Smart card logon errors on domain controller

I am running a network with two domain controllers, both configured for smart card logon.  Both servers were working with no errors but then they started giving users errors the first 3 or 4 times they try to log in and then usually allowing them after a few attempts (some weren't so lucky though).  This error is hit or miss with users.  I am not sure where to go with troubleshooting from here, the certificates work for some users and not for others, work sometimes for certain users and not for others.  Can't recreate the error on purpose.  On both domain controllers it is giving the following error:

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          5/7/2013 3:10:21 PM
Event ID:      21
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      DC02.DOMAINNAME
Description:
The client certificate for the user DOMAINNAME\username is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : The revocation function was unable to check revocation because the revocation server was offline.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="32768">21</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-07T19:10:21.000000000Z" />
    <EventRecordID>8491</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>NIPRDC02.axad.belvoir.army.mil</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Domain">DOMAINNAME</Data>
    <Data Name="Username">username</Data>
    <Data Name="Status">The revocation function was unable to check revocation because the revocation server was offline.
</Data>
    <Binary>18000000132009800000000000000000</Binary>
  </EventData>
</Event>
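The event above says the KDC could not complete a revocation check, which is a chain-building problem on the domain controller rather than a defect in any one card. A first triage step is to pull every KDC Event ID 21 from the System log and count them by chain status and by user: one dominant "revocation server was offline" status spread across many users points at CRL/OCSP reachability from the DC, while a user who fails every time more likely has a bad or expired certificate. The following PowerShell is an added example written for this post, not code from the original poster; the log name, provider, event ID and the EventData field order (Domain, Username, Status) come from the posted event, while the 7-day window and the `user.cer` file name are placeholders.

```powershell
# Added example (not part of the original post): summarize KDC Event ID 21
# on a domain controller so intermittent smart card logon failures can be
# correlated per user and per chain status. Run in an elevated PowerShell
# session on each DC that logs the warning.
# Assumption: the 7-day window is a placeholder; adjust to the outage period.
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 21
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No KDC Event ID 21 entries since $since"
    return
}

# EventData order taken from the posted Event XML: Domain, Username, Status.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Domain = $e.Properties[0].Value
        User   = $e.Properties[1].Value
        Status = ([string]$e.Properties[2].Value).Trim()
    }
}

# Count by chain status: a single dominant revocation status across many
# users indicates CRL/OCSP reachability from the DC, not individual cards.
Write-Host "Failures by chain status:"
$rows | Group-Object Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Count per user: separates "always fails" users (bad or expired certificate)
# from "sometimes fails" users (intermittent revocation checking).
Write-Host "Failures by user:"
$rows | Group-Object Domain, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# When the revocation status dominates, confirm from the DC itself that every
# CDP/AIA URL in an affected user's chain is reachable and the CRLs are
# current. 'user.cer' is a placeholder for an exported copy of one affected
# user's smart card logon certificate (public part only).
# certutil -urlfetch -verify user.cer
```

The `certutil -urlfetch -verify` line is left as a comment so the script runs without the exported certificate; its output lists each CRL distribution point and OCSP responder with the fetch result, which is the quickest way to find the specific revocation server the DC cannot reach. If a single DC is affected, the same script run on the other DC gives the comparison.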
