Kerberos and Smart Cards: Cert does not have an issuance policy descriptor error
Folks,

I am setting up smart card logon in a development environment. The certs on the smart cards are provisioned by a separate organization, and I have followed MS guidance on integrating third-party certs. Specifically, certificates (both user and domain controller) are issued by an intermediate CA. One of my domain controllers has a DC cert. The other does not. These 2 DCs have been broken out into their own Sites. All machines being tested are in the IP range corresponding to the Site managed by the DC with the DC cert.

I am able to successfully RDP into my DC with a smart card. However, if I try to RDP into any other machine in the domain with smart card authentication, it fails.

Checking the System Event Log on the DC with the domain cert, I observe the following error message:

<snip>The certificate that is used for authentication does not have an issuance policy descriptor corresponding to OID 2.16.840.1.101.3.2.1.5.4 in the Active Directory database. This certificate will not be associated with a corresponding security identifier (SID), and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. The error is 3221226021.</snip>

Checking the System Event Log on the target machine that I am attempting to Smart Card Logon into, I observe this message:

<snip>The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact your system administrator.</snip>

I've tried all sorts of things, from setting the DNS _kerberos records on DC2 to higher (lower number), installing updated CRLs on every machine, ensuring the NTAuthStore is correctly populated on all machines, ensuring that CA certs for the root and sub are on every machine, etc. But I am still facing this issue.

May help to know that the root CRL expired a few days ago (but I have been updating all the CRLs on every host). Also, these machines are all in a dev environment that does not have access to outside resources, so OCSP, etc, is not available.

Any help/experience is most welcome!

Thanks,
Chris
February 12th, 2010 12:16am
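One check a responder would run for the first event above is whether the directory actually contains an issuance policy object for the OID the KDC complains about, and whether that policy is linked to a group (the link is what yields the SID). The following PowerShell is an added diagnostic, not part of the original post; it assumes the ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added diagnostic (not from the original post): does AD hold an issuance policy
# object for the OID named in the KDC warning, and is it linked to a group?
# Assumes the ActiveDirectory module and rights to read the Configuration partition.
$oid = '2.16.840.1.101.3.2.1.5.4'   # OID quoted in the event log message above

$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

# Issuance policies are stored as msPKI-Enterprise-Oid objects keyed by msPKI-Cert-Template-OID
$policy = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$oid))" `
    -Properties displayName, 'msDS-OIDToGroupLink'

if (-not $policy) {
    Write-Output "No issuance policy object for $oid exists under $oidContainer."
    Write-Output "The KDC has nothing to map this certificate policy to a SID."
}
else {
    Write-Output "Found issuance policy '$($policy.displayName)' ($($policy.DistinguishedName))."
    if ($policy.'msDS-OIDToGroupLink') {
        # The link holds the DN of the group whose SID is added to the user's ticket
        $group = Get-ADGroup -Identity $policy.'msDS-OIDToGroupLink' -Properties objectSid
        Write-Output "Linked to group $($group.Name) (SID $($group.objectSid))."
    }
    else {
        Write-Output "Policy exists but is not linked to any group, so no SID is added to the ticket."
    }
}
```

If the first branch fires, the warning is explained: the third-party CA's certificate policy OID is simply unknown to this forest's PKI configuration, which is separate from whatever is blocking the logon on the non-DC machine.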
