
I am working on moving from exchange 2007 to exchange online. I've gotten to the point of needing ADFS to work outside my domain. I've got a trusted third party cert from GD, made the appropriate setting changes in the firewall, and can verify traffic hitting the ADFS server.

The problem I am having is that ADFS requires legacy configuration when generating the cert, thus limiting the ciphers apparently. The error codes I see in Event Viewer are:

"Error : An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1204"

I've tried using openssl to import then export the cert to "unlock" all the ciphers, but I can't seem to get it to work. Thank you all for reading, any suggestions would be much appreciated.

1 Answer

You've already got to know the root cause here:

  • Root cause: This problem occurs because the certificate used employs newer cryptographic technology known as Cryptography Next Generation (CNG). CNG permits the use of a suite of newer public key providers which are not compatible with ADFS.

So the solution here is:

  • Solution:

    1. If you are using a Microsoft Certificate Authority to issue the certificate, you can ensure the use of the legacy API by using a certificate template that specifies a Legacy Cryptographic Service Provider.
    2. If you have received your certificate from a public certificate authority, you will need to contact them (GD) to reissue your certificate with a legacy CSP so that the ADFS wizard can accept the certificate.
    3. Or use certutil.exe to import the cert like below:

      certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx C:\Cert\YourCNGCertFile.pfx
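As an added example (not part of the question or the answer above), a PowerShell check that reports which provider holds a certificate's private key, so you can tell before running the ADFS wizard whether the certutil re-import in step 3 is needed. The subject name is a placeholder; the check parses the `Provider =` line that `certutil -store` prints for certificates with a private key.

```powershell
# Added example, not the original poster's or answerer's code.
# Reports whether the private key of a LocalMachine\My certificate is held by a
# legacy CSP (usable by ADFS) or by a CNG key storage provider (rejected by ADFS).
function Test-AdfsCertificateProvider {
    param(
        # Placeholder: replace with the subject of your federation service certificate.
        [Parameter(Mandatory)] [string] $Subject
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with a private key found for subject '$Subject'."
    }

    # certutil prints a "Provider = <name>" line for the key container of the cert.
    $storeOutput = & certutil.exe -store My $cert.Thumbprint 2>&1
    $providerLine = $storeOutput | Where-Object { $_ -match '^\s*Provider\s*=\s*(.+)$' } | Select-Object -First 1
    if (-not $providerLine) {
        throw "certutil did not report a key provider for thumbprint $($cert.Thumbprint)."
    }
    $provider = ($providerLine -replace '^\s*Provider\s*=\s*', '').Trim()

    # CNG key storage providers are named "... Key Storage Provider";
    # legacy CAPI providers are named "... Cryptographic Provider".
    $isCng = $provider -like '*Key Storage Provider*'

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Provider   = $provider
        IsCng      = $isCng
        Verdict    = if ($isCng) {
            'CNG key: export the PFX with its private key and re-import it with certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" before using it in the ADFS wizard.'
        } else {
            'Legacy CSP key: the ADFS wizard should accept this certificate as-is.'
        }
    }
}

# Usage (placeholder subject):
Test-AdfsCertificateProvider -Subject 'CN=adfs.example.com' | Format-List
```

Run it in an elevated Windows PowerShell session on the ADFS server, since the machine store and certutil both need local administrator rights to read the key container details.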
