The smart card certificate should meet one of the following conditions:
- The DN contains the DNS domain name. If it does not, resolution to the appropriate domain will fail, and TS and domain join with a smart card will fail.
- The smart card certificate contains a UPN, and the domain part of the UPN resolves to the actual domain.
Otherwise, the workaround is to supply a hint (enabled via the GPO setting X509HintsNeeded) in the credentials user interface for domain join.
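One way to check a certificate against the two conditions above before attempting a smart card logon or domain join (an added example, not part of the original page). The function name `Test-SmartCardCertDomainInfo` and the domain `corp.example.com` are hypothetical, and treating "resolves to the actual domain" as "equals the expected domain name and that name resolves in DNS" is an assumption.

```powershell
# Added example. Test-SmartCardCertDomainInfo is a hypothetical helper name;
# 'corp.example.com' is a constructed placeholder for the target domain.
function Test-SmartCardCertDomainInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ExpectedDomain
    )

    # Condition 1: DNS domain name carried as DC= components in the subject DN.
    # Assumes the usual leaf-first display order (CN=..., DC=corp, DC=example, DC=com).
    $dc = @([regex]::Matches($Certificate.Subject, '(?i)(?:^|,\s*)DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() })
    $dnDomain = if ($dc.Count -gt 0) { $dc -join '.' } else { $null }

    # Condition 2: UPN in the certificate; keep the part after '@'.
    $upn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    $upnDomain = if ($upn -match '@(.+)$') { $Matches[1] } else { $null }

    # Assumption: a candidate counts only if it names the expected domain
    # and that name resolves in DNS from this machine.
    $usable = foreach ($d in @($dnDomain, $upnDomain)) {
        if ($d -and $d -ieq $ExpectedDomain -and
            (Resolve-DnsName -Name $d -ErrorAction SilentlyContinue)) { $d }
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        DnDomain   = $dnDomain
        Upn        = $upn
        UpnDomain  = $upnDomain
        # Neither condition met: the hint workaround (X509HintsNeeded) applies.
        HintNeeded = -not $usable
    }
}

# Check every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardCertDomainInfo -Certificate $_ -ExpectedDomain 'corp.example.com' }
```

A certificate reported with `HintNeeded = True` carries no usable domain information in either the DN or the UPN, which is the case the hint workaround covers.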
To deploy root certificates on smart card for the currently joined domain, you can use the following command: