Forum Discussion
The salt sizes required for signing with RSAPSS do not match those used by TPM.
That’s a tricky error, and you’re right to suspect it may be tied to the environment change rather than Entra ID itself. The message about “salt sizes required for signing with RSAPSS do not match those used by TPM” typically points to a mismatch between the cryptographic provider settings on the new server and what Entra (via Azure AD Connect / Entra Connect) expects.
A few things you might want to check:
🔑 TPM / Crypto provider – Confirm that the new server’s TPM and crypto libraries are correctly initialized. In some cases, enabling/disabling FIPS-compliant algorithms or using a different CSP can trigger this mismatch.
🔄 Clean up old sync objects – Even though you don’t see old syncs in Entra ID, residual objects in Microsoft Entra Connect Health or the Admin Center can cause conflicts. Removing the old sync instance completely (and re-registering the new one) often resolves this.
🗂️ Check certificate / key store – If custom certificates or keys were used with the previous sync, make sure the new server isn’t trying to reference stale keys. A full reconfiguration of Entra Connect usually forces a new key generation.
🛠️ Fresh install vs. re-use – If you migrated settings from the old server, try doing a clean install of Entra Connect on the new one instead of restoring configs. This ensures the crypto parameters are generated fresh and align with the TPM.
If you’re still stuck, I’d recommend opening a support case with Microsoft, since RSAPSS salt size mismatches are fairly low-level crypto issues — but in most migration cases, they come down to leftover sync objects or mismatched cryptographic providers on the new server.
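A diagnostic to gather the three items the answer above says to compare between the old and new server (TPM readiness, FIPS algorithm policy, and sync service state). This is an added example, not code from the answerer or from Microsoft; it assumes it is run elevated on the new Entra Connect server with the built-in TrustedPlatformModule module and the ADSync module installed.

```powershell
# Added diagnostic (not from the forum answer). Assumptions: run as administrator
# on the new Entra Connect server; TrustedPlatformModule and ADSync modules present.
# Run the same script on the old server (if still available) and diff the output.

$report = [ordered]@{}

# 1. TPM readiness (Get-Tpm ships with Windows in the TrustedPlatformModule module)
try {
    $tpm = Get-Tpm
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady
} catch {
    $report['Tpm'] = "Get-Tpm failed: $($_.Exception.Message)"
}

# 2. FIPS algorithm policy (Enabled = 1 means FIPS-only algorithms are enforced).
#    A difference here between servers is one of the provider mismatches to rule out.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$report['FipsAlgorithmPolicy'] = if ($null -eq $fips) { 'not set (treated as 0)' } else { $fips }

# 3. Sync service and scheduler state (ADSync is the Entra Connect sync service name)
$svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue
$report['ADSyncService'] = if ($svc) { $svc.Status } else { 'not installed' }
try {
    Import-Module ADSync -ErrorAction Stop
    $sched = Get-ADSyncScheduler
    $report['SyncCycleEnabled']   = $sched.SyncCycleEnabled
    $report['StagingModeEnabled'] = $sched.StagingModeEnabled
} catch {
    $report['ADSyncScheduler'] = "unavailable: $($_.Exception.Message)"
}

[pscustomobject]$report | Format-List
```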