You are prompted for authentication when you run a web application in Windows Server 2012 R2 AD FS

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials

This article describes an issue that occurs when you run a web application that is in Windows Server 2012 R2 AD FS. A hotfix is available to resolve this issue. Be aware that this hotfix has a prerequisite.


When you run a web application in a Windows Server 2012 R2 AD FS environment, you are prompted unexpectedly for authentication. This issue occurs
when you use the web application proxy (WAP) to run the application. 

For example, even though you have passed Active Directory Federation Services (AD FS) authentication in a browser, you are still prompted for authentication when you try to open a SharePoint-based Microsoft Office document.


To resolve this issue, we have released a hotfix for Windows Server 2012 R2. 

Note This hotfix lets the WAP persist the edge access cookie that's based on the application. This hotfix sets the "expires" header on the edge access cookie. After AD FS authentication, the cookie is sent to the clients.

Additionally, after you install this hotfix, you can run Add-WebApplicationProxyApplicationand Set-WebApplicationProxyApplication Windows PowerShell commands together with a PersistentAccessCookieExpirationTimeSec switch in order to persist the WAP edge access cookie.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.


To apply this update, you must have update 2919355 installed on a Windows Server 2012 R2-based computer.

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


See the terminology that Microsoft uses to describe software updates.