ADFS Configuration Wizard Fails with Error “The certificates with the CNG private key are not supported”

Want to allow ADFS to be installed correctly? Our trusty Canadian PFE Gregg O’Brien shows us a recent issue he resolved at a customer’s site and how he quickly brought balance back to the force….

Upon installing a new ADFS infrastructure or upon renewal/replacement of the certificate on an existing ADFS infrastructure, you may receive an error stating, “The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.”

ADFS Configuration Wizard Failed With CNG Private Key Error

This problem occurs because the certificate’s private key was generated with the newer cryptographic technology known as Cryptography Next Generation (CNG). CNG stores keys in a suite of newer key storage providers, and the ADFS configuration wizard cannot use a key held by one of them; it only accepts a key held by a legacy Cryptographic Service Provider (CSP).

To resolve the issue, use a certificate that does not use the CNG suite.

If you are using a Microsoft Certificate Authority to issue the certificate, you can ensure the use of the legacy API by using a certificate template that specifies a Legacy Cryptographic Service Provider. This can be achieved by selecting a V1 template such as the Web Server Certificate and duplicating it.

Duplicating Web Server Certificate Template

Then make sure that the appropriate CSP is chosen:

Selecting Specific CSP In Custom Certificate

Once you have the correct CSP and have enabled it on your Certificate Authority, you can issue the certificate to the server and then export it.

Allowing Custom Certificate Template To Be Issued


Once it’s exported you can import it into the wizard and complete the configuration.

If you have received your certificate from a public certificate authority, you will need to contact them to reissue your certificate with a legacy CSP so that the ADFS wizard can accept the certificate.
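The two practical questions the steps above leave to the reader are “which provider is actually holding my key?” (the wizard only tells you once it has rejected the certificate) and “how do I request a replacement that is guaranteed to land in a legacy CSP?”. The script below answers both. It is an added example written for this page, not code from the original post or from Microsoft: it parses the `Provider =` line that `certutil -store My` prints for each certificate, treats any name matching a key storage provider pattern as CNG (a heuristic, labelled as such), and writes a `certreq` INF that pins the new key to the legacy `Microsoft RSA SChannel Cryptographic Provider`. The federation service name `fs.example.com`, the extra DNS name and the template name are placeholders.

```powershell
# Added example (not from the original post): report which key provider backs each
# certificate with a private key in the local machine store, flag the CNG-backed
# ones the ADFS wizard rejects, and write a certreq INF that requests a
# replacement under a legacy CSP. fs.example.com and the template name are placeholders.

# Heuristic (assumption): CNG key storage providers carry these names; anything else
# certutil reports is treated as a legacy CryptoAPI CSP.
$script:CngProviderPattern = 'Key Storage Provider|Platform Crypto Provider'

function Get-CertKeyProvider {
    # Returns the provider name certutil reports for the certificate's private key,
    # or $null when the key is absent or not readable from this account.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $lines = & certutil.exe -store My $Thumbprint 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^\s*Provider\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-LegacyCsp {
    # $true when the key lives in a legacy CSP (what the ADFS wizard accepts).
    param([AllowNull()][string]$ProviderName)
    if (-not $ProviderName) { return $false }
    return ($ProviderName -notmatch $script:CngProviderPattern)
}

function Get-AdfsCertificateReport {
    # One row per certificate that has a private key: thumbprint, subject,
    # provider name, and whether it is usable by the ADFS configuration wizard.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $provider = Get-CertKeyProvider -Thumbprint $_.Thumbprint
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Provider   = $provider
            LegacyCsp  = Test-LegacyCsp $provider
        }
    }
}

function New-LegacyCspRequestInf {
    # Writes a certreq INF that forces the new key into the legacy
    # "Microsoft RSA SChannel Cryptographic Provider" (ProviderType 12).
    # Submit it with:  certreq -new .\adfs.inf .\adfs.req
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,  # placeholder: fs.example.com
        [string[]]$ExtraDnsNames = @(),
        [string]$TemplateName,                                  # AD CS template name, if enrolling internally
        [Parameter(Mandatory)][string]$Path
    )
    $san = ((@($FederationServiceName) + $ExtraDnsNames) | ForEach-Object { "dns=$_" }) -join '&'
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$FederationServiceName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$san&"
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1"
"@
    if ($TemplateName) {
        $inf += "`n[RequestAttributes]`nCertificateTemplate = $TemplateName`n"
    }
    Set-Content -Path $Path -Value $inf -Encoding Ascii
    return $Path
}

# Usage: inspect what is installed, then request a legacy-CSP replacement.
Get-AdfsCertificateReport | Format-Table -AutoSize
New-LegacyCspRequestInf -FederationServiceName 'fs.example.com' `
    -ExtraDnsNames 'enterpriseregistration.example.com' `
    -TemplateName 'ADFSLegacyWebServer' -Path .\adfs.inf
```

Run the report before starting the wizard: a row with `LegacyCsp` set to `False` is the certificate that will trigger the error. The INF route is the same fix as the template duplication above, expressed as a request you control end to end, and it also applies to a public CA: send the resulting `.req` instead of letting the CA’s web form or the local certificates console generate a CNG key for you. `Exportable = TRUE` is there only because the walkthrough exports the certificate to import it into the wizard; drop it if the key is requested directly on the federation server.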

Posted by Rhoderick Milne, newbie MSPFE Editor

Comments (9)
  1. santoo says:

    Thanks! It works perfectly!!

  2. You should add this to the following TechNet article:
    Because in this article, I can’t find the requirement of a specific cryptographic provider

    1. Travis Moore says:

      Martin… you are referencing an article that isn’t being updated anymore. Use this instead:

  3. Jorge Martinez Garcia says:

    After struggling with this issue for four days I would suggest you include a note, not just in this article but in TechNet or a KB too. The issue I was able to solve is about fedutil in Windows Server 2012; it was a little complex since the utility just pops an error window "Invalid provider Type Specified" and the Application log just references something about SQM dll. After some googling I got to this site…/invalid-provider-type-specified-error-when-accessing-x509certificate2-privatekey.aspx but there was nothing to fix the issue, at least I couldn't figure it out until I got to this other site…/invalid-provider-type-specified.html and BAM! there it is, request the certificate as legacy, when generating the custom request through the local certificates console. To close I just decided to further investigate about CNG and got to this article. So I hope this helps others having a hard time with Fedutil in Windows Server 2012.

  4. jim manning says:

    Thanks! This helped – the 2012 interface didn’t look like some of your pictures but I figured it out.

  5. Annie says:

    I thought I was going crazy when this error kept popping up. I am usually not the best at fixing things, so it wouldn’t have surprised me if I was the problem. I am so glad I found this tutorial. The images were very helpful as well as the text.

  6. Sachin Arora says:

    Awesome, Thanks!!

  7. Sec_Freak says:

    Microsoft, seriously? This error hit me on the very last step of the entire procedure when renewing the SSL certificate using our new bleeding edge MS PKI, when I clicked the Set Service Communications Cert.
    Thanks for the article, it fixed it! The Legacy CSP setting is on the Cryptography tab on the newer template versions.

    1. Jeff Hochberg says:

      My sentiments EXACTLY! I can’t believe this error pops up on the last step and isn’t documented anywhere in the prerequisite checklists. Totally absurd.
