Client certificate trouble in IIS
Published: 11/23/2013 12:47:01 PM
I was recently working on a website that used client certificates to authenticate the users, and while testing the application I was surprised to find that the certificates stored on the smart cards used for authentication were not available for the user to select. I verified that the root CA's certificate was installed in the server's trusted root CA list, but still I was unable to see and select the correct client certificate when visiting the website.
During client certificate authentication the server sends a list of trusted CAs to the client, which uses that list to decide which client certificates to present. For example, if the server only trusts a root CA named "Company CA", the client will only present client certificates issued by "Company CA". Based on this I decided to take a look at the actual list of CAs that the server sent to the client, and I found that the particular root CA I needed was not in the list. That explained why the client certificates were missing; now I had to figure out why the root CA was missing.
After some analysis of the Windows event log I eventually found a warning that looked interesting:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
It turned out that the server had too many certificates in the trusted root CA store, so the list was truncated. I went back to the list I got from the server and found that it contained about 170 certificates, while the actual store contained some 300+ certificates. Removing (quite) a few certificates from the store solved the problem.
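The review the warning asks for can be scripted. The following PowerShell is an added example, not code from the original post: it reports the size of the machine's Trusted Root CA store, confirms that the CA the application depends on is actually present, and lists expired roots as the first candidates for removal. The subject "CN=Company CA" is a placeholder taken from the post's hypothetical CA name; substitute your own. Run it in an elevated PowerShell session on the IIS server.

```powershell
# Added example (not from the original post). Inspects the local machine's
# Trusted Root CA store, which is where the server's client-auth CA list comes from.

function Get-TrustedRootReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        # Placeholder subject; replace with the CA that must reach your clients.
        [string]$RequiredSubject = 'CN=Company CA'
    )
    $certs = @(Get-ChildItem -Path $StorePath)
    $now   = Get-Date
    $expired = @($certs | Where-Object { $_.NotAfter -lt $now })

    [pscustomobject]@{
        StorePath       = $StorePath
        TotalCount      = $certs.Count            # the post saw 300+ here
        ExpiredCount    = $expired.Count
        RequiredPresent = [bool]($certs | Where-Object { $_.Subject -eq $RequiredSubject })
        Expired         = $expired | Select-Object Subject, NotAfter, Thumbprint
    }
}

# Removes expired roots. Without -Confirm it is a dry run (-WhatIf) so the
# administrator can review the list before anything is deleted.
function Remove-ExpiredTrustedRoots {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        [switch]$Confirm
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -lt $now } |
        ForEach-Object {
            if ($Confirm) { Remove-Item -Path $_.PSPath }
            else          { Remove-Item -Path $_.PSPath -WhatIf }
        }
}

$report = Get-TrustedRootReport
$report | Format-List StorePath, TotalCount, ExpiredCount, RequiredPresent
$report.Expired | Format-Table -AutoSize
Remove-ExpiredTrustedRoots          # dry run; add -Confirm to delete for real
```

Expired roots are only the obvious starting point; the remaining trimming is a judgement call about which issuers this server really needs to accept client certificates from. After removing certificates, re-check the CA list the server sends (for example with a TLS client that prints the acceptable client certificate CA names) and confirm that the Schannel truncation warning no longer appears in the System event log. Note that Windows can repopulate the root store through its automatic root certificate update mechanism, so a store that was trimmed by hand may grow again.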