Want to allow ADFS to be installed correctly? Our trusty Canadian PFE Gregg O’Brien shows us a recent issue he resolved at a customer’s site and how he quickly brought balance back to the force….
Upon installing a new ADFS infrastructure or upon renewal/replacement of the certificate on an existing ADFS infrastructure, you may receive an error stating, “The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.”
This problem occurs because the certificate used employs newer cryptographic technology known as Cryptographic Next Generation (CNG). CNG permits the use of a suite of newer public key providers which are not compatible with ADFS.
To resolve the issue, use a certificate that does not use the CNG suite.
If you are using a Microsoft Certificate Authority to issue the certificate, you can ensure the use of the legacy API by using a certificate template that specifies a Legacy Cryptographic Service Provider. This can be achieved by selecting a V1 template such as the Web Server Certificate and duplicating it.
Then make sure that the appropriate CSP is chosen:
Once you have the correct CSP and have enabled it on your Certificate Authority, you can issue the certificate to the server and then export it.
Once it’s exported you can import it into the wizard and complete the configuration.
If you have received your certificate from a public certificate authority, you will need to contact them to reissue your certificate with a legacy CSP so that the ADFS wizard can accept the certificate.
Posted by Rhoderick Milne, newbie MSPFE Editor
After struggling with this issue for four days I would suggest you to include a note, not to just this article to technet or a kb too. The issue I was able to solve is about fedutil in windows server 2012, it was a little complex since the utility just pops an error window "Invalid provider Type Specified" and the Application log just references something about SQM dll. After some googling I got to this site blogs.msdn.com/.../invalid-provider-type-specified-error-when-accessing-x509certificate2-privatekey.aspx but there was nothing to fix the issue, at least I couldn't figure it out until I got to this other site www.apollojack.com/.../invalid-provider-type-specified.html and BAM! there it is, request the certificate as legacy, when generating the custom request through the local certificates console. To close I just decided to further investigate about CNG and got to this article. So I hope this helps other having a hard time with Fedutil in Windows Server 2012.
Thanks! This helped - the 2012 interface didn't look like some of you pictures but I figured it out.