Several issues after you install security update 2843638 or 2843639 on an AD FS server

This article describes some issues after security update 2843638 or 2843639 is installed in Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. An update is available to resolve these issues. This update has a prerequisite. Check out the important information in this article before you install this update.

Symptoms

The following issues occur on Active Directory Federation Services (AD FS) servers that have security update 2843638 or 2843639 installed in Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. 

Issue 1

When a single sign-on (SSO) token grows too large, the user cannot authenticate with the server.

Generally, a large SSO token is caused by a user being a member of many groups.

Issue 2

Assume that you deploy AD FS as an identity provider for a federation provider, or as a Security Token Service (STS) that works as a combined identity and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when the user tries to authenticate.

Issue 3

If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

Issue 4

When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

Note: A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.
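To find out which relying parties send requests of the kind described in Issue 4, the passive request URLs recorded for the federation server can be classified. The following Python sketch is an added example and is not part of the Microsoft article; the host name sts.example.test, the /adfs/ls/ sample URLs, the 64 KB size cap and the function names are assumptions made for illustration. For SAMLP it reads the ForceAuthn attribute of the AuthnRequest carried in the SAMLRequest query parameter (HTTP-Redirect binding).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 65536  # cap on inflated request size (assumed limit for this example)

def requires_fresh_auth(url):
    """Return (protocol, fresh) for one passive sign-in request URL.

    fresh is True/False, or None when a SAMLRequest cannot be decoded.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("wa") == ["wsignin1.0"]:
        # WS-Fed: wfresh=0 asks the STS to prompt for credentials again.
        return "WS-Fed", query.get("wfresh") == ["0"]
    if "SAMLRequest" in query:
        try:
            # HTTP-Redirect binding: base64 of a raw DEFLATE stream.
            raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
            xml = zlib.decompressobj(-15).decompress(raw, MAX_XML)
            if b"<!DOCTYPE" in xml:
                raise ValueError("DTD not allowed in a logged request")
            root = ET.fromstring(xml)
        except (ValueError, zlib.error, ET.ParseError):
            return "SAMLP", None
        is_authn = root.tag == "{%s}AuthnRequest" % SAMLP_NS
        return "SAMLP", is_authn and root.get("ForceAuthn") in ("true", "1")
    return None, False

def saml_redirect_url(force_authn):
    """Build a constructed SAMLP redirect URL for the sample data below."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" '
           'Version="2.0" ForceAuthn="%s"/>' % (SAMLP_NS, str(force_authn).lower()))
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return BASE + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

BASE = "https://sts.example.test/adfs/ls/"  # constructed host name
SAMPLE_URLS = [  # constructed requests, not taken from a real log
    BASE + "?wa=wsignin1.0&wtrealm=urn%3Aconstructed%3Aapp1&wfresh=0",
    BASE + "?wa=wsignin1.0&wtrealm=urn%3Aconstructed%3Aapp2",
    saml_redirect_url(True),
    saml_redirect_url(False),
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(requires_fresh_auth(u), u[:70])
```

Requests that return True come from applications that would see the repeated credential prompt described in Issue 4 until this update is installed.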

Issue 5

For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.

Important information before you install this update

If you install this update on STS servers, you must also install the update on proxy servers. We recommend that you upgrade all the STS servers before you upgrade the proxy servers so that you do not have to bring down all servers in a server farm.

There is a known issue with passive HTTP basic authentication after you install this update. We recommend that you migrate the environment to forms-based authentication before you install this update.

How to obtain this update

Method 1: Windows Update

This update is available from Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center:
Operating system: Update
All supported x64-based versions of Windows Server 2012: Download the package now.
All supported x64-based versions of Windows Server 2008 R2: Download the package now.
All supported x64-based versions of Windows Server 2008: Download the package now.
All supported x86-based versions of Windows Server 2008: Download the package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information

Prerequisites

To install this update, you must install Service Pack 1 for Windows Server 2008 R2, or Service Pack 2 for Windows Server 2008.

Registry information

To apply this update, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

More Information

File information

For more information about security update 2843638 or 2843639, go to the following Microsoft website:

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates


Properties

Article ID: 2989956 - Last Review: Sep 9, 2014 - Revision: 1

Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 Service Pack 2, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Server 2008 Foundation, Windows Web Server 2008