You get the following error message in the LDAP event log:
Id : 1220 Message : LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. Additional Data Error value: 8009030e No credentials are available in the security package
It is always a certificate problem. However, there can be multiple reasons behind the same error message,
and all of the following requirements have to be met.
- The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
Follow this link to see different ways to import a certificate into the Local
- A private key that matches the certificate is present in the Local Computer’s store and is correctly associated
with the certificate.
- Strong private key protection must be disabled for the key (the domain controller cannot answer a UI prompt when it loads the key).
KeyProtection = NCRYPT_UI_NO_PROTECTION_FLAG
- The Enhanced Key Usage extension includes the Server Authentication object identifier (OID) 1.3.6.1.5.5.7.3.1.
[EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
- The certificate was issued by a CA that the domain controller and
the LDAPS clients trust. Trust is
established by configuring the clients and the server to trust the root CA
to which the issuing CA chains.
- You must use the Schannel CSP to generate the key.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
- The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must
appear in one of the following places:
- The CN in the Subject field.
- DNS entry in the Subject Alternative Name extension.
This last requirement was the problem in my case.
I falsely assumed that having the DNS entry in
the Subject field was sufficient.
In practice, put the FQDN both in the Subject CN and in a DNS entry of the Subject Alternative Name extension; the Subject alone is not enough.
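To check a certificate against the list above before a domain controller tries to use it, the following PowerShell script (an added example, not from the original post) walks the Local Computer's MY store and reports each requirement per certificate: private key present, provider name, Server Authentication EKU, chain to a trusted root, and whether the DC FQDN appears in the Subject CN and in a SAN DNS entry. It assumes it is run elevated on the domain controller, that the FQDN resolved from the local host name is the one clients use, and that the SAN extension renders as "DNS Name=..." (the English Windows formatting). Strong private key protection is not queried here; verify that at key generation time with the INF setting shown above.

```powershell
# Added example: audit Cert:\LocalMachine\My against the LDAPS requirements.
# Not part of the original post. Run elevated on the domain controller.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: e.g. DC01.DOMAIN.COM
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                                 # Server Authentication EKU

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $result = [ordered]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject }

    # Requirement: a private key is present and associated with the certificate
    $result.HasPrivateKey = $Cert.HasPrivateKey

    # Requirement: the key was generated with the Schannel CSP
    $provider = $null
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = $key.CspKeyContainerInfo.ProviderName      # legacy CSP key
        } elseif ($key -is [System.Security.Cryptography.RSACng]) {
            $provider = $key.Key.Provider.Provider                 # CNG/KSP key (not the Schannel CSP)
        }
    } catch { $provider = "unreadable: $($_.Exception.Message)" }
    $result.Provider = $provider
    $result.SchannelCsp = ($provider -eq 'Microsoft RSA SChannel Cryptographic Provider')

    # Requirement: EKU includes Server Authentication
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $result.ServerAuthEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid))

    # Requirement: the chain builds to a root this machine trusts
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $result.ChainTrusted = $chain.Build($Cert)
    $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object Status) -join ','

    # Requirement: the DC FQDN is in the Subject CN and in a SAN DNS entry
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $result.CnMatches = ($cn -ieq $Fqdn)
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanDns = @()
    if ($sanExt) {
        # Assumption: Format() renders "DNS Name=dc01.domain.com, DNS Name=domain.com"
        $sanDns = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    $result.SanDns     = $sanDns -join ';'
    $result.SanMatches = [bool]($sanDns | Where-Object { $_ -ieq $Fqdn })

    # A certificate whose CN matches but whose SAN does not is exactly the case
    # described in the post, so the SAN check is the one that gates the verdict.
    $result.UsableForLdaps = $result.HasPrivateKey -and $result.SchannelCsp -and
        $result.ServerAuthEku -and $result.ChainTrusted -and $result.SanMatches
    [pscustomobject]$result
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LdapsCertificate -Cert $_ -Fqdn $fqdn } |
    Format-List
```

A certificate that shows CnMatches True but SanMatches False is the situation the post describes: reissue it with the FQDN as a SAN DNS entry rather than trusting the Subject CN alone.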