Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013


View products that this article applies to.

INTRODUCTION

Microsoft has released security bulletin MS13-066. To view the complete security bulletin, go to the following Microsoft website:

How to obtain help and support for this security update

Help for installing updates: Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware: Virus Solution and Security Center

Local support according to your country:
International Support

↑ Back to the top


More Information

Known issues with this security update

  • You may experience any of the following known issues after you install this security update.



    Issue 1

    When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.

    Generally, a large SSO token is caused by a user being a member of many groups.

    Issue 2

    Assume that you deploy Active Directory Federation Services (AD FS) as an identity provider for a federation provider. Or, assume that you deploy AD FS as a security token service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, if the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when the user tries to perform authentication.

    Issue 3

    If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

    Issue 4

    When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

    Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.

    Issue 5

    For customized AD FS 2.0 deployments, customizations added after the SignIn call in the FormsSignin.aspx.cs page code are not executed.

    To resolve these issues, install hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server
  • Microsoft is aware of problems with the security updates that affect AD FS 2.0 that are described in MS13-066. These problems could cause AD FS to stop working if the previously released update rollup (Update Rollup 3 for Active Directory Federation Services 2.0, also known as update 2790338) was not installed.

    On August 19, 2013, Microsoft rereleased security update 2843638 to address this issue. Customers who installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Be aware that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.

Additional steps that are required to install this security update

After you install this security update, follow these steps to manually complete the installation:
  1. Make a backup copy of the customized FormsSignIn.aspx page in the following folder:

     
    %systemdrive%\inetpub\adfs\ls
    Notes
    • Make sure that you store the backup in a reliable storage location.
    • All customizations to .asp files should be reliably backed up. We recommend that you use version control to do this.
  2. In the backup folder, edit the FormsSignIn.aspx page to add the text "autocomplete=off" for the Username and Password text boxes. To do this, follow these steps:
    1. Change the following:

       
      <asp:TextBox runat="server" ID="UsernameTextBox">




      To the following:

       
      <asp:TextBox runat="server" ID="UsernameTextBox" autocomplete="off">
    2. Change the following:

       
      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password">




      To the following:

       
      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password" autocomplete="off">
  3. Copy the updated FormsSignIn.aspx page to the following folder:


     
    %systemdrive%\inetpub\adfs\ls

↑ Back to the top


FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.
Windows Server 2008 file information
  • The files that apply to a specific product, milestone (SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.0.6002.18xxxWindows Server 2008 SP2SP2GDR
    6.0.6002.23xxxWindows Server 2008 SP2SP2LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.

For all supported x86-based versions of Windows Server 2008

File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.1.7600.17338778,24001-Jul-201322:59x86
Microsoft.identityserver.dll6.1.7601.22371786,43201-Jul-201323:02x86

For all supported x64-based versions of Windows Server 2008

File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.2.9200.16651871,93628-Jun-201300:30x86
Microsoft.identityserver.dll6.2.9200.20760871,93628-Jun-201308:50x86

↑ Back to the top


Windows Server 2008 R2 file information
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.1.760 1.18 xxxWindows Server 2008 R2SP1GDR
    6.1.760 1.22 xxxWindows Server 2008 R2SP1LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.



For all supported x64-based versions of Windows Server 2008 R2

File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.1.7601.18195778,24028-Jun-201313:11x86
Microsoft.identityserver.dll6.1.7601.22370786,43228-Jun-201305:20x86

↑ Back to the top


Windows Server 2012 file information
  • The files that apply to a specific product, milestone (RTM,SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    VersionProductMilestoneService branch
    6.2.920 0.16xxxWindows Server 2012RTMGDR
    6.2.920 0.20xxxWindows Server 2012RTMLDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.



For all supported x64-based versions of Windows Server 2012

File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.2.9200.16651871,93628-Jun-201300:30x86
Microsoft.identityserver.dll6.2.9200.20760871,93628-Jun-201308:50x86

↑ Back to the top


Keywords: atdownload, kbbug, kbexpertiseinter, kbfix, kblangall, kbmustloc, kbsecbulletin, kbsecreview, kbsecurity, kbsecvulnerability, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 2843639
Revision : 1
Created on : 1/7/2017
Published on : 11/20/2013
Exists online : False
Views : 292