December 8, 2005 - 12:10 UTC - Tags: ADAM SSL certificates AD LDS
If you set connectionProtection to "Secure" on the membership provider in your web.config you may get an error in the event log saying "8009030e No credentials are available in the security package". This happens because there is no suitable certificate installed on the server for ADAM to use. This blog entry will help you resolve the issue.
1. Obtaining a certificate
Here I will explain how to obtain a server certificate on a Windows 2003 server. If you already have a certificate, import it into your "Personal" store and skip to section 2.
To create a certificate you need to install IIS and a Certificate Authority. This is done through "Control Panel \ Add/Remove programs \ Add/Remove Windows Components". For information on how to install IIS refer to Microsoft or Google. To install a Certificate Authority, check the "Certificate services" checkbox (IIS must be installed before, or at the same time as, the certificate services). Once the installation is complete, request a certificate using your browser (address: http://localhost/certsrv):
- Click "Request a certificate"
- Click "Advanced certificate request"
- Click "Create and submit a request to this CA"
- In the "Name"-textbox write the full dns name of the server
- Make sure "Type of certificate" is "Server authentication certificate"
- Select PKCS10 as the format
- Optionally fill in the other information
- In the "Friendly name"-textbox write the full dns name of the server
- Click the submit button
You have now created a certificate request. To create a certificate we need to process the request:
- Open "Control Panel \ Administrative Tools \ Certification Authority"
- Browse to the "Pending requests"-folder
- Locate the certificate request, right-click and select "All tasks \ issue".
The certificate has now been created and resides in the "Issued certificates"-folder. Next we need to download and install the certificate:
- Open http://localhost/certsrv
- Click "View the status of a pending certificate request"
- Click the certificate request
- Click the certificate to install it
2. Using the certificate with the ADAM service
To let our ADAM service use the certificate we need to put the certificate in the ADAM service's personal store:
- Select "Run..." from your start menu and type mmc. This will open the management console.
- Click "File \ Add/Remove snap-in"
- Click "Add..." and select "Certificates"
- Select "Service account"
- Select "Local computer"
- Select your ADAM instance service
- Add a new "Certificates" snap-in, but this time select "My user account" instead of "Service account"
- Click "Close" and "OK"
- Open the "Personal"-folder under the "Certificates - Current User"-tree
- Select the certificate and copy it into the same location under "Certificates - <ADAM instance name>"
- Give the ADAM service account read permissions to the private key using winhttpcertcfg (best practice) or by setting the permissions directly on the key file under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. If these permissions are not set correctly you will get an error in the event log: Schannel ID 36870 - "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x6."
- Restart your ADAM instance
3. Verifying that SSL is working
To verify that SSL is working with ADAM:
- Run the "ADAM Tools Command Prompt" from your ADAM program group
- Type "ldp" and hit enter
- Click "Connection \ Connect..."
- Type the DNS name of your server in the server textbox (localhost will not do here as the dns name is checked against the certificate)
- Enter the SSL port of your ADAM installation (636 or 50001 or whatever you chose during the installation of ADAM)
- Check the SSL checkbox and hit "OK"
If the installation was successful, you should get a lot of text in the right window and be able to bind using the "Connection \ Bind..."-functionality.
Update 18.01.2007:
If you still get "8009030e No credentials are available in the security package" after the import, or you get an error when importing the keys into the LOCAL_MACHINE\Personal store, check that you (or the Administrators group) have full access to "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys". Try importing the certificate directly into both LOCAL_MACHINE\Personal and ADAM\Personal instead of copying it from the Current_user store. Thanks to Christian J. for this update.
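The ldp check from section 3, scripted so it can be repeated after every change, is given below as an added example; it is not part of the original post and uses the .NET System.DirectoryServices.Protocols API rather than ldp. The server name, port and optional ADAM user DN are assumptions to replace with your own values.

```powershell
# Added example (not from the original post): script the ldp check from section 3
# against the .NET System.DirectoryServices.Protocols API. Server name, port and
# ADAM user DN below are assumptions; replace them with your own values.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdamSsl {
    param(
        [Parameter(Mandatory)] [string] $Server,  # full DNS name; "localhost" fails the name check
        [int] $Port = 636,                        # SSL port chosen when the ADAM instance was installed
        [string] $User,                           # optional ADAM user DN for a simple bind over SSL
        [string] $Password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true

    # Inspect the certificate the server presents and refuse it for the same
    # reasons ldp would: an untrusted chain or a name that does not match $Server.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        Write-Host ("Server certificate: {0}; issuer: {1}; expires: {2}" -f $cert2.Subject, $cert2.Issuer, $cert2.NotAfter)
        $chainOk = $cert2.Verify()
        $dnsName = $cert2.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $nameOk  = ($dnsName -ieq $Server)
        if (-not $chainOk) { Write-Warning "the issuing CA is not trusted on this client" }
        if (-not $nameOk)  { Write-Warning "certificate name '$dnsName' does not match '$Server'" }
        return ($chainOk -and $nameOk)
    }.GetNewClosure()

    try {
        if ($User) {
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
        }
        $conn.Bind()
        Write-Host "SSL bind to ${Server}:${Port} succeeded"
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # A bind failure here, together with Schannel event 36870 on the server,
        # points at the private key permissions described in section 2.
        Write-Warning ("bind failed: {0} (LDAP error {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
        return $false
    } finally {
        $conn.Dispose()
    }
}

Test-AdamSsl -Server 'adam01.example.local' -Port 636   # assumed server name and port
```

Run it from a machine that trusts the issuing CA, otherwise the chain check fails even when the ADAM side is configured correctly.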