PingOne: AD Connect does not have sufficient privileges to access private key for signing. (Err013)


Published: 09/19/2013

You will receive this error when attempting single sign-on (SSO) to an application, including the PingOne dock, if the Microsoft Internet Information Services (IIS) worker process that hosts AD Connect does not have permission to read the private key of the certificate bound to HTTPS on the IIS site, which AD Connect uses for signing.  To resolve this problem, ensure that the local IIS_IUSRS group (the group that IIS application pool identities belong to) has the required permissions on that private key.  This is done using the Certificates snap-in within the Microsoft Management Console (mmc).  The following steps describe how to add the necessary access privileges:

  1. On the IIS server machine, go to the Start menu and click the "Run..." option (Windows 2008) or click the Run icon (Windows 2012), type in "mmc" and press return.  This will open the Microsoft Management Console.
  2. Open the File menu, then select the Add/Remove Snap-in option.  In the list of available Snap-ins, select "Certificates", then click the Add button.
  3. On the following screen select the "Computer account" radio button, then click Next.
  4. On the next screen, keep the "Local computer" option selected, then click the "Finish" button, and finally click OK to complete the Add Snap-in process.  
  5. In the MMC console click on the "+" to expand the Certificates tree, then expand the Personal folder, then click on the inner-most Certificates folder to display the list of installed certificates.
  6. In the main content pane, right-click on the signing certificate used by AD Connect to bring up a list of options.

  7. Select "All Tasks", then "Manage Private Keys".  This lists the access permissions on the private key of this certificate (the option is only present for certificates that have a private key in the machine store).  Verify whether a group called "IIS_IUSRS" is listed; this local built-in group needs permission to access the key.  If IIS_IUSRS is not listed, add the group using the "Add..." button, type in IIS_IUSRS, then click the "Check Names" button to find the group.  It may be necessary to prefix the group name with the host name of the local machine (for example, host\IIS_IUSRS) to make sure the correct group on the correct server is located, because a domain-joined server may otherwise search Active Directory instead of the local computer.  You can also select the host by clicking "Locations..." (provide network credentials if requested), then selecting the local machine at the top of the list.  Once the group is found it is displayed in the content pane.  Click OK to accept the group.

  8. Next, look at the permissions for this group.  Make sure that the Full Control and Read boxes are checked, then click OK.  Note that Read is all a process needs to sign with a private key; Full Control additionally lets the IIS worker processes change the key's permissions or delete the key file, so if you prefer to follow least privilege, grant Read first and add Full Control only if the error persists.

  9. Once the access permissions for IIS_IUSRS have been configured, restart the AD Connect service and test SSO.  The insufficient privileges error should now be eliminated.  If you encounter further errors, please refer to this KB for additional troubleshooting.
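The same repair can be scripted from an elevated PowerShell prompt on the IIS server, which is useful when the fix has to be repeated on several servers or audited.  The script below is an added example and is not part of this KB or of the AD Connect product.  It assumes you know the thumbprint of the AD Connect signing certificate in the machine store (Cert:\LocalMachine\My); the service name ADConnect is an assumption, so confirm it with Get-Service before running.  The script locates the on-disk key container for the certificate, prints its current ACL, adds an entry for IIS_IUSRS by its well-known SID (S-1-5-32-568, which avoids the name-lookup problem described in step 7), and restarts the service.  By default it grants Read, which is sufficient for signing; pass -Rights FullControl to reproduce the permissions described in step 8.

```powershell
# Added example, not code from the PingOne KB.  Run as an administrator on the IIS server.
# Assumptions: -Thumbprint is the AD Connect signing certificate in Cert:\LocalMachine\My;
# -ServiceName 'ADConnect' is a guess at the Windows service name (check Get-Service).
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$ServiceName = 'ADConnect',
    [ValidateSet('Read', 'FullControl')][string]$Rights = 'Read'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the machine store" }

# Work out the unique key container name.  Legacy CAPI (CSP) keys expose it through
# CspKeyContainerInfo; CNG (KSP) keys expose it through the CngKey's UniqueName.
$keyName = $null
try {
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
} catch { }   # .PrivateKey throws for CNG-backed certificates; fall through to the CNG path
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { throw "Could not determine the key container name (hardware/KSP-backed key?)" }

# Machine-wide CAPI keys live under RSA\MachineKeys, CNG keys under Crypto\Keys.
$candidates = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName"
)
$keyFile = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$keyName' was not found under $env:ProgramData\Microsoft\Crypto" }

# Show the ACL before the change so the modification is auditable.
Write-Host "Private key file: $keyFile"
(Get-Acl -LiteralPath $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# IIS_IUSRS is a built-in local group with the well-known SID S-1-5-32-568.  Using the SID
# sidesteps the "which IIS_IUSRS?" ambiguity on domain-joined servers.
$iisUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-568')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($iisUsers, $Rights, 'Allow')

$acl = Get-Acl -LiteralPath $keyFile
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl
Write-Host "Granted $Rights on the private key to IIS_IUSRS."

# Restart AD Connect so the worker process picks up the new permissions, then retest SSO.
Get-Service -Name $ServiceName -ErrorAction Stop | Restart-Service
```

Example invocation: `.\Grant-KeyAccess.ps1 -Thumbprint '<thumbprint of the signing certificate>'`.  If the script cannot locate the key container (for example because the key lives in a hardware security module or a non-Microsoft KSP), fall back to the MMC steps above, since in that case the permission is not a file ACL at all.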

Category: ADConnect