When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.
Generally, a large SSO token is caused by a user being a member of many groups.
Assume that you deploy AD FS as an identity provider for a federation provider, oras a Security Token Service (STS) that works as combined identity and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when the user tries to perform authentication.
If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.
When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.
Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.
For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.
There is a known issue with passive HTTP basic authentication after you install this update. We recommend that you migrate the environment to forms-based authentication before you install this update.
Method 1: Windows UpdateThis update is available from Windows Update.
Method 2: Microsoft Download CenterThe following files are available for download from the Microsoft Download Center:
|All supported x64-based versions of Windows Server 2012||Download the package now.|
|All supported x64-based versions of Windows Server 2008 R2||Download the package now.|
|All supported x64-based versions of Windows Server 2008||Download the package now.|
|All supported x86-based versions of Windows Server 2008||Download the package now.|
PrerequisitesTo install this update, you must install Service Pack 1 for Windows Server 2008 R2, or Service Pack 2 for Windows Server 2008.
Registry informationTo apply this update, you do not have to make any changes to the registry.
Restart requirementYou do not have to restart the computer after you apply this update.
Update replacement informationThis update does not replace a previously released update.
For more information about security update 2843638 or 2843639, go to the following Microsoft website:
Article ID: 2989956 - Last Review: Sep 9, 2014 - Revision: 1