Certificate Mapping - Debugging

How would I got about debugging Certificate Mapping in IIS? I have one user who gets prompted for a cert, selects the one associated to his AD account and then gets prompted for his user id and password. If I associate my cert, I can get in under his account. There must be something up with his certificate but it only happens on one domain.

I have a test domain set up and the mapping works fine.

Any ideas?