You get the following error message in the LDAP event log:
Id : 1220 Message : LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. Additional Data Error value: 8009030e No credentials are available in the security package
It is always a certificate problem.
However, there can be multiple reasons behind the same error message, and all of the following requirements have to be met:
- The LDAPS certificate is located in the Local Computer’s Personal certificate store (programmatically known as the computer’s MY certificate store).
- A private key that matches the certificate is present in the Local Computer’s store and is correctly associated with the certificate.
- The private key must not have strong private key protection enabled.
- The Enhanced Key Usage extension includes the Server Authentication object identifier (OID), 1.3.6.1.5.5.7.3.1.
- The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
- You must use the Schannel CSP to generate the key.
- The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
  - The CN in the Subject field.
  - A DNS entry in the Subject Alternative Name extension.
This last requirement was the problem in my case.
I falsely assumed that having the DNS entry in the Subject field was sufficient.
In fact, it must be both in the subject and also in the SAN field.
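One way to check every certificate in the Local Computer's Personal store against the requirements listed above, as an added PowerShell example that is not part of the original post. It assumes the domain controller's AD FQDN is passed as -Fqdn (defaulting to the local host's DNS name) and an English locale for the SAN text format; the Schannel CSP and strong-key-protection requirements are not visible through this API and are left to certutil.

```powershell
# Added example: report, per certificate in Cert:\LocalMachine\My, which LDAPS
# requirements it satisfies. -Fqdn is an assumed parameter (defaults to this host).
param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Requirement: a private key is present and associated with the certificate.
    $hasKey = $cert.HasPrivateKey

    # Requirement: EKU contains Server Authentication.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

    # Requirement: FQDN appears as the Subject CN ...
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $cnMatches = ($cn -ieq $Fqdn)

    # ... or as a DNS entry in the SAN extension (Format() text is locale-dependent;
    # English output looks like "DNS Name=dc01.domain.com, DNS Name=domain.com").
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanDns = @()
    if ($sanExt) {
        $sanDns = foreach ($part in ($sanExt.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    $sanMatches = [bool]($sanDns | Where-Object { $_ -ieq $Fqdn })

    # Requirement: issued by a CA this server trusts (chain builds to a trusted root).
    # Client-side trust must be verified separately on the LDAPS clients.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $hasKey
        ServerAuthEKU = $hasServerAuth
        SubjectCN     = $cnMatches
        SanDns        = $sanMatches
        ChainTrusted  = $chainOk
        Candidate     = $hasKey -and $hasServerAuth -and ($cnMatches -or $sanMatches) -and $chainOk
    }
} | Format-Table -AutoSize
```

The SubjectCN and SanDns columns are reported separately so the case described above (name present only in the Subject, missing from the SAN) is immediately visible.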