Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0

Introduction

This article describes the hotfixes and the updates that are included in Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 Release to Web (RTW). This update rollup is available for all languages that are supported by AD FS 2.0. For more information about AD FS 2.0 RTW, go to the following Microsoft website:

Important You must install Windows PowerShell 2.0 before you install this update rollup on a Windows Server 2008-based computer. If Windows PowerShell 2.0 is not installed, you cannot perform certain certificate operations for AD FS 2.0.

To install Windows PowerShell 2.0, go to the following Microsoft website:

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

More Information

Update Rollup 3 is a cumulative update package that contains all the fixes and new features that were contained in Update Rollup 1 and in Update Rollup 2. Additionally, this update fixes the following issues.

For more information about Update Rollup 1 for AD FS 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
2607496 Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
For more information about Update Rollup 2 for AD FS 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
2681584 Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0
Issue 1
AD FS 2.0 does not issue an ActAs token to a relying party that uses a Security Assertion Markup Language (SAML) 2.0 bootstrap token. When this issue occurs, the following error is generated:
System.IdentityModel.Tokens.SecurityTokenException: ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.
After you apply AD FS 2.0 update rollup 3, AD FS 2.0 successfully issues the token in this situation.
Issue 2
AD FS 2.0 update rollup 2 introduced strict Uniform Resource Identifier (URI) checking. When AD FS 2.0 acts as a federation provider and trusts an identity provider whose identifier is not a URI, AD FS 2.0 rejects the response that is returned from the identity provider. The validation fails because AD FS 2.0 tries to validate the identity provider's identifier as a URI. This behavior breaks previously functioning AD FS 2.0 deployments in which identity providers use non-URI identifiers. AD FS 2.0 update rollup 3 removes this URI checking.
Issue 3
Some relying parties require that a request signing certificate be configured on the relying party trust, because signature verification of SAML requests is a critical security check that is defined in the SAML 2.0 specification. AD FS 2.0 lets you configure a unique signing certificate on a relying party trust, but it allows a given certificate to be configured on only one relying party trust per AD FS 2.0 farm. This restriction prevents multiple relying parties from sharing one signing certificate for SAML requests. AD FS 2.0 update rollup 3 removes this restriction and allows multiple relying parties to use the same signing certificate for SAML requests.

Note After you apply update rollup 3, you must manually run a script before the fix for this issue takes effect. For information about how to do this, see the "Hotfix information" section.
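The following audit script is an added example and is not part of this article or of the AD FS 2.0 product. It checks an existing farm for the two configurations that Issue 2 and Issue 3 concern: claims provider trusts whose identifier is not a well-formed absolute URI (rejected by update rollup 2 until rollup 3 is applied), and relying party trusts that present the same request signing certificate (possible only after rollup 3 and the schema script). It assumes the AD FS 2.0 Windows PowerShell snap-in (Microsoft.Adfs.PowerShell) and that the Identifier and RequestSigningCertificate properties of the trust objects are arrays; run it on a federation server in an elevated session.

```powershell
# Added example: pre-flight audit for Issue 2 (non-URI identity provider identifiers)
# and Issue 3 (relying parties sharing one request signing certificate).
# Assumption: the Microsoft.Adfs.PowerShell snap-in and its Get-ADFS* cmdlets are available.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

function Test-AbsoluteUri {
    param([string]$Value)
    # The test a strict URI check applies: the value must parse as an absolute URI.
    return [System.Uri]::IsWellFormedUriString($Value, [System.UriKind]::Absolute)
}

# Issue 2: claims provider trusts whose identifiers are not absolute URIs.
# With update rollup 2 but without rollup 3, responses from these providers are rejected.
$nonUriProviders = foreach ($cp in Get-ADFSClaimsProviderTrust) {
    foreach ($id in @($cp.Identifier)) {
        if (-not (Test-AbsoluteUri $id)) {
            New-Object PSObject -Property @{ TrustName = $cp.Name; Identifier = $id }
        }
    }
}

# Issue 3: relying party trusts that share a request signing certificate (keyed by thumbprint).
# Before update rollup 3 the farm allows each certificate on only one relying party trust.
$certUsage = @{}
foreach ($rp in Get-ADFSRelyingPartyTrust) {
    foreach ($cert in @($rp.RequestSigningCertificate)) {
        if ($cert -eq $null) { continue }
        if (-not $certUsage.ContainsKey($cert.Thumbprint)) {
            $certUsage[$cert.Thumbprint] = New-Object System.Collections.ArrayList
        }
        [void]$certUsage[$cert.Thumbprint].Add($rp.Name)
    }
}
$sharedCerts = $certUsage.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }

"Claims provider identifiers that are not absolute URIs (Issue 2):"
if ($nonUriProviders) { $nonUriProviders | Format-Table -AutoSize } else { "  none" }

"Request signing certificates used by more than one relying party (Issue 3):"
if ($sharedCerts) {
    foreach ($entry in $sharedCerts) {
        "  {0}: {1}" -f $entry.Key, ($entry.Value -join ', ')
    }
} else { "  none" }
```

The script only reads the configuration. Any trust listed under Issue 2 is one that rollup 2 alone will break; an empty Issue 3 list on a farm that already has rollup 3 and the schema change applied simply means no relying parties share a certificate yet.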
Issue 4
Consider the following scenario:
  • You use a third-party hardware security module (HSM) to speed up the signing processes.
  • You use the third-party HSM to generate and store the private keys.
  • The private keys are for the AD FS 2.0 signing and encryption certificates.
In this situation, the performance of AD FS 2.0 is not as good as when you use the Microsoft CSP. AD FS 2.0 update rollup 3 significantly improves the performance of AD FS 2.0 when an HSM is used.
Issue 5
AD FS 2.0 update rollup 1 introduced the Congestion Avoidance Algorithm. If you accidentally disable the Congestion Avoidance Algorithm by changing the configuration, a handle leak occurs on an AD FS 2.0 federation server proxy every time that the federation server proxy processes a request. AD FS 2.0 update rollup 3 removes the configuration setting that lets you disable the Congestion Avoidance Algorithm. You can still fine-tune the Congestion Avoidance Algorithm by adjusting the latencyThresholdInMsec and minCongestionWindowSize settings.
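The following script is an added example for Issue 5 and is not part of this article. It reads the current Congestion Avoidance settings on a federation server proxy, warns if the algorithm has been switched off (the handle-leak case that rollup 3 eliminates by removing the switch), and optionally writes new latencyThresholdInMsec and minCongestionWindowSize values after backing up the file. The file name (Microsoft.IdentityServer.ProxyService.exe.config in the AD FS 2.0 install folder), the congestionControl element name and the "enabled" attribute are assumptions about where the article's two settings live, not facts stated on this page.

```powershell
# Added example: inspect and tune the Congestion Avoidance Algorithm on an AD FS 2.0
# federation server proxy.
# Assumptions (not from the article): the settings are attributes of a congestionControl
# element in Microsoft.IdentityServer.ProxyService.exe.config, and the pre-rollup-3
# switch that disabled the algorithm was an "enabled" attribute on that element.
param(
    [int]$LatencyThresholdInMsec = 8000,
    [int]$MinCongestionWindowSize = 64,
    [string]$ConfigPath = (Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0\Microsoft.IdentityServer.ProxyService.exe.config'),
    [switch]$Apply
)

if ($LatencyThresholdInMsec -le 0 -or $MinCongestionWindowSize -le 0) {
    throw 'Both settings must be positive integers.'
}

[xml]$config = Get-Content -Path $ConfigPath
$node = $config.SelectSingleNode('//congestionControl')
if ($node -eq $null) { throw "No congestionControl element found in $ConfigPath" }

"Current settings in $ConfigPath"
foreach ($attr in $node.Attributes) { "  {0} = {1}" -f $attr.Name, $attr.Value }

# Issue 5: on a proxy without update rollup 3, a disabled algorithm leaks a handle per request.
if ($node.GetAttribute('enabled') -eq 'false') {
    Write-Warning 'Congestion avoidance is disabled: re-enable it, or apply update rollup 3, which removes this switch.'
}

if ($Apply) {
    # Keep a copy of the file before touching it so the change can be rolled back.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $ConfigPath -Destination $backup
    $node.SetAttribute('latencyThresholdInMsec', [string]$LatencyThresholdInMsec)
    $node.SetAttribute('minCongestionWindowSize', [string]$MinCongestionWindowSize)
    $config.Save($ConfigPath)
    "Saved new values (backup at $backup). Restart the AD FS 2.0 Windows Service on this proxy to load them."
} else {
    "Dry run: pass -Apply to set latencyThresholdInMsec=$LatencyThresholdInMsec and minCongestionWindowSize=$MinCongestionWindowSize."
}
```

Without -Apply the script is read-only, so it can be run on every proxy first to see which ones carry the disabled setting before any values are changed.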

Resolution

Hotfix information


For issue 3, this hotfix installs a PowerShell script that is named "PostReleaseSchemaChanges.ps1" into the "%program files%\active directory federation services\sql" folder. 

If you are using Windows Internal Database (WID) as the AD FS 2.0 configuration database, then after you apply this hotfix, you must manually execute the PostReleaseSchemaChanges.ps1 PowerShell script first on the secondary federation servers in the farm, and then on the primary federation server.

If you are using a SQL Server database as the AD FS 2.0 configuration database, you must download and execute the RelaxedRequestSigningCertsv2.sql script against the SQL Server configuration database.

To execute this script, run the following command by using the Sqlcmd utility (the -S parameter takes the name of the SQL Server instance that hosts the AD FS 2.0 configuration database):
Sqlcmd -S <SQL Server instance> -i RelaxedRequestSigningCertsv2.sql
Or, follow these steps to run the script by using SQL Server Management Studio:
  1. Connect to the SQL Server database that has the AD FS 2.0 configuration database.
  2. Create a new SQL query.
  3. Paste the contents of the RelaxedRequestSigningCertsv2.sql file into the query, and then execute the query.
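The following script is an added example and is not part of this hotfix; it wraps the procedure above for one federation server. It decides whether the farm uses Windows Internal Database (WID) or SQL Server, runs the installed PostReleaseSchemaChanges.ps1 on a WID server (warning if the server is the primary, which the article says must go last), and runs the downloaded RelaxedRequestSigningCertsv2.sql with Sqlcmd against a SQL Server farm. The following are assumptions, not facts from this article: the configuration database connection string is the connectionString attribute of the policyStore element in Microsoft.IdentityServer.Servicehost.exe.config in the AD FS 2.0 install folder; WID is recognised by its local named-pipe data source; Get-ADFSSyncProperties reports the role as PrimaryComputer or SecondaryComputer; and the SQL Server connection uses integrated security.

```powershell
# Added example: apply the Issue 3 schema change on the federation server this runs on.
# Assumptions (not from the article): policyStore/@connectionString in the service host
# config holds the configuration database connection string; WID uses a \\.\pipe\ data
# source; Get-ADFSSyncProperties.Role is PrimaryComputer or SecondaryComputer.
param(
    [string]$AdfsRoot = (Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0'),
    [string]$SqlScript = 'C:\temp\RelaxedRequestSigningCertsv2.sql'   # SQL farms only; downloaded separately
)

if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

function Get-AdfsPolicyStoreConnectionString {
    param([string]$Root)
    $configPath = Join-Path $Root 'Microsoft.IdentityServer.Servicehost.exe.config'
    [xml]$config = Get-Content -Path $configPath
    # Locate the policyStore element wherever it sits in the config tree.
    $node = $config.SelectSingleNode('//policyStore')
    if ($node -eq $null) { throw "No policyStore element in $configPath" }
    return $node.connectionString
}

function Test-WidConnectionString {
    param([string]$ConnectionString)
    # WID is reached over a local named pipe; SQL Server by host or instance name.
    return $ConnectionString -match '\\\\\.\\pipe\\'
}

$conn = Get-AdfsPolicyStoreConnectionString -Root $AdfsRoot

if (Test-WidConnectionString $conn) {
    # WID: run the script the hotfix installed. The article's order is every secondary
    # federation server first, then the primary.
    $role = (Get-ADFSSyncProperties).Role
    $script = Join-Path $AdfsRoot 'sql\PostReleaseSchemaChanges.ps1'
    if ($role -eq 'PrimaryComputer') {
        Write-Warning 'This is the primary federation server: confirm every secondary has already run the script.'
    }
    Write-Host "WID farm, role $role: running $script"
    & $script
} else {
    # SQL Server: the change is applied once, against the configuration database.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $conn
    $server = $builder.DataSource
    $database = $builder.InitialCatalog
    Write-Host "SQL Server farm: applying $SqlScript to $database on $server"
    # -E uses the current Windows account; replace with -U/-P if the farm uses SQL logins.
    & sqlcmd -S $server -d $database -E -i $SqlScript
}
```

If the AD FS 2.0 install folder on your servers differs from the default used here (for example the folder name quoted in the "Hotfix information" section), pass it with -AdfsRoot.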

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running one of the following operating systems:
  • Windows Server 2008 Service Pack 2 (SP2)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
968849 How to obtain the latest service pack for Windows Server 2008

Registry information

To apply this update, you do not have to change the registry.

Restart requirement

You must restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.
File information

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Additional file information
Properties

Article ID: 2790338 - Last Review: Mar 11, 2013 - Revision: 1

Applies to: Windows Server 2008 Datacenter, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 Foundation, Windows Server 2008 Standard, Windows Server 2008 Standard without Hyper-V, Windows Web Server 2008, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Standard, Windows Web Server 2008 R2
