MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013

Applies to: Windows Server 2012 DatacenterWindows Server 2012 DatacenterWindows Server 2012 Essentials


Microsoft has released security bulletin MS13-066. To view the complete security bulletin, go to the following Microsoft website:

How to obtain help and support for this security update

Help for installing updates: Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware: Virus Solution and Security Center

Local support according to your country:
International Support

More Information

Known issues with this security update

  • You may experience any of the following known issues after you install this security update.

    Issue 1

    When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.

    Generally, a large SSO token is caused by a user being a member of many groups.

    Issue 2

    Assume that you deploy Active Directory Federation Services (AD FS) as an identity provider for a federation provider. Or, assume that you deploy AD FS as a security token service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, if the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when the user tries to perform authentication.

    Issue 3

    If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

    Issue 4

    When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

    Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.

    Issue 5

    For customized AD FS 2.0 deployments, customizations added after the SignIn call in the FormsSignin.aspx.cs page code are not executed.

    To resolve these issues, install hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server
  • Microsoft is aware of problems with the security updates that affect AD FS 2.0 that are described in MS13-066. These problems could cause AD FS to stop working if the previously released update rollup (Update Rollup 3 for Active Directory Federation Services 2.0, also known as update 2790338) was not installed.

    On August 19, 2013, Microsoft rereleased security update 2843638 to address this issue. Customers who installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Be aware that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.

Additional steps that are required to install this security update

After you install this security update, follow these steps to manually complete the installation:
  1. Make a backup copy of the customized FormsSignIn.aspx page in the following folder:

    • Make sure that you store the backup in a reliable storage location.
    • All customizations to .asp files should be reliably backed up. We recommend that you use version control to do this.
  2. In the backup folder, edit the FormsSignIn.aspx page to add the text "autocomplete=off" for the Username and Password text boxes. To do this, follow these steps:
    1. Change the following:

      <asp:TextBox runat="server" ID="UsernameTextBox">

      To the following:

      <asp:TextBox runat="server" ID="UsernameTextBox" autocomplete="off">
    2. Change the following:

      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password">

      To the following:

      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password" autocomplete="off">
  3. Copy the updated FormsSignIn.aspx page to the following folder:



The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.