Introduction

This article describes an update that fixes the following issues. For Active Directory Federation Services (AD FS) servers that are running Windows Server 2008 and Windows Server 2008 R2, the issues occur after you have security update 2843638 installed. For AD FS servers that are running Windows Server 2012, the issues occur after you have security update 2843639 installed. 2843638 and 2843639 are described in Security Bulletin MS13-066. Issue 1When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.Generally, a large SSO token is caused by a user being a member of many groups. Issue 2Assume that you deploy AD FS as an identity provider for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when they try to perform authentication.Issue 3If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.Issue 4When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.Issue 5For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.

Resolution

We have released a hotfix package to resolve this issue.Notes

  • After this hotfix is installed, you must use either forms-based authentication or Windows Integrated Authentication.

  • After this hotfix is installed, AD FS 2.0 no longer supports passive HTTP basic authentication. If you use this authentication, you now will see that the request goes into a redirect loop and eventually fails. We recommend that you migrate the environment to forms-based authentication before you install this hotfix.

  • If you install this hotfix on STS servers, you must also install the hotfix on proxy servers. We recommend that you upgrade all the STS servers before you upgrade the proxy servers so that you do not have to bring down all servers in a server farm.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this update, you must be running one of the following operating systems:

  • Windows Server 2008 Service Pack 2

  • Windows Server 2008 R2 Service Pack 1

  • Windows Server 2012

Registry information

To apply this update, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows Server 2008 file information

For all supported x86-based versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Microsoft.identitymodel.dll

6.1.7601.22179

1,093,632

04-Dec-2012

06:42

x86

Microsoft.identityserver.service.dll

6.1.7601.22485

671,744

22-Oct-2013

03:52

x86

Microsoft.identityserver.service.mof

Not applicable

4,606

09-Sep-2011

11:40

Not applicable

Uninstallwmiprovider.mof

Not applicable

1,012

09-Sep-2011

11:40

Not applicable

Microsoft.identityserver.dll

6.1.7601.22485

790,528

22-Oct-2013

03:52

x86

For all supported x64-based versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Microsoft.identitymodel.dll

6.1.7601.22179

1,093,632

04-Dec-2012

06:43

x86

Microsoft.identityserver.service.dll

6.1.7601.22485

671,744

22-Oct-2013

03:51

x86

Microsoft.identityserver.service.mof

Not applicable

4,606

15-Nov-2011

15:15

Not applicable

Uninstallwmiprovider.mof

Not applicable

1,012

15-Nov-2011

15:15

Not applicable

Microsoft.identityserver.dll

6.1.7601.22485

790,528

22-Oct-2013

03:51

x86

Windows Server 2008 R2 file information

Notes

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.1.760 1.22xxx

    Windows Server 2008 R2

    SP1

    LDR

  • LDR service branches contain hotfixes in addition to widely released fixes.

For all supported x64-based versions of Windows Server 2008 R2

File name

File version

File size

Date

Time

Platform

Microsoft.identitymodel.dll

6.1.7601.22485

1,093,632

21-Oct-2013

09:35

x86

Microsoft.identityserver.service.dll

6.1.7601.22485

671,744

21-Oct-2013

08:45

x86

Microsoft.identityserver.service.mof

Not applicable

4,606

09-Jul-2013

06:32

Not applicable

Uninstallwmiprovider.mof

Not applicable

1,012

09-Jul-2013

06:32

Not applicable

Microsoft.identityserver.dll

6.1.7601.22485

790,528

21-Oct-2013

08:45

x86

Windows Server 2012 file information

Notes

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.2.920 0.17xxx

    Windows Server 2012

    RTM

    GDR

    6.2.920 0.21xxx

    Windows Server 2012

    RTM

    LDR

  • LDR service branches contain hotfixes in addition to widely released fixes.

For all supported x64-based versions of Windows Server 2012

File name

File version

File size

Date

Time

Platform

Microsoft.identityserver.service.dll

6.2.9200.17066

660,992

01-Aug-2014

02:45

x86

Microsoft.identityserver.service.dll

6.2.9200.21186

660,480

01-Aug-2014

02:02

x86

Microsoft.identityserver.dll

6.2.9200.17066

876,032

01-Aug-2014

02:45

x86

Microsoft.identityserver.dll

6.2.9200.21186

876,032

01-Aug-2014

02:02

x86

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2843638 MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.