Introduction
This article describes an update that fixes the following issues. For Active Directory Federation Services (AD FS) servers that are running Windows Server 2008 and Windows Server 2008 R2, the issues occur after you have security update 2843638 installed. For AD FS servers that are running Windows Server 2012, the issues occur after you have security update 2843639 installed. 2843638 and 2843639 are described in Security Bulletin MS13-066.
Issue 1
When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.
Generally, a large SSO token is caused by a user being a member of many groups.
Issue 2
Assume that you deploy AD FS as an identity provider for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when they try to perform authentication.
Issue 3
If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.
Issue 4
When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.
Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.
Issue 5
For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.
Resolution
We have released a hotfix package to resolve this issue.
Notes
-
After this hotfix is installed, you must use either forms-based authentication or Windows Integrated Authentication.
-
After this hotfix is installed, AD FS 2.0 no longer supports passive HTTP basic authentication. If you use this authentication, you now will see that the request goes into a redirect loop and eventually fails. We recommend that you migrate the environment to forms-based authentication before you install this hotfix.
-
If you install this hotfix on STS servers, you must also install the hotfix on proxy servers. We recommend that you upgrade all the STS servers before you upgrade the proxy servers so that you do not have to bring down all servers in a server farm.
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
To apply this update, you must be running one of the following operating systems:
-
Windows Server 2008 Service Pack 2
-
Windows Server 2008 R2 Service Pack 1
-
Windows Server 2012
Registry information
To apply this update, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this update.
Update replacement information
This update does not replace a previously released update.
The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information
For all supported x86-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identitymodel.dll |
6.1.7601.22179 |
1,093,632 |
04-Dec-2012 |
06:42 |
x86 |
|
Microsoft.identityserver.service.dll |
6.1.7601.22485 |
671,744 |
22-Oct-2013 |
03:52 |
x86 |
|
Microsoft.identityserver.service.mof |
Not applicable |
4,606 |
09-Sep-2011 |
11:40 |
Not applicable |
|
Uninstallwmiprovider.mof |
Not applicable |
1,012 |
09-Sep-2011 |
11:40 |
Not applicable |
|
Microsoft.identityserver.dll |
6.1.7601.22485 |
790,528 |
22-Oct-2013 |
03:52 |
x86 |
For all supported x64-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identitymodel.dll |
6.1.7601.22179 |
1,093,632 |
04-Dec-2012 |
06:43 |
x86 |
|
Microsoft.identityserver.service.dll |
6.1.7601.22485 |
671,744 |
22-Oct-2013 |
03:51 |
x86 |
|
Microsoft.identityserver.service.mof |
Not applicable |
4,606 |
15-Nov-2011 |
15:15 |
Not applicable |
|
Uninstallwmiprovider.mof |
Not applicable |
1,012 |
15-Nov-2011 |
15:15 |
Not applicable |
|
Microsoft.identityserver.dll |
6.1.7601.22485 |
790,528 |
22-Oct-2013 |
03:51 |
x86 |
Windows Server 2008 R2 file information
Notes
-
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version
Product
Milestone
Service branch
6.1.760
1.22xxxWindows Server 2008 R2
SP1
LDR
-
LDR service branches contain hotfixes in addition to widely released fixes.
For all supported x64-based versions of Windows Server 2008 R2
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identitymodel.dll |
6.1.7601.22485 |
1,093,632 |
21-Oct-2013 |
09:35 |
x86 |
|
Microsoft.identityserver.service.dll |
6.1.7601.22485 |
671,744 |
21-Oct-2013 |
08:45 |
x86 |
|
Microsoft.identityserver.service.mof |
Not applicable |
4,606 |
09-Jul-2013 |
06:32 |
Not applicable |
|
Uninstallwmiprovider.mof |
Not applicable |
1,012 |
09-Jul-2013 |
06:32 |
Not applicable |
|
Microsoft.identityserver.dll |
6.1.7601.22485 |
790,528 |
21-Oct-2013 |
08:45 |
x86 |
Windows Server 2012 file information
Notes
-
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version
Product
Milestone
Service branch
6.2.920 0.17xxx
Windows Server 2012
RTM
GDR
6.2.920 0.21xxx
Windows Server 2012
RTM
LDR
-
LDR service branches contain hotfixes in addition to widely released fixes.
For all supported x64-based versions of Windows Server 2012
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.identityserver.service.dll |
6.2.9200.17066 |
660,992 |
01-Aug-2014 |
02:45 |
x86 |
|
Microsoft.identityserver.service.dll |
6.2.9200.21186 |
660,480 |
01-Aug-2014 |
02:02 |
x86 |
|
Microsoft.identityserver.dll |
6.2.9200.17066 |
876,032 |
01-Aug-2014 |
02:45 |
x86 |
|
Microsoft.identityserver.dll |
6.2.9200.21186 |
876,032 |
01-Aug-2014 |
02:02 |
x86 |
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2843638 MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013
