A snip from the article:
Smart card root certificate requirements for use when joining a domain
When using a smart card to join a domain, the smart card certificate must comply with one of the following conditions:
The smart card certificate must contain a Subject field that contains the DNS domain name within the distinguished name. If it does not contain this field, resolution to the appropriate domain will fail, causing the domain join with smart card to fail.
The smart card certificate must contain a UPN in which the domain part of the UPN must resolve to the actual domain. For example, the UPN "email@example.com" would work, but "firstname.lastname@example.org" would not work because the Kerberos client would not be able to find the appropriate domain.
The solution for both of the listed conditions is to supply a hint (enabled via the X509HintsNeeded registry setting) in the credentials prompt when joining a domain.
If the client computer is not joined to a domain, then the client will only be able to resolve the server domain by viewing the distinguished name on the certificate (as opposed to the UPN). For this scenario to work, the Subject field for the certificate must include "DC=" for domain name resolution.
To deploy root certificates on smart cards for the currently joined domain, the following command can be used:
Just a note - this has some issues unless you also deploy this hotfix.. http://support.microsoft.com/kb/957656
This is a post Vista SP1 fix..