Summary

Microsoft has released a Windows update to address a token replay vulnerability in Active Directory Federation Services (AD FS), described in CVE-2023-35348. The fix is installed by Windows updates released on or after July 11, 2023. By default, the fix is installed in a disabled state. To enable it, you must configure the EnforceNonceInJWT setting.

More information

This update introduces a new setting that enables validation of the nonce in the JSON Web Token (JWT) assertion during JWT user authentication.

This article describes how to enable the setting and details the events logged on AD FS servers for each supported value of the setting.

EnforceNonceInJWT setting

EnforceNonceInJWT may be configured by an administrator on an AD FS server to run in one of the following modes:

  • None (default value): This value indicates that the EnforceNonceInJWT setting has never been changed; an administrator cannot set it explicitly. In this mode, the AD FS server validates the nonce only when it is present in the JWT assertion and does not require it to be present.

  • Disabled: Set this value to disable the fix if issues are encountered with the default value or after enabling the setting.

  • Enabled: Enables enforcement. The AD FS server requires the nonce to be present in the JWT assertion and requires it to be valid when certain conditions are met.

EnforceNonceInJWT modes may be changed by an administrator on an AD FS server by using the following PowerShell commands:

  • Enable EnforceNonceInJWT:

    Set-AdfsProperties -EnforceNonceInJWT Enabled

  • Disable EnforceNonceInJWT:

    Set-AdfsProperties -EnforceNonceInJWT Disabled

  • Check the status of the EnforceNonceInJWT setting:

    An administrator may run Get-AdfsProperties to check the current EnforceNonceInJWT setting. The EnforceNonceInJWT value returned will match the configured mode.

Events logged

The following events may be logged on an AD FS server after the Windows updates released on or after July 11, 2023 are installed:

Note: Event 187 is logged whenever the AD FS server receives a request whose JWT assertion does not contain a nonce and EnforceNonceInJWT is set to either None or Disabled.

Source: AD FS

Level: Warning

ID: 187

Message: AD FS server received a JWT token without nonce in the assertion and it was accepted based on the current configuration setting of EnforceNonceInJWT. However, it indicates a potential replay of the JWT token by a malicious client or the possibility that the client is not patched with latest Windows Updates. Please make sure to update the EnforceNonceInJWT setting to reject all such JWT tokens after patching the clients with latest Windows Updates. For more information on this, please see https://go.microsoft.com/fwlink/?linkid=2238156.

Note: Event 188 is logged at every AD FS service start when EnforceNonceInJWT is set to either None or Disabled.

Source: AD FS

Level: Error

ID: 188

Message: AD FS server is not configured to reject JWT tokens that did not have nonce in the assertion. The corresponding setting (EnforceNonceInJWT) should be enabled for security reasons after making sure that all the clients are patched with the latest Windows Updates. The event 187 indicates the instances where AD FS received such tokens and accepted due to the current setting of EnforceNonceInJWT. For more information on this, please see https://go.microsoft.com/fwlink/?linkid=2238156.

Take action

Install Windows updates released on or after July 11, 2023 on all AD FS servers of the farm. Then, enable the setting by running the following PowerShell command on the primary AD FS server of the farm:

Set-AdfsProperties -EnforceNonceInJWT Enabled

Important: You may see authentication failures in certain scenarios when clients that are not updated send JWT authentication requests to the AD FS server. In such cases, we recommend updating all clients by installing the Windows update released on or after July 11, 2023. Alternatively, an administrator can disable the EnforceNonceInJWT setting and monitor the AD FS servers for Event 187 to identify requests that would be rejected once EnforceNonceInJWT is set to Enabled. After confirming that Event 187 has not been logged on the AD FS servers for a defined period of time, the EnforceNonceInJWT setting must be updated to Enabled.
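The following PowerShell script is an added example for the rollout procedure described above (the EnforceNonceInJWT commands and the "Take action" steps); it is not part of this article or of the AD FS product. It reads the current mode with Get-AdfsProperties, counts Event 187 entries over a monitoring window, reports the most recent Event 188, and only switches the setting to Enabled when the window is clean and the -Enable switch is given. It assumes that the events are written to the 'AD FS/Admin' log under the provider name 'AD FS' and that it is run in an elevated session on the primary AD FS server of the farm.

```powershell
# Added example (not Microsoft's code): audit readiness for EnforceNonceInJWT = Enabled.
# Assumed: AD FS events 187/188 are in the 'AD FS/Admin' log with provider 'AD FS';
# run elevated on the primary AD FS server of the farm.
param(
    [int]$Days = 14,    # monitoring window to look back for Event 187
    [switch]$Enable     # actually run Set-AdfsProperties when the window is clean
)

Import-Module ADFS -ErrorAction Stop

# 1. Current mode: None (never changed), Disabled, or Enabled.
$props = Get-AdfsProperties
$mode  = $props.EnforceNonceInJWT
Write-Host "Current EnforceNonceInJWT mode: $mode"

# 2. Event 187: a JWT without a nonce was accepted because enforcement is off.
$filter187 = @{
    LogName      = 'AD FS/Admin'   # assumed log name
    ProviderName = 'AD FS'
    Id           = 187
    StartTime    = (Get-Date).AddDays(-$Days)
}
# Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero.
$events = @(Get-WinEvent -FilterHashtable $filter187 -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No Event 187 in the last $Days days: no client sent a nonce-less JWT."
} else {
    Write-Warning "$($events.Count) Event 187 entries in the last $Days days; these requests would be rejected once the mode is Enabled."
    # Per-day counts show whether the trend fades as clients are patched.
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        ForEach-Object { Write-Host ('  {0}: {1} request(s) without nonce' -f $_.Name, $_.Count) }
}

# 3. Event 188: logged at each service start while the mode is None or Disabled.
$filter188 = @{ LogName = 'AD FS/Admin'; ProviderName = 'AD FS'; Id = 188 }
$lastStart = Get-WinEvent -FilterHashtable $filter188 -MaxEvents 1 -ErrorAction SilentlyContinue
if ($lastStart) {
    Write-Host "Last Event 188 (service started with enforcement off): $($lastStart.TimeCreated)"
}

# 4. Decide what to do based on the mode and the monitoring window.
if ($mode -eq 'Enabled') {
    Write-Host 'Enforcement is already on; nothing to do.'
} elseif ($events.Count -eq 0 -and $Enable) {
    Set-AdfsProperties -EnforceNonceInJWT Enabled
    Write-Host 'EnforceNonceInJWT set to Enabled. Confirm with Get-AdfsProperties and watch for new authentication failures.'
} elseif ($events.Count -eq 0) {
    Write-Host 'Monitoring window is clean; re-run with -Enable to turn enforcement on.'
} else {
    Write-Host 'Patch the clients that still send JWTs without a nonce, then re-run after the monitoring window.'
}
```

Run it first without -Enable to see the Event 187 trend; the per-day counts make it clear whether the remaining nonce-less requests come from a shrinking set of unpatched clients. Because Event 187 is only written while the mode is None or Disabled, the monitoring window must be measured before the switch, which is why the script refuses to enable enforcement while any Event 187 entries fall inside the window.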
