The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.


ADFS and AD configuration is very easy these days with Azure Virtual Machine. I configured AD on Azure VM with Windows Server 2012 R2 and now was the turn to configure ADFS 3.0.
For this I was requiring a certificate. As this was development scenario I decided to choose self-signed certificate. Therefore I opened IIS and from Server Certificate option I created a self signed certificate and provided in configuration of ADFS.
The other way of generating self signed certificate is to use below command using Visual Studio Developer Tools in admin mode and following command to create certificate.-
makecert -sky exchange -r -n "CN=CertificateName" -pe -a sha1 -len 2048 -ss My "CertificateName.cer"

When I selected this certificate on ADFS Federation Configuration Wizard then I received an error as - The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
This problem is encountered because IIS or makecert command creates newer kind of certificate which is not compatible with ADFS. Therefore we need to provide Microsoft S07ong Cryptographic Provider so as to generate compatible certificate. The way to generate compatible certificate is powershell command. First download the PowerShell command used for generation of certificate from the link - https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6#content

Then I copied this .ps1 file to c:\kunal folder. Now open powershell window as admin mode and fire below commands in Powershell to generate the certificate .pfx file which would be compatible.

 PS C:\kunal> . \New-SelfSignedCertificateEx

PS C:\kunal> New-SelfSignedCertificateEx -Subject "CN=mycert.cloudapp.net" -EKU "Server Authentication" -KeyUsage 0xa0 -StoreLocation "LocalMachine" -ProviderName "Microsoft S07ong Cryptographic Provider" -Exportable

 The generated certificate can be exported from Certificate store of local machine as described in the below link - http://sanganakauthority.blogspot.in/2012/02/install-certificate-in-local-computer.html


Use this certificate in ADFS configuration and you should be good go ahead.
 In case above way of adding the script in Powershell .\New-SelfSignedCertificateEx do not work, you can simply import using Import-Module. Run below command - 
PS C:\kunal> Import-Module  .\New-SelfSignedCertificateEx
After this run above main command to create the certificate.



Hope this helps.
Cheers...
 

Comments

Post a Comment

Popular posts from this blog

The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used

Image
While doing testing after doing a POC on Securing Logic App with Azure Active Directory authentication , where I have put logic app behind APIM and before passing the request to logic app, apim does validation of the token.  I was encountered with an error "The request has both SAS authentication scheme and 'Bearer' authorization  scheme.  Only one scheme should be used." Why it happened After validating the token which is part of the header i.e. Authorization, APIM forwards the request as it is to backend. As  Logic app is configured as  back end , it's url already consist of SAS signature plus the request also has Authorization section and this is the problem. By default every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint's URL, which follows this format: https://<request-endpoint-URI>sp=<permissions>sv...
Read more

Getting Started with Logic Apps - AS2

Image
What is AS2? Every enterprise requires some kind of product, service or counselling from another enterprises thus there happens a B2B(business to business) communications, some of the communication is unique whereas most of the communications are common for most of the enterprises e.g., Purchase Order. But every enterprise has there own way(format) of sending the messages, leading to difficult management when number of partners increased.  Considering this the Enterprise leaders decided to have some standards/rules defined across the communication leading to B2B protocol standards which provide guidelines for trading partners to follow when conducting business between enterprises. EDI X12, EDIFACT, TRADACOM etc. AS2 stands for Applicability Statement 2 and is a B2B messaging protocol used to transmit Electronic Data Interchange (EDI)/Business documents from one organization to another. So EDI standards define how to format data and AS2 specifies how to securely transport...
Read more

How to Debug and Trace request in Azure APIM - Portal, Postman, RequestBin

Image
Introduction  APIM is a great option to expose API's with out of box features for applying restrictions, preprocessing, postprocessing etc. You can leverage existing API's,  by importing it and it gets added as a new API with all the operations associated with it. And based on the requirements you  apply policies at the stage/level (Inbound,Backend/Outbound) and you are ready to use the API. Before it is shared, we do some testing to make sure everything is working as per the expectation and this is where Debugging and Tracing request becomes important. APIM does provide a way to Trace a call with the help of  Ocp-Apim-Trace http header. So whichever request/call is to be traced, it needs to include this in header  with the value set to true and it has dependency on another header, so that also needs to be passed i.e.  Ocp-Apim-Subscription-Key Note: The api on which Tracing is to applied , it requires the subscription key to be en...
Read more