Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Update is available to fix several issues after you install security update 2843638 on an AD FS server

Update is available to fix several issues after you install security update 2843638 on an AD FS server

View products that this article applies to.

Introduction

This article describes an update that fixes the following issues. For Active Directory Federation Services (AD FS) servers that are running Windows Server 2008 and Windows Server 2008 R2, the issues occur after you have security update 2843638 installed. For AD FS servers that are running Windows Server 2012, the issues occur after you have security update 2843639 installed. 2843638 and 2843639 are described in Security Bulletin MS13-066.

Issue 1

When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.

Generally, a large SSO token is caused by a user being a member of many groups.

Issue 2

Assume that you deploy AD FS as an identity provider for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when they try to perform authentication.

Issue 3

If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

Issue 4

When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.

Issue 5

For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.

↑ Back to the top

Resolution

We have released a hotfix package to resolve this issue.

Notes
  • After this hotfix is installed, you must use either forms-based authentication or Windows Integrated Authentication.
  • After this hotfix is installed, AD FS 2.0 no longer supports passive HTTP basic authentication. If you use this authentication, you now will see that the request goes into a redirect loop and eventually fails. We recommend that you migrate the environment to forms-based authentication before you install this hotfix.
  • If you install this hotfix on STS servers, you must also install the hotfix on proxy servers. We recommend that you upgrade all the STS servers before you upgrade the proxy servers so that you do not have to bring down all servers in a server farm.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this update, you must be running one of the following operating systems:
  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2012

Registry information

To apply this update, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.
File information
The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information
For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Microsoft.identitymodel.dll6.1.7601.221791,093,63204-Dec-201206:42x86
Microsoft.identityserver.service.dll6.1.7601.22485671,74422-Oct-201303:52x86
Microsoft.identityserver.service.mofNot applicable4,60609-Sep-201111:40Not applicable
Uninstallwmiprovider.mofNot applicable1,01209-Sep-201111:40Not applicable
Microsoft.identityserver.dll6.1.7601.22485790,52822-Oct-201303:52x86
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Microsoft.identitymodel.dll6.1.7601.221791,093,63204-Dec-201206:43x86
Microsoft.identityserver.service.dll6.1.7601.22485671,74422-Oct-201303:51x86
Microsoft.identityserver.service.mofNot applicable4,60615-Nov-201115:15Not applicable
Uninstallwmiprovider.mofNot applicable1,01215-Nov-201115:15Not applicable
Microsoft.identityserver.dll6.1.7601.22485790,52822-Oct-201303:51x86
Windows Server 2008 R2 file information
Notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.1.760
    1.22xxx    		Windows Server 2008 R2SP1LDR
  • LDR service branches contain hotfixes in addition to widely released fixes.
For all supported x64-based versions of Windows Server 2008 R2
File nameFile versionFile sizeDateTimePlatform
Microsoft.identitymodel.dll6.1.7601.224851,093,63221-Oct-201309:35x86
Microsoft.identityserver.service.dll6.1.7601.22485671,74421-Oct-201308:45x86
Microsoft.identityserver.service.mofNot applicable4,60609-Jul-201306:32Not applicable
Uninstallwmiprovider.mofNot applicable1,01209-Jul-201306:32Not applicable
Microsoft.identityserver.dll6.1.7601.22485790,52821-Oct-201308:45x86
Windows Server 2012 file information
Notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.2.920 0.17xxxWindows Server 2012RTMGDR
    6.2.920 0.21xxxWindows Server 2012RTMLDR
  • LDR service branches contain hotfixes in addition to widely released fixes.
For all supported x64-based versions of Windows Server 2012
File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.service.dll6.2.9200.17066660,99201-Aug-201402:45x86
Microsoft.identityserver.service.dll6.2.9200.21186660,48001-Aug-201402:02x86
Microsoft.identityserver.dll6.2.9200.17066876,03201-Aug-201402:45x86
Microsoft.identityserver.dll6.2.9200.21186876,03201-Aug-201402:02x86

↑ Back to the top

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2843638 MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013

↑ Back to the top

Keywords: kb, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbexpertiseadvanced, kbsurveynew

↑ Back to the top

Article Info
Article ID : 2896713
Revision : 1
Created on : 1/7/2017
Published on : 2/2/2015
Exists online : False
Views : 262