ADSelfService Plus vs Ldap over ssl

Hi everyone

I have an ADSSP product version 5318 in production. When a user tries to change his Windows password through the ADSSP portal, it doesn't work. It displays a green message that "the changing password was successful" but nothing happened on my DCs; the new password is not stored in the AD and attributes like PwdLastSet are not changed. For security reasons, we cannot enable the WinRM service on our DCs. We should go with LDAP over SSL, as also recommended by ADSSP support.

Our Windows Certificates Manager has already installed and configured our DCs for LDAP over SSL. So, the majority of our DCs listen on port 636.

It seems that the ADSSP server also needs a certificate, according to what ADSSP support told me, but I don't know how to generate the certificate for a service (ADSSP) from our SubCA certificate server (it's Microsoft Certificate Services).

Please, do you have a step-by-step procedure on how to generate the certificate, and how to install it on my ADSSP server to allow the communication?

I want to enable LDAP over SSL in place of WinRM because the change password functionality doesn't work through the ADSSP portal. The issue seems to be caused by a Windows patch, according to ADSSP support.

Regards

Kader
