We have a member server running the remote loader in the same domain as
the DC.

We are trying to set the password in AD ONLY from the subscriber channel.

As I understand the documentation, the requirements for this are:
1 - SSL must be enabled between the member server and the DC.
2 - Negotiate should be used. (It is)

As a note, we also have SSL from the IDM Engine to the RL enabled and
working.

When we do not set "Use SSL for encryption", we get an error:
Message = Could not set password via platform call. Err=5 (access denied)

We are told (we are not allowed on the DC) that SSL is enabled between
the member server and the DC.

However, when we tell the driver to use "Use SSL for encryption", we get:
DirXML Log Event -------------------
Driver: \GEICOIDV-LAB\com\geico\services\idm\DriverSet\ADGeico
Channel: Subscriber
Status: Retry
Message: Code(-9006) The driver returned a "retry" status
indicating that the operation should be retried later. Detail from
driver: Code(-9006) The driver returned a
"retry" status indicating that the operation should be retried later.
Detail from driver: <message>unable to connect to Active Directory</message>
<ldap-err ldap-rc="81" ldap-rc-name="LDAP_SERVER_DOWN">
<client-err ldap-rc="81" ldap-rc-name="LDAP_SERVER_DOWN">Server
Down</client-err>

Any ideas where to look?

Thanks
-jim
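A check for requirement 1 that can be run from the member server, added here as an example and not part of the original post: it attempts a TLS handshake to the DC on the LDAPS port and maps a failure to the likely cause behind an rc=81 LDAP_SERVER_DOWN. DC_HOST and CA_BUNDLE are placeholders; set them to the DC the remote loader is pointed at and to the AD CA certificate in PEM form.

```python
"""Probe a DC for LDAPS (TCP 636) and classify the outcome.

Added example, not from the original post. DC_HOST and CA_BUNDLE are
placeholders to be replaced with the real DC and CA certificate path.
"""
import socket
import ssl

DC_HOST = "dc01.example.com"   # placeholder: the DC the driver connects to
LDAPS_PORT = 636               # port the AD driver uses when SSL is enabled
CA_BUNDLE = None               # placeholder: PEM file of the AD CA; None = OS store

# Exception class -> diagnosis; order matters because
# SSLCertVerificationError is itself a subclass of SSLError.
DIAGNOSES = (
    (ssl.SSLCertVerificationError, "cert-not-trusted"),
    (ssl.SSLError, "tls-handshake-failed"),
    ((ConnectionRefusedError, socket.timeout, TimeoutError), "port-636-unreachable"),
    (socket.gaierror, "dns-failure"),
)


def probe_ldaps(host=DC_HOST, port=LDAPS_PORT, ca_bundle=CA_BUNDLE, timeout=5):
    """Attempt a verified TLS handshake; return a dict describing the result."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                        "san": cert.get("subjectAltName", ())}
    except OSError as exc:  # SSLError, timeouts and refusals are all OSError
        return {"ok": False, "error": exc}


def diagnose(result):
    """Map a probe result to the likely cause of LDAP_SERVER_DOWN (rc=81)."""
    if result["ok"]:
        return "ldaps-ok"
    for exc_types, label in DIAGNOSES:
        if isinstance(result["error"], exc_types):
            return label
    return "unknown"


if __name__ == "__main__":
    outcome = probe_ldaps()
    print(diagnose(outcome), outcome.get("error") or outcome)
```

"port-636-unreachable" means the DC is not listening for LDAPS at all (no server certificate issued to it, or a firewall in between); "cert-not-trusted" means it is listening but the member server does not trust the issuing CA, which the driver also reports as a failed connection.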