I checked all the EKUs in the certs and they have all the proper OIDs so the
templates were OK. We ended up opening a case with support and found out
that since the CA we were using was a standalone root CA and not an
enterprise CA you need to register it with the AD domain as a trusted root
server even though the IAS server had the root CA in its local machine
trusted store. We followed the following procedures to post this change:

We had tried this fix before opening the case but apparently we did not wait
long enough for the change to replicate throughout our AD forest because the
clients were still not authenticating 2 hours later. In frustration we
de-installed CA services and re-installed it to start from scratch so all the
original certs were no longer valid (we removed the old certs from the IAS
server). At any rate we appear to be working now and the lesson learned from
our point is sometimes you have to wait a while for a "fix" to work ;-) Also
it would appear that 2003 changes the way IAS servers verify Root CA trust.
Simply placing the root CA into the trusted root machine store is not enough
if the server is part of an AD domain.
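The registration step the post describes (publishing a standalone root CA into AD so domain members trust it, then waiting for replication), as an added example that is not part of the original post. It assumes the exported root CA certificate sits at the placeholder path `C:\temp\rootca.cer` and that the commands run as an Enterprise Admin on a domain-joined machine.

```powershell
# Added example, not from the original post. The path below is a placeholder;
# point it at the DER/Base64 export of the standalone root CA certificate.
$certFile = 'C:\temp\rootca.cer'

# Publish the root CA certificate into the forest's Certification Authorities
# container. Domain members pull this into their enterprise Root store, which is
# what a domain-joined IAS server checks; the local machine Root store alone is
# not sufficient, as the post found out.
certutil -dspublish -f $certFile RootCA

# Kick off replication across all naming contexts in the forest instead of
# waiting for the replication schedule (the "wait a while" part of the post).
repadmin /syncall /A /e /d

# On the IAS server: refresh policy, trigger autoenrollment (which pulls the
# AD-published roots down), then confirm the CA is present in the enterprise
# Root store by thumbprint.
gpupdate /force
certutil -pulse

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$published = certutil -store -enterprise Root | Select-String -Pattern $root.Thumbprint
if ($published) {
    Write-Output "Root CA $($root.Subject) is present in the enterprise Root store."
} else {
    Write-Output "Root CA not yet visible; allow more time for replication and re-run."
}
```

If the thumbprint still does not appear after replication has completed, verify the publish succeeded by listing the container with `certutil -viewstore -enterprise Root` on a domain controller.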