Hello,
I'm trying to set up Authentication Mechanism Assurance for users who log in with smart cards by following the Technet guide (http://technet.microsoft.com/en-us/library/dd378897%28WS.10%29.aspx).
I've created the certificate based on the Smart Card Logon template and added the "Medium Assurance" Issuance Policy. I linked the "Medium Assurance" issuance policy to a group in AD (CS-SC-MediumAccessLevel in the Users OU); using the get-IssuancePolicy.ps1 script in the guide, I can see that my issuance policy is indeed linked to the group.
When the test user logs on with the smart card for the first time, my Authentication Mechanism Assurance certificate gets auto-enrolled without issues. However, after a logoff and logon using the smart card, using whoami /groups I can see that the user is not getting added to the group linked to the issuance policy.
Has anyone encountered such an issue? How should I proceed with troubleshooting this issue?
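The following PowerShell script is an added troubleshooting example for the setup described above; it is not part of the original post or of the TechNet guide's get-IssuancePolicy.ps1. It checks the two places where AMA group injection silently fails: the issuance-policy object's msDS-OIDToGroupLink must point at a universal security group, and the issuance-policy OID must appear in the Certificate Policies extension of the logon certificate and of every CA certificate in its chain (or the chain must carry the "All issuance policies" OID 2.5.29.32.0). The policy display name "Medium Assurance" and the certificate selection by EKU are assumptions taken from the post.

```powershell
# Added example (not from the original post or the TechNet guide).
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-IssuancePolicyGroupLink {
    param(
        # Display name of the issuance policy to inspect; assumed from the post
        [string]$PolicyName = 'Medium Assurance'
    )
    $configNC     = (Get-ADRootDSE).configurationNamingContext
    $oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

    # Issuance policies are msPKI-Enterprise-Oid objects with flags = 2
    $policies = Get-ADObject -SearchBase $oidContainer `
        -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(flags=2))' `
        -Properties displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink

    foreach ($p in $policies) {
        if ($p.displayName -ne $PolicyName) { continue }
        $r = [ordered]@{
            Policy        = $p.displayName
            OID           = $p.'msPKI-Cert-Template-OID'
            LinkedGroup   = $p.'msDS-OIDToGroupLink'
            GroupScope    = $null
            GroupCategory = $null
            LinkOk        = $false
        }
        if ($r.LinkedGroup) {
            $g = Get-ADGroup -Identity $r.LinkedGroup -Properties GroupScope, GroupCategory
            $r.GroupScope    = $g.GroupScope
            $r.GroupCategory = $g.GroupCategory
            # The DC only adds the linked group to the PAC when it is a universal security group
            $r.LinkOk = ($g.GroupScope -eq 'Universal' -and $g.GroupCategory -eq 'Security')
        }
        [pscustomobject]$r
    }
}

function Test-CertificatePolicyChain {
    param(
        # OID of the issuance policy, e.g. the value returned by Get-IssuancePolicyGroupLink
        [Parameter(Mandatory)][string]$PolicyOid
    )
    $certPoliciesOid = '2.5.29.32'     # Certificate Policies extension
    $allPoliciesOid  = '2.5.29.32.0'   # "All issuance policies"
    $smartCardEku    = '1.3.6.1.4.1.311.20.2.2'

    # Pick the user's smart card logon certificate(s) from the personal store
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $smartCardEku
    }
    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($cert)
        foreach ($el in $chain.ChainElements) {
            $c   = $el.Certificate
            $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq $certPoliciesOid }
            $text = if ($ext) { $ext.Format($false) } else { '' }
            [pscustomobject]@{
                Subject       = $c.Subject
                HasPolicy     = $text -match [regex]::Escape($PolicyOid)
                HasAllPolicy  = $text -match [regex]::Escape($allPoliciesOid)
                # An element that carries neither breaks policy mapping for the whole chain
                PolicyOk      = ($text -match [regex]::Escape($PolicyOid)) -or
                                ($text -match [regex]::Escape($allPoliciesOid))
            }
        }
    }
}

function Get-CurrentTokenGroups {
    # Equivalent of "whoami /groups": resolves the SIDs in the current logon token
    [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Translate([Security.Principal.NTAccount]).Value }
}

# Usage: run on a DC or RSAT host as a domain admin, then on the smart card user's session
$link = Get-IssuancePolicyGroupLink -PolicyName 'Medium Assurance'
$link | Format-List
if ($link.OID) { Test-CertificatePolicyChain -PolicyOid $link.OID | Format-Table -AutoSize }
Get-CurrentTokenGroups | Where-Object { $_ -like '*MediumAccessLevel*' }
```

Run Get-IssuancePolicyGroupLink on a machine with RSAT to confirm LinkOk is true (a global or domain local group, or a distribution group, is linked successfully by the script in the guide but is never injected into the token). Run Test-CertificatePolicyChain in the smart card user's own session after a fresh smart card logon: every row, the end-entity certificate and each CA up to the root, must show PolicyOk as true, otherwise the DC cannot map the certificate to the issuance policy and the group stays out of the PAC regardless of the AD link. Get-CurrentTokenGroups reflects the token of the current session, so it has to be run after a logoff and a new smart card logon, exactly as with whoami /groups.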