When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.
Generally, a large SSO token is caused by a user being a member of many groups.
Assume that you deploy AD FS as an identity provider for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when they try to perform authentication.
If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.
When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.
Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.
For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.
- After this hotfix is installed, you must use either forms-based authentication or Windows Integrated Authentication.
- After this hotfix is installed, AD FS 2.0 no longer supports passive HTTP basic authentication. If you use this authentication, you now will see that the request goes into a redirect loop and eventually fails. We recommend that you migrate the environment to forms-based authentication before you install this hotfix.
- If you install this hotfix on STS servers, you must also install the hotfix on proxy servers. We recommend that you upgrade all the STS servers before you upgrade the proxy servers so that you do not have to bring down all servers in a server farm.
Hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
PrerequisitesTo apply this update, you must be running one of the following operating systems:
- Windows Server 2008 Service Pack 2
- Windows Server 2008 R2 Service Pack 1
- Windows Server 2012
Registry informationTo apply this update, you do not have to make any changes to the registry.
Restart requirementYou do not have to restart the computer after you apply this update.
Update replacement informationThis update does not replace a previously released update.
Article ID: 2896713 - Last Review: Feb 2, 2015 - Revision: 1