ADFS Configuration Wizard Fails with Error “The certificates with the CNG private key are not supported”

When running the ADFS configuration wizard, or renewing the service communications certificate, you will get a “The certificates with the CNG private key are not supported” error unless the certificate was created with a legacy (non-CNG) key. There is a useful blog post here https://blogs.technet.microsoft.com/mspfe/2013/11/29/adfs-configuration-wizard-fails-with-error-the-certificates-with-the-cng-private-key-are-not-supported/ on what to do if you are using a Microsoft certificate authority.

Assuming you are using someone else’s CA, the following steps can be used to get a CSR and a legacy (non-CNG) private key (this still works after the SHA-1 sunset).

1. Run MMC and add the Certificates snap-in for the local computer’s certificate store.

2. Expand Personal and Certificates, right click on Certificates > All tasks > Advanced > Create Custom Request.

3. Click on Next then select “Proceed without enrollment policy” and Next again.

4. Change the template to “(no template) Legacy key”.

5. Expand the Details drop-down, click on Properties and make sure to set the correct CN, DNS names, country code etc. as required. You must also set the key size to 2048 or higher, and you may want to mark the key as exportable if you have other servers that need to share the same private key.

6. Click through and save the CSR and provide this to your CA.

7. When you have the certificate from the CA, import it to the personal store on this computer.

8. Run this command in PowerShell to determine the CertificateHash of the new certificate:

dir cert:\localmachine\my

Review the list of returned certs and note the Thumbprint of the new one.

9. You can now set the service to use this certificate. While the GUI will let you select the service certificate, the http.sys-hosted SSL endpoint can only be updated in PowerShell, so you might as well do both that way.

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <thumbprint>

Set-AdfsSslCertificate -Thumbprint <thumbprint>

If you have any doubt as to what the service is configured to use, either before or after the change, you can run the equivalent Get command, e.g. Get-AdfsCertificate.

(If in doubt as to which SSL certificate is configured, then Get-AdfsSslCertificate can be run as well.)
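Steps 8 and 9 above rely on you picking the right certificate by eye. As an added example (not from the original post), the following PowerShell lists the local machine store with the private key type shown, so a CNG-keyed certificate is caught before ADFS rejects it, and then applies the two Set-Adfs* commands only when the chosen certificate has a legacy key of at least 2048 bits. It assumes PowerShell 5 / .NET 4.6+ (for GetRSAPrivateKey), an elevated session, and that the subject name is replaced with your own.

```powershell
# Added example, not part of the original post. Assumes PowerShell 5 / .NET 4.6+,
# an elevated session, and that $Subject is replaced with your real service CN.
param(
    [string]$Subject = 'CN=adfs.example.com',   # assumption: placeholder subject
    [switch]$Apply                              # actually run the Set-Adfs* cmdlets
)

function Get-PrivateKeyKind {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Legacy CSP keys come back as RSACryptoServiceProvider (what ADFS accepts);
    # CNG keys come back as RSACng (what triggers the wizard error).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }   # no RSA key, or key not readable by this account
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return [pscustomobject]@{ Kind='CNG';    KeySize=$rsa.KeySize; Provider=$rsa.Key.Provider.Provider }
    }
    return [pscustomobject]@{ Kind='Legacy'; KeySize=$rsa.KeySize; Provider=$rsa.CspKeyContainerInfo.ProviderName }
}

# Step 8 of the post, with key type, size and provider added to the listing.
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $k = if ($_.HasPrivateKey) { Get-PrivateKeyKind $_ } else { $null }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        KeyKind    = if ($k) { $k.Kind } else { 'none/inaccessible' }
        KeySize    = if ($k) { $k.KeySize } else { $null }
        Provider   = if ($k) { $k.Provider } else { $null }
    }
}
$report | Format-Table -AutoSize

# Pick the newest certificate for the subject and refuse it unless the key is legacy and >= 2048 bits.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Subject" }
$kind = Get-PrivateKeyKind $cert
if (-not $kind -or $kind.Kind -ne 'Legacy') { throw "$($cert.Thumbprint) does not have a legacy RSA key; ADFS will reject it" }
if ($kind.KeySize -lt 2048) { throw "$($cert.Thumbprint) key is only $($kind.KeySize) bits" }

# Step 9: the GUI only changes the service certificate; the http.sys binding needs Set-AdfsSslCertificate.
if ($Apply) {
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
    Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
    Get-AdfsCertificate -CertificateType Service-Communications
    Get-AdfsSslCertificate
} else {
    Write-Host "Would apply $($cert.Thumbprint); re-run with -Apply to change ADFS."
}
```

Run it once without -Apply to see the listing and the certificate it would choose, then with -Apply on the ADFS server.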

This workbook cannot be opened because it is not stored in an Excel Services Application trusted location when using SSL in Sharepoint 2010

When attempting to view or edit an Excel workbook in the browser you get the following error:

Cannot open trusted location

Curiously, this error doesn’t occur when opening the same file over plain HTTP rather than SSL, which suggests it isn’t actually the location the file is stored in that isn’t trusted, but rather the URL used to access it.

To resolve the problem, follow these steps:

1. Open the central administration site and navigate to “Application settings” and then “Manage Service Applications”

[Screenshot: Manage Service Applications]

2. Once the “manage Service Applications” page has loaded locate and click on “Excel Services Application”

[Screenshot: Excel Services Application]

3. Click on “Trusted File Locations”

[Screenshot: Trusted File Locations]

4. Click on “Add Trusted File Location” and type “https://” in the address field, then tick the “Children trusted” box. You may also wish to change the “Allow External Data” setting to “Trusted data connection libraries and embedded” if required by your worksheets.

[Screenshot: Trusted file location configuration]

5. Click on OK and retry opening your Excel workbook. The workbook should open correctly.

While the above settings are appropriate for most organisations, you may wish to edit the default http:// path to reflect only your own access URLs instead of the whole http:// and https:// range. If you do this, remember to revisit it should you add or change any alternate access mappings.