Channel: Remote Desktop Services (Terminal Services) Forum

RDS Gateway + Smart Card Error [ The specified user name does not exist.]


I have the following Windows Server 2008 R2 servers:

addsdc.contoso.com, AD DS Domain Controller for contoso.com

adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.

fileserver.contoso.com, RDS Session Host for Administration enabled

rdsgateway.contoso.com, RDS Gateway enabled

tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication

 

And the following Windows 7 PCs:

internalclient.contoso.com

externalclient.fabrikam.com

 

There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.

I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.

From internalclient.contoso.com, I can RDP to fileserver.contoso.com using the smart card just fine with no certificate errors.

From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using a username and password just fine with no certificate errors.

From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.

BUT when using a smart card to authenticate to the end server via the gateway, it fails with:

     The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 

When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue - but I'm pretty sure this is a supported scenario?

The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is UPN=johns@contoso.com, which matches the UPN of the user account as it was auto-enrolled.

Does anyone have any ideas?
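The following diagnostic is an added example, not part of the original post or any reply to it. It runs on the client with the smart card inserted and checks the three things the post narrows the problem down to: that the smart card certificate carries both the Smart Card Logon and Client Authentication EKUs, that its SAN UPN matches the account UPN, that the chain builds with online revocation checking (so the externally published CDPs/AIAs are actually reachable from the outside), and whether the client can open TCP 88 to the domain controller at all. The host names come from the post; the expected UPN, the script and its helper function are assumptions for illustration.

```powershell
# Added diagnostic for the smart-card-through-RD-Gateway failure described above.
# Not part of the original post. Run on the client (e.g. externalclient.fabrikam.com)
# with the smart card inserted, under the account that will log on.
# Host names are taken from the post; the expected UPN and this script are assumptions.
param(
    [string]$ExpectedUpn      = 'johns@contoso.com',   # UPN on the AD user account (assumed)
    [string]$DomainController = 'addsdc.contoso.com',  # DC named in the post
    [string]$Gateway          = 'rdsgateway.contoso.com'
)

$ekuClientAuth = '1.3.6.1.5.5.7.3.2'       # Client Authentication
$ekuSmartCard  = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon

function Get-EkuOids($cert) {
    # Return the EKU OIDs of a certificate as an array of strings (empty if no EKU extension).
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# 1. Smart card certificates are propagated into the user's personal store on insertion.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object { (Get-EkuOids $_) -contains $ekuSmartCard }
if (-not $certs) {
    Write-Warning 'No certificate with the Smart Card Logon EKU found in Cert:\CurrentUser\My'
    return
}

foreach ($cert in $certs) {
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host ("Client Authentication EKU present: {0}" -f ((Get-EkuOids $cert) -contains $ekuClientAuth))

    # 2. Pull the UPN out of the Subject Alternative Name (otherName 1.3.6.1.4.1.311.20.2.3).
    #    The formatted extension text contains a line like "Principal Name=johns@contoso.com".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }
    Write-Host "SAN UPN : $upn"
    if ($upn -ne $ExpectedUpn) {
        Write-Warning "SAN UPN '$upn' does not match the expected account UPN '$ExpectedUpn'"
    }

    # 3. Build the chain with online revocation checking for the whole chain, which is
    #    what the logon path does. Any RevocationStatusUnknown / OfflineRevocation status
    #    means the CDP/AIA URLs are not reachable from where this client sits.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)
    Write-Host "Chain builds with online revocation: $built"
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}

# 4. Can this client reach the DC for Kerberos (TCP 88) and the gateway over HTTPS (TCP 443)?
function Test-TcpPort([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($HostName, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}
Write-Host ("Kerberos TCP 88 to {0}: {1}"  -f $DomainController, (Test-TcpPort $DomainController 88))
Write-Host ("HTTPS TCP 443 to {0}: {1}"    -f $Gateway,          (Test-TcpPort $Gateway 443))
```

Run it once from the internal network and once from the internet and diff the output: the interesting differences are a chain status warning that only appears externally (revocation data not reachable) and the Kerberos reachability line. The server-side view of the same attempt is in the Microsoft-Windows-TerminalServices-Gateway/Operational log on the gateway (readable with Get-WinEvent), which shows whether the connection was accepted by the gateway before the session host rejected the smart card logon.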


