KnowledgeBase: An update is available to fix several issues after you install security update 2843638 or 2843639 on Active Directory Federation Services (AD FS) servers


In August, Microsoft released MS13-066, Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Important). Its accompanying hotfixes were labeled KnowledgeBase article 2843638 and KnowledgeBase article 2843639.

Last month, Microsoft released a KnowledgeBase article describing an update to these patches to fix five specific issues. It is labeled KnowledgeBase article 2896713.


The issues

For Active Directory Federation Services (AD FS) servers running Windows Server 2008 and Windows Server 2008 R2, the issues occur after you have security update 2843638 installed. For Active Directory Federation Services (AD FS) servers running Windows Server 2012, the issues occur after you have security update 2843639 installed.

Issue 1

When a Single Sign-On (SSO) token grows too large, the user cannot authenticate with the server. Generally, a large Single Sign-On (SSO) token is caused by a user being a member of many groups.

Tickets vs. tokens
Although Microsoft refers to tokens in the context of Active Directory Federation Services (AD FS), it is technically speaking of SAML-based or OAuth-based tickets. These differ significantly from Kerberos-based tokens in layout and contents. We still refer to them as tokens, because of the way these tickets are signed and compressed they behave as tokens. Apparently, with the same drawbacks.

Issue 2

Assume that you deploy Active Directory Federation Services (AD FS) as an Identity Provider (IdP) for a federation provider. Or, assume that you deploy Active Directory Federation Services (AD FS) as a Security Token Service (STS) that works as a combined Identity Provider (IdP) and federation provider for a token-aware application.

If there is a failure in the trust relationship (for example, the relying party trust is disabled), users keep seeing the sign-in page instead of an error message when they try to perform authentication.

Issue 3

If you disable the Single Sign-On (SSO) option on an Active Directory Federation Services (AD FS) server, authentication requests to the Active Directory Federation Services (AD FS) server fail.

Issue 4

When a passive authentication request to an Active Directory Federation Services (AD FS) server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

Note:
A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.

Issue 5

For customized Active Directory Federation Services (AD FS) 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.


The resolution

A supported hotfix is available from Microsoft as part of KnowledgeBase article 2896713.

Note:
However, this hotfix is intended to correct only the problems described in this article. Apply this hotfix only to systems that are experiencing the issues described above.

Note:
This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

Note:
If you install this update on Active Directory Federation Services (AD FS) STS servers, you must also install the update on Active Directory Federation Services (AD FS) proxy servers. We recommend that you upgrade all the Active Directory Federation Services (AD FS) STS servers before you upgrade the Active Directory Federation Services (AD FS) proxy servers so that you do not have to bring down all servers in a server farm from an Active Directory Federation Services (AD FS) functionality point of view.

Note:
There is a known issue with passive HTTP basic authentication after you install this update. We recommend that you migrate the environment to forms-based authentication before you install this update.

You do not have to restart the Active Directory Federation Services (AD FS) server after you apply this update.

Prerequisites

To apply this update, you must be running one of the following operating systems:

  • Windows Server 2008 with Service Pack 2
  • Windows Server 2008 R2 with Service Pack 1
  • Windows Server 2012
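The operating system to security update mapping under "The issues" and the prerequisites above can be turned into a quick local check before deciding whether a server needs 2896713. This is an added example written for this post, not a script from Microsoft or the KnowledgeBase article; it assumes it is run in an elevated PowerShell session on the AD FS server itself, and it relies on Get-HotFix, which only lists updates recorded in Win32_QuickFixEngineering.

```powershell
# Added example: report whether this AD FS host carries the security update that
# introduces the five issues, and whether the 2896713 hotfix is already present.
# Assumption: run locally, elevated, on the AD FS STS or proxy server.
$os      = Get-WmiObject -Class Win32_OperatingSystem
$caption = $os.Caption

# Per the article: 2843638 applies to Server 2008 / 2008 R2, 2843639 to Server 2012.
$affectedKb = switch -Wildcard ($caption) {
    '*Server*2008*' { 'KB2843638'; break }
    '*Server*2012*' { 'KB2843639'; break }
    default         { $null }
}

if (-not $affectedKb) {
    Write-Output "$caption is not one of the operating systems this update targets."
    return
}

# Get-HotFix -Id accepts the KB number prefixed with 'KB'.
$hasSecurityUpdate = [bool](Get-HotFix -Id $affectedKb -ErrorAction SilentlyContinue)
$hasFix            = [bool](Get-HotFix -Id 'KB2896713'  -ErrorAction SilentlyContinue)

[pscustomobject]@{
    OperatingSystem      = $caption
    AffectedUpdate       = $affectedKb
    AffectedUpdatePresent = $hasSecurityUpdate
    Hotfix2896713Present = $hasFix
    Recommendation       = if ($hasSecurityUpdate -and -not $hasFix) {
        'Affected state: install 2896713 if any of the five issues occurs (STS servers first, then proxies).'
    } elseif ($hasFix) {
        '2896713 already installed.'
    } else {
        "$affectedKb not installed; the issues described do not apply."
    }
}
```

Run it on every STS server first and then on each proxy, which matches the install order the note below recommends.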


Concluding

When you are experiencing any of the above issues, install the hotfix from KnowledgeBase article 2896713.

Related blogposts

MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Important)

Related KnowledgeBase articles

2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server
2843638 Description of the security update for Active Directory Federation Services 2.0
2843639 Description of the security update for Active Directory Federation Services 2.0
