INTRODUCTION
Microsoft has released security bulletin MS13-066. To view the complete security bulletin, go to the following Microsoft website:
-
IT professionals:
How to obtain help and support for this security update
Help for installing updates: Support for Microsoft UpdateSecurity solutions for IT professionals: TechNet Security Troubleshooting and SupportHelp protect your Windows-based computer from viruses and malware: Virus Solution and Security CenterLocal support according to your country: International Support
More Information
Known issues with this security update
-
You may experience any of the following known issues after you install this security update. Issue 1When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.Generally, a large SSO token is caused by a user being a member of many groups. Issue 2Assume that you deploy Active Directory Federation Services (AD FS) as an identity provider for a federation provider. Or, assume that you deploy AD FS as a security token service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, if the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when the user tries to perform authentication.Issue 3If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.Issue 4When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.Issue 5For customized AD FS 2.0 deployments, customizations added after the SignIn call in the FormsSignin.aspx.cs page code are not executed.To resolve these issues, install hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server
-
Microsoft is aware of problems with the security updates that affect AD FS 2.0 that are described in MS13-066. These problems could cause AD FS to stop working if the previously released update rollup (Update Rollup 3 for Active Directory Federation Services 2.0, also known as update 2790338) was not installed.On August 19, 2013, Microsoft rereleased security update 2843638 to address this issue. Customers who installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Be aware that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.
Additional steps that are required to install this security update
After you install this security update, follow these steps to manually complete the installation:
-
Make a backup copy of the customized FormsSignIn.aspx page in the following folder:%systemdrive%\inetpub\adfs\ls Notes
-
Make sure that you store the backup in a reliable storage location.
-
All customizations to .asp files should be reliably backed up. We recommend that you use version control to do this.
-
-
In the backup folder, edit the FormsSignIn.aspx page to add the text "autocomplete=off" for the Username and Password text boxes. To do this, follow these steps:
-
Change the following:<asp:TextBox runat="server" ID="UsernameTextBox"> To the following: <asp:TextBox runat="server" ID="UsernameTextBox" autocomplete="off">
-
Change the following:<asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password"> To the following: <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password" autocomplete="off">
-
-
Copy the updated FormsSignIn.aspx page to the following folder: %systemdrive%\inetpub\adfs\ls
FILE INFORMATION
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.
-
The files that apply to a specific product, milestone (SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version
Product
Milestone
Service branch
6.0.6002.18xxx
Windows Server 2008 SP2
SP2
GDR
6.0.6002.23xxx
Windows Server 2008 SP2
SP2
LDR
-
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
For all supported x86-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identityserver.dll |
6.1.7600.17338 |
778,240 |
01-Jul-2013 |
22:59 |
x86 |
|
Microsoft.identityserver.dll |
6.1.7601.22371 |
786,432 |
01-Jul-2013 |
23:02 |
x86 |
For all supported x64-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identityserver.dll |
6.2.9200.16651 |
871,936 |
28-Jun-2013 |
00:30 |
x86 |
|
Microsoft.identityserver.dll |
6.2.9200.20760 |
871,936 |
28-Jun-2013 |
08:50 |
x86 |
-
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version
Product
Milestone
Service branch
6.1.760 1.18 xxx
Windows Server 2008 R2
SP1
GDR
6.1.760 1.22 xxx
Windows Server 2008 R2
SP1
LDR
-
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
For all supported x64-based versions of Windows Server 2008 R2
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identityserver.dll |
6.1.7601.18195 |
778,240 |
28-Jun-2013 |
13:11 |
x86 |
|
Microsoft.identityserver.dll |
6.1.7601.22370 |
786,432 |
28-Jun-2013 |
05:20 |
x86 |
-
The files that apply to a specific product, milestone (RTM,SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version
Product
Milestone
Service branch
6.2.920 0.16xxx
Windows Server 2012
RTM
GDR
6.2.920 0.20xxx
Windows Server 2012
RTM
LDR
-
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
For all supported x64-based versions of Windows Server 2012
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identityserver.dll |
6.2.9200.16651 |
871,936 |
28-Jun-2013 |
00:30 |
x86 |
|
Microsoft.identityserver.dll |
6.2.9200.20760 |
871,936 |
28-Jun-2013 |
08:50 |
x86 |
