Active Directory Web Services was unable to process the server certificate.
Hi there, we are encountering the following problem, which we cannot explain:

Active Directory Web Services, Source: ADWS, Event 1402, Warning
Active Directory Web Services was unable to process the server certificate. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine. Certificate name: <SOMEHOST>.<SOMEDOMAIN>.COM

The server has exactly one valid certificate with the following properties:
- v3-Template (2008)
- Server Authentication EKU
- SAN: DNS
- RSA 4096 / SHA256 (No alternate signature format)
- Empty Subject Name (Also tested with CN)
- Provider = Microsoft Software Key Storage Provider
- Private key is NOT exportable

ADWS is running as SYSTEM (Default) and the private key is accessible and configured for System: Full Control.

The debug-log shows:

ADWSHostFactory: [5/23/2012 4:41:58 PM] [5] ProvisionCertificate: caught a CryptographicException: System.Security.Cryptography.CryptographicException: Invalid provider type specified.
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at Microsoft.ActiveDirectory.WebServices.ADWSHostFactory.ProvisionCertificate(ServiceHost host)
ADWSHostFactory: [5/23/2012 4:41:58 PM] [5] ProvisionCertificate: skipping certificate provisioning

There is just one other certificate with the same name, but it's a Remote Desktop Authentication-EKU one.
Anyone, any ideas? Thanks, MMF
May 23rd, 2012 10:15am

Hmm, I think I found the solution. Hooray :(

http://blogs.msdn.com/b/alejacma/archive/2009/12/22/invalid-provider-type-specified-error-when-accessing-x509certificate2-privatekey.aspx

CNG seems to be not supported by the ADWS-application, as it is obviously written in .NET < 3.5 SP1. Am I right, Microsoft? Or at least guessing in the right direction? ;)

I reverted back to a Windows Server 2003 Template, using the RSA SChannel CSP, and - it's working :)

Still - it is only working if the RSA SChannel CSP is chosen and the certificate has a subject name == Common Name. If I enroll a KerberosAuthentication-Certificate (MS-Default, which I need for the additional domain SANs), it is not used by ADWS. Epic bug.... as it does not have a Subject Name per default. (Btw: The CNG certificate is working fine for "normal" LDAPS by ADDS)

Now to mark my own answer... ;) MMF
May 23rd, 2012 10:56am
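The thread comes down to two properties of the candidate certificate: whether its private key sits in a legacy CSP (which the X509Certificate2.PrivateKey getter used by ADWS can open) or in a CNG key storage provider (where that getter throws "Invalid provider type specified"), and whether the Subject carries a CN. The script below is an added example for this thread, not code from the original posts or from Microsoft. It walks the machine's personal store, reports those two facts for every Server Authentication certificate with a private key, and so predicts which certificate ADWS will accept. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (RSACertificateExtensions) and an elevated session that can read the LocalMachine store.

```powershell
# Added example (not from the original thread): list Server Authentication certificates in
# Cert:\LocalMachine\My and report the facts ADWS certificate selection turns on.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ and an elevated session.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

function Test-AdwsCertificateCandidate {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        } |
        ForEach-Object {
            $cert = $_

            # X509Certificate2.PrivateKey only understands CSP keys. For a CNG (KSP) key the
            # getter throws CryptographicException "Invalid provider type specified", the same
            # exception the ADWS debug log shows. PowerShell wraps that exception, so catch generally.
            $legacyPrivateKeyOk = $true
            try   { $null = $cert.PrivateKey }
            catch { $legacyPrivateKeyOk = $false }

            # RSACertificateExtensions opens both key types and exposes which provider holds the key.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsa.CspKeyContainerInfo.ProviderName      # e.g. Microsoft RSA SChannel Cryptographic Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider                 # e.g. Microsoft Software Key Storage Provider
            } else {
                $provider = 'unknown / non-RSA'
            }

            # The second finding in the thread: a certificate without a Subject CN was not picked up.
            $hasSubjectCn = [bool]($cert.Subject -match '(^|,)\s*CN=')

            [pscustomobject]@{
                Thumbprint         = $cert.Thumbprint
                Subject            = $cert.Subject
                DnsNames           = ($cert.DnsNameList.Unicode -join ';')
                Provider           = $provider
                LegacyPrivateKeyOk = $legacyPrivateKeyOk   # $false => CNG key, PrivateKey getter fails
                HasSubjectCN       = $hasSubjectCn
                # Only certificates with both flags $true match what the thread found ADWS will use.
                AdwsUsable         = ($legacyPrivateKeyOk -and $hasSubjectCn)
            }
        }
}

Test-AdwsCertificateCandidate | Format-Table -AutoSize
```

Run it on the domain controller that logs Event 1402; a row with LegacyPrivateKeyOk = False and Provider = Microsoft Software Key Storage Provider is the situation described in the first post, and a row with an empty Subject is the Kerberos Authentication template case from the answer. The same provider information is also visible in `certutil -v -store My` as the "Provider =" line of each entry, which is what the original poster quoted.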
