Update is available to fix several issues after you install security update 2843638 on an AD FS server

Applies To
Windows Server 2008 Service Pack 2 Windows Server 2008 Datacenter Windows Server 2008 Enterprise Windows Server 2008 R2 Service Pack 1 Windows Server 2008 R2 Datacenter Windows Server 2008 R2 Enterprise Windows Server 2012 Essentials Windows Server 2012 Datacenter Windows Server 2012 Datacenter Windows Server 2012 Foundation Windows Server 2012 Foundation Windows Server 2012 Standard Windows Server 2012 Standard

Introduction

This article describes an update that fixes the following issues. For Active Directory Federation Services (AD FS) servers that are running Windows Server 2008 and Windows Server 2008 R2, the issues occur after you have security update 2843638 installed. For AD FS servers that are running Windows Server 2012, the issues occur after you have security update 2843639 installed. 2843638 and 2843639 are described in Security Bulletin MS13-066.

Issue 1

When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.

Generally, a large SSO token is caused by a user being a member of many groups.

Issue 2

Assume that you deploy AD FS as an identity provider for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when they try to perform authentication.

Issue 3

If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

Issue 4

When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.

Issue 5

For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.

Resolution

We have released a hotfix package to resolve this issue.

Notes

  • After this hotfix is installed, you must use either forms-based authentication or Windows Integrated Authentication.
  • After this hotfix is installed, AD FS 2.0 no longer supports passive HTTP basic authentication. If you use this authentication, you now will see that the request goes into a redirect loop and eventually fails. We recommend that you migrate the environment to forms-based authentication before you install this hotfix.
  • If you install this hotfix on STS servers, you must also install the hotfix on proxy servers. We recommend that you upgrade all the STS servers before you upgrade the proxy servers so that you do not have to bring down all servers in a server farm.

      

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

http:⁠//support.microsoft.com/contactus/?ws=support Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this update, you must be running one of the following operating systems:

  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2012

Registry information

To apply this update, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

File information

The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows Server 2008 file information

For all supported x86-based versions of Windows Server 2008

File name File version File size Date Time Platform
Microsoft.identitymodel.dll 6.1.7601.22179 1,093,632 04-Dec-2012 06:42 x86
Microsoft.identityserver.service.dll 6.1.7601.22485 671,744 22-Oct-2013 03:52 x86
Microsoft.identityserver.service.mof Not applicable 4,606 09-Sep-2011 11:40 Not applicable
Uninstallwmiprovider.mof Not applicable 1,012 09-Sep-2011 11:40 Not applicable
Microsoft.identityserver.dll 6.1.7601.22485 790,528 22-Oct-2013 03:52 x86

For all supported x64-based versions of Windows Server 2008

File name File version File size Date Time Platform
Microsoft.identitymodel.dll 6.1.7601.22179 1,093,632 04-Dec-2012 06:43 x86
Microsoft.identityserver.service.dll 6.1.7601.22485 671,744 22-Oct-2013 03:51 x86
Microsoft.identityserver.service.mof Not applicable 4,606 15-Nov-2011 15:15 Not applicable
Uninstallwmiprovider.mof Not applicable 1,012 15-Nov-2011 15:15 Not applicable
Microsoft.identityserver.dll 6.1.7601.22485 790,528 22-Oct-2013 03:51 x86

Windows Server 2008 R2 file information

Notes

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version Product Milestone Service branch
    6.1.760
    1.22xxx
    Windows Server 2008 R2 SP1 LDR
  • LDR service branches contain hotfixes in addition to widely released fixes.

For all supported x64-based versions of Windows Server 2008 R2

File name File version File size Date Time Platform
Microsoft.identitymodel.dll 6.1.7601.22485 1,093,632 21-Oct-2013 09:35 x86
Microsoft.identityserver.service.dll 6.1.7601.22485 671,744 21-Oct-2013 08:45 x86
Microsoft.identityserver.service.mof Not applicable 4,606 09-Jul-2013 06:32 Not applicable
Uninstallwmiprovider.mof Not applicable 1,012 09-Jul-2013 06:32 Not applicable
Microsoft.identityserver.dll 6.1.7601.22485 790,528 21-Oct-2013 08:45 x86

Windows Server 2012 file information

Notes

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version Product Milestone Service branch
    6.2.920 0.17xxx Windows Server 2012 RTM GDR
    6.2.920 0.21xxx Windows Server 2012 RTM LDR
  • LDR service branches contain hotfixes in addition to widely released fixes.

For all supported x64-based versions of Windows Server 2012

File name File version File size Date Time Platform
Microsoft.identityserver.service.dll 6.2.9200.17066 660,992 01-Aug-2014 02:45 x86
Microsoft.identityserver.service.dll 6.2.9200.21186 660,480 01-Aug-2014 02:02 x86
Microsoft.identityserver.dll 6.2.9200.17066 876,032 01-Aug-2014 02:45 x86
Microsoft.identityserver.dll 6.2.9200.21186 876,032 01-Aug-2014 02:02 x86

        
      

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2843638 MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013