I was bitten by this last night when updating my ADFS certs. Undoubtedly, several of you already know this information, but I thought I would share in case there are others who did not know. I went by a doc on MSDN for certificate requirements for ADFS that made no mention of this issue. The documentation located at https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx for certificate requirements does not address an issue whereby certificates with Private Keys signed by Cryptographic Next Generation (CNG) algorithms are not supported. I ran into this when updating my certificates on AD FS 2012 R2. I cannot find anything on the page relating to this.
However, after further searching, once I ran into this problem, there is another doc dated May 23, 2014 located here: https://technet.microsoft.com/en-us/library/dn554247.aspx?f=255&MSPPError=-2147217396#BKMK1 that does make the statement that CNG is not supported, but it is older than the doc referenced above. The doc referenced above in the link was updated June 25, 2015 and would appear to be the latest information. I have submitted a request to have the latest doc updated to state this as well. But FYI, if you are renewing certificates for AD FS, make sure that you do not get a CNG cert from your vendor of choice. Even though the OS supports CNG, ADFS does not.

Brian Britt
Team Lead | Senior Systems Analyst
Vanderbilt University Security Operations | VUIT Identity Operations Team | Central Directory Services
Office: (615) 322-4676
Lync: (615) 875-9858
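The practical problem the post describes is that a certificate with a CNG-backed private key looks perfectly normal in the certificate store until AD FS refuses it. The following PowerShell function is an added example, not part of the original post and not from Microsoft, that inspects each certificate with a private key in a store and reports whether the key lives in a CNG key storage provider or a legacy CryptoAPI CSP, so the mismatch is caught before the certificate is assigned to AD FS. It assumes Windows PowerShell with .NET Framework 4.6 or later (where `RSACertificateExtensions.GetRSAPrivateKey` is available) and that the AD FS certificates are in `Cert:\LocalMachine\My`; the function name and output property names are this example's own choices.

```powershell
# Added example (not from the original post): report whether each certificate in a
# store uses a CNG key storage provider (KSP) or a legacy CryptoAPI CSP.
# Assumes Windows PowerShell with .NET Framework 4.6+ and a default store path of
# Cert:\LocalMachine\My; run it elevated so private-key metadata is readable.

function Get-CertificateKeyProviderType {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert     = $_
        $keyType  = 'Unknown'
        $provider = $null
        try {
            # GetRSAPrivateKey returns an RSACng object for keys held by a CNG KSP and an
            # RSACryptoServiceProvider object for keys held by a legacy CryptoAPI CSP.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyType  = 'CNG (not supported by AD FS)'
                $provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyType  = 'Legacy CSP (CryptoAPI)'
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            } elseif ($null -eq $rsa) {
                # Non-RSA keys (e.g. ECDSA) are always CNG-backed on Windows.
                $keyType = 'Non-RSA key (CNG)'
            }
        } catch {
            # Typically a permissions problem reading the key container; surface it rather than hide it.
            $keyType = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyType    = $keyType
            Provider   = $provider
        }
    }
}

# Usage: review the list before pointing AD FS at a thumbprint with
# Set-AdfsCertificate or Set-AdfsSslCertificate.
Get-CertificateKeyProviderType | Format-Table -AutoSize
```

The same distinction is visible without PowerShell in the output of `certutil -store my`, where the `Provider =` line names a "Key Storage Provider" for CNG keys and a classic provider such as "Microsoft RSA SChannel Cryptographic Provider" for CryptoAPI keys. If a vendor has already delivered the certificate as a PFX with a CNG key, re-importing it with `certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importPFX <file.pfx>` places the key in a legacy CSP instead, which avoids having to request a new certificate.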