Trying to import a CSP cert turns it into CNG and thus will not operate with ADFS RRS feed

  • Question

  • I have a CSP (legacy) cert. If I import this cert into a 2008R2 server it remains a CSP cert and works with ADFS there. I have 2 2012R2 servers, if I import the exact same CSP cert on either of these servers it turns it into a CNG certificate in the cert store. I have tried using certutil to force it to use CSP to import it but I receive the error shown below.

    certutil -csp "Microsoft Strong Cryptographic Provider" -importpfx C:\Cert\cert.pfx

    The above command works in 2008R2 but fails in 2012R2 with the following error.

    CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

    If I create a CSR asking for a CSP cert I can get it to work, but that leaves me in a position where I can only have a single-server farm, which doesn't fit my requirements. I've set up ADFS before in 2012R2 without having this issue.


    ~Preston



    • Edited by Pr0n Wednesday, January 13, 2016 9:50 PM
    Wednesday, January 13, 2016 9:46 PM
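A quick way to confirm what the poster describes (the imported key landing in a CNG Key Storage Provider instead of the legacy CSP) is to inspect the private key type of each certificate in the machine store. The following PowerShell is an added example, not code from the thread; it assumes .NET Framework 4.6 or later (for `GetRSAPrivateKey`) and an elevated shell so private keys can be opened, and the store path is a parameter you can change.

```powershell
# Added example: list which certificates in LocalMachine\My are backed by a
# legacy CryptoAPI CSP key and which by a CNG Key Storage Provider (KSP).
# In this thread, ADFS on 2012R2 only accepted the CSP-backed keys.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: machine personal store
)

function Get-KeyProviderKind {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }

    try {
        # Returns RSACryptoServiceProvider for CSP keys, RSACng for KSP keys (.NET 4.6+)
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        # Typical cause: the key container exists but this account cannot open it
        return "Unreadable ($($_.Exception.Message))"
    }
    if ($null -eq $rsa) { return 'NotRSA' }

    switch ($rsa.GetType().Name) {
        'RSACryptoServiceProvider' {
            return "CSP: $($rsa.CspKeyContainerInfo.ProviderName)"
        }
        'RSACng' {
            return "CNG: $($rsa.Key.Provider.Provider)"
        }
        default { return "Other ($($rsa.GetType().Name))" }
    }
}

# One row per certificate; a "CNG:" row is one that this thread says ADFS will reject
Get-ChildItem -Path $StorePath | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        KeyKind    = Get-KeyProviderKind -Cert $_
    }
} | Sort-Object KeyKind | Format-Table -AutoSize
```

Run it before and after an import: on the 2008R2 box the imported certificate should report a `CSP:` provider, while on the affected 2012R2 boxes the same PFX shows up as `CNG: Microsoft Software Key Storage Provider`, which matches the NCrypt provider name in the later event log excerpt.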

All replies

  • I am not sure what you mean by a legacy CSP. You mean "Microsoft Strong Cryptographic Provider" is a legacy CSP?

    I can't repro on my lab... Maybe you can enable the CryptoAPI logs (example here) and tell us if there is something fishy?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, January 18, 2016 5:53 PM
  • I am not sure what you mean by a legacy CSP. You mean "Microsoft Strong Cryptographic Provider" is a legacy CSP?

    Basically this http://blogs.msdn.com/b/benjaminperkins/archive/2013/10/01/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues.aspx

    ADFS does not function with a CNG certificate, so I use certutil to try to force a normal CAPI2 cert to import as a normal CAPI2 cert, but these Server 2012R2 machines won't have it. Like I said, it functions perfectly fine on a 2008 R2 system, same cert, same command, and I verified that when I import that cert into 2012R2 through the UI it gets converted to CNG upon import; I verified using the method in the link above.

    I enabled logging and reproduced the issue. There are no errors in the log. Is there a way to make sure "Microsoft Strong Cryptographic Provider" is installed and working or to reinstall it?

    Event log results

    Information    1/21/2016 3:07:37 PM    CAPI2    11    Build Chain
    Information    1/21/2016 3:07:37 PM    CAPI2    90    X509 Objects
    Information    1/21/2016 3:07:37 PM    CAPI2    10    Build Chain
    Information    1/21/2016 3:07:37 PM    CAPI2    70    Acquire Certificate Private Key
    Information    1/21/2016 3:07:37 PM    CAPI2    90    X509 Objects
    Information    1/21/2016 3:07:37 PM    CAPI2    11    Build Chain
    Information    1/21/2016 3:07:37 PM    CAPI2    90    X509 Objects
    Information    1/21/2016 3:07:37 PM    CAPI2    10    Build Chain
    Information    1/21/2016 3:07:37 PM    CAPI2    70    Acquire Certificate Private Key
    Information    1/21/2016 3:07:37 PM    CAPI2    90    X509 Objects

    I then enabled the Crypto-NCrypt operational log and got the following error on repro:

    EventID: 3

    Type: Error

    Open Key operation failed.

     Cryptographic Parameters:
         Provider Name:    Microsoft Software Key Storage Provider
         Key Name:    {87F49C1B-0895-40A8-BFA7-F8205222B5DF}
     Failure Information:
         Return Code:    0x80090016


    ~Preston

    • Edited by Pr0n Thursday, January 21, 2016 10:27 PM
    Thursday, January 21, 2016 10:14 PM
  • Bump

    ~Preston

    Friday, January 29, 2016 8:05 PM
  • Is there really no way to resolve this? I tried disabling the CNG service, but then keys can't be imported. This happens on multiple machines with brand-new Windows installs.

    ~Preston

    Wednesday, February 17, 2016 9:38 PM
  • Hi Preston,

    The issuing authority is your own internal AD-integrated certificate services and this is using CNG?


    http://blog.auth360.net

    Wednesday, February 17, 2016 11:50 PM
  • Either way, it seems that .NET apps can't use the cert if the keys have been generated with a KSP (CNG). The official guidance is to use a certificate that originally used the legacy CSP. Is that blocking in your case? Can't you obtain a new certificate?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, February 18, 2016 4:42 PM
  • So I know this is quite old, but we had the same issue. We were importing a valid RSA cert that had been exported from ADFS into CRM, and it was being converted to a non-supported format. We ended up having to submit the cert request from CRM, then accept it there in IIS on the CRM server, then export that cert and import it into ADFS. Then undo the claims and IFD setup on CRM, make sure ADFS was all set up, then go back and do the claims setup again.
    Wednesday, June 5, 2019 3:55 PM
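Both the original poster (a CSR that asks for a CSP key works) and the last reply (generate the request on one server, then export and import the issued certificate) converge on the same workaround: have the private key created in a legacy CSP from the start, and mark it exportable so one issued certificate can be carried to every farm node. The script below is an added example, not from the thread; the subject name, SAN and file paths are placeholders, and it assumes `certreq.exe` is run in an elevated shell on the first ADFS node.

```powershell
# Added example: create a certificate request whose private key is generated
# in the legacy "Microsoft RSA SChannel Cryptographic Provider" (a CSP, not a
# CNG Key Storage Provider) and is exportable, so the issued cert can be moved
# to the other farm nodes as a PFX instead of being re-keyed per server.

$ServiceName = 'adfs.example.test'                 # placeholder federation service name
$InfPath     = Join-Path $env:TEMP 'adfs-csp.inf'  # placeholder output paths
$ReqPath     = Join-Path $env:TEMP 'adfs-csp.req'

# Single-quoted here-string so the $Windows NT$ signature is not interpolated;
# the placeholder token is substituted afterwards.
$InfTemplate = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__SERVICE__"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__SERVICE__&"
'@

$Inf = $InfTemplate.Replace('__SERVICE__', $ServiceName)
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generates the key pair in the named CSP and writes a PKCS#10 request
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

Write-Host "Request written to $ReqPath; submit it to the CA, then on this node run:"
Write-Host "  certreq -accept <issued.cer>"
Write-Host "and export the result with Export-PfxCertificate for the remaining farm nodes."
```

`KeySpec = 1` (key exchange) is what SChannel needs for a TLS server key, `KeyUsage = 0xA0` covers digital signature plus key encipherment, and `ProviderType = 12` is the RSA SChannel provider type. Because the key is exportable, the PFX produced on the first node is the thing to protect: use a strong export password, copy it over a channel you control, and delete the file from each node after import.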