Event ID 16944 - Certificate OID error on Domain Controllers during a successful smartcard logon

We're getting event ID 16944 events logged on our DC's every time a user logs on with a smartcard that was issued by a 3rd party CA.
We're not seeing any other issues and the smartcard logon succeeds but we are concerned about *why* we are seeing this event.

This is an informative event only (i.e. not an error) and is typically seen when the smartcard certificate contains an OID that is external to Active Directory which means the DC cannot resolve it to anything printable.

The event itself however simply means that if your intentions were to use this OID for granting access to resources based on Authentication Mechanism Assurance (AMA) then that will not be possible without taking further steps.

The full event is: "The certificate that is used for authentication does not have an issuance policy descriptor corresponding to <OID> in the Active Directory database. This certificate will not be associated with a corresponding security identifier (SID), and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. The error is 3221226021. "

The error message 3221226021 means STATUS_NOT_FOUND (you can either look through the published Windows SDK's for this or else download the excellent error code application Errol from the Windows Marketplace and use it for lookup if you're using a Windows Phone).

To import the OID referenced into your Active Directory as Certificate Policies (*IF* your intentions are to grant access to resources via that OID and your security requirements warrant it) you can run the Certutil command once per each language ID that you want to import it for (the example below is for English and Swedish).

Example:
Certutil –f –oid <external OID referred to in event 16944> ”Contoso Medium Assurance” 1033 3
Certutil –f –oid <external OID referred to in event 16944> ”Contoso Medium Assurance” 1053 3

Once this is in place you'll most likely start seeing the informative event 16945 instead of 16944 - this simply means that while you now have imported an OID so that it is recognized and can be displayed by the operating system, it still isn't linked to any security group.
The 16945 event is also informative only and doesn't impede smartcard logon functionality by itself.

If you also wish to associate the new external OID with a security group to leverage AMA then you can follow  ”Step 2: Link Certificate Policies to Groups”  on http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx#BKMK_Step2 (using the PowerShell scripts on that page).

Further details:

Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx

ms-PKI-Enterprise-Oid class
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682540(v=vs.85).aspx

Enforce Smartcard on Access Check in Windows 2008 R2
http://blogs.technet.com/b/instan/archive/2010/01/15/enforce-smartcard-on-access-check-functionality-in-windows-2008-r2.aspx

Language Identifers
http://technet.microsoft.com/en-us/library/cc179219.aspx