I will try this, and I would prefer that login method anyway. I think the explanation is that in RDP protocols above RDP4, Network Level Authentication is the preferred method. This is of course more secure because a man-in-the-middle will only see a hash instead of plain text. Smart card login has to occur on the terminal server itself, so I guess that forces login without NLA, which is great for me. My network is small enough that I don't need to worry with man-in-the-middle anyway.
Thanks for the tip!
David