Required Updates for Active Directory Federation Services (AD FS) and Web Application Proxy (WAP)

As of October 2016, all updates to all components of Windows Server are released only via Windows Update (WU). There are no more hotfixes or individual downloads. This applies to Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 and Windows Server 2008 R2 SP1.

This page lists rollup packages of particular interest for AD FS and WAP, as well as the historic list of hotfix updates recommended for AD FS and WAP.

Updates for AD FS and WAP in Windows Server 2016

Updates for Windows Server 2016 are delivered monthly via Windows Update and are cumulative. The update package listed below is recommended for all AD FS and WAP 2016 servers and includes all previously required updates as well as the latest fixes.

| KB # | Description | Date Released |
|---|---|---|
| 4534271 | Addresses a potential AD FS failure in Google Chrome caused by the new SameSite cookie policies that Chrome release 80 enforces by default. For more information, please refer here. | January 2020 |
| CVE-2019-1126 | This security update addresses a vulnerability in Active Directory Federation Services (AD FS) that could allow an attacker to bypass the extranet lockout policy. | July 2019 |
| 4489889 (OS Build 14393.2879) | Addresses an issue in Active Directory Federation Services (AD FS) that causes a duplicate relying party trust to appear in the AD FS management console. This occurs when you create or view relying party trusts using the AD FS management console. Addresses a high Active Directory Federation Services (AD FS) Web Application Proxy (WAP) latency issue (over 10,000 ms) that occurs while Extranet Smart Lockout (ESL) is enabled on AD FS 2016. This security update addresses the vulnerability described in CVE-2018-16794. | March 2019 |
| 4487006 (OS Build 14393.2828) | Addresses an issue that causes updates to a relying party trust to fail when using PowerShell or the Active Directory Federation Services (AD FS) management console. This issue occurs if you configure a relying party trust to use an online metadata URL that publishes more than one PassiveRequestorEndpoint. The error is, "MSIS7615: The trusted endpoints specified in a relying party trust must be unique for that relying party trust." Addresses an issue that displays a specific error message for external complexity password changes because of Azure Password Protection policies. | February 2019 |
| 4462928 (OS Build 14393.2580) | Addresses interoperation issues between Active Directory Federation Services (AD FS) Extranet Smart Lockout (ESL) and Alternate Login ID. When Alternate Login ID is enabled, calls to the AD FS PowerShell cmdlets Get-AdfsAccountActivity and Reset-AdfsAccountLockout return "Account not found" errors. When Set-AdfsAccountActivity is called, a new entry is added instead of editing an existing one. | October 2018 |
| 4343884 (OS Build 14393.2457) | Addresses an Active Directory Federation Services (AD FS) issue where Multi-Factor Authentication doesn't work correctly with mobile devices that use custom culture definitions. Addresses an issue in Windows Hello for Business that causes a significant delay (15 seconds) in new user enrollment. This issue occurs when a hardware security module is used to store an AD FS Registration Authority (RA) certificate. | August 2018 |
| 4338822 (OS Build 14393.2395) | Addresses an issue in AD FS that shows a duplicate Relying Party trust in the AD FS management console when creating or viewing Relying Party Trusts from the console. Addresses an issue in AD FS that causes Windows Hello for Business to fail. The issue occurs when there are two claim providers. PIN registration will fail with, "400 Internal Server Error: Unable to obtain device identifier." Addresses a WAP issue related to inactive connections that never end. This leads to system resource leaks (e.g., a memory leak) and to a WAP service that is no longer responsive. Addresses an AD FS issue that prevents users from selecting a different login option. This occurs when users choose to log in using Certificate Based Authentication, but it hasn't been configured. This also occurs if users select Certificate Based Authentication and then try to select another login option. If this happens, users will be redirected to the Certificate Based Authentication page until they close the browser. | July 2018 |
| 4103720 (OS Build 14393.2273) | Addresses an issue with AD FS that causes an IdP-initiated login to a SAML relying party to fail when PreventTokenReplays is enabled. Addresses an AD FS issue that occurs when OAuth authenticates from a device or browser application. A user password change generates a failure and requires the user to exit the app or browser to log in. Addresses an issue where enabling Extranet Smart Lockout in UTC +1 and higher time zones (Europe and Asia) didn't work. Additionally, it causes normal Extranet Lockout to fail with the following error: Get-AdfsAccountActivity: DateTime values that are greater than DateTime.MaxValue or smaller than DateTime.MinValue when converted to UTC can't be serialized to JSON. Addresses an AD FS Windows Hello for Business issue in which new users aren't able to provision their PIN. This occurs when no MFA provider is configured. | May 2018 |
| 4093120 (OS Build 14393.2214) | Addresses an unhandled refresh token validation issue. It generates the following error: "Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInvalidRefreshTokenException: MSIS9312: Received invalid OAuth refresh token. The refresh token was received earlier than the permitted time in the token." | April 2018 |
| 4077525 (OS Build 14393.2097) | Addresses an issue where an HTTP 500 error occurs when an AD FS farm has at least two servers using Windows Internal Database (WID). In this scenario, HTTP basic pre-authentication on the Web Application Proxy (WAP) server fails to authenticate some users. When the error occurs, you might also see the Microsoft Windows Web Application Proxy warning Event ID 13039 in the WAP event log. The description reads, "Web Application Proxy failed to authenticate the user. Pre-authentication is 'AD FS For Rich Clients'. The given user isn't authorized to access the given relying party. The authorization rules of either the target relying party or the WAP relying party are needed to be modified." Addresses an issue in which AD FS can no longer ignore prompt=login during authentication. A Disabled option was added to support scenarios in which password authentication isn't used. For more information, see AD FS ignores the "prompt=login" parameter during an authentication in Windows Server 2016 RTM. Addresses an issue in AD FS where Authorized Customers (and relying parties) who select Certificate as an authentication option will fail to connect. The failure occurs when using prompt=login if Windows Integrated Authentication (WIA) is enabled and the request can do WIA. Addresses an issue where AD FS incorrectly displays the Home Realm Discovery (HRD) page when an identity provider (IDP) is associated with a relying party (RP) in an OAuth Group. Unless multiple IDPs are associated with the RP in the OAuth Group, the user won't be shown the HRD page. Instead, the user will go directly to the associated IDP for authentication. | February 2018 |
| 4041688 (OS Build 14393.1794) | This fix addresses an issue that intermittently misdirects AD Authority requests to the wrong Identity Provider because of incorrect caching behavior. This can affect authentication features like Multi Factor Authentication. Added the ability for Microsoft Entra Connect Health to report AD FS server health with correct fidelity (using verbose auditing) on mixed WS2012R2 and WS2016 AD FS farms. Fixed a problem where, during upgrade of a 2012 R2 AD FS farm to AD FS 2016, the PowerShell cmdlet to raise the farm behavior level fails with a timeout when there are many relying party trusts. Addressed an issue where AD FS causes authentication failures by modifying the wct parameter value while federating the requests to other Security Token Servers (STS). | October 2017 |
| 4038801 (OS Build 14393.1737) | Support added for OIDC logout using federated LDPs. This will allow "Kiosk Scenarios" where multiple users might be serially logged into a single device where there's federation with an LDP. Fixed a Windows Hello issue where CEP/CES based certificates don't work with gMSA accounts. Fixes a problem where the Windows Internal Database (WID) on Windows Server 2016 AD FS servers fails to sync some settings, such as the ApplicationGroupId columns from the IdentityServerPolicy.Scopes and IdentityServerPolicy.Clients tables, due to a foreign key constraint. Such sync failures can cause different claim, claim provider and application experiences between primary and secondary AD FS servers. Also, if the WID primary role is moved to a secondary node, application groups will no longer be manageable in the AD FS management UX. This update fixes an issue where Multi Factor Authentication doesn't work correctly with mobile devices that use custom culture definitions. | September 2017 |
| 4034661 (OS Build 14393.1613) | Fixes a problem where the caller IP address is not logged by 411 events in the Security Event log of AD FS 4.0 / Windows Server 2016 RS1 AD FS servers even after enabling "success audits" and "failure audits". This fix addresses an issue with Azure Multi Factor Authentication (MFA) when an AD FS server is configured to use an HTTP proxy. Addressed an issue where presenting an expired or revoked certificate to the AD FS Proxy server doesn't return an error to the user. | August 2017 |
| 4034658 (OS Build 14393.1593) | Fix for the 2016 AD FS server to support MFA certificate enrollment for Windows Hello for Business in on-premises deployments. | August 2017 |
| 4025334 (OS Build 14393.1532) | Addressed an issue where the PkeyAuth token handler could fail an authentication if the pkeyauth request contains incorrect data. The authentication should still continue without performing device authentication. | July 2017 |
| 4022723 (OS Build 14393.1378) | [Web Application Proxy] The value of the DisableHttpOnlyCookieProtection configuration property isn't picked up by WAP 2016 in a 2012 R2/2016 mixed deployment. [Web Application Proxy] Unable to obtain user access token from AD FS in EAS pre-auth scenarios. [AD FS 2016] WS-Fed sign-out leads to an exception. | June 2017 |
| 3213986 | Cumulative Update for Windows Server 2016 for x64-based Systems (KB3213986) | January 2017 |

Updates for AD FS and WAP in Windows Server 2012 R2

Below is the list of hotfixes and update rollups that have been released for Active Directory Federation Services (AD FS) in Windows Server 2012 R2.

| KB # | Description | Date Released |
|---|---|---|
| 4534309 | Addresses a potential AD FS failure in Google Chrome caused by the new SameSite cookie policies that Chrome release 80 enforces by default. For more information, please refer here. | January 2020 |
| 4507448 | This security update addresses a vulnerability in Active Directory Federation Services (AD FS) that could allow an attacker to bypass the extranet lockout policy. | July 2019 |
| 4041685 | Addressed an AD FS issue where MSISContext cookies in request headers can eventually overflow the header size limit and cause authentication to fail with HTTP status code 400 "Bad Request - Header Too Long". Fixed a problem where AD FS can no longer ignore "prompt=login" during authentication. A "Disabled" option was added to restore scenarios where non-password authentication is used. | October 2017 Preview of Update Rollup |
| 4019217 | Work Folders clients using token broker do not work when using a Server 2012 R2 AD FS server. | May 2017 Preview Update Rollup |
| 4015550 | Fixed an issue with AD FS not authenticating external users and AD FS WAP randomly failing to forward requests. | April 2017 Update Rollup |
| 4015547 | Fixed an issue with AD FS not authenticating external users and AD FS WAP randomly failing to forward requests. | April 2017 Security Update |
| 4012216 | MS17-019: This security update resolves a vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an AD FS server, allowing the attacker to read sensitive information about the target system. | March 2017 Update Rollup |
| 3179574 | Fixed an issue with AD FS extranet password update. | August 2016 Update Rollup |
| 3172614 | Introduced prompt=login support; fixed an issue with the AD FS management console and the AlwaysRequireAuthentication setting. | July 2016 Update Rollup |
| | Active Directory Federation Services (AD FS) 3.0 can't connect to Lightweight Directory Access Protocol (LDAP) attribute stores that are configured to use Secure Sockets Layer (SSL) port 636 or 3269 in the connection string. | June 2016 Update Rollup |
| 3148533 | MFA fallback authentication fails through AD FS Proxy in Windows Server 2012 R2 | May 2016 |
| 3134787 | AD FS logs don't contain the client IP address for account lockout scenarios in Windows Server 2012 R2 | February 2016 |
| 3134222 | MS16-020: Security update for Active Directory Federation Services to address denial of service: February 9, 2016 | February 2016 |
| 3105881 | Can't access applications when device authentication is enabled on a Windows Server 2012 R2-based AD FS server | October 2015 |
| 3092003 | Page loads repeatedly and authentication fails when users use MFA in Windows Server 2012 R2 AD FS | August 2015 |
| 3080778 | AD FS doesn't call OnError when the MFA adapter throws an exception in Windows Server 2012 R2 | July 2015 |
| 3075610 | Trust relationships are lost on a secondary AD FS server after you add or remove a claims provider in Windows Server 2012 R2 | July 2015 |
| 3070080 | Home Realm Discovery not working correctly for Non-claims Aware Relying Party Trust | June 2015 |
| 3052122 | Update adds support for compound ID claims in AD FS tokens in Windows Server 2012 R2 | May 2015 |
| 3045711 | MS15-040: Vulnerability in Active Directory Federation Services could allow information disclosure | April 2015 |
| 3042127 | "HTTP 400 - Bad Request" error when you open a shared mailbox through WAP in Windows Server 2012 R2 | March 2015 |
| 3042121 | AD FS token replay protection for Web Application Proxy authentication tokens in Windows Server 2012 R2 | March 2015 |
| 3035025 | Hotfix for the update password feature so that users aren't required to use a registered device in Windows Server 2012 R2 | January 2015 |
| 3033917 | AD FS can't process SAML response in Windows Server 2012 R2 | January 2015 |
| 3025080 | Operation fails when you try to save an Office file through Web Application Proxy in Windows Server 2012 R2 | January 2015 |
| 3025078 | You aren't prompted for a username again when you use an incorrect username to log on to Windows Server 2012 R2 | January 2015 |
| 3020813 | You're prompted for authentication when you run a web application in Windows Server 2012 R2 AD FS | January 2015 |
| 3020773 | Time-out failures after initial deployment of Device Registration service in Windows Server 2012 R2 | January 2015 |
| 3018886 | You're prompted for a username and password two times when you access a Windows Server 2012 R2 AD FS server from the intranet | January 2015 |
| 3013769 | Windows Server 2012 R2 Update Roll-up | December 2014 |
| 3000850 | Windows Server 2012 R2 Update Roll-up | November 2014 |
| 2975719 | Windows Server 2012 R2 Update Roll-up | August 2014 |
| 2967917 | Windows Server 2012 R2 Update Roll-up | July 2014 |
| 2962409 | Windows Server 2012 R2 Update Roll-up | June 2014 |
| 2955164 | Windows Server 2012 R2 Update Roll-up | May 2014 |
| 2919355 | Windows Server 2012 R2 Update Roll-up | April 2014 |

Updates for AD FS in Windows Server 2012 (AD FS 2.1) and AD FS 2.0

Below is the list of hotfixes and update rollups that have been released for AD FS 2.0 and 2.1.

| KB # | Description | Date Released | Applies To |
|---|---|---|---|
| 3197878 | Authentication through proxy fails in Windows Server 2012 (this is the general release of hotfix 3094446) | November 2016 Quality Rollup | AD FS 2.1 |
| 3197869 | Authentication through proxy fails in Windows Server 2008 R2 SP1 (this is the general release of hotfix 3094446) | November 2016 Quality Rollup | AD FS 2.0 |
| 3094446 | Authentication through proxy fails in Windows Server 2012 or Windows Server 2008 R2 SP1 | September 2015 | AD FS 2.0 and 2.1 |
| 3070078 | AD FS 2.1 throws an exception when you authenticate against an encryption certificate in Windows Server 2012 | July 2015 | AD FS 2.1 |
| 3062577 | MS15-062: Vulnerability in Active Directory Federation Services could allow elevation of privilege | June 2015 | AD FS 2.0 / 2.1 |
| 3003381 | MS14-077: Vulnerability in Active Directory Federation Services could allow information disclosure: April 14, 2015 | November 2014 | AD FS 2.0 / 2.1 |
| 2987843 | Memory usage of the AD FS federation server keeps increasing when many users log on to a web application in Windows Server 2012 | July 2014 | AD FS 2.1 |
| 2957619 | The relying party trust in AD FS is stopped when a request is made to AD FS for a delegated token | May 2014 | AD FS 2.1 |
| 2926658 | AD FS SQL farm deployment fails if you do not have SQL permissions | October 2014 | AD FS 2.1 |
| 2896713 or 2989956 | Update is available to fix several issues after you install security update 2843638 on an AD FS server | November 2013 / September 2014 | AD FS 2.0 / 2.1 |
| 2877424 | Update enables you to use one certificate for multiple Relying Party Trusts in an AD FS 2.1 farm | October 2013 | AD FS 2.1 |
| 2873168 | FIX: An error occurs when you use a third-party CSP and HSM and then configure a claims provider trust in Update Rollup 3 for AD FS 2.0 on Windows Server 2008 R2 Service Pack 1 | September 2013 | AD FS 2.0 |
| | A comma in the subject name of an encryption certificate causes an exception in Windows Server 2008 R2 SP1 | August 2013 | AD FS 2.0 |
| 2843639 | [Security] Vulnerability in Active Directory Federation Services Could Allow Information Disclosure | November 2013 | AD FS 2.1 |
| 2843638 | MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013 | August 2013 | AD FS 2.0 |
| 2827748 | The Federationmetadata.xml file doesn't contain the MEX endpoint information for the WS-Trust and WS-Federation endpoints in Windows Server 2012 | May 2013 | AD FS 2.1 |
| 2790338 | Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 | March 2013 | AD FS 2.0 |