Important Announcement: AD FS 2.0 and MS13-066


Update (8/19/13):

We have republished MS13-066 with a corrected version of the hotfixes that contributed to this problem.  If you had held off on installing the update, it should be safe to install on all of your ADFS servers now.

The updated security bulletin is here: http://technet.microsoft.com/en-us/security/bulletin/MS13-066

Thanks everyone for your patience with this one.  If anyone is still having trouble after installing the re-released update, please call us and open a support case so that our engineers can get you working again!

===============================================================

Hi everyone, Adam and JR here with an important announcement.

We’re tracking an important issue in support where some customers who have installed security update MS13-066 on their AD FS 2.0 servers are experiencing authentication outages.  This is due to a dependency within the security update on certain versions of the AD FS 2.0 binaries.  Customers who are already running ADFS 2.0 RU3 before installing the update should not experience any issues.

We have temporarily suspended further downloads of this security update until we have resolved this issue for all ADFS 2.0 customers. 

Our Security and AD FS product team are working together to resolve this with their highest priority.  We’ll have more news for you soon in a follow-up post.  In the meantime, here is what we can tell you right now.

What to Watch For

If you have installed KB 2843638 or KB 2843639 on your AD FS server, you may notice the following symptoms:

  1. Federated sign-in fails for clients.
  2. Event ID 111 in the AD FS 2.0/Admin event log:

The Federation Service encountered an error while processing the WS-Trust request. 

Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue 

Additional Data 

Exception details: 

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)

   --- End of inner exception stack trace ---

   at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)

   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)

   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

   at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()

   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateSTS()

   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateDispatchContext(Message requestMessage, String requestAction, String responseAction, String trustNamespace, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext)

   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)

System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)

What to do if the problem occurs:

  1. Uninstall the hotfixes from your AD FS servers.
  2. Reboot any system where the hotfixes were removed.
  3. Check back here for further updates.
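To help with both the "What to Watch For" symptoms and the removal steps above, here is an added triage script (not from the original post) that reports, per AD FS 2.0 server or proxy, whether KB2843638/KB2843639 are installed and whether the AD FS 2.0/Admin log already holds Event ID 111 carrying the TypeLoadException quoted above. It assumes administrative rights and, for remote hosts, WinRM/RPC reachability; the server list and output fields are illustrative.

```powershell
# Added example: triage MS13-066 symptoms on AD FS 2.0 servers and proxies.
# Assumptions: run as an administrator; remote hosts reachable via WinRM/RPC.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # add federation servers and proxies here
)

$HotfixIds = @('KB2843638', 'KB2843639')            # hotfix numbers named in the post
$LogName   = 'AD FS 2.0/Admin'                      # event log named in the post
$EventId   = 111                                    # event ID named in the post
$Marker    = 'AsymmetricSignatureOperatorsDelegate' # type named in the quoted exception

foreach ($computer in $ComputerName) {
    # 1. Which of the two hotfixes are present on this host?
    $installed = Get-HotFix -ComputerName $computer -ErrorAction SilentlyContinue |
        Where-Object { $HotfixIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # 2. Has the WS-Trust failure from the post already been logged?
    #    Get-WinEvent returns newest events first, so the first hit is the latest.
    $filter = @{ LogName = $LogName; Id = $EventId }
    $hits = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter `
                -MaxEvents 100 -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match $Marker })

    # 3. One summary row per host; the Event 111 match is the real signal,
    #    since the 8/19 update says the re-released hotfixes are safe.
    [pscustomobject]@{
        Computer        = $computer
        HotfixesFound   = if ($installed) { $installed -join ',' } else { 'none' }
        Event111Matches = $hits.Count
        LastMatch       = if ($hits.Count -gt 0) { $hits[0].TimeCreated } else { $null }
        Action          = if ($hits.Count -gt 0) {
                              'Symptom present: uninstall the hotfixes and reboot (steps above)'
                          } elseif ($installed) {
                              'Hotfixes present, no Event 111 match yet: keep monitoring'
                          } else {
                              'Hotfixes not present'
                          }
    }
}
```

Run it against every federation server and every proxy, since the updates apply to proxies as well.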

We’ll update this blog post with more information as it becomes available, including links to any followup posts about this problem.

  • Thank you for the article. Luckily we haven't installed it yet :-)

  • Steps 1 and 2 partially restored the service but web access for Office365 is not working. Some users reported that installing CU3 for ADFS fixed the problem but I already uninstalled KB2843638 and KB2843639 so I'm not sure what it's going to do for me.

  • Thanks for the article, I have a change tomorrow at 4a for AD and ADFS servers...very timely

  • @Veli-MattiV,

    So far in all of the cases we've seen with this issue, removing the security updates and restarting the server corrected the problem behavior.  If you already had RU3 installed prior to installing the update, you shouldn't have run into a problem at all.  Basically, the security update will cause failures unless RU3 is installed prior to installing the security update.

    You may want to make sure to check your proxies because the updates would have applied there as well.  If you've uninstalled the updates from all AD FS servers (including proxies) and rebooted, and you're still having trouble, please open a support case with us so we can investigate further into why that's happening and whether there's something else that may be in play in your environment.

  • Are there any other KB article numbers that may correspond? I am looking at an ADFS server that has Event 111 issues but does not appear to have either of the named updates installed. Symptoms are exactly as described above, were either or both possibly rolled into a cumulative update?