KnowledgeBase: Windows Server 2012 R2-based AD FS Proxy consumes 100% CPU

As part of the May 2014 Update Rollup, Microsoft has released an update for Windows Server 2012 R2-based Active Directory Federation Services (AD FS) Proxies that consume 100% CPU under load.

This leads to rejected logons and slow performance for colleagues trying to authenticate to the Active Directory Federation Services (AD FS) infrastructure.


The situation

The Active Directory team has found an issue that occurs when more than 200 people try to sign in simultaneously through an Active Directory Federation Services (AD FS) Proxy placed in front of a Security Token Service (STS): the AD FS Proxy consumes 100% of its CPU.


The issue

In this situation, the AD FS Proxy becomes slow and introduces a sign-in delay that exceeds 10 seconds. The servers acting as Security Token Service (STS) behind the AD FS Proxy, however, experience only minimal load. The result is that the STS rejects requests or serves a mere 5 to 10 requests per second.


The cause

This issue occurs because, when multiple clients try to sign in at the same time, additional "stale" requests are added to the request pool on the AD FS Proxy. These stale requests exhaust the resources of the AD FS Proxy.


The solution

To resolve this issue, install update 2955164 (Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: May 2014) on Windows Server 2012 R2-based Active Directory Federation Services (AD FS) Proxies.

You do not have to restart these servers after you apply this hotfix.
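The following PowerShell snippet is an added example, not part of the original article or of the Microsoft update, for checking an AD FS Proxy estate against this KnowledgeBase article: it reports on each proxy whether update 2955164 is installed and samples the proxy's current CPU load, so that proxies still missing the rollup (and any that are already pegged at 100% CPU) show up in one table. The server names in $ProxyServers are placeholders to replace with your own; the cmdlets Get-HotFix and Get-Counter and the counter path used are standard Windows PowerShell.

```powershell
# Added example (not from the original article): verify on each AD FS Proxy whether
# the May 2014 rollup (KB2955164) is installed, and sample its CPU load.
# $ProxyServers is a placeholder list; replace it with your actual AD FS Proxy host names.
$ProxyServers   = @('adfsproxy01.example.com', 'adfsproxy02.example.com')
$RequiredHotfix = 'KB2955164'

foreach ($server in $ProxyServers) {
    # Get-HotFix -Id returns the update when it is present and throws when it is absent,
    # so the error is suppressed and the result is tested for $null below.
    $hotfix = Get-HotFix -Id $RequiredHotfix -ComputerName $server -ErrorAction SilentlyContinue

    # Sample total processor usage three times, one second apart, and average the samples.
    $cpu = (Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                        -ComputerName $server -SampleInterval 1 -MaxSamples 3 `
                        -ErrorAction SilentlyContinue).CounterSamples |
           Measure-Object -Property CookedValue -Average

    # One row per proxy: is the fix present, when was it installed, and how busy is the CPU now.
    [pscustomobject]@{
        Server        = $server
        HotfixPresent = [bool]$hotfix
        InstalledOn   = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        AvgCpuPercent = if ($cpu)    { [math]::Round($cpu.Average, 1) } else { $null }
    }
}
```

Run it from a management host with remote access to the proxies (both cmdlets query the remote computer over its regular remote management channels). Piping the output through Where-Object { -not $_.HotfixPresent } gives the list of proxies that still need the rollup; a proxy that reports the hotfix as present but still sits near 100% CPU warrants a separate look, since it would then not be suffering from the issue described here.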


Concluding

I recommend that any admins running Windows Server 2012 R2-based Active Directory Federation Services (AD FS) Proxies update these installations with the May 2014 Update Rollup.

Related KnowledgeBase articles

2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in
2955164 Windows RT 8.1, Windows 8.1, and Server 2012 R2 update rollup: May 2014

Further reading

KnowledgeBase: An update is available to fix several issues after you install security update 2843638 or 2843639 on Active Directory Federation Services (AD FS) servers
MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Important)
