Channel: Security forum

How to create 3rd Party CA NTAuth trust without autoenroll

As someone who frequently sets up certificate authentication for third party web applications, one of the hardest things in Windows to troubleshoot is certificate authentication failures.  During this process, unless IIS is involved in the particular step (checking the CRL / validating the account), getting logging is near impossible.  

I have tried looking to the Security Audit Event logs for information; however, the Security Audit logs do not have any detailed error information indexed anywhere. The site listed below provides a great example of some Logon Failure status and sub-status codes; however, these codes are only good for normal authentication methods. I have yet to see a good guide on troubleshooting Logon Failure Events coming from LSASS.EXE and SCHANNEL.

Windows Security Log Event ID 4625 - An account failed to log on

My sub-status code, 0x80090325, is not included in this guide.

Where can I get a comprehensive list of failure status codes for future troubleshooting? How can I get more advanced logs for Active Directory mapped client certificate authentication with IIS 7/8?
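
The sub-status quoted in the question has the bit layout of an SSPI HRESULT rather than an NTSTATUS logon code, which is why NTSTATUS-based 4625 tables do not list it. The following is an added example, not part of the original post: it reads Status and SubStatus from an exported 4625 event and classifies each value. The event XML is constructed, and the family heuristic and the short name table are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed Security event 4625 as exported to XML.
# Only the SubStatus value comes from the post; the rest is illustrative.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="Status">0xC000006D</Data>
    <Data Name="SubStatus">0x80090325</Data>
  </EventData>
</Event>"""

# Deliberately small name table; extend it from winerror.h / ntstatus.h.
KNOWN = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",  # cert chain ends in an untrusted root
}
FACILITY_SSPI = 9  # HRESULT facility used by SSPI/Schannel (SEC_E_*) errors


def classify(text):
    """Split a 32-bit status value into family, facility and low 16-bit code."""
    value = int(text, 16)
    facility = (value >> 16) & 0x7FF   # HRESULT facility field, bits 16-26
    if value >> 28 == 0xC:             # assumption: 0xCxxxxxxx is an NTSTATUS error
        family = "NTSTATUS"
    elif value >> 31 and facility == FACILITY_SSPI:
        family = "HRESULT/SSPI"
    else:
        family = "unknown"
    return {"value": value, "family": family, "facility": facility,
            "code": value & 0xFFFF, "name": KNOWN.get(value, "not in table")}


def decode_4625(event_xml):
    """Return classified Status and SubStatus fields from one 4625 event."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.findall(".//e:Data", NS)}
    return {k: classify(data[k]) for k in ("Status", "SubStatus") if k in data}


if __name__ == "__main__":
    for field, info in decode_4625(SAMPLE_EVENT).items():
        print(f"{field}: 0x{info['value']:08X} {info['family']} {info['name']}")
```

A value classified as `HRESULT/SSPI` should be looked up among the `SEC_E_*` definitions in winerror.h rather than in an NTSTATUS logon-failure table.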
