After installing Windows Server Update 2843638 (2.0) and 2843639 (2.1).
When a single sign-on (SSO) token grows too large, the user cannot authenticate with the server.
Generally, a large SSO token is caused by a user being a member of many groups.
Assume that you deploy AD FS as an identity provider for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when they try to perform authentication.
If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.
When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.
Note: A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.
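The two fresh-authentication rules from the note, written as the check an STS would run before reusing an existing SSO session. This is an added example, not code from the KB article or from AD FS; the sample requests are constructed, and the sts.example.com / app.example.com names are placeholders.

```python
"""Decide whether an incoming sign-in request asks for fresh authentication.

WS-Fed: wfresh=0 means re-prompt; wfresh=N means an existing session is acceptable
only if it is at most N minutes old. SAML-P: the AuthnRequest attribute ForceAuthn
(written ForceAuthN=true in the note above) set to "true" means re-prompt.
"""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def wsfed_requires_fresh_auth(url: str, session_age_minutes: float) -> bool:
    """Return True if the WS-Fed sign-in request must not reuse the current session."""
    params = parse_qs(urlparse(url).query)
    if params.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a WS-Federation sign-in request")
    wfresh = params.get("wfresh")
    if wfresh is None:          # no freshness requirement: any live session is fine
        return False
    max_age = int(wfresh[0])
    if max_age == 0:            # wfresh=0: always re-authenticate
        return True
    return session_age_minutes > max_age


def samlp_requires_fresh_auth(saml_request_b64: str) -> bool:
    """HTTP-Redirect binding carries a base64(deflate(AuthnRequest)); read ForceAuthn."""
    raw = zlib.decompress(base64.b64decode(saml_request_b64), -15)  # raw DEFLATE
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    return root.get("ForceAuthn", "false").lower() == "true"


def make_saml_request(force_authn: bool) -> str:
    """Constructed sample AuthnRequest, encoded the way the Redirect binding sends it."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_example" Version="2.0" '
           f'IssueInstant="2013-01-01T00:00:00Z" ForceAuthn="{str(force_authn).lower()}"/>')
    deflated = zlib.compress(xml.encode())[2:-4]  # strip zlib header and adler32 trailer
    return base64.b64encode(deflated).decode()


# Constructed WS-Fed sign-in request with wfresh=0 (placeholder realm and STS host)
WSFED_FRESH = ("https://sts.example.com/adfs/ls/?wa=wsignin1.0"
               "&wtrealm=https%3A%2F%2Fapp.example.com%2F&wfresh=0")
```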
For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.