Hotfix for ADFS 2.0/2.1

This hotfix applies after installing Windows Server update 2843638 (AD FS 2.0) and 2843639 (AD FS 2.1), respectively.

Known issues:

Issue 1
When a single sign-on (SSO) token grows too large, the user cannot authenticate with the server.
Generally, a large SSO token is caused by a user being a member of many groups.

Issue 2
Assume that you deploy AD FS as an identity provider for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when they try to perform authentication.

Issue 3
If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

Issue 4
When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.
Note: A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.
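To make the two fresh-authentication signals in the note concrete, here is an added example (not from the KB article or this post) that inspects an incoming passive request the way the STS must: it reads wfresh from a WS-Fed sign-in URL and ForceAuthn from a SAML-P redirect-binding AuthnRequest. The hostnames, realm and request ID are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def wsfed_requires_fresh_auth(url: str) -> bool:
    """WS-Fed passive request: wfresh=0 asks the STS to re-prompt for
    credentials even if a valid SSO session exists. A missing wfresh means
    any existing session is acceptable."""
    wfresh = parse_qs(urlsplit(url).query).get("wfresh", [None])[0]
    if wfresh is None:
        return False
    try:
        return int(wfresh) == 0
    except ValueError:
        return False  # malformed value: treat as "no freshness requirement"

def encode_saml_request(xml: str) -> str:
    """Encode an AuthnRequest as an SP does for the SAML-P redirect binding:
    raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def samlp_requires_fresh_auth(saml_request_param: str) -> bool:
    """SAML-P: ForceAuthn="true" on the AuthnRequest asks the IdP to
    re-authenticate the user regardless of an existing session."""
    root = ET.fromstring(zlib.decompress(base64.b64decode(saml_request_param), -15))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False
    return root.get("ForceAuthn", "false").lower() == "true"

# Constructed sample requests; hostnames and IDs are placeholders.
WSFED_FRESH = ("https://sts.example.test/adfs/ls/?wa=wsignin1.0"
               "&wtrealm=https%3A%2F%2Fapp.example.test%2F&wfresh=0")
WSFED_SSO = "https://sts.example.test/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Fapp.example.test%2F"
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_c0ffee01" Version="2.0" '
    'IssueInstant="2013-10-01T00:00:00Z" ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://app.example.test/acs"/>'
)

if __name__ == "__main__":
    print("WS-Fed wfresh=0 ->", wsfed_requires_fresh_auth(WSFED_FRESH))
    print("WS-Fed no wfresh ->", wsfed_requires_fresh_auth(WSFED_SSO))
    print("SAML ForceAuthn ->", samlp_requires_fresh_auth(encode_saml_request(AUTHN_REQUEST)))
```

Requests for which either function returns True are the ones that, before this hotfix, could loop on the credential prompt; counting them in the AD FS request logs shows how many users the fix affects.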

Issue 5
For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.