Windows Server 2016’s February 2018’s Cumulative Quality Update, bringing the OS version to 14393.2097, offers several fixes for Secure Token Servers (STSs) running Active Directory Federation Services (AD FS) and Web Application Proxies.
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.
On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.
Active Directory Federation Services Fixes
Windows Server 2016’s February 2018’s Cumulative Quality Update addresses four issues with Active Directory Federation Services (AD FS).
Web Application Proxy failed to authenticate the user
The first fix addresses an issue where an HTTP 500 error occurs when an ADFS farm has at least two servers using Windows Internal Database (WID). In this scenario, HTTP basic pre-authentication on the Web Application Proxy (WAP) server fails to authenticate some users. When the error occurs, you might also see the Microsoft Windows Web Application Proxy warning Event ID 13039 in the WAP event log. The description reads:
Web Application Proxy failed to authenticate the user. Pre-authentication is ‘ADFS For Rich Clients’. The given user is not authorized to access the given relying party. The authorization rules of either the target relying party or the WAP relying party are needed to be modified.
AD FS ignores the ‘prompt=login’ parameter
The second fix addresses issue in which AD FS can no longer ignore prompt=login during authentication. A Disabled option was added to support scenarios in which password authentication is not used. For more information, see AD FS ignores the “prompt=login” parameter during an authentication in Windows Server 2016.
‘Prompt=login’ with WIA fails
The third fix addresses an issue in AD FS where Authorized Customers (and relying parties) who select Certificate as an authentication option will fail to connect. The failure occurs when using prompt=login if Windows Integrated Authentication (WIA) is enabled and the request can do WIA.
Error code 0x03000008 occurs when using Remote Desktop
The fourth fix addresses an issue where some Remote Desktop Protocol (RDP) clients that used an absolute URI (instead of a relative URI) were blocked by the Web Application Proxy (WAP) server from connecting to the Remote Desktop Gateway. This affected RDP clients on iOS, Mac, Android, and the Windows modern RDP client app. The error is:
We couldn’t connect to the gateway because of an error. If this keeps happening, ask your admin or tech support for help. Error code: 0x03000008.
Call to action
When you experience any one of these issues, you are invited to install Windows Server 2016’s February 2018’s Cumulative Quality Update (KB4077525) on your AD FS Servers and Web Application Proxies to resolve them.
After installing this update, servers where Credential Guard is enabled may restart unexpectedly. The error is “The system process lsass.exe terminated unexpectedly with status code -1073740791. The system will now shut down and restart.” In this case, disable Windows Defender Credential Guard. Microsoft is working on a resolution and will provide an update in an upcoming release.