LDAPS over SSL - Schannel Event 36872 - "No suitable default server credential exists on this system."

Last Modified: 2012-05-06
I'm trying to use LDAPS over SSL and running into a Schannel event 36872, which gives the following Warning message in the event log.

"No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this."

I also get the Schannel Informational message (Event ID 36867):

"Creating an SSL client credential."

When I try to use ldp.exe to connect on port 636 to my domain controller, I receive the following message:

d = ldap_sslinit("servername.domain.org", 636, 1);
Error <0x51> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to servername.domain.org.

I have been through every article dealing with Schannel and LDAPS that Google can find and tried just about everything to get this to work, and I still can't figure out what the issue is.

Any ideas would be much appreciated.

I assume you have configured a Server Authentication certificate for the domain controller that you're attempting to connect to?

Make sure that the cert you've installed contains the private key, and that the NETWORK SERVICE account has Read perms to the private key. Also make sure that the certificate is installed in the Local Computer Personal store, and not the Personal store corresponding to a user account such as administrator.


Thanks.  I am sure that the cert contains a private key, but how do I make sure that the NETWORK SERVICE account can access the private key?

The cert is in the Local Computer store also.

Is this a 2008 box? Right-click on the cert in the Certificates MMC and click All Tasks-->Manage Private Keys.
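The checks from the two replies above (Server Authentication EKU, private key present, key readable by NETWORK SERVICE, cert in the Local Computer Personal store) can be scripted so the result is visible in one pass instead of clicking through the MMC. The script below is an added example for this thread, not code posted by the asker or the experts. It assumes it is run elevated on the domain controller, PowerShell 3.0 or later on .NET 4.6 or later (for GetRSAPrivateKey), a software-backed RSA key (CAPI or CNG) whose file lives under %ProgramData%\Microsoft\Crypto, and that the DC's name is whatever the host resolves itself to ($DcFqdn). It then attempts a TLS handshake on 636, which is what ldp.exe's ldap_sslinit does underneath, and lists recent 36872 events for correlation.

```powershell
# Added example (not from the original thread). Run elevated on the DC.
# Assumes PowerShell 3.0+/.NET 4.6+, software-backed RSA keys, and that the
# LDAPS name clients use is this host's own FQDN.

$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format() yields text like "DNS Name=dc01.domain.org, DNS Name=domain.org"
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-LdapsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # No EKU extension means "any purpose"; otherwise Server Authentication must be listed.
    $hasServerAuth = (-not $eku) -or (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)) + @(Get-SanDnsNames $Cert)
    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        NameMatches   = ($names -contains $HostName)
        InValidity    = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        ChainValid    = $Cert.Verify()
    }
}

function Get-PrivateKeyFile {
    # Locate the on-disk key container so its ACL can be inspected (what "Manage Private Keys" edits).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }                         # CNG: ...\Crypto\Keys
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }  # CAPI: ...\Crypto\RSA\MachineKeys
    else { return $null }
    if (-not $name) { return $null }
    Get-ChildItem (Join-Path $env:ProgramData 'Microsoft\Crypto') -Recurse -Filter ([IO.Path]::GetFileName($name)) -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty FullName
}

function Get-PrivateKeyAcl {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{ Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights; Type = $_.AccessControlType }
    }
}

function Test-LdapsHandshake {
    # Diagnostic only: the callback records validation errors instead of enforcing them,
    # because the question here is whether Schannel presents any credential at all.
    param([string]$HostName, [int]$Port = 636)
    $script:PolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:PolicyErrors = $sslPolicyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Cipher       = $ssl.CipherAlgorithm
            ServerCert   = $ssl.RemoteCertificate.Subject
            PolicyErrors = $script:PolicyErrors
        }
    } finally { $tcp.Close() }
}

Write-Host "Certificates in Cert:\LocalMachine\My evaluated for LDAPS on $DcFqdn"
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-LdapsCertificate -Cert $_ -HostName $DcFqdn }
$report | Format-Table -AutoSize

$usable = $report | Where-Object { $_.HasPrivateKey -and $_.ServerAuthEku -and $_.NameMatches -and $_.InValidity -and $_.ChainValid }
if (-not $usable) {
    Write-Warning 'No certificate meets every requirement; Schannel has nothing to offer on 636 (event 36872, ldap_connect 0x51).'
}
foreach ($u in $usable) {
    $keyFile = Get-PrivateKeyFile (Get-Item "Cert:\LocalMachine\My\$($u.Thumbprint)")
    if ($keyFile) {
        Write-Host "Private key file for $($u.Thumbprint): $keyFile (check NETWORK SERVICE has Read)"
        Get-PrivateKeyAcl $keyFile | Format-Table -AutoSize
    } else {
        Write-Warning "Could not locate the key file for $($u.Thumbprint) (hardware-backed or non-RSA key?)"
    }
}

try { Test-LdapsHandshake -HostName $DcFqdn | Format-List }
catch { Write-Warning "TLS handshake to ${DcFqdn}:636 failed: $($_.Exception.Message)" }

# Recent 36872 warnings, to correlate with the handshake result above
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36872 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the table shows a certificate that passes every column but the handshake still fails, the ACL listing is the next thing to look at; if no row passes, re-issuing the certificate with the right name and EKU (which is what resolved this thread) is the fix, and the script can be re-run afterwards to confirm the handshake completes.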


I fixed it by re-issuing the cert.