LDAP over Secure Sockets Layer (SSL) will be unavailable at this time

I"ve got a server 2008 read only domain controller (as well as a server 2008
DC). Running at server 2003 operational level. Recently i've noticed these
errors popping up in the logs.

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package

I've been searching around for a while now and I can't seemt o find anything
related to this error and server 2008. Can anyone point me in the correct
direction?

Thanks,

Ryan

I've seen this error previously with ADAM that happened as a result of
having a certificate deployed in multiple containers but with only one of
them associated with the certificate's private key and that not being a
container that the server account had access to. For AD, that seems weird
since it should have read access to any key (or file) on the system. It may
be that the key for the cert got removed though.

I'd check the certificates mmc snap-in to see what certs are in the personal
container local machine store and see if they have a private key to start.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"trnsfrmrsr" <trnsfrmrsr@discussions.microsoft.com> wrote in message
news:7DEB4AF8-7E0D-4FA6-BBE7-2AA47BB18027@microsoft.com...
> I"ve got a server 2008 read only domain controller (as well as a server
> 2008
> DC). Running at server 2003 operational level. Recently i've noticed these
> errors popping up in the logs.
>
> LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
> because the server was unable to obtain a certificate.
>
> Additional Data
> Error value:
> 8009030e No credentials are available in the security package
>
> I've been searching around for a while now and I can't seemt o find
> anything
> related to this error and server 2008. Can anyone point me in the correct
> direction?
>
> Thanks,
>
> Ryan

Thanks for your response, this puts me on the correct path, I'm looking at
the local cert store (personal) and i've got not certificates. Strange thing
is that when i bring up the request certificate, I'm told i can't request any
certificates (as domain admin?).

Strangely, my 2008 DC works fine with our Microsoft certificate authority.
And has no issue requesting certs.


"Joe Kaplan" wrote:

> I've seen this error previously with ADAM that happened as a result of
> having a certificate deployed in multiple containers but with only one of
> them associated with the certificate's private key and that not being a
> container that the server account had access to. For AD, that seems weird
> since it should have read access to any key (or file) on the system. It may
> be that the key for the cert got removed though.
>
> I'd check the certificates mmc snap-in to see what certs are in the personal
> container local machine store and see if they have a private key to start.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> "trnsfrmrsr" <trnsfrmrsr@discussions.microsoft.com> wrote in message
> news:7DEB4AF8-7E0D-4FA6-BBE7-2AA47BB18027@microsoft.com...
> > I"ve got a server 2008 read only domain controller (as well as a server
> > 2008
> > DC). Running at server 2003 operational level. Recently i've noticed these
> > errors popping up in the logs.
> >
> > LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
> > because the server was unable to obtain a certificate.
> >
> > Additional Data
> > Error value:
> > 8009030e No credentials are available in the security package
> >
> > I've been searching around for a while now and I can't seemt o find
> > anything
> > related to this error and server 2008. Can anyone point me in the correct
> > direction?
> >
> > Thanks,
> >
> > Ryan
>
>

So i'm trying to use the certificate enrollment tool on the read only domian
controller. When i try to request a cert the error for all the templates is:

"the permissions on the certificate template do not allow for this type of
certificate. You do not have permissions to view this type of certificate"

I'm logged into the machine as the domain admin and this is still present.
This process works fine on all the "normal" DCs



"trnsfrmrsr" wrote:

> I"ve got a server 2008 read only domain controller (as well as a server 2008
> DC). Running at server 2003 operational level. Recently i've noticed these
> errors popping up in the logs.
>
> LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
> because the server was unable to obtain a certificate.
>
> Additional Data
> Error value:
> 8009030e No credentials are available in the security package
>
> I've been searching around for a while now and I can't seemt o find anything
> related to this error and server 2008. Can anyone point me in the correct
> direction?
>
> Thanks,
>
> Ryan

Unfortunately I'm not a WinCA guy at all (we use external certs for our DCs)
and I'm not an RODC guy either so I don't know any of the particulars
regarding how this is supposed to work. Maybe someone else will know.

Sorry!

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"trnsfrmrsr" <trnsfrmrsr@discussions.microsoft.com> wrote in message
news:A7D04F5A-83C0-439D-AD7C-517E08900EEB@microsoft.com...
> So i'm trying to use the certificate enrollment tool on the read only
> domian
> controller. When i try to request a cert the error for all the templates
> is:
>
> "the permissions on the certificate template do not allow for this type of
> certificate. You do not have permissions to view this type of certificate"
>
> I'm logged into the machine as the domain admin and this is still present.
> This process works fine on all the "normal" DCs
>
>
>
> "trnsfrmrsr" wrote:
>
>> I"ve got a server 2008 read only domain controller (as well as a server
>> 2008
>> DC). Running at server 2003 operational level. Recently i've noticed
>> these
>> errors popping up in the logs.
>>
>> LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
>> because the server was unable to obtain a certificate.
>>
>> Additional Data
>> Error value:
>> 8009030e No credentials are available in the security package
>>
>> I've been searching around for a while now and I can't seemt o find
>> anything
>> related to this error and server 2008. Can anyone point me in the correct
>> direction?
>>
>> Thanks,
>>
>> Ryan

"trnsfrmrsr" <trnsfrmrsr@discussions.microsoft.com> wrote in message
news:A7D04F5A-83C0-439D-AD7C-517E08900EEB@microsoft.com...
> So i'm trying to use the certificate enrollment tool on the read only
> domian
> controller. When i try to request a cert the error for all the templates
> is:
>
> "the permissions on the certificate template do not allow for this type of
> certificate. You do not have permissions to view this type of certificate"
>
> I'm logged into the machine as the domain admin and this is still present.
> This process works fine on all the "normal" DCs

I'm not sure how you've configured your CA/PKI, and there are many factors
regarding this that is too difficult and lengthy to explain in a post, and
would also require additional questions regarding if you are planning to use
autoenrollment, or if you've already configured it, GPOs, security settings
on the CA and the certificate template, etc, and please do keep in mind, I
have not worked with secure LDAP in this respect, and not sure how to assist
in this area if it doesn;t work, but the one thing I do know is that you
will need the CA to be installed on Windows Enterprise Edition (2003 or
2008) in order to have the correct certificate template (v2.0) to use for
this purpose, or rather the certificate's purpose, autoenrollment, etc. CA
on a standard box doesn't work, unfortunately.

Ace