If there are multiple valid certificates available in the local computer store, Schannel the Microsoft SSL provider, selects the first valid certificate that it finds store. The LDAP bind may fail if Schannel selects the wrong certificate.

Loading the requested server certificate into the NTDS/Personal certificate store will ensure that the correct server certificate is used for LDAPS


  • Automatic certificate enrollment (auto-enrollment) cannot be utilized to populate NTDS\Personal certificate store
  • Command line tools are not able to manage certificates in the NTDS\Personal certificate store
  • Certificates should be imported into the NTDS\Personal store and not moved through drag-and-drop in the Certificates snap-in
  • The import process must be conducted on each domain controller

LDAP over SSL (LDAPS) Certificate (MS TechNet)

When exporting the certificate:

  • When prompted, select “Yes, export the private key”
  • Select the “Personal Information Exchange – PKCS #12(.pfx)” format
  • Do not select “Include all certificates in the certificate path” or “Delete the private key if the export is successful”
  • Select “Export all extended properties”


To automate,
a) make a script to create the A records on the DNS
b) request a certificate with the DNS names, approve (at the CA level), load in the default computer\my store

c) export (reg export) the certificate (registry), change the registry path to replace \SystemCertificates\My\Certificates by \Cryptography\Services\NTDS\SystemCertificates\My\Certificates\

Details are here: