Discussion:
LDAP over Secure Sockets Layer (SSL) will be unavailable at this t
trnsfrmrsr
2009-06-19 02:07:01 UTC
I've got a Server 2008 read-only domain controller (as well as a Server 2008
DC). Running at Server 2003 operational level. Recently I've noticed these
errors popping up in the logs.

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package

I've been searching around for a while now and I can't seem to find anything
related to this error and Server 2008. Can anyone point me in the correct
direction?

Thanks,

Ryan
Joe Kaplan
2009-06-19 02:43:14 UTC
I've seen this error previously with ADAM that happened as a result of
having a certificate deployed in multiple containers but with only one of
them associated with the certificate's private key and that not being a
container that the server account had access to. For AD, that seems weird
since it should have read access to any key (or file) on the system. It may
be that the key for the cert got removed though.

I'd check the certificates mmc snap-in to see what certs are in the personal
container local machine store and see if they have a private key to start.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
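
The check suggested in the post above, as an added PowerShell example that is not part of the original thread: it lists every certificate in the local machine Personal store and reports whether each has a private key. The Server Authentication EKU, host-name and validity columns go beyond what the post mentions and are included as the usual requirements for an LDAPS server certificate; all variable names are this example's own.

```powershell
# Added example: read-only inventory of the local machine Personal store.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

$certs = @(Get-ChildItem Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    # An empty store means the directory service has no certificate to offer for LDAPS.
    Write-Warning "No certificates in LocalMachine\My on $fqdn."
}

$report = foreach ($cert in $certs) {
    $ekuOids = @()
    $sanText = ''
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            # Collect the EKU OIDs carried by this certificate.
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } elseif ($ext.Oid.Value -eq $sanOid) {
            # Human-readable SAN list, e.g. "DNS Name=..." (text is locale dependent).
            $sanText = $ext.Format($false)
        }
    }
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        NameMatches   = (($cert.Subject -like "*CN=$fqdn*") -or ($sanText -like "*$fqdn*"))
        InValidity    = (($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now))
    }
}

if ($report) {
    $report |
        Select-Object Subject, HasPrivateKey, ServerAuthEku, NameMatches, InValidity, Thumbprint |
        Format-List
}
```

`HasPrivateKey` only shows that the store entry is linked to a key; whether the account running the directory service can read that key container is a separate check.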
trnsfrmrsr
2009-06-19 18:18:11 UTC
Thanks for your response, this puts me on the correct path. I'm looking at
the local cert store (personal) and I've got no certificates. Strange thing
is that when I bring up the request certificate, I'm told I can't request any
certificates (as domain admin?).

Strangely, my 2008 DC works fine with our Microsoft certificate authority.
And has no issue requesting certs.
trnsfrmrsr
2009-06-19 18:46:01 UTC
So I'm trying to use the certificate enrollment tool on the read-only domain
controller. When I try to request a cert the error for all the templates is:

"the permissions on the certificate template do not allow for this type of
certificate. You do not have permissions to view this type of certificate"

I'm logged into the machine as the domain admin and this is still present.
This process works fine on all the "normal" DCs.
Joe Kaplan
2009-06-19 22:06:40 UTC
Unfortunately I'm not a WinCA guy at all (we use external certs for our DCs)
and I'm not an RODC guy either so I don't know any of the particulars
regarding how this is supposed to work. Maybe someone else will know.

Sorry!
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Ace Fekay [Microsoft Certified Trainer]
2009-06-19 23:02:24 UTC
Post by trnsfrmrsr
So I'm trying to use the certificate enrollment tool on the read-only domain
"the permissions on the certificate template do not allow for this type of
certificate. You do not have permissions to view this type of certificate"
I'm logged into the machine as the domain admin and this is still present.
This process works fine on all the "normal" DCs.
I'm not sure how you've configured your CA/PKI, and there are many factors
regarding this that are too difficult and lengthy to explain in a post, and
would also require additional questions regarding if you are planning to use
autoenrollment, or if you've already configured it, GPOs, security settings
on the CA and the certificate template, etc., and please do keep in mind, I
have not worked with secure LDAP in this respect, and am not sure how to assist
in this area if it doesn't work, but the one thing I do know is that you
will need the CA to be installed on Windows Enterprise Edition (2003 or
2008) in order to have the correct certificate template (v2.0) to use for
this purpose, or rather the certificate's purpose, autoenrollment, etc. CA
on a standard box doesn't work, unfortunately.

Ace