MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013

INTRODUCTION

Microsoft has released security bulletin MS13-066. To view the complete security bulletin, go to the following Microsoft website:

How to obtain help and support for this security update

Help for installing updates: Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware: Virus Solution and Security Center

Local support according to your country:
International Support

More Information

Known issues with this security update

  • You may experience any of the following known issues after you install this security update.



    Issue 1

    When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.

    Generally, a large SSO token is caused by a user being a member of many groups.

    Issue 2

    Assume that you deploy Active Directory Federation Services (AD FS) as an identity provider for a federation provider. Or, assume that you deploy AD FS as a security token service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, if the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when the user tries to perform authentication.

    Issue 3

    If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

    Issue 4

    When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

    Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.

    Issue 5

    For customized AD FS 2.0 deployments, customizations added after the SignIn call in the FormsSignin.aspx.cs page code are not executed.

    To resolve these issues, install hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server

  • Microsoft is aware of problems with the security updates that affect AD FS 2.0 that are described in MS13-066. These problems could cause AD FS to stop working if the previously released update rollup (Update Rollup 3 for Active Directory Federation Services 2.0, also known as update 2790338) was not installed.

    On August 19, 2013, Microsoft rereleased security update 2843638 to address this issue. Customers who installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Be aware that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.

Additional steps that are required to install this security update

After you install this security update, follow these steps to manually complete the installation:

  1. Make a backup copy of the customized FormsSignIn.aspx page in the following folder:


    %systemdrive%\inetpub\adfs\ls
    Notes

    • Make sure that you store the backup in a reliable storage location.

    • All customizations to .asp files should be reliably backed up. We recommend that you use version control to do this.

  2. In the backup folder, edit the FormsSignIn.aspx page to add the text "autocomplete=off" for the Username and Password text boxes. To do this, follow these steps:

    1. Change the following:


      <asp:TextBox runat="server" ID="UsernameTextBox">




      To the following:


      <asp:TextBox runat="server" ID="UsernameTextBox" autocomplete="off">

    2. Change the following:


      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password">




      To the following:


      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password" autocomplete="off">

  3. Copy the updated FormsSignIn.aspx page to the following folder:



    %systemdrive%\inetpub\adfs\ls

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

  • The files that apply to a specific product, milestone (SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.0.6002.18xxx

    Windows Server 2008 SP2

    SP2

    GDR

    6.0.6002.23xxx

    Windows Server 2008 SP2

    SP2

    LDR

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.

For all supported x86-based versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Microsoft.identityserver.dll

6.1.7600.17338

778,240

01-Jul-2013

22:59

x86

Microsoft.identityserver.dll

6.1.7601.22371

786,432

01-Jul-2013

23:02

x86

For all supported x64-based versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Microsoft.identityserver.dll

6.2.9200.16651

871,936

28-Jun-2013

00:30

x86

Microsoft.identityserver.dll

6.2.9200.20760

871,936

28-Jun-2013

08:50

x86


  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.1.760 1.18 xxx

    Windows Server 2008 R2

    SP1

    GDR

    6.1.760 1.22 xxx

    Windows Server 2008 R2

    SP1

    LDR

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.



For all supported x64-based versions of Windows Server 2008 R2

File name

File version

File size

Date

Time

Platform

Microsoft.identityserver.dll

6.1.7601.18195

778,240

28-Jun-2013

13:11

x86

Microsoft.identityserver.dll

6.1.7601.22370

786,432

28-Jun-2013

05:20

x86


  • The files that apply to a specific product, milestone (RTM,SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.2.920 0.16xxx

    Windows Server 2012

    RTM

    GDR

    6.2.920 0.20xxx

    Windows Server 2012

    RTM

    LDR

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.



For all supported x64-based versions of Windows Server 2012

File name

File version

File size

Date

Time

Platform

Microsoft.identityserver.dll

6.2.9200.16651

871,936

28-Jun-2013

00:30

x86

Microsoft.identityserver.dll

6.2.9200.20760

871,936

28-Jun-2013

08:50

x86


Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

×