DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 2843639 - Last Review: November 20, 2013 - Revision: 10.0

On This Page

INTRODUCTION

Microsoft has released security bulletin MS13-066. To view the complete security bulletin, go to the following Microsoft website:

How to obtain help and support for this security update

Help for installing updates: Support for Microsoft Update (http://support.microsoft.com/ph/6527)

Security solutions for IT professionals: TechNet Security Troubleshooting and Support (http://technet.microsoft.com/security/bb980617.aspx)

Help protect your Windows-based computer from viruses and malware: Virus Solution and Security Center (http://support.microsoft.com/contactus/cu_sc_virsec_master)

Local support according to your country: International Support (http://support.microsoft.com/common/international.aspx)

More information

Known issues with this security update

  • You may experience any of the following known issues after you install this security update.

    Issue 1

    When a sign-on (SSO) token grows too large, the user cannot authenticate with the server.

    Generally, a large SSO token is caused by a user being a member of many groups.

    Issue 2

    Assume that you deploy Active Directory Federation Services (AD FS) as an identity provider for a federation provider. Or, assume that you deploy AD FS as a security token service (STS) that works as combined identity provider and federation provider for a token-aware application. If there is a failure in the trust relationship (for example, if the relying party trust is disabled), a user keeps seeing the sign-in page instead of an error message when the user tries to perform authentication.

    Issue 3

    If you disable the SSO option on an AD FS server, authentication requests to the AD FS server fail.

    Issue 4

    When a passive authentication request to the AD FS server requires fresh authentication, the authentication fails, and the server keeps asking for credentials.

    Note A claims-aware application may request fresh authentication by using the wfresh=0 parameter for the WS-Fed mechanisms. The application may instead use the ForceAuthN=true parameter for the SAMLP mechanisms.

    Issue 5

    For customized AD FS 2.0 deployments, customizations added after the SignIn call in the FormsSignin.aspx.cs page code are not executed.

    To resolve these issues, install hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    2896713  (http://support.microsoft.com/kb/2896713/ ) Update is available to fix several issues after you install security update 2843638 on an AD FS server
  • Microsoft is aware of problems with the security updates that affect AD FS 2.0 that are described in MS13-066. These problems could cause AD FS to stop working if the previously released update rollup (Update Rollup 3 for Active Directory Federation Services 2.0, also known as update 2790338) was not installed.

    On August 19, 2013, Microsoft rereleased security update 2843638 to address this issue. Customers who installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Be aware that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.

Additional steps that are required to install this security update

After you install this security update, follow these steps to manually complete the installation:
  1. Make a backup copy of the customized FormsSignIn.aspx page in the following folder:
     
    %systemdrive%\inetpub\adfs\ls
    
    Notes
    • Make sure that you store the backup in a reliable storage location.
    • All customizations to .asp files should be reliably backed up. We recommend that you use version control to do this.
  2. In the backup folder, edit the FormsSignIn.aspx page to add the text "autocomplete=off" for the Username and Password text boxes. To do this, follow these steps:
    1. Change the following:
       
      <asp:TextBox runat="server" ID="UsernameTextBox">  
      
      To the following:
       
      <asp:TextBox runat="server" ID="UsernameTextBox" autocomplete="off">  
      
    2. Change the following:
       
      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password">   
      
      To the following:
       
        <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password" autocomplete="off">  
      
  3. Copy the updated FormsSignIn.aspx page to the following folder:
     
     %systemdrive%\inetpub\adfs\ls

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows Server 2008 file information

Collapse this imageExpand this image
  • The files that apply to a specific product, milestone (SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    Collapse this tableExpand this table
    VersionProductMilestoneService branch
    6.0.6002.18xxxWindows Server 2008 SP2SP2GDR
    6.0.6002.23xxxWindows Server 2008 SP2SP2LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.

For all supported x86-based versions of Windows Server 2008

Collapse this imageExpand this image
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.1.7600.17338778,24001-Jul-201322:59x86
Microsoft.identityserver.dll6.1.7601.22371786,43201-Jul-201323:02x86
Collapse this imageExpand this image

For all supported x64-based versions of Windows Server 2008

Collapse this imageExpand this image
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.2.9200.16651871,93628-Jun-201300:30x86
Microsoft.identityserver.dll6.2.9200.20760871,93628-Jun-201308:50x86
Collapse this imageExpand this image
Collapse this imageExpand this image

Windows Server 2008 R2 file information

Collapse this imageExpand this image
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    Collapse this tableExpand this table
    VersionProductMilestoneService branch
    6.1.760 1.18 xxxWindows Server 2008 R2SP1GDR
    6.1.760 1.22 xxxWindows Server 2008 R2SP1LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.

For all supported x64-based versions of Windows Server 2008 R2

Collapse this imageExpand this image
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.1.7601.18195778,24028-Jun-201313:11x86
Microsoft.identityserver.dll6.1.7601.22370786,43228-Jun-201305:20x86
Collapse this imageExpand this image
Collapse this imageExpand this image

Windows Server 2012 file information

Collapse this imageExpand this image
  • The files that apply to a specific product, milestone (RTM,SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    Collapse this tableExpand this table
    VersionProductMilestoneService branch
    6.2.920 0.16xxxWindows Server 2012RTMGDR
    6.2.920 0.20xxxWindows Server 2012RTMLDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
Note The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.

For all supported x64-based versions of Windows Server 2012

Collapse this imageExpand this image
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Microsoft.identityserver.dll6.2.9200.16651871,93628-Jun-201300:30x86
Microsoft.identityserver.dll6.2.9200.20760871,93628-Jun-201308:50x86
Collapse this imageExpand this image
Collapse this imageExpand this image

Applies to
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
Keywords: 
atdownload kbbug kbexpertiseinter kbfix kbsecbulletin kbsecurity kbsecvulnerability KB2843639
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support