LDAPS over SSL - Schannel Event 36872 - "No suitable default server credential exists on this system."

Posted on 2009-02-12
Last Modified: 2012-05-06
I'm trying to use LDAPS over SSL and running into a Schannel event 36872 which gives the following Warning message in the event log.

"No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this."

I also get the Schannel Informational message (Event ID 36867):

"Creating an SSL client credential."

When I try to use ldp.exe to connect on port 636 to my domain controller, I receive the following message:

d = ldap_sslinit("", 636, 1);
Error <0x51> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to

I have been through every article dealing with Schannel and LDAPS that Google can find and tried just about everything to get this to work, and I still can't figure out what the issue is.

Any ideas would be much appreciated.
Question by:usom

    Expert Comment

    I assume you have configured a Server Authentication certificate for the domain controller that you're attempting to connect to?

    Make sure that the cert you've installed contains the private key, and that the NETWORK SERVICE account has Read perms to the private key. Also make sure that the certificate is installed in the Local Computer Personal store, and not the Personal store corresponding to a user account such as administrator.

    Author Comment

    Thanks. I am sure that the cert contains a private key, but how do I make sure that the NETWORK SERVICE account can access the private key?

    The cert is in the Local Computer store also.

    Expert Comment

    Is this a 2008 box? Right-click on the cert in the Certificates MMC and click All Tasks-->Manage Private Keys.
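The two expert comments above list three things to verify on the domain controller (a Server Authentication certificate in the Local Computer Personal store, a private key present, and NETWORK SERVICE able to read that key) and the question itself shows a failed port 636 connection. The following PowerShell script is an added diagnostic, not code from the thread, that checks those three conditions and then attempts a TLS handshake on port 636 the way ldp.exe would. It assumes it runs elevated on the DC, that keys live in the default ProgramData key directories, and that the key is RSA (CAPI or CNG); the `$DcName` and `$Port` parameters are hypothetical names chosen here.

```powershell
# Added diagnostic for the checks discussed in the thread (not from the original post).
# Assumes: run elevated on the domain controller; RSA key (CAPI or CNG) in the default
# ProgramData key folders; $DcName / $Port are names chosen for this example.
param(
    [string]$DcName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$Port = 636
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth EKU that Schannel looks for

# 1. Candidate certs: Local Computer Personal store, unexpired, private key, Server Auth EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}
if (-not $candidates) {
    Write-Warning 'No unexpired Server Authentication certificate with a private key in LocalMachine\My.'
}

# 2. Locate the on-disk private key file (CNG vs legacy CAPI storage differ).
function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG machine keys (assumed default location)
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI machine keys (assumed default location)
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    }
    return $null
}

# 3. Does NETWORK SERVICE hold an Allow ACE that covers Read on the key file?
function Test-NetworkServiceRead {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return $false }
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $read) -eq $read)) {
            return $true
        }
    }
    return $false
}

# 4. Reproduce the ldp.exe test: open a TLS session to port 636 and report what the DC presents.
function Test-LdapsHandshake {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Validation callback returns $true so a name/chain mismatch still lets us see the
        # cert the DC sent; this is a diagnostic only, the result is reported, not trusted.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return [pscustomobject]@{
            Subject    = $remote.Subject
            Thumbprint = $remote.Thumbprint
            Protocol   = $ssl.SslProtocol
        }
    }
    catch {
        # A refused or reset connection here is what event 36872 predicts: no usable server credential.
        Write-Warning "TLS handshake to ${HostName}:${Port} failed: $($_.Exception.Message)"
        return $null
    }
    finally { $client.Close() }
}

foreach ($cert in $candidates) {
    $keyPath = Get-PrivateKeyPath -Cert $cert
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        Expires        = $cert.NotAfter
        PrivateKeyFile = $keyPath
        NetworkSvcRead = Test-NetworkServiceRead -Path $keyPath
    }
}
Test-LdapsHandshake -HostName $DcName -Port $Port
```

Run it on the DC after installing or re-issuing the certificate. A row with `NetworkSvcRead` equal to `False` points at the permission the second expert comment fixes through All Tasks-->Manage Private Keys; an empty candidate list means the cert is missing, expired, lacks the Server Authentication EKU, or landed in a user store instead of the Local Computer store, which is the first comment's checklist.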

    Author Comment

    I fixed it by re-issuing the cert.

    Accepted Solution

    Question PAQ'd, 500 points refunded, and stored in the solution database.
