Workaround for ADFS errors when using certificates with CNG keys

ADFS (Active Directory Federation Services) can be described as the de-facto standard service for extending Active Directory as an identity provider, inside or outside the organisation, in order to deliver the single sign-on (SSO) experience and the security that modern systems and users need and expect.

The first version of ADFS shipped as an optional component of Windows Server 2003 R2; it only started to become popular with ADFS 2.0, a separate download for Windows Server 2008/2008 R2.

Microsoft's Azure AD Connect with Azure AD, or products offered by Okta or Auth0 (to name just a few), have made ADFS federation largely redundant in the past 3-4 years, but a lot of functionality was added in the latest version of ADFS, shipped with Windows Server 2019, which keeps it relevant.

In my humble opinion, ADFS is not dead yet!

Without further ado, let's dive into the article.

ADFS THROWS AN ERROR WHEN PFX CERTIFICATES USE CNG KEYS

If you look at the official ADFS documentation for versions older than Windows Server 2016, any certificate used for:

  • service communication
  • token decryption/encryption
  • token signing

cannot be a certificate whose private key lives in a CNG (Cryptography Next Generation) Key Storage Provider; it must use a key held by a legacy CSP (Cryptographic Service Provider).

This can be painful because for service communication your certificate will most likely be signed by a public CA, so when you have the renewed certificate ready in a PFX (with its private key) and try to import it, you will probably hit the error message below. The usual cause is that the PFX was produced on a modern Windows host, where certificate requests often end up with a key in the Microsoft Software Key Storage Provider (a CNG key), and the PFX records that provider name next to the key. You can confirm this before touching ADFS: certutil -p <password> -dump <file>.pfx prints a line "Provider = Microsoft Software Key Storage Provider" for such a file.

(Screenshot: the ADFS wizard error shown when importing a PFX whose private key uses a CNG key)

Workaround

A very interesting workaround, which one of my colleagues mentioned to me, was possibly from this blog. The error from the ADFS wizard can be avoided by importing the PFX certificate (with its CNG private key) into Firefox and exporting it again as a P12; PFX and P12 are both PKCS#12 files, only the extension differs. Once exported in P12 format, the certificate can be imported into ADFS without any error. The reason it works is that the Firefox certificate store (NSS) does not write the Microsoft provider-name attribute back into the PKCS#12 file it exports, so on import Windows no longer sees a request for the Key Storage Provider and places the key in a legacy CSP, which is exactly what the ADFS wizard insists on.

How to import a PFX certificate into Firefox and export it as a P12 for ADFS.

  • Open Firefox
  • Options
  • Privacy & Security
  • Certificates
  • View Certificates…
  • Import (and choose the PFX certificate to import and provide the password)
  • Once imported select the certificate and click on Backup…
  • Save the certificate with *.p12 (PKCS12) format.
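The same re-wrap can be done from the command line with OpenSSL, which is handy when no Firefox is at hand or when you want to see what actually changes inside the file. The script below is an added example and is not part of the original post or of any Microsoft tooling. It builds a throw-away self-signed certificate (standing in for the CA-signed service communication certificate), tags the PFX with the Key Storage Provider name the way a Windows export of a CNG key does, shows how to read that attribute back, and then re-exports the bundle with the legacy CSP name so ADFS will accept it. The host name adfs.example.com, the password and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): re-wrap a PFX whose private key is
# tagged for the CNG Key Storage Provider so that Windows imports it into a
# legacy CSP. Host name, password and file names are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="pass:demo-password"                                          # demo password only

KSP_NAME="Microsoft Software Key Storage Provider"                 # what a CNG export records
CSP_NAME="Microsoft Enhanced RSA and AES Cryptographic Provider"   # legacy CSP ADFS accepts

# Throw-away self-signed certificate standing in for the CA-signed service
# communication certificate.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=adfs.example.com" -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Build a PFX that looks like a Windows export of a CNG key: the key bag carries
# the provider-name attribute (OID 1.3.6.1.4.1.311.17.1) with the KSP name.
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -CSP "$KSP_NAME" -passout "$PASS" -out "$WORK/cng.pfx"

# Print the provider name recorded in a PFX (empty when the attribute is absent).
pfx_provider() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nodes 2>/dev/null \
        | sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1
}

# Unpack the PFX to PEM and export it again with the legacy CSP name. -keyex asks
# Windows to import the key with the key-exchange KeySpec, which is what SChannel
# wants for a TLS/service communication certificate.
rewrap_for_csp() {
    in_pfx="$1"; out_pfx="$2"; bundle="$WORK/bundle.pem"
    openssl pkcs12 -in "$in_pfx" -passin "$PASS" -nodes -out "$bundle" 2>/dev/null
    openssl pkcs12 -export -in "$bundle" -CSP "$CSP_NAME" -keyex \
        -passout "$PASS" -out "$out_pfx"
    rm -f "$bundle"    # the unencrypted private key must not linger on disk
}

rewrap_for_csp "$WORK/cng.pfx" "$WORK/csp.pfx"
echo "before: $(pfx_provider "$WORK/cng.pfx")"   # Microsoft Software Key Storage Provider
echo "after:  $(pfx_provider "$WORK/csp.pfx")"   # Microsoft Enhanced RSA and AES Cryptographic Provider
```

Import the resulting csp.pfx on the ADFS server and the wizard no longer complains; the Firefox round-trip achieves the same result implicitly by dropping the Microsoft attributes, whereas OpenSSL lets you set the provider name explicitly. Two caveats for real use: OpenSSL 3.x writes AES/PBKDF2-protected PKCS#12 files by default, which some older Windows versions cannot import (the symptom is a "password is incorrect" message), so add -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 (or -legacy) to the export for those hosts; and the private key sits unencrypted in the intermediate PEM file for a moment, so run this on a trusted host, not on a shared jump box.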

I hope you’ll find this information useful.
