You will receive this error when attempting to single sign-on (SSO) to an application, including the PingOne dock, if the Microsoft Internet Information Services (IIS) server does not have permission to access the HTTPS-bound certificate. To resolve this problem, ensure that the IIS_IUSRS group has the required access permissions. This is accomplished using the Certificates snap-in within the Microsoft Management Console (mmc). The following steps describe how to add the necessary access privileges:
In the main content pane, right-click on the signing certificate used by AD Connect to bring up a list of options.
Select "All Tasks", then "Manage Private Keys". This lists the access permissions for this certificate's private key. Verify whether a group called "IIS_IUSRS" is listed; this local built-in group needs to be given full control permissions to access the certificate. If IIS_IUSRS is not listed, add the group using the "Add..." button, type in IIS_IUSRS, then click the "Check Name" button to find the group. It may be necessary to prefix the group name with the host name of the local machine (for example, host\IIS_IUSRS) to make sure the correct group on the correct server is located. You can also specify the host by clicking "Locations..." (provide network credentials if requested), then selecting the local machine at the top of the list. Once the group is found it is displayed in the content pane. Click OK to accept the group.
Next, look at the permissions for this group. Make sure that the Full Control and Read blocks are checked. Then click OK.
Once full access permissions for IIS_IUSRS have been configured, restart the ADConnect service and test SSO. The insufficient privileges error should now be eliminated. If you encounter further errors, please refer to this KB for additional troubleshooting.
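The same change can be made and verified from an elevated PowerShell prompt. The script below is an added example, not part of the PingOne KB or the AD Connect product; it assumes the signing certificate is in the Local Computer personal store and that you supply its thumbprint in $Thumbprint. It resolves the certificate's on-disk private key container (CNG or legacy CAPI), shows the current access list, and adds the Allow rule for IIS_IUSRS that the mmc steps above describe.

```powershell
# Added example (not from the PingOne KB): grant IIS_IUSRS access to the private key of the
# AD Connect signing certificate, the scripted equivalent of "Manage Private Keys" in mmc.
# ASSUMPTIONS: run as a local Administrator; $Thumbprint is your certificate's thumbprint;
# the certificate lives in Cert:\LocalMachine\My and its key is a machine key.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$Account = 'IIS_IUSRS',
    [ValidateSet('Read', 'FullControl')][string]$Rights = 'FullControl'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this host" }

# Locate the key container on disk. CNG keys expose Key.UniqueName; legacy CAPI keys expose
# CspKeyContainerInfo.UniqueKeyContainerName. Machine keys live under %ProgramData%\Microsoft\Crypto.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
if (-not (Test-Path -Path $keyFile)) { throw "Private key file not found at $keyFile" }

# Show who already has access; this is the same list mmc displays under "Manage Private Keys".
$acl = Get-Acl -Path $keyFile
$existing = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$Account" }
if ($existing) {
    Write-Host "$Account is already listed with: $(($existing | ForEach-Object { $_.FileSystemRights }) -join ', ')"
}

# Add the Allow rule for the local built-in group (the dialog's "Add..." then "Full Control").
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted $Rights on $keyFile to $Account"
```

Pass -Rights Read if your environment only needs IIS to read the key rather than the Full Control the article specifies; after the change, restart the ADConnect service and retest SSO as described above.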