Active Directory over SSL – banishing 8009030e to the land of wind and ghosts

This is one of those solutions where you’re not 100% sure why it works, but it just does. If you’re tearing your hair out trying to get LDAP to run over SSL and keep seeing ‘8009030e’, give this a go.

I have an under-appreciated AD 2008 server which we use for testing with IBM Web Content Manager. Recently I had to get it integrated with WebSphere Portal over SSL. I was sure when I set it up all those years ago that SSL worked, but today all I saw was a reset connection and the following error message in the Event Log:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
 
Additional Data
Error value:
8009030e No credentials are available in the security package

After one of those Googling sessions where you end up with 30 browser tabs and get no closer whatever you try (making a new self-signed cert, trying openssl instead, resetting permissions on random registry keys and folders), I thought – why not see if the certificate works with IIS?

IIS wasn’t set up to use SSL, so following the instructions here (start from “IIS manager”) I set up a binding to the SSL port and noticed that my new self-signed certificate wasn’t in the list of possible certificates in the ‘Add Site Binding’ window. Looking up a few steps – it seems there’s a nice button labeled ‘Create a self-signed certificate’. Once I bound that to IIS, SSL worked fine from a browser. And wouldn’t you know it, LDAP over SSL then started to work! I didn’t even need to restart AD. Worth a try, right?
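The reason this works is that a domain controller picks its LDAPS certificate from the Local Computer ‘Personal’ store, and it needs one with an accessible private key, the Server Authentication EKU and a name matching the DC’s FQDN; 8009030e is what you get when nothing in the store qualifies, and the IIS wizard happens to create exactly such a certificate. The following PowerShell script is an added diagnostic (not part of the original post) that lists the store certificates against those requirements and then does a TLS handshake on port 636 to show which certificate the DC actually serves. It assumes PowerShell 3.0 or later, running as an administrator on the DC; $DcFqdn is a placeholder value.

```powershell
# Added diagnostic for the 8009030e / LDAPS problem; not code from the original post.
$DcFqdn = 'dc01.example.local'        # placeholder: replace with the DC's real FQDN
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU

# 1. Which certificates in the Local Computer "Personal" store could Schannel use for LDAPS?
$candidates = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }))
    $nameMatches = ($cert.Subject -match [regex]::Escape("CN=$DcFqdn")) -or ($sanText -match [regex]::Escape($DcFqdn))
    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey   # note: does not prove SYSTEM may read the key
        ServerAuth    = $hasServerAuth
        NameMatches   = $nameMatches
        Valid         = ($cert.NotBefore -lt $now -and $cert.NotAfter -gt $now)
        ChainTrusted  = $cert.Verify()        # issuer chain trusted by this machine
    }
}
$candidates | Format-Table -AutoSize
$usable = $candidates | Where-Object { $_.HasPrivateKey -and $_.ServerAuth -and $_.NameMatches -and $_.Valid }
if (-not $usable) { Write-Warning "No certificate in LocalMachine\My meets the LDAPS requirements; expect 8009030e." }

# 2. Does the DC answer TLS on 636, and with which certificate?
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
    # Accept whatever is presented during the handshake so it can be inspected; trust is reported separately.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS is up ({0}); served {1} [{2}], chain trusted: {3}" -f $ssl.SslProtocol, $served.Subject, $served.Thumbprint, $served.Verify()
    if (@($usable | ForEach-Object { $_.Thumbprint }) -notcontains $served.Thumbprint) {
        Write-Warning "The served certificate is not one of the usable store candidates listed above."
    }
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    Write-Warning "TLS handshake on port 636 failed: $($_.Exception.Message)"
}
```

If part 1 shows a candidate but part 2 still fails, the usual remaining cause is the private key’s ACL not granting read access to the machine (SYSTEM) context, which this script does not check.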


5 Responses to Active Directory over SSL – banishing 8009030e to the land of wind and ghosts

  1. Chris W. says:

    OMG... thank you so much for publishing this. I was racking my brain for hours trying to figure out how to get rid of this stupid error and why LDAPS wouldn’t work for me. After applying this fix, I could use LDP from other servers to connect on 636 finally.

  2. Gerwin says:

    Actually, I wonder how this solution can ever work, but thanks because it helped me to progress anyway. My approach was slightly different:
    – I created a certificate through the IIS console (not self-signed, but signed by the CA on my machine), and then imported it in AD LDS (Windows Server 2013). As opposed to earlier attempts, this time it worked.
    My previous attempts were through the Certificate Snap-in and the localhost/certsrv links.

  3. Tomas says:

    Thanks for posting this. Saved me too.

  4. Carlos A says:

    The information in this post was very useful for me too. Thanks for sharing it.

  5. Michelle says:

    I had the same luck as Gerwin, except mine is on a Windows Server 2012. It was only when I created the certificate through IIS and then imported it into my AD LDS instance that LDAP over SSL worked successfully for me. Thanks for the tip!
