Grant permissions to the certificate container
Because the AD LDS service runs under the Network Service account, that account must be granted permission to the private key container file of the certificate that AD LDS uses for LDAPS.
- Obtain the container's file name. From a Windows command prompt, run the command:

  certutil -store MY

  Output from the command shows the certificate. If more than one certificate is listed, take note of the Key Container of the certificate that matches the one installed under AD LDS in the previous procedure. Identify it by matching the Cert Hash shown by certutil to the Thumbprint of the installed certificate.
- Using Windows Explorer, navigate to: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  On some servers, the file is found here instead: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\Keys
- Find the file whose name matches the Key Container name reported by certutil in the previous step. Right-click the file and select Properties > Security tab > Edit > Add.
- In the search box type NETWORK SERVICE, click Check Names and click OK. Grant only Read & Execute and Read; no other permissions are necessary.
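The same steps can be done without Windows Explorer. The script below is an added example and is not part of the original procedure or the product's own tooling. It assumes Windows PowerShell 5.1 on a current Windows Server, where the "Documents and Settings\All Users\Application Data" path named above is a junction to $env:ProgramData, and that the certificate was imported with a legacy CSP RSA key (so .PrivateKey exposes CspKeyContainerInfo). $Thumbprint is a placeholder you replace with the Cert Hash from certutil.

```powershell
# Added example (not from the original guide): locate the private key container file for the
# AD LDS certificate by thumbprint and grant NETWORK SERVICE Read & Execute on it, nothing more.
# Assumptions: Windows PowerShell 5.1, CSP (non-CNG) RSA key, $env:ProgramData holds the
# legacy "All Users\Application Data" tree. $Thumbprint is a placeholder.

$Thumbprint = 'REPLACE-WITH-CERT-HASH'      # "Cert Hash" from: certutil -store MY
$Account    = 'NT AUTHORITY\NETWORK SERVICE' # account the AD LDS service runs under

# Step 1: find the certificate in the machine MY store (the store certutil -store MY lists).
$wanted = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert)              { throw "No certificate with thumbprint $wanted in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $wanted has no private key on this machine" }

# Step 2: the unique container name is the file name certutil reports as the Key Container.
try {
    $containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch {
    throw "Could not read a CSP key container name for $wanted (CNG-stored key?): $_"
}
if (-not $containerName) { throw "Certificate $wanted has no CSP key container name" }

# Step 3: check the two locations the guide names; the first one that holds the file wins.
$candidates = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)
$keyFile = $candidates |
    ForEach-Object { Join-Path $_ $containerName } |
    Where-Object   { Test-Path -LiteralPath $_ } |
    Select-Object  -First 1
if (-not $keyFile) { throw "Key container $containerName not found under: $($candidates -join '; ')" }

# Step 4: add a single Allow ACE for Read & Execute (which includes Read). Existing ACEs are
# left untouched, so nothing is widened for other principals.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Step 5: print what NETWORK SERVICE now holds on the file so the change can be reviewed.
Write-Host "Key container file: $keyFile"
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell session; Set-Acl on files under MachineKeys requires administrative rights. The final table should show exactly one entry for NT AUTHORITY\NETWORK SERVICE with FileSystemRights of ReadAndExecute, Synchronize; if it shows Modify or FullControl, a broader right was granted than the procedure calls for and should be removed.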
- Restart systems:
  - Stop the LSF environment.
  - Using Windows Services, restart the AD LDS service.
  - Restart the LSF environment.
  - Use the ldp.exe tool to validate that the AD LDS instance is accepting the LDAPS connection. Open ldp.exe and enter the following information: ServerFQDN and the SSL port. Select the SSL checkbox and click OK.
- To verify that SSL is being used, find the ‘Host supports’ entry.
You should see a line similar to this::