Windows Server 2012 ADFS Configuration Wizard Fails with Error "The certificates with the CNG private key are not supported"


Upon installing a new ADFS infrastructure or upon renewal/replacement of the certificate on an existing ADFS infrastructure, you may receive an error stating, "The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider."

This problem occurs because the certificate's private key was generated with the newer Cryptography Next Generation (CNG) API. CNG stores keys in Key Storage Providers (KSPs), a newer family of public key providers that the ADFS configuration wizard on Windows Server 2012 does not support; the wizard expects a key held by a legacy Cryptographic Service Provider (CSP).

To resolve the issue, use a certificate whose private key was generated by a legacy CSP rather than a CNG provider.

If you are using a Microsoft Certificate Authority to issue the certificate, you can ensure the use of the legacy API by using a certificate template that specifies a legacy Cryptographic Service Provider. This can be achieved by selecting a V1 template such as the Web Server template and duplicating it.


Then make sure that the appropriate CSP is chosen:

Once you have the correct CSP and have enabled it on your Certificate Authority, you can issue the certificate to the server and then export it.

Once it's exported, you can import it into the wizard and complete the configuration.

If you have received your certificate from a public certificate authority, you will need to contact them to reissue your certificate with a legacy CSP so that the ADFS wizard can accept the certificate.
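The following PowerShell is an added example, not part of the original article: it reports, for each certificate in the machine store, whether the private key lives in a CNG Key Storage Provider (which the wizard rejects) or a legacy CSP, and writes a certreq INF that requests a new key from the legacy "Microsoft RSA SChannel" CSP. It assumes Windows PowerShell with .NET Framework 4.6 or later (for `GetRSAPrivateKey`); the function name, subject, file paths and template name are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell with
# .NET Framework 4.6+ so that GetRSAPrivateKey is available.
function Get-KeyProviderReport {            # hypothetical helper name
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { return }       # not an RSA key (e.g. ECDSA); skip it
        # RSACng => key lives in a CNG Key Storage Provider (rejected by the wizard).
        # RSACryptoServiceProvider => key lives in a legacy CSP (accepted).
        $isCng = $rsa -is [System.Security.Cryptography.RSACng]
        $provider = if ($isCng) { $rsa.Key.Provider.Provider }
                    else        { $rsa.CspKeyContainerInfo.ProviderName }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            LegacyCsp  = -not $isCng        # $true means the ADFS wizard will accept it
        }
    }
}

Get-KeyProviderReport | Format-Table -AutoSize

# certreq INF that forces a legacy CSP key. Subject and template name are
# placeholders: use your ADFS service name and the duplicated V1 template.
$inf = @'
[NewRequest]
Subject = "CN=adfs.example.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = "LegacyWebServerTemplate"
'@
Set-Content -Path "$env:TEMP\adfs-legacy.inf" -Value $inf
# Generate the request; submit the .req to the CA, then install the issued cert
# on this server and re-run Get-KeyProviderReport to confirm LegacyCsp is True.
certreq.exe -new "$env:TEMP\adfs-legacy.inf" "$env:TEMP\adfs-legacy.req"
```

Because the key is created in the legacy CSP at request time, the issued certificate can be exported with its private key and accepted by the wizard without any conversion step.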
