Smartcard Authentication stopped working on IIS 7.5 - everybody gets 401

0

Everything was fine when we left on Friday. After the weekend, all users get 401 trying to authenticate to the web site. Our Web Server is IIS 7.5 in Windows Server 2008 R2. The site's SSL Settings are Require SSL and client certificate required. The Web Server level Authentication options are set to disabled except for Active Directory Client Certificate Authentication which is enabled. At the site level, Authentication options are all set to "Disabled." The Authentication Rules have a single entry which is to allow a specified user group, webUser.

Using Configuration Editor, I set up manyToOneCertificateMappings for each user using their CN and issuer from their smartcard, the DoD CAC. They map to a local user who is a member of the webUser group.

When a user goes to the site, they get "401 - Unauthorized: Access is denied due to invalid credentials." "You do not have permission to view this directory or page using the credentials that you supplied."

In the event log, I found errors but they stretch back long before we had trouble. This one confuses me because the NetLogon service is running:

Failure Information:
Failure Reason: The NetLogon component is not active.
Status: 0xc0000192
Sub Status: 0x80090325

I tried raising the privilege of the local user account to admin but no change. I confirmed that the certificates get checked using OCSP and tested with good and revoked certs. All certs are still valid.

Although everybody got workstations updates pushed over the weekend, nobody changed the server. I imagine that the root cause is something expired.

How can I tell if the certificate matching to the local user account is the problem or if the local user account is the problem?

iis
smartcard
http-status-code-401
asked on Stack Overflow Sep 4, 2018 by Bruce Dimon • edited Sep 4, 2018 by Bruce Dimon

1 Answer

0

It was not an error with IIS or certificates. I fixed it by editing the Group Policy for Computer Configuration. Under Local Policies, I added the "Allow log on locally" right to the authenticated users built-in security principal.

So the authentication has three basic layers. The client browser sends a certificate to the IIS. IIS looks up the manyToOneCertificateMappings for a match to the certificate fields. Using the local user credentials in the manyToOneCertificateMappings table, IIS logs the user in. This last step had the failure because the user was not allowed to log in locally.

I did not realize that the "Allow log on locally" right applied to web connections. I thought it was only for logging onto the console. Now, I need to find the so-and-so that made that Group Policy change...

answered on Stack Overflow Sep 6, 2018 by Bruce Dimon
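The answer separates three layers (certificate presented, manyToOne mapping matched, mapped local account logged on), and the original question asks how to tell layers two and three apart. The script below is an added diagnostic, not code from the post or from IIS documentation; it assumes the WebAdministration module that ships with IIS 7.5, that the manyToOne mappings live under the iisClientCertificateMappingAuthentication section, a site named "Default Web Site", and an elevated PowerShell session (secedit needs it).

```powershell
# Added diagnostic for the two server-side layers described in the answer.
# Assumptions: WebAdministration module present, site name below adjusted to
# the real site, and the session is elevated so secedit can export policy.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: replace with the real site name
$sitePath = "IIS:\Sites\$siteName"
$section  = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Layer 2: list every manyToOne mapping, the certificate rules it matches on,
# and the local account it logs on as. If nothing prints, the mapping layer
# is the problem (no rule for that CN/issuer); otherwise move on to layer 3.
$mappings = Get-WebConfiguration -Filter "$section/manyToOneMappings/add" -PSPath $sitePath
foreach ($m in $mappings) {
    "Mapping '$($m.name)' enabled=$($m.enabled) -> logs on as $($m.userName)"
    foreach ($r in $m.rules.Collection) {
        "    rule: $($r.certificateField)/$($r.certificateSubField) matches '$($r.matchCriteria)'"
    }
}

# Layer 3: who holds "Allow log on locally" (SeInteractiveLogonRight)?
# IIS performs an interactive-style logon with the mapped account, so the
# account, one of its groups, or Authenticated Users (S-1-5-11) must be listed.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $id = $_.Trim().TrimStart('*')          # secedit prefixes SIDs with '*'
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $id).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }                          # entries that are not SIDs stay as written
    }
}
"Allow log on locally is granted to: $($holders -join ', ')"
if ($holders -notcontains 'NT AUTHORITY\Authenticated Users') {
    'Authenticated Users is not granted the right; the mapped account or one of its groups must appear above, or the logon in layer 3 fails with 401.'
}
```

Run it on the web server itself; a mapping that prints correctly but a rights list that omits both the mapped account and Authenticated Users points at the Group Policy change the answer describes rather than at certificates.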

User contributions licensed under CC BY-SA 3.0