I would describe ADFS (Active Directory Federation Services) as the de-facto standard service for extending Active Directory as an Identity Provider, inside or outside the organisation, in order to deliver the Single Sign-On (SSO) experience and the security that modern systems and users need and expect.
The first version of ADFS was an additional download for Windows Server 2003 R2, but it started to become popular and widely used as a role in Windows Server 2008/2008 R2.
Microsoft Azure AD Connect with Azure AD, or products offered by Okta or Auth0 (just to name a few), have started to make ADFS federation redundant in the past 3-4 years, but a lot of functionality has been added in the latest version of ADFS, shipped with Windows Server 2019, which keeps it relevant.
In my humble opinion, ADFS is not dead yet!
Without further ado let’s deep dive into the article now.
ADFS THROWS ERROR WHEN PFX CERTIFICATES USE CNG KEYS
If you look at the official ADFS documentation for versions older than Windows Server 2016, any certificate used for:
- service communication
- token decryption/encryption
- token signing
cannot be a certificate whose private key was generated by CNG (Cryptography Next Generation); it must use a legacy CSP (Cryptographic Service Provider) key instead.
This can be painful because your Service Communication certificate will most likely be signed by a CA, so when you have the certificate ready as a PFX (with the private key) and you are about to renew it, you will probably run into this error message.
ADFS Error:

The certificate with the specified thumbprint {thumbprint} has a Cryptographic Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
Workaround
A very interesting workaround that one of my colleagues mentioned to me (possibly originally from this blog) is the following: the error from the ADFS wizard can be avoided by importing the PFX certificate (with the CNG private key) into Firefox and exporting it again as a P12. Once exported in P12 format, the certificate can be imported into ADFS without any error.
How to import a PFX certificate into Firefox and export it as a P12 for ADFS:
- Open Firefox
- Options
- Privacy & Security
- Certificates
- View Certificates…
- Import (and choose the PFX certificate to import and provide the password)
- Once imported select the certificate and click on Backup…
- Save the certificate in *.p12 (PKCS12) format.
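Before running the ADFS wizard it helps to know which provider a key is bound to, both in the PFX you received from the CA and in the Firefox-exported P12. The PowerShell below is an added example, not code from the original post: it reads the "Provider =" attribute that certutil prints for a PFX file or for an installed certificate and classifies it as CNG (a Key Storage Provider) or legacy CSP. File names, the password and the thumbprint are placeholders.

```powershell
# Added example: classify the private-key provider of a PFX or an installed
# certificate, so a CNG key is spotted before ADFS rejects it.
# Assumed placeholders: file names, 'changeme' password, thumbprint.

function ConvertFrom-CertutilProvider {
    # Extract the first "Provider = <name>" line from certutil output.
    param([string[]] $Lines)
    $line = $Lines | Where-Object { $_ -match '^\s*Provider\s*=\s*(.+)$' } |
            Select-Object -First 1
    if (-not $line) { return $null }
    return ($line -replace '^\s*Provider\s*=\s*', '').Trim()
}

function Get-KeyTypeFromProvider {
    # CNG providers are named "... Key Storage Provider";
    # legacy CSPs are named "... Cryptographic Provider".
    param([string] $Provider)
    if (-not $Provider)                              { return 'None recorded' }
    if ($Provider -like '*Key Storage Provider*')    { return 'CNG' }
    return 'CSP'
}

function Get-PfxKeyProvider {
    # certutil -dump on a PFX prints the key bag attributes, including the
    # provider name the key was exported from (absent in a Firefox/NSS P12).
    param([Parameter(Mandatory)] [string] $PfxPath,
          [Parameter(Mandatory)] [string] $Password)
    $dump = & certutil.exe -p $Password -v -dump $PfxPath 2>&1 | ForEach-Object { "$_" }
    $provider = ConvertFrom-CertutilProvider -Lines $dump
    [pscustomobject]@{ Source = $PfxPath; Provider = $provider
                       KeyType = Get-KeyTypeFromProvider -Provider $provider }
}

function Get-StoreKeyProvider {
    # After import, certutil -store shows the provider the key actually lives in
    # (LocalMachine\My is where the ADFS service communication cert sits).
    param([Parameter(Mandatory)] [string] $Thumbprint, [string] $StoreName = 'My')
    $out = & certutil.exe -store $StoreName $Thumbprint 2>&1 | ForEach-Object { "$_" }
    $provider = ConvertFrom-CertutilProvider -Lines $out
    [pscustomobject]@{ Source = "$StoreName\$Thumbprint"; Provider = $provider
                       KeyType = Get-KeyTypeFromProvider -Provider $provider }
}

# Compare the CA-issued PFX with the P12 re-exported from Firefox.
'.\adfs-service-from-ca.pfx', '.\adfs-service-from-firefox.p12' |
    ForEach-Object { Get-PfxKeyProvider -PfxPath $_ -Password 'changeme' } |
    Format-Table -AutoSize
# Verify the key after importing it: Get-StoreKeyProvider -Thumbprint '<thumbprint>'
```

A result of "None recorded" for the Firefox P12 is expected: the NSS export carries no Microsoft provider attribute, so the Windows importer places the key in its default legacy CSP, which is what makes the workaround succeed.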
I hope you’ll find this information useful.
Thank you – this got me out of a hole and is invaluable knowledge for the future. As if ADFS SSL renewal isn’t complicated enough without this rearing its head!
Hi Jeff, sorry for the delay in the response. Happy to know that you found this article useful.