LDAPS over SSL - Schannel Event 36872 - "No suitable default server credential exists on this system."

Posted on 2009-02-12
Last Modified: 2012-05-06
I'm trying to use LDAPS over SSL and running into a Schannel event 36872 which gives the following Warning message in the event log.

"No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this."

I also get the Schannel Informational message (Event ID 36867):

"Creating an SSL client credential."

When I try to use ldp.exe to connect on port 636 to my domain controller, I receive the following message:

d = ldap_sslinit("servername.domain.org", 636, 1);
Error <0x51> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to servername.domain.org.

I have been through every article dealing with Schannel and LDAPS that Google can find and tried just about everything to get this to work, and I still can't figure out what the issue is.

Any ideas would be much appreciated.
Question by:usom

Expert Comment

ID: 23625834
I assume you have configured a Server Authentication certification for the domain controller that you're attempting to connect to?  

Make sure that the cert you've installed contains the private key, and that the NETWORK SERVICE account has Read perms to the private key. Also make sure that the certificate is installed in the Local Computer Personal store, and not the Personal store corresponding to a user account such as administrator.

Author Comment

ID: 23627408
Thanks.  I am sure that the cert contains a private key, but how do I make sure that the NETWORK SERVICE account can access the private key?

The cert is in the Local Computer store also.

Expert Comment

ID: 23628689
Is this a 2008 box? Right-click on the cert in the Certificates MMC and click All Tasks-->Manage Private Keys.
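
The following PowerShell script is an added example and is not code from this thread. It automates the checklist in the first expert comment (a Server Authentication certificate in the Local Computer Personal store, with its private key, readable by NETWORK SERVICE) and the private-key permission check behind the "Manage Private Keys" step above, then attempts the same LDAPS handshake on port 636 that ldp.exe performs so you can see which certificate, if any, the DC presents. It assumes it runs in an elevated PowerShell 3 or later session on the domain controller itself, that the DC's FQDN resolves in DNS, and that private keys live in the standard CryptoAPI and CNG machine key folders; locating the key file for a CNG-backed certificate additionally needs .NET 4.6 or later. The key root paths, function names and output fields are the example's own choices.

```powershell
# Added diagnostic script for Schannel event 36872 (no usable default server credential).
# Assumptions: elevated PowerShell 3+ on the DC; FQDN from DNS; standard machine key folders.

$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$keyRoots      = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),  # CryptoAPI (CSP) machine keys
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')              # CNG machine keys
)

function Get-PrivateKeyFile {
    # Locate the on-disk key container backing $Cert so its DACL can be inspected.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $name = $null
    try { $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }   # CSP keys
    if (-not $name) {
        try {   # CNG keys (RSACertificateExtensions requires .NET 4.6+)
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            $name = $rsa.Key.UniqueName
        } catch { }
    }
    if (-not $name) { return $null }
    Get-ChildItem -Path $keyRoots -Recurse -Filter $name -ErrorAction SilentlyContinue | Select-Object -First 1
}

function Test-NetworkServiceRead {
    # True when the key file's DACL has an Allow ACE for NETWORK SERVICE that includes ReadData.
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -like '*NETWORK SERVICE' -and
            (($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Test-LdapsHandshake {
    # Client-side check: complete a TLS handshake on 636 and report the certificate the DC presented.
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Validation callback always returns $true: we only want to observe the presented certificate here.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        [pscustomobject]@{ Server = $Server; Protocol = $ssl.SslProtocol; PresentedCert = $ssl.RemoteCertificate.Subject }
    } catch {
        Write-Warning "TLS handshake to ${Server}:$Port failed: $($_.Exception.Message)"
    } finally { $tcp.Close() }
}

# 1. Only the Local Computer Personal store counts; a cert imported into a user's store is invisible to Schannel here.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}
if (-not $candidates) {
    Write-Warning "No Server Authentication certificate found in Cert:\LocalMachine\My."
}

# 2. For each candidate, report name match, private key presence and the NETWORK SERVICE read check.
foreach ($cert in $candidates) {
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    $nameOk  = ($dnsName -eq $fqdn) -or ($san -match [regex]::Escape($fqdn))
    $keyFile = if ($cert.HasPrivateKey) { Get-PrivateKeyFile -Cert $cert } else { $null }
    $aclOk   = if ($keyFile) { Test-NetworkServiceRead -Path $keyFile.FullName } else { $false }

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        MatchesDcFqdn      = $nameOk
        HasPrivateKey      = $cert.HasPrivateKey
        KeyFile            = if ($keyFile) { $keyFile.FullName } else { '<not found>' }
        NetworkServiceRead = $aclOk
        Expired            = $cert.NotAfter -lt (Get-Date)
    }
}

# 3. Reproduce the ldp.exe connection attempt from the client side.
Test-LdapsHandshake -Server $fqdn
```

A certificate that shows MatchesDcFqdn, HasPrivateKey and NetworkServiceRead all true and is not expired satisfies the conditions the expert listed; if the handshake still fails, the remaining suspects are the certificate chain (the issuing CA must be trusted by the DC) and Schannel needing a reboot or a new LDAPS session to pick the certificate up. A false NetworkServiceRead is exactly what the "Manage Private Keys" dialog fixes.
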

Author Comment

ID: 23969492
I fixed it by re-issuing the cert.

Accepted Solution

ee_auto earned 0 total points
ID: 24783374
Question PAQ'd, 500 points refunded, and stored in the solution database.
