Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0 is available. This article describes the hotfixes and the updates that are included in this update rollup for AD FS 2.0 Release to Web (RTW). This update rollup is available for all languages that are supported by AD FS 2.0. For more information about AD FS 2.0 RTW, visit the following Microsoft website:
Installation information
Install this update rollup on both the AD FS 2.0 federation server and the AD FS 2.0 federation server proxy if you have both deployed. If you have deployed an AD FS 2.0 federation server farm or an AD FS federation server proxy farm, install this update rollup on all the AD FS 2.0 instances in the farm.
Update Rollup 1 resolves the following issues:
- KB2254265 The "500" error code is returned when you send an HTTP SOAP request to the "/adfs/services/trust/mex" endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
- KB2272757 An identity-provider-initiated sign-on process is slow in Windows Server 2008 R2 and in Windows Server 2008
- The "400" error code is returned when an authentication request is sent to the AD FS 2.0 federation server proxy through the Windows Integrated Authentication endpoint (Nego 2)
- A decrease in performance occurs on the AD FS 2.0 federation server when a user who is authenticating has a large number of group memberships.
- Joining an AD FS 2.0 federation server to an existing SQL-based federation server farm fails when the AD FS 2.0 administrator who tries the join operation does not have administrator rights to the SQL Server database.
- The AD FS 2.0 Federation Service cannot create or verify Security Assertion Markup Language (SAML) tokens when the private keys of the AD FS 2.0 token-signing certificate and/or token-decryption certificate are stored by using a third-party cryptographic service provider (CSP), for example a hardware security module (HSM).
Update Rollup 1 for AD FS 2.0 includes the following new capabilities:
- Multiple Issuer Support
Previously, Microsoft Office 365 customers who require single sign-on (SSO) by using AD FS 2.0 and use multiple top-level domains for users' user principal name (UPN) suffixes within their organization (for example, @contoso.us or @contoso.de) were required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix. After you install this update rollup on all the AD FS 2.0 federation servers in the farm and follow the instructions for using this feature with Office 365, new claim rules are set that dynamically generate token issuer IDs based on the UPN suffixes of the Office 365 users. As a result, you do not have to set up multiple instances of the AD FS 2.0 federation server to support SSO for multiple top-level domains in Office 365.
For more information about the instructions, visit the following Microsoft website:
- Client Access Policy Support
Today, Office 365 customers do not have the capability to use AD FS 2.0 to restrict extranet access to corporate resources within Office 365 across all the endpoints. Some organizations may want to create policies that limit access to Office 365 services depending on the location of the client. For example, you might want the following capabilities:
- Block all extranet client access to Office 365
- Block all extranet client access to Office 365, except for devices that access Exchange Online for Exchange ActiveSync
Update Rollup 1 for AD FS 2.0 enables organizations to configure these kinds of policies. If Office 365 customers who use SSO require these policies, they can now use client access policy rules to restrict access based on the location of the computer or device that is making the request. Currently, customers who use Microsoft Office Online Services cloud IDs cannot implement these restrictions.
For more information about how to use client access policy to limit access to Office 365 services depending on the location of the client, visit the following Microsoft website:
For more information about how to plan for and deploy AD FS 2.0 for use with SSO, visit the following Microsoft website:
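Both of the capabilities above (Multiple Issuer Support and Client Access Policy Support) are driven by claim rules on the Office 365 relying party trust. The following PowerShell is an added example, not code from this article or from Microsoft: it uses the AD FS 2.0 snap-in to append a transform rule that derives the issuer ID from the UPN suffix and an authorization rule that blocks extranet access except for Exchange ActiveSync. The claim type URIs and rule shapes follow Microsoft's multiple top-level domain and client access policy guidance for this rollup, but treat them as assumptions to be checked against the articles linked above; the public IP range 203.0.113.0/24 is a placeholder for your own organization's egress addresses.

```powershell
# Added example (not part of the KB): enable the two Office 365 features added by Update Rollup 1
# on the Office 365 relying party trust. Run on one federation server after the rollup is installed
# on every federation server and proxy in the farm. Claim types and rule text are taken from
# Microsoft's Office 365 guidance for this rollup; verify them against the linked articles.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$o365 = Get-ADFSRelyingPartyTrust -Identifier "urn:federation:MicrosoftOnline"
if (-not $o365) { throw "Office 365 relying party trust (urn:federation:MicrosoftOnline) not found" }

# 1. Multiple Issuer Support: issue the token issuer ID from each user's UPN suffix, so one farm
#    can serve contoso.us, contoso.de, ... instead of one Federation Service instance per suffix.
#    Single-quoted here-string: ${domain} is a claim-rule regex group reference, not a PowerShell variable.
$issuerIdRule = @'
@RuleName = "Issuer ID from UPN suffix"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/01/identity/claims/issuerid",
          Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
'@

$transformRules = $o365.IssuanceTransformRules + "`n" + $issuerIdRule
Set-ADFSRelyingPartyTrust -TargetIdentifier "urn:federation:MicrosoftOnline" -IssuanceTransformRules $transformRules

# 2. Client Access Policy ("block all extranet clients except Exchange ActiveSync"):
#    deny when the request came through the federation server proxy (x-ms-proxy is present),
#    the forwarded client address is outside the corporate public range (placeholder 203.0.113.0/24),
#    and the calling application is not Exchange ActiveSync.
$clientAccessRule = @'
@RuleName = "Block extranet access except Exchange ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^203\.0\.113\.\d{1,3}$"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

$authzRules = $o365.IssuanceAuthorizationRules + "`n" + $clientAccessRule
Set-ADFSRelyingPartyTrust -TargetIdentifier "urn:federation:MicrosoftOnline" -IssuanceAuthorizationRules $authzRules

# Review what is now on the trust before testing sign-in from inside and outside the network.
Get-ADFSRelyingPartyTrust -Identifier "urn:federation:MicrosoftOnline" |
    Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules | Format-List
```

Two points to keep in mind when adapting this. Microsoft's supported way to add the issuer rule is Update-MsolFederatedDomain with the -SupportMultipleDomain switch, which writes an equivalent rule, so use one method or the other rather than both. The x-ms-forwarded-client-ip value is the address that Exchange Online sees for the client, so the regular expression must match the organization's public egress addresses, never internal ranges; and because an issued deny claim overrides any permit rule on the trust, a wrong range locks every external user out of Office 365, which is why the rule should be tested from outside the network before it is rolled out widely.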
- Congestion Avoidance Algorithm
This algorithm implements logic on the AD FS 2.0 federation server proxy that rejects external client authentication requests when the AD FS 2.0 federation server is overloaded. It is closely related to the Additive Increase Multiplicative Decrease (AIMD) algorithm that is used for congestion control in TCP. The solution works by using a congestion window, represented by a pool of tokens, from which a token is leased to each incoming request at the federation server proxy; when no token is available, the request is rejected instead of being forwarded. This eases the pressure on the federation server and prevents it from becoming congested to the point where the system stops working correctly. An AD FS 2.0 administrator can adjust the congestion algorithm in the federation server proxy's config file. The setting is the following line in the <microsoft.identityServer.proxy> section of the federation server proxy's config file:
<congestionControl latencyThresholdInMSec="2000" minCongestionWindowSize="16" />
- Explanation of the configurable parameters in this setting:
- latencyThresholdInMSec
Allowed values: minimum 1000, maximum 60000, default 2000
Description: Controls the sensitivity of the congestion algorithm trigger. When the average latency rises above the latencyThresholdInMSec value, congestion control comes into effect.
- minCongestionWindowSize
Allowed values: minimum 1, maximum 10000, default 16
Description: Controls the severity of the congestion algorithm. Defines the smallest number of concurrent requests from the federation server proxy to the federation server if persistent congestion occurs.
Raising latencyThresholdInMSec or lowering minCongestionWindowSize makes throttling less likely to engage or more aggressive once it does; note that a very low minimum window means a small number of slow external requests can be enough to make the proxy reject legitimate users.
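To make the behaviour of the two parameters concrete, here is an added PowerShell simulation of an AIMD-style token pool of the kind described above. It is an illustration written for this page, not Microsoft's implementation: the parameter names and defaults are those of the <congestionControl> element, while the starting pool size, the grow-by-one and halve steps, the moving-average length and the latency profile are assumptions chosen for the simulation.

```powershell
# Added illustration, not Microsoft's code: an AIMD congestion window for a federation server proxy.
# Parameter names/defaults mirror the <congestionControl> element; everything else is assumed.

function New-CongestionWindow {
    param(
        [int]$LatencyThresholdInMSec  = 2000,   # default from the config element
        [int]$MinCongestionWindowSize = 16,     # default from the config element
        [int]$InitialWindowSize       = 64      # assumption: token pool size at startup
    )
    [pscustomobject]@{
        LatencyThresholdInMSec  = $LatencyThresholdInMSec
        MinCongestionWindowSize = $MinCongestionWindowSize
        WindowSize              = $InitialWindowSize   # tokens in the pool = max concurrent requests to the federation server
        Outstanding             = 0                    # tokens currently leased ("Outstanding Token Requests")
        Rejected                = 0                    # requests refused for lack of a token ("Rejected Token Requests")
    }
}

# Every request entering the proxy must lease a token; with none free it is rejected, not forwarded.
function Request-Token {
    param([Parameter(Mandatory)]$Window)
    if ($Window.Outstanding -ge $Window.WindowSize) {
        $Window.Rejected++
        return $false
    }
    $Window.Outstanding++
    return $true
}

# Once per measurement interval: additive increase while the federation server answers quickly,
# multiplicative decrease (never below the configured minimum) when average latency crosses the threshold.
function Update-CongestionWindow {
    param([Parameter(Mandatory)]$Window, [Parameter(Mandatory)][double]$AverageLatencyMSec)
    if ($AverageLatencyMSec -gt $Window.LatencyThresholdInMSec) {
        $Window.WindowSize = [Math]::Max($Window.MinCongestionWindowSize, [int][Math]::Floor($Window.WindowSize / 2))
    } else {
        $Window.WindowSize += 1
    }
}

function Invoke-CongestionSimulation {
    param(
        [Parameter(Mandatory)]$Window,
        [Parameter(Mandatory)][int[]]$LatencyProfileMSec,  # federation server latency observed in each interval
        [int]$ArrivalsPerInterval = 40,                    # assumption: external requests arriving per interval
        [int]$AverageOver = 4                              # assumption: intervals in the moving average
    )
    $recent = New-Object System.Collections.Generic.Queue[int]
    $interval = 0
    foreach ($latency in $LatencyProfileMSec) {
        $interval++
        $admitted = 0
        for ($i = 0; $i -lt $ArrivalsPerInterval; $i++) {
            if (Request-Token -Window $Window) { $admitted++ }
        }
        # Admitted requests complete within the interval and return their tokens.
        $Window.Outstanding -= $admitted
        $recent.Enqueue($latency)
        if ($recent.Count -gt $AverageOver) { [void]$recent.Dequeue() }
        $avg = ($recent | Measure-Object -Average).Average
        Update-CongestionWindow -Window $Window -AverageLatencyMSec $avg
        [pscustomobject]@{
            Interval  = $interval
            LatencyMs = $latency
            AvgMs     = [int]$avg
            Window    = $Window.WindowSize
            Admitted  = $admitted
            Rejected  = $Window.Rejected   # cumulative
        }
    }
}

# Constructed profile: healthy service, then an overloaded federation server, then recovery.
$latencyProfile = @(300, 300, 300, 5000, 5000, 5000, 5000, 5000, 300, 300, 300, 300, 300, 300)
$window = New-CongestionWindow
Invoke-CongestionSimulation -Window $window -LatencyProfileMSec $latencyProfile | Format-Table -AutoSize
```

With the defaults, the window grows one token per interval while the average stays under 2000 ms, is halved each interval once the moving average crosses it (64 to 34 to 17 and then the floor of 16), and the proxy starts rejecting the excess of the 40 arrivals once the pool is smaller than the load. Because recovery is additive, the window climbs back slowly after latency drops, which is the intended AIMD behaviour: the proxy sheds load quickly and re-admits it cautiously.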
- Additional AD FS 2.0 performance counters
New performance counters were introduced in the AD FS 2.0 federation server proxy and the AD FS 2.0 federation server to provide more measurements of AD FS 2.0 performance metrics. The following list shows those performance counters, where each one is located, and when you may want to use it:
- Outstanding Token Requests (federation server proxy): use when you want to measure the number of outstanding WS-Trust token requests on the federation server proxy.
- Rejected Token Requests (federation server proxy): use when you want to measure the number of WS-Trust requests that were rejected because of congestion throttling on the federation server proxy.
- Rejected Token Requests/sec (federation server proxy): use when you want to measure the number of WS-Trust requests that were rejected per second because of congestion throttling on the federation server proxy.
- Token Request Latency (federation server proxy): use when you want to measure the average round-trip time (RTT) of WS-Trust requests on the federation server proxy.
- Username Token Validations Failures (federation server): use when you want to measure the number of failed username and password authentications on the federation server.
- Username Token Validations Failures/sec (federation server): use when you want to measure the number of failed username and password authentications per second on the federation server.
The first four counters show whether the congestion avoidance algorithm is engaging and how much external load it is shedding. A sustained rise in the two failure counters is also a useful signal of password-guessing attempts against the federation service and is worth alerting on.