Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0

Yesterday Microsoft released Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0.

The update includes hotfixes and updates that fix seven (7) product issues (six of which are summarised below) and add four (4) new capabilities to the product. Summarised, the changes are:

  • Issue 1 (kb2254265): The “500” error code is returned when you send an HTTP SOAP request to the “/adfs/services/trust/mex” endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
  • Issue 2 (kb2272757): An identity-provider-initiated sign-on process is slow in Windows Server 2008 R2 and in Windows Server 2008
  • Issue 3: The “400” error code is returned when sending an authentication request to an AD FS 2.0 federation server proxy through the Windows integrated authentication endpoint (Nego 2)
  • Issue 4: Decrease in performance occurs on AD FS 2.0 federation server when a user who is authenticating has a large number of group memberships.
  • Issue 5: Failure to join an AD FS 2.0 federation server to an existing SQL-based federation server farm when the AD FS 2.0 administrator that tries the join operation does not have administrator rights to the SQL Server database.
  • Issue 6: AD FS 2.0 Federation Service cannot create or verify SAML tokens when the private keys of an AD FS 2.0 token-signing certificate and/or token-decryption certificate are stored by using a third-party cryptographic service provider (CSP), for example a hardware security module (HSM).
  • New capability 1: Multiple Issuer Support
  • New capability 2: Client Access Policy Support
  • New capability 3: Congestion Control Algorithm
  • New capability 4: Additional AD FS 2.0 performance counters

Those of you working on Office 365 projects might find this new capability of particular interest:

Multiple Issuer Support. Previously, Microsoft Office 365 customers who require single sign-on (SSO) by using AD FS 2.0 and use multiple top-level domains for their users’ user principal name (UPN) suffixes (for example, @contoso.us or @contoso.de) had to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix. After you install this Update Rollup on all the AD FS 2.0 federation servers in the farm and follow Microsoft’s instructions for using this feature with Office 365, new claim rules dynamically generate the token issuer ID from the UPN suffix of each Office 365 user. As a result, you no longer have to set up multiple instances of the AD FS 2.0 federation server to support SSO for multiple top-level domains in Office 365.
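To make the “dynamically generated issuer ID” concrete, here is an added example (my own script, not code from the post or from Microsoft’s KB) of what the Multiple Issuer Support change looks like on the federation server once the rollup is on every server in the farm. It assumes the AD FS 2.0 PowerShell snap-in, the default Office 365 relying party trust display name, and the issuerid claim rule text as I understand Microsoft’s multiple-top-level-domain guidance; the Office 365 side is shown with the MSOnline cmdlet that registers a per-domain issuer URI. Check all three against the KB article linked below before running it in production.

```powershell
# Added example, not from the original post. Assumptions: AD FS 2.0 snap-in name,
# RP trust display name "Microsoft Office 365 Identity Platform", and the issuerid
# rule text below (taken from Microsoft's multiple-top-level-domain guidance as I
# understand it). The rule relies on a UPN claim already being issued earlier in
# the Office 365 rule set, as the default rules do.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "Microsoft Office 365 Identity Platform"
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Maps the UPN suffix to a per-domain issuer URI, for example
#   user@contoso.de  ->  http://contoso.de/adfs/services/trust/
# so each federated domain in Office 365 sees the issuer it was registered with.
# A UPN suffix that is not a federated domain in the tenant produces an issuer
# Office 365 does not know, and the sign-in fails; keep UPN suffixes and federated
# domains in step. Single-quoted here-string: ${domain} is left for the rule engine.
$issuerIdRule = @'
@RuleName = "Issuer ID per UPN suffix (Multiple Issuer Support)"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/01/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
'@

# Append to the existing issuance transform rules instead of replacing them,
# and skip the change if an issuerid rule is already present (idempotent re-run).
$existing = $rp.IssuanceTransformRules
if ($existing -notmatch 'identity/claims/issuerid') {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ($existing + "`r`n" + $issuerIdRule)
}

# Office 365 side (requires the MSOnline module and a prior Connect-MsolService):
# each additional top-level domain is federated with the multiple-domain flag so its
# IssuerUri is registered as http://<domain>/adfs/services/trust/, matching the rule.
Convert-MsolDomainToFederated -DomainName "contoso.de" -SupportMultipleDomain
```

Run the AD FS part on one federation server in the farm (the configuration database is shared), and run the MSOnline part once per additional top-level domain. After the change, inspect a token for a user in each domain and confirm the issuerid claim carries that domain’s URI; a mismatch between the claim and the IssuerUri registered in Office 365 is the usual cause of a sign-in failure with this feature.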

For more information about the instructions, visit the following Microsoft website: General information about how to set up a trust by adding or converting a domain for SSO


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in AD FS, News.

One Response to Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0

  1. Pingback: Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 | Yet another identity management blog
