator, run mmc.exe, add the Certificates snap-in for "Computer" and then again for "My user account". Then drill down through the treeviews and see if those previously-installed certs are somewhere in there. You also might try logging on with a boosted-Administrator user you mentioned and see what is in their cert store.

If you see certs where you should not see certs, then what probably happened was a (smartcard?) developer was a member of the Administrators local group on his/her machine when they set up the software. It's easy to get things to compile when you're an Administrator. ;) Of course that breaks on a TS/MF system (or even a locked-down desktop) because you don't want everyone to be an Administrators member.

The certificate stores are *not* simply analogous to Registry keys. If you actually find the Registry keys/values that deal with certs and change them, you will probably break something you did not want to break.... The only way to work with certificates and their stores is through the CryptoAPI.
Your first option with the CryptoAPI is to assign the job of "certificate administrator" to someone in your organization, and make them responsible for exporting the certs/keys from the card into files that will import into the TS box, then have that person log on as Administrator and import them.

Your second option is to create a small app or subsystem that addresses the CryptoAPI to import the keys properly at logon time, or pre-adds them to the TS box silently before the user connects. Contact me off-list if you want to get into developing something automated for your organization.

If this is not what is happening at all, I have another idea or 3, but you'll have to post what the entire logon procedure looks like.

---orig
From: "Dannhorn, Michael IZ/HZA-ICS" <dannhmch@xxxxxxxxxx>

Hi,

We installed a product which needs to work with the user's certificate in its profile. Certificates were held on SmartCards. Logon via SmartCard works. The certificate files are located in '%userprofile%\application data\microsoft\my\...'.

When the user has local administrative rights, certificates are registered (copied) in the user's profile and our application could work. Without local administrative rights, certificates would not be registered and the application fails to work. When we 'register certificates' with the SmartCard Utility, the certificates are copied locally and the application could work.
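
The store check suggested in the reply (Certificates snap-in for "Computer" and for "My user account") can also be done from a prompt. The script below is an added example, not part of the original thread: it reads both "My" stores through the .NET X509Store class, and lists certificates that exist only in the machine store so they can be reviewed. The function name Get-MyStoreCerts is hypothetical.

```powershell
# Added example: read-only inventory of the CurrentUser and LocalMachine "My" stores.
# Run it once as the affected non-admin user and once as Administrator, then compare.
$ErrorActionPreference = 'Stop'

function Get-MyStoreCerts {   # hypothetical helper name
    param([ValidateSet('CurrentUser', 'LocalMachine')][string]$Location)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList 'My', $Location
    try {
        # ReadOnly: nothing is added, removed or changed in the store.
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        foreach ($c in $store.Certificates) {
            [pscustomobject]@{
                Location      = $Location
                Subject       = $c.Subject
                Thumbprint    = $c.Thumbprint
                NotAfter      = $c.NotAfter
                HasPrivateKey = $c.HasPrivateKey
            }
        }
    } finally { $store.Close() }
}

# Record who ran the check, since the symptom depends on Administrators membership.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = (New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as {0} (member of Administrators: {1})" -f $identity.Name, $isAdmin

$user    = @(Get-MyStoreCerts -Location CurrentUser)
$machine = @(Get-MyStoreCerts -Location LocalMachine)
($user + $machine) | Sort-Object Location, Subject | Format-Table -AutoSize | Out-String

# Certificates only in LocalMachine\My are candidates for review: a user certificate
# that landed here was probably installed by an Administrators member.
$userPrints  = @($user | ForEach-Object { $_.Thumbprint })
$machineOnly = @($machine | Where-Object { $userPrints -notcontains $_.Thumbprint })
if ($machineOnly.Count -gt 0) {
    "In LocalMachine\My but not in CurrentUser\My (review these):"
    $machineOnly | Format-Table Subject, Thumbprint, HasPrivateKey -AutoSize | Out-String
} else {
    "No certificate is present only in LocalMachine\My."
}
```

Certificates that legitimately belong to the machine also appear in the machine-only list, so compare subjects against the names on the smartcard before drawing conclusions.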