RDP
Ziptar, 2015-12-16 10:56:01

RDS logon via Smart-Card (eToken & SSL Cert) without AD, with a 3rd-party CA. How?

The requirements for the CA certificate are described in detail on TechNet, naturally for the case when AD is used; only that option is not possible in my case. In this regard, 2 things cause confusion:
1) UPN: if for a user who is a domain member the UPN looks like [email protected], then what does the UPN look like for a user outside the domain perimeter?
2) CRL: when using a domain for smart-card logon, online access to the CRL is required. Q1: Is online access to the CRL needed for the same purpose on a computer outside the domain perimeter? Q2: Is winsrv capable of fetching the CRL over SMB? The URI does not dictate the access protocol and lets you optionally write smb:// followed by the path to the CRL in the certificate.
Further.
Now I am "stuck" on the fact that mstsc picks up a certificate from the token and tries to log in but cannot; as a result, an RDP window opens with a prompt to enter a username and password. The saddest thing is that there is no trace of the login attempts in the security audit log.
UPD:
Although one option is to set up AD and a CA and move the RDS server from 1C to a virtual machine, that is a lot of trouble for the sake of 4 users of 1C. In addition, everything would have to be redone and, accordingly, 1C would be stopped for a couple of days.
Besides, it would be desirable to use a single CA and a single certificate for both OVPN and RDP logon. An MS CA will cause problems when it comes to working with OVPN. In addition, if you suddenly forget to renew the administrator's access certificate on time, you will have to go to the server, which is far away :(
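An added diagnostic, not code from the question or the answer: assuming the token middleware exposes the certificate in the CurrentUser\My store (as it must for mstsc to pick it up), it lists the three properties the question turns on (Smart Card Logon EKU, a UPN in the SAN, the CRL distribution point URLs) and then runs the built-in certutil chain and revocation check the same way Windows would:

```powershell
# Added diagnostic (not from the original post). Inspects the smart-card certificate
# visible in the user's store for the properties the question asks about.
# Assumes the token middleware has propagated the certificate into Cert:\CurrentUser\My.

$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$sanOid            = '2.5.29.17'                 # Subject Alternative Name
$cdpOid            = '2.5.29.31'                 # CRL Distribution Points

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
foreach ($cert in $certs) {
    Write-Host "== $($cert.Subject)  (thumbprint $($cert.Thumbprint))"

    # 1) Enhanced Key Usage: Smart Card Logon must be present for interactive logon
    $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    Write-Host ("  Smart Card Logon EKU : {0}" -f ($ekus -contains $smartCardLogonEku))

    # 2) Subject Alternative Name: a UPN shows up as "Other Name: Principal Name=..."
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($san) { $san.Format($true) } else { '<no SAN extension>' }
    Write-Host "  SAN                  : $($sanText -replace '\s+', ' ')"
    Write-Host ("  UPN present          : {0}" -f ($sanText -match 'Principal Name='))

    # 3) CRL Distribution Points: Windows retrieves CRLs over http://, ldap:// or a
    #    file:// UNC path; any other scheme (e.g. smb://) is simply not fetched
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '<no CDP extension>' }
    $urls = [regex]::Matches($cdpText, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    if (-not $urls) { Write-Host "  CDP                  : none found" }
    foreach ($u in $urls) {
        $fetchable = $u -match '^(http|ldap|file)://'
        Write-Host ("  CDP {0,-45} fetchable scheme: {1}" -f $u, $fetchable)
    }

    # 4) Full chain build with online CRL retrieval, as the logon path would do it
    $tmp = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    [IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
    certutil -verify -urlfetch $tmp | Select-String 'Revocation|Error|Expired|CRL'
    Remove-Item $tmp
}
```

If the EKU or UPN line reports False, or certutil reports a revocation-status error, the logon prompt falling back to username/password is expected before any security-log entry is written.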


1 answer(s)
Ivan Bazaichenko, 2016-01-12
@Banzaii

Hello. And what is the purpose of all this, if there are only 4 users of 1C?
