Starting with what works, across multiple Issuing Subordinates. I can request via RPC the "Workstation Authentication" certificate. However, via the web ui of the same Issuing CAs when logging in with same AD credentials (domain admin) used with RPC request, the Workstation Authentication template is not listed.
Authentication of the IIS server on the Issuing CA's was only successful via negotiate, I'm uncertain why, but I am authenticating with my AD credentials over an SSL connection. Both of the subs are 2012r2.
Permissions on the Workstation Authentication certificate..
Authenticated users-Read
Domain Admins - Read,Write,Enroll
Domain Computers - Enroll
Enterprise Admins - Read, Write, Enroll