Important Announcement: AD FS 2.0 and MS13-066
Update (8/19/13):
We have republished MS13-066 with a corrected version of the hotfixes that contributed to this problem. If you had held off on installing the update, it should be safe to install on all of your ADFS servers now.
The updated security bulletin is here: https://technet.microsoft.com/en-us/security/bulletin/MS13-066
Thanks everyone for your patience with this one. If anyone is still having trouble after installing the re-released update, please call us and open a support case so that our engineers can get you working again!
===============================================================
Hi everyone, Adam and JR here with an important announcement.
We’re tracking an important issue in support where some customers who have installed security update MS13-066 on their AD FS 2.0 servers are experiencing authentication outages. This is due to a dependency within the security update on certain versions of the AD FS 2.0 binaries. Customers who are already running ADFS 2.0 RU3 before installing the update should not experience any issues.
We have temporarily suspended further downloads of this security update until we have resolved this issue for all ADFS 2.0 customers.
Our Security and AD FS product teams are working together to resolve this with their highest priority. We’ll have more news for you soon in a follow-up post. In the meantime, here is what we can tell you right now.
What to Watch For
If you have installed KB 2843638 or KB 2843639 on your AD FS server, you may notice the following symptoms:
- Federated sign-in fails for clients.
- Event ID 111 in the AD FS 2.0/Admin event log:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateSTS()
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateDispatchContext(Message requestMessage, String requestAction, String responseAction, String trustNamespace, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
What to do if the problem occurs:
- Uninstall the hotfixes from your AD FS servers.
- Reboot any system where the hotfixes were removed.
- Check back here for further updates.
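A read-only check for the two conditions described above (the hotfixes and the Event ID 111 TypeLoadException), as an added example that is not part of the original post or of Microsoft's guidance. The seven-day lookback and the variable names are assumptions; the script is written to run on PowerShell 2.0 and changes nothing on the server.

```powershell
# Added example: read-only triage of an AD FS 2.0 server or proxy.
# Run from an elevated PowerShell session on each machine.

$kbIds        = 'KB2843638', 'KB2843639'              # hotfixes named in this post
$logName      = 'AD FS 2.0/Admin'                     # event log named in this post
$marker       = 'AsymmetricSignatureOperatorsDelegate' # type from the TypeLoadException
$lookbackDays = 7                                     # assumption: adjust to your patch window

# 1. Is either hotfix currently installed?
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbIds -contains $_.HotFixID })

# 2. Event ID 111 entries that carry the TypeLoadException shown in this post.
#    Get-WinEvent reports an error when nothing matches, hence SilentlyContinue.
$filter = @{
    LogName   = $logName
    Id        = 111
    StartTime = (Get-Date).AddDays(-$lookbackDays)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" })

# 3. Combine both signals into one status line per server.
if ($installed.Count -gt 0 -and $events.Count -gt 0) {
    $status = 'Hotfix present and TypeLoadException logged: matches the issue in this post'
} elseif ($events.Count -gt 0) {
    $status = 'TypeLoadException logged but neither hotfix found: not explained by this post'
} elseif ($installed.Count -gt 0) {
    $status = 'Hotfix present, no matching Event ID 111 in the lookback window'
} else {
    $status = 'Neither hotfix nor matching Event ID 111 found'
}

# Get-WinEvent returns newest entries first, so index 0 is the latest match.
$lastMatch = $null
if ($events.Count -gt 0) { $lastMatch = $events[0].TimeCreated }

New-Object PSObject -Property @{
    Computer          = $env:COMPUTERNAME
    HotfixesInstalled = ($installed | ForEach-Object { $_.HotFixID }) -join ', '
    Event111Matches   = $events.Count
    LastMatch         = $lastMatch
    Status            = $status
}
```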
We’ll update this blog post with more information as it becomes available, including links to any follow-up posts about this problem.
Comments
Anonymous
August 15, 2013
Thank you for an article. Luckily we haven't installed it yet :-)
Anonymous
August 16, 2013
Steps 1 and 2 partially restored the service but web access for Office365 is not working. Some users reported that installing CU3 for ADFS fixed the problem but I already uninstalled KB2843638 and KB2843639 so I'm not sure what it's going to do for me.
Anonymous
August 16, 2013
Thanks for the article, I have a change tomorrow at 4a for AD and ADFS servers...very timely
Anonymous
August 16, 2013
@Veli-MattiV, So far in all of the cases we've seen with this issue, removing the security updates and restarting the server corrected the problem behavior. If you already had RU3 installed prior to installing the update, you shouldn't have run into a problem at all. Basically, the security update will cause failures unless RU3 is installed prior to installing the security update. You may want to make sure to check your proxies because the updates would have applied there as well. If you've uninstalled the updates from all AD FS servers (including proxies) and rebooted, and you're still having trouble, please open a support case with us so we can investigate further into why that's happening and whether there's something else that may be in play in your environment.
Anonymous
August 18, 2013
Are there any other KB article numbers that may correspond? I am looking at an ADFS server that has Event 111 issues but does not appear to have either of the named updates installed. Symptoms are exactly as described above. Were either or both possibly rolled into a cumulative update?
Anonymous
July 29, 2014
This is a collection of the top Microsoft Support solutions for the most common issues experienced when