Want to allow ADFS to be installed correctly? Our trusty Canadian PFE Gregg O’Brien shows us a recent issue he resolved at a customer’s site and how he quickly brought balance back to the force….
Upon installing a new ADFS infrastructure or upon renewal/replacement of the certificate on an existing ADFS infrastructure, you may receive an error stating, “The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.”
This problem occurs because the certificate used employs newer cryptographic technology known as Cryptographic Next Generation (CNG). CNG permits the use of a suite of newer public key providers which are not compatible with ADFS.
To resolve the issue, use a certificate that does not use the CNG suite.
If you are using a Microsoft Certificate Authority to issue the certificate, you can ensure the use of the legacy API by using a certificate template that specifies a Legacy Cryptographic Service Provider. This can be achieved by selecting a V1 template such as the Web Server Certificate and duplicating it.
Then make sure that the appropriate CSP is chosen:
Once you have the correct CSP and have enabled it on your Certificate Authority, you can issue the certificate to the server and then export it.
Once it’s exported you can import it into the wizard and complete the configuration.
If you have received your certificate from a public certificate authority, you will need to contact them to reissue your certificate with a legacy CSP so that the ADFS wizard can accept the certificate.
Posted by Rhoderick Milne, newbie MSPFE Editor