ADFS Configuration Wizard Fails with Error “The certificates with the CNG private key are not supported”

ADFS Configuration Wizard Fails with Error “The certificates with the CNG private key are not supported”

  • Comments 4
  • Likes

Want to allow ADFS to be installed correctly?  Our trusty Canadian PFE Gregg O’Brien shows us a recent issue he  resolved at a customer’s site and how he quickly brought balance back to the force….


Upon installing a new ADFS infrastructure or upon renewal/replacement of the certificate on an existing ADFS infrastructure, you may receive an error stating, “The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.”

ADFS Configuration Wizard Failed With CNG Private Key Error

This problem occurs because the certificate used employs newer cryptographic technology known as Cryptographic Next Generation (CNG). CNG permits the use of a suite of newer public key providers which are not compatible with ADFS.

To resolve the issue, use a certificate that does not use the CNG suite.

If you are using a Microsoft Certificate Authority to issue the certificate, you can ensure the use of the legacy API by using a certificate template that specifies a Legacy Cryptographic Service Provider. This can be achieved by selecting a V1 template such as the Web Server Certificate and duplicating it.

Duplicating Web Server Certificate Template

Then make sure that the appropriate CSP is chosen:

Selecting Specific CSP In Custom Certificate

Once you have the correct CSP and have enabled it on your Certificate Authority, you can issue the certificate to the server and then export it.

Allowing Custom Certificate Template To Be Issued

Allowing Custom Certificate Template To Be Issued

Once it’s exported you can import it into the wizard and complete the configuration.

If you have received your certificate from a public certificate authority, you will need to contact them to reissue your certificate with a legacy CSP so that the ADFS wizard can accept the certificate.


Posted by Rhoderick Milne, newbie MSPFE Editor


Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • After struggling with this issue for four days I would suggest you to include a note, not to just this article to technet or a kb too. The issue I was able to solve is about fedutil in windows server 2012, it was a little complex since the utility just pops an error window "Invalid provider Type Specified" and the Application log just references something about SQM dll. After some googling I got to this site blogs.msdn.com/.../invalid-provider-type-specified-error-when-accessing-x509certificate2-privatekey.aspx but there was nothing to fix the issue, at least I couldn't figure it out until I got to this other site www.apollojack.com/.../invalid-provider-type-specified.html and BAM! there it is, request the certificate as legacy, when generating the custom request through the local certificates console. To close I just decided to further investigate about CNG and got to this article. So I hope this helps other having a hard time with Fedutil in Windows Server 2012.

  • Thanks! This helped - the 2012 interface didn't look like some of you pictures but I figured it out.

  • I thought I was going crazy when this error kept popping up. I am usually not the best at fixing things, so it wouldn't have surprised me if I was the problem. I am so glad I found this tutorial. The images were very helpful as well as the text. www.celestix.com

  • Thanks! It works perfectly!!