Tag Archive: LDAPS

If there are multiple valid server certificates in the local computer store, Schannel (the Microsoft SSL provider) selects the first valid certificate it finds in that store, with no way to say which one. An LDAP over SSL bind may fail if Schannel picks a certificate whose name, chain or key usage does not fit the domain controller.

Loading the intended server certificate into the NTDS\Personal certificate store ensures that this certificate is the one used for LDAPS, because the AD DS service's own store is consulted ahead of the computer's Personal store. Points to keep in mind:


  • Automatic certificate enrollment (auto-enrollment) cannot be used to populate the NTDS\Personal certificate store
  • Command line tools are not able to manage certificates in the NTDS\Personal certificate store
  • Certificates should be imported into the NTDS\Personal store and not moved through drag-and-drop in the Certificates snap-in
  • The import process must be conducted on each domain controller

LDAP over SSL (LDAPS) Certificate (MS TechNet)

When exporting the certificate:

  • When prompted, select “Yes, export the private key”
  • Select the “Personal Information Exchange – PKCS #12(.pfx)” format
  • Do not select “Include all certificates in the certificate path” or “Delete the private key if the export is successful”
  • Select “Export all extended properties”


To automate this across several domain controllers:

a) script the creation of the A records in DNS for the names the certificate must cover
b) request a certificate carrying those DNS names, approve it at the CA level and let it install into the default computer Personal (My) store
c) export the certificate's registry key (reg export) from HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<thumbprint>, rewrite the path in the .reg file to HKLM\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\<thumbprint>, and import it again. The registry blob contains only the certificate and a reference to its key container, never the private key itself, so this works only when the key was generated in the machine key store (MachineKeySet = TRUE).
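The registry copy in step (c), written out as a PowerShell script. This is an added example, not code from the original post or from Microsoft: it checks the certificate in the computer's Personal store, duplicates its registry key under the NTDS service store, optionally removes other entries so Schannel has exactly one candidate there, and verifies the result. It assumes the certificate was requested with MachineKeySet = TRUE, that it runs elevated on the domain controller, and that -Thumbprint is the SHA-1 thumbprint printed by certutil -store My (all placeholders, not values from the page).

```powershell
<#
Added example (not from the original post): copy a certificate from the computer's
Personal (My) store into NTDS\Personal by duplicating its registry key.
Assumptions: key generated with MachineKeySet = TRUE (so the blob only references
the machine key container), elevated session on the DC, -Thumbprint from
"certutil -store My".
#>
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [switch]$RemoveOthers   # drop any other certificate already in NTDS\Personal
)

$Thumbprint = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
$dcFqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Check the source certificate before touching the service store.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in the machine store; LDAPS cannot use it."
}
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
    Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
if (-not $hasServerAuth) {
    throw "Certificate $Thumbprint lacks the Server Authentication EKU ($serverAuthOid)."
}
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
if (-not $sanExt -or $sanExt.Format($false) -notmatch [regex]::Escape($dcFqdn)) {
    Write-Warning "Subject Alternative Name does not list $dcFqdn; LDAPS clients will fail the host name check."
}

# 2. Registry locations: both stores keep one key per certificate, named by the
#    thumbprint, holding a binary 'Blob' value.
$srcKey    = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\$Thumbprint"
$dstParent = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates"
if (-not (Test-Path $srcKey)) { throw "No registry entry at $srcKey" }
New-Item -Path $dstParent -Force | Out-Null   # creates the NTDS store keys if absent

if ($RemoveOthers) {
    # Leave Schannel exactly one candidate in NTDS\Personal.
    Get-ChildItem $dstParent | Where-Object { $_.PSChildName -ne $Thumbprint } | ForEach-Object {
        Write-Output "Removing stale NTDS\Personal entry $($_.PSChildName)"
        Remove-Item $_.PSPath -Recurse -Force
    }
}

# Copy-Item on the registry provider creates <dstParent>\<Thumbprint> with its Blob value,
# the same effect as reg export + path rewrite + reg import.
Copy-Item -Path $srcKey -Destination $dstParent -Force

# 3. Verify the copy landed.
$dstKey = Join-Path $dstParent $Thumbprint
if (-not (Test-Path $dstKey)) { throw "Copy failed: $dstKey is missing" }
$blob = (Get-ItemProperty $dstKey).Blob
Write-Output ("Copied {0} ({1}, expires {2:u}) to NTDS\Personal; blob is {3} bytes." -f
    $Thumbprint, $cert.Subject, $cert.NotAfter, $blob.Length)
Write-Output "Confirm in the Certificates MMC (Service account: Active Directory Domain Services), then re-test with ldp.exe on port 636."
```

Run it once per domain controller, for example .\Copy-ToNtdsStore.ps1 -Thumbprint <thumbprint> -RemoveOthers; the script name is a placeholder. The -RemoveOthers switch is the practical answer to the "first valid certificate" problem above: with a single entry in NTDS\Personal there is nothing else for Schannel to choose.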

Details are here:

The simplest way is the Certificates MMC snap-in. However, it is only available on GUI-based Windows servers; on Server Core you cannot run the MMC locally. If you prefer, or have no choice, the same can be done from the command line:

Note: to request an SSL certificate on Windows Server 2008 / 2008 R2 domain controllers, it is recommended to use the default CA template Kerberos Authentication (intended for domain controllers). It requires a firewall rule allowing TCP 445 from the issuing CA to the domain controllers (see the AD CS firewall ports link below). We assume below that the Kerberos Authentication template is published by your enterprise PKI and that Subject Alternative Names are enabled on it.

Procedure using certreq:

1) On the domain controller, create a request.inf file with this content:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE ; key goes into the machine key store, required for LDAPS
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digitalSignature + keyEncipherment

[RequestAttributes]
CertificateTemplate = KerberosAuthentication

; Omit the section below if the CA is an enterprise CA (the template supplies the EKU)
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
;----------------- end of request.inf -----------------

2) prepare the request:

certreq -new request.inf request.req

3) Submit the request as the local SYSTEM account, so that it reaches the CA with the domain controller's computer account (the Kerberos Authentication template is meant to be enrolled by domain controllers). Start a shell as SYSTEM with Sysinternals psexec:

psexec -s -i cmd.exe

then, in that shell:

certreq -submit -config "MyissuingCA.mydomain.com\MYCANAME" request.req certnew.cer

The issued certificate is written to certnew.cer (if you omit the output file name, certreq prompts you where to save it).

4) Install the certificate:

certreq -accept certnew.cer

5) Test LDAPS with ldp.exe: Connection > Connect, enter the DC FQDN, port 636 and tick SSL. If the Directory Service event log shows Event ID 1220, the DC could not obtain a suitable certificate and LDAPS is not available (see the link below).

6) Useful certutil checks on the domain controller:

list the certificates in the computer's Personal store: certutil -store My

verify the store (chain and private key binding): certutil -verifystore My

repair a certificate whose private key association is broken: certutil -repairstore My <CertNum>

list the templates available to this computer: certutil -templates > d:\output.txt
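A scriptable complement to the ldp.exe test in step 5, and to the Schannel selection problem described at the top of the page. This is an added example, not code from the original post: it opens a TLS session to the DC on TCP 636 and reports the certificate Schannel actually presented (subject, issuer, thumbprint, SAN, expiry, and any chain or host name validation error), optionally comparing the thumbprint with the one you installed. -DcFqdn and -ExpectedThumbprint are placeholders you supply; the script assumes port 636 is reachable.

```powershell
<#
Added example (not from the original post): show which certificate Schannel serves
on LDAPS and whether it is the one you expect.
Assumptions: -DcFqdn is the DC's FQDN, TCP 636 reachable, -ExpectedThumbprint is the
thumbprint loaded into NTDS\Personal (optional).
#>
param(
    [Parameter(Mandatory = $true)][string]$DcFqdn,
    [string]$ExpectedThumbprint,
    [int]$Port = 636
)

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
# Record chain/name problems instead of aborting the handshake, so the wrong
# certificate can still be inspected and reported.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DcFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # The target host name is what a real LDAPS client checks against the SAN/CN.
    $ssl.AuthenticateAsClient($DcFqdn)

    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $sanExt  = $presented.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    [pscustomobject]@{
        Server       = "${DcFqdn}:$Port"
        Protocol     = $ssl.SslProtocol
        Subject      = $presented.Subject
        Issuer       = $presented.Issuer
        Thumbprint   = $presented.Thumbprint
        NotAfter     = $presented.NotAfter
        SAN          = $sanText
        PolicyErrors = $script:policyErrors   # 'None' means chain and host name both validated
    }
    $ssl.Dispose()

    if ($ExpectedThumbprint) {
        $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
        if ($presented.Thumbprint -ne $expected) {
            Write-Warning "Schannel presented $($presented.Thumbprint), not the expected $expected. Look for other valid certificates in the computer and NTDS stores."
        } else {
            Write-Output "Schannel presented the expected certificate."
        }
    }
}
finally {
    $client.Dispose()
}
```

Run it from any domain member, for example .\Test-Ldaps.ps1 -DcFqdn dc1.mydomain.com -ExpectedThumbprint <thumbprint> (names are placeholders). PolicyErrors other than None pinpoint the cause ldp.exe only hints at: RemoteCertificateNameMismatch means the SAN does not cover the FQDN you connected to, RemoteCertificateChainErrors means the issuing CA is not trusted by the client.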

I also collected web resources:

Certificate templates overview: http://technet.microsoft.com/en-us/library/cc730826%28WS.10%29.aspx

FW ports for AD CS: http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Troubleshooting Certificate enrollment: http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

ADCS FAQ: http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-frequently-asked-questions-faq.aspx

Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain: http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html

LDAP over SSL (LDAPS) Certificate: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Event ID 1220 — LDAP over SSL (LDAPS): http://social.technet.microsoft.com/wiki/contents/articles/2979.event-id-1220-ldap-over-ssl-ldaps.aspx

Troubleshooting LDAP Over SSL: http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

How to enable LDAP over SSL with a third-party certification authority: using certreq utility: http://support.microsoft.com/kb/321051