After copying the default Smartcard Logon or Smartcard User certificate template on a Windows 2008 R2 CA server, the template may not show up as selectable during Enroll on Behalf Of operations such as EOBO smartcard enrollment.
Clicking 'Show all templates' you may see the following error message for the template:
The certificate template requires too many RA signatures. Only one RA signature is allowed.Multiple request agent signatures are not permitted on a certificate request.
This is because Windows 2008 R2 requires an application policy to be defined for the EoBo operation (W2k3 did not enforce this requirement).
By default there is no number of authorized signatures defined (i.e. 0 signatures are allowed for the template - when you do an EoBo you therefore technically exceed the limit by 1).
Ticking the box as above allows the EoBo operation for the smartcard to succeed as it sets the number of allowed and required signatures to 1.
Brilliant! Was struggling with this, but great stuff!!!