I have written a custom credential provider and a key storage provider to do a custom logon for Windows where I use my smartphone instead of a card reader. The certificate is delivered to my key storage provider via Bluetooth, and lsass.exe calls the SignHash function of my key storage provider. I sign the hash with the private key on the smartphone and return it to the key storage provider, so the signature can be returned to lsass.exe.
I see a Kerberos ticket request in my domain controller's event log, but in the client event log I see "the requested operation is not supported" with an error code of 0x80090029 (NTE_NOT_SUPPORTED). The extended key usage of the certificate includes clientAuth and smartcardlogon, so I think it should work.
I do not know what is going wrong without more information. Is there any possibility to get Windows to spit out a little bit more information?
EDIT
I added a little more logging, and in the ReportResult function of my credential provider I see that the substatus for the login error is c0000321 (STATUS_SMARTCARD_SUBSYSTEM_FAILURE). Unfortunately this doesn't help me much.
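The post describes the call path lsass.exe takes into a key storage provider's SignHash, and asks how to get more diagnostic detail out of it. The following is an added example, not the asker's provider and not Microsoft's sample code: it models the argument checks a KSP SignHash entry point has to make (size-query call with a NULL signature buffer, padding flags, hash length against the padding info's algorithm id) and records a one-line trace for every early return, so each NTE_* result the provider hands back can be matched to a reason in the provider's own log. The CNG/NCrypt constants are re-declared locally so the file builds outside Windows; the Bluetooth signer is replaced by a function pointer, and the `test_signer` supplied here is a constructed stand-in that produces no real signature.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* CNG/NCrypt constants re-declared locally so this builds without the Windows SDK.
   Values match the SDK headers; NTE_NOT_SUPPORTED is the code seen in the question. */
typedef uint32_t SECURITY_STATUS;
#define ERROR_SUCCESS          0x00000000u
#define NTE_FAIL               0x80090020u
#define NTE_INVALID_PARAMETER  0x80090027u
#define NTE_BUFFER_TOO_SMALL   0x80090028u
#define NTE_NOT_SUPPORTED      0x80090029u
#define BCRYPT_PAD_PKCS1       0x00000002u
#define BCRYPT_PAD_PSS         0x00000008u
#define NCRYPT_SILENT_FLAG     0x00000040u

/* Stand-in for BCRYPT_PKCS1_PADDING_INFO (pszAlgId is an LPCWSTR on Windows). */
typedef struct { const char *pszAlgId; } PKCS1_PADDING_INFO;

/* Assumed transport hook: the real provider sends the hash to the phone over
   Bluetooth and receives the raw RSA signature back. Returns 0 on success. */
typedef int (*phone_sign_fn)(const uint8_t *hash, size_t hash_len, uint8_t *sig, size_t sig_len);

/* Last diagnostic line; a real provider would write this to its log or ETW. */
static char g_trace[256];
static void trace(const char *msg) { snprintf(g_trace, sizeof g_trace, "%s", msg); }
const char *ksp_last_trace(void) { return g_trace; }

/* Mirrors the parameter list of the NCryptSignHash entry point a KSP implements.
   key_bits stands in for the modulus size the provider reads from the key handle. */
SECURITY_STATUS ksp_sign_hash(unsigned key_bits, phone_sign_fn sign, void *pPaddingInfo,
                              const uint8_t *pbHashValue, uint32_t cbHashValue,
                              uint8_t *pbSignature, uint32_t cbSignature,
                              uint32_t *pcbResult, uint32_t dwFlags)
{
    uint32_t sig_len = key_bits / 8;
    if (!pcbResult || !pbHashValue || cbHashValue == 0) {
        trace("null or empty arguments"); return NTE_INVALID_PARAMETER;
    }

    /* Only PKCS#1 v1.5 padding is implemented here; PSS or unknown flags are refused
       with NTE_NOT_SUPPORTED and the trace records exactly which flags arrived. */
    uint32_t padding = dwFlags & ~NCRYPT_SILENT_FLAG;
    if (padding != BCRYPT_PAD_PKCS1) {
        char buf[96];
        snprintf(buf, sizeof buf, "unsupported padding flags 0x%08x", padding);
        trace(buf); return NTE_NOT_SUPPORTED;
    }

    /* The padding info names the digest; check the hash length agrees with it. */
    PKCS1_PADDING_INFO *pi = pPaddingInfo;
    size_t expect = 0;
    if (pi && pi->pszAlgId) {
        if      (strcmp(pi->pszAlgId, "SHA1")   == 0) expect = 20;
        else if (strcmp(pi->pszAlgId, "SHA256") == 0) expect = 32;
        else if (strcmp(pi->pszAlgId, "SHA384") == 0) expect = 48;
        else if (strcmp(pi->pszAlgId, "SHA512") == 0) expect = 64;
        else { trace("unsupported pszAlgId in padding info"); return NTE_NOT_SUPPORTED; }
    }
    if (expect && cbHashValue != expect) {
        trace("hash length does not match pszAlgId"); return NTE_INVALID_PARAMETER;
    }

    /* lsass calls first with pbSignature == NULL to learn the buffer size it needs. */
    *pcbResult = sig_len;
    if (!pbSignature) { trace("size query answered"); return ERROR_SUCCESS; }
    if (cbSignature < sig_len) { trace("caller buffer too small"); return NTE_BUFFER_TOO_SMALL; }

    if (sign(pbHashValue, cbHashValue, pbSignature, sig_len) != 0) {
        trace("phone signing failed"); return NTE_FAIL;
    }
    trace("signature returned"); return ERROR_SUCCESS;
}

/* Constructed stand-in for the phone: fills the buffer with the hash repeated.
   This is NOT a signature; it only lets the dispatch logic above be exercised. */
int test_signer(const uint8_t *hash, size_t hash_len, uint8_t *sig, size_t sig_len) {
    for (size_t i = 0; i < sig_len; i++) sig[i] = hash[i % hash_len];
    return 0;
}

int main(void) {
    PKCS1_PADDING_INFO pi = { "SHA256" };
    uint8_t hash[32] = { 0xab }, sig[256]; uint32_t cb = 0;
    SECURITY_STATUS st = ksp_sign_hash(2048, test_signer, &pi, hash, 32, NULL, 0, &cb, BCRYPT_PAD_PKCS1);
    printf("size query: 0x%08x, need %u bytes (%s)\n", st, cb, ksp_last_trace());
    st = ksp_sign_hash(2048, test_signer, &pi, hash, 32, sig, sizeof sig, &cb, BCRYPT_PAD_PSS);
    printf("PSS request: 0x%08x (%s)\n", st, ksp_last_trace());
    return 0;
}
```

The two-call pattern (size query, then the real call) and the padding flags are the places where a provider most easily returns a status lsass does not expect, so the trace string is written before every return rather than only on the success path.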