Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0

Yesterday Microsoft released Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0.

This update includes five (5) hotfixes, summarised below. The update is cumulative, which means it contains all fixes and features in the previous two updates: update rollup 1 and update rollup 2.

  1. AD FS 2.0 does not issue an ActAs token for a relying party who is using a Security Assertion Markup Language (SAML) 2.0 bootstrap token.
  2. AD FS 2.0 update rollup 2 introduced strict Uniform Resource Identifier (URI) checking. When AD FS 2.0 acts as a federation provider and trusts an identity provider whose identifier is not a URI, the response that is returned from the identity provider is rejected by AD FS 2.0. The validation fails because AD FS 2.0 tries to validate the value of the identity provider’s identifier. This behaviour breaks previously functioning AD FS 2.0 deployments in which identity providers use non-URI identifiers. AD FS 2.0 update rollup 3 removes this URI checking.
  3. AD FS 2.0 does not allow multiple relying party trusts to use the same signing certificate for SAML request.
    • Note that a post-installation/upgrade configuration task is required for this change to become effective. The steps are described here.
  4. Performance of AD FS 2.0 needs improvement when an HSM is used to store the private key of the token-signing or token-encryption certificate.
  5. AD FS 2.0 update rollup 1 introduces the Congestion Avoidance Algorithm. If you accidentally disable the Congestion Avoidance Algorithm by changing the configuration, a handle leak occurs on an AD FS 2.0 federation server proxy every time that the federation server proxy processes a request. AD FS 2.0 update rollup 3 removes the setting that enables you to disable the Congestion Avoidance Algorithm by changing the configuration. You can fine-tune the Congestion Avoidance Algorithm by adjusting the latencyThresholdInMsec and minCongestionWindowSize settings.

About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in AD FS, Hotfix, News.

3 Responses to Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0

  1. Pingback: MSIS7613: The signing certificate of the relying party trust is not unique across all relying party trusts in AD FS 2.0 configuration | Yet another identity management blog

  2. Hien Nguyen says:

    Hello Paul, thank you for the post. I have a brand new Windows Server 2012 Server that I plan to use as an ADFS federation server. I would like to ask if I can just apply RU 3 hotfix before activating ADFS server role. Take care.

  3. Pingback: Issue with AD FS 2.0 security update MS13-066 (kb2843639) | Yet another identity management blog
