Aha, found it.
MSKB article 892424 has one important sentence:
On a Windows Server 2003-based domain controller, if the "Smart card is required for interactive logon" policy setting is enabled, the domain controller generates a random password for the user.
So I was unable to logon after disabling the check box because my password was set to some random value instead of my old password.
After resetting it, both password logon and smart card logon works.
We had the same issue and resolved it by re-issuing the domain controller certificates with the required KDC EKU. Our domain controller certificates now have four EKU's: Client, Server, KDC, and Smart Card. We also had to tweak the SAN's for our domain controller certificates.
If you don't want to do that, you may want to experiment with disabling the "Require strict KDC validation" setting on the client to see if it helps. This does seem to be a not too well documented change in behavior from Windows 7, or at least it is not consistent with how the setting is documented in the group policy settings spreadsheet/documentation.
https://technet.microsoft.com/en-us/library/hh831747.aspx
"Strict KDC validation is a more restrictive set of criteria which ensures all of the following are met:
The domain controller has the private key for the certificate provided.
For domain-joined systems, the certification authority (CA) that issued the KDC’s certificate is in the NTAuth store.
For non-domain-joined systems, the root CA of the KDC’s certificate is in the Third-Party Root CA or Smart Card Trusted Roots store.
KDC’s certificate has the KDC EKU.
KDC certificate’s DNSName field of the subjectAltName (SAN) extension matches the DNS name of the domain.
For non-domain-joined smart card sign on, strict KDC validation is required.
To disable this default behavior, disable the Group Policy setting Require strict KDC validation."
More information:
What's New in Kerberos Authentication
https://technet.microsoft.com/en-us/library/hh831747(v=ws.11).aspx
Strict KDC Validation default changes
"For non-domain-joined smart card sign on, strict KDC validation is required.
"To disable this default behavior, disable the Group Policy setting Require strict KDC validation."
Best Answer
Try following Steps :
Hope this help you..