We have to administer Windows 2008 R2 servers which are in domains we are not members of - typically domains that support a particular application. We have DoD smartcards (CAC) and we admin from our Windows 7 desktops. If we disable NLA, we can CAC-authenticate over RDP just fine. With NLA enabled, though, we get "The remote computer you are trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA".
My assumption would be that the Win7 desktops would never know where the particular ADCs are, since we're not domain members, but that they actually need to verify the DoD root cert that signed our CAC. Said root cert has been installed on our desktops and on the servers in the domains.
What is necessary to get NLA with smart cards working for non-domain members?
Edit: With NLA enabled I *can* connect over RDP from one of the domain members to another, so this really seems specific to the non-member desktop settings and how it performs NLA