Issue with AD FS 2.0 security update MS13-066 (kb2843639)

On Tuesday August 14th, as part of regular patch releases, two patches were released for AD FS 2.0: kb2843639 and kb2843638.  The update was described in kb2843639 and MS13-066.

Installing these updates on machines not running AD FS 2.0 Update Rollup #3 breaks the federation service.  That is, there is a known issue whereby installing these updates results in federated logon/sign-in failing and the federation service generating event ID 111 in the AD FS 2.0 Admin event log.  The message body for the 111 looks like the following exception:

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.TypeLoadException: Could not load type ‘Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate’ from assembly ‘Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’.
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
   — End of inner exception stack trace —
   at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateSTS()
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateDispatchContext(Message requestMessage, String requestAction, String responseAction, String trustNamespace, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
System.TypeLoadException: Could not load type ‘Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate’ from assembly ‘Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’.
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)

On Monday August 19th MS13-066 was updated with a detailed explanation of the republish and a new update, kb2843638.  kb2843638 contains both of the fixes previously released as kb2843639 and kb2843638.  It is recommended that KB2843638 be applied manually or via Windows Update.

Here’s the text from the revised KB:

Known issues with this security update

Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed.

On August 19th 2013, Microsoft rereleased security update 2843638 to address this issue. Customers who already installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.

In short, run Windows Update on your FS and FS-P boxes and install kb2843638.  If you can’t use Windows Update download kb2843638 and install it.

Advertisements

About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in AD FS, Hotfix, Troubleshooting and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s