
Required Updates for Active Directory Federation Services (AD FS) and Web Application Proxy (WAP)

Bill Mathers | Last Updated: 4/11/2017

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1

As of October 2016, all updates to all components of Windows Server are released only via Windows Update (WU). There are no more hotfixes or individual downloads. This applies to Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 and Windows Server 2008 R2 SP1.

This page lists rollup packages of particular interest for AD FS and WAP, as well as the historic list of hotfix updates recommended for AD FS and WAP.

Updates for AD FS and WAP in Windows Server 2016

Updates for Windows Server 2016 are delivered monthly via Windows Update and are cumulative. The update package listed below is recommended for all AD FS and WAP 2016 servers and includes all previously required updates as well as the latest fixes.

| KB # | Description | Date Released |
|---|---|---|
| 3213986 | Cumulative Update for Windows Server 2016 for x64-based Systems (KB3213986) | January 2017 |

Updates for AD FS and WAP in Windows Server 2012 R2

Below is the list of hotfixes and update rollups that have been released for Active Directory Federation Services (AD FS) in Windows Server 2012 R2.

| KB # | Description | Date Released |
|---|---|---|
| 3179574 | Fixed issue with AD FS extranet password update. | August 2016 Update Rollup |
| 3172614 | Introduced prompt=login support, fixed issue with the AD FS management console and AlwaysRequireAuthentication setting. | July 2016 Update Rollup |
| 3163306 | Active Directory Federation Services (AD FS) 3.0 can't connect to Lightweight Directory Access Protocol (LDAP) attribute stores that are configured to use Secure Sockets Layer (SSL) port 636 or 3269 in connection string. | June 2016 Update Rollup |
| 3148533 | MFA fallback authentication fails through ADFS Proxy in Windows Server 2012 R2 | May 2016 |
| 3134787 | AD FS logs don't contain client IP address for account lockout scenarios in Windows Server 2012 R2 | February 2016 |
| 3134222 | MS16-020: Security update for Active Directory Federation Services to address denial of service: February 9, 2016 | February 2016 |
| 3105881 | Can't access applications when device authentication is enabled in Windows Server 2012 R2-based AD FS server | October 2015 |
| 3092003 | Page loads repeatedly and authentication fails when users use MFA in Windows Server 2012 R2 AD FS | August 2015 |
| 3080778 | AD FS does not call OnError when MFA adapter throws an exception in Windows Server 2012 R2 | July 2015 |
| 3075610 | Trust relationships are lost on secondary AD FS server after you add or remove claims provider in Windows Server 2012 R2 | July 2015 |
| 3070080 | Home Realm Discovering not working correctly for Non-claims Aware Relying Party Trust | June 2015 |
| 3052122 | Update adds support for compound ID claims in AD FS tokens in Windows Server 2012 R2 | May 2015 |
| 3045711 | MS15-040: Vulnerability in Active Directory Federation Services could allow information disclosure | April 2015 |
| 3042127 | "HTTP 400 - Bad Request" error when you open a shared mailbox through WAP in Windows Server 2012 R2 | March 2015 |
| 3042121 | AD FS token replay protection for Web Application Proxy authentication tokens in Windows Server 2012 R2 | March 2015 |
| 3035025 | Hotfix for update password feature so that users are not required to use registered device in Windows Server 2012 R2 | January 2015 |
| 3033917 | AD FS cannot process SAML response in Windows Server 2012 R2 | January 2015 |
| 3025080 | Operation fails when you try to save an Office file through Web Application Proxy in Windows Server 2012 R2 | January 2015 |
| 3025078 | You are not prompted for username again when you use an incorrect username to log on to Windows Server 2012 R2 | January 2015 |
| 3020813 | You are prompted for authentication when you run a web application in Windows Server 2012 R2 AD FS | January 2015 |
| 3020773 | Time-out failures after initial deployment of Device Registration service in Windows Server 2012 R2 | January 2015 |
| 3018886 | You are prompted for a username and password two times when you access Windows Server 2012 R2 AD FS server from intranet | January 2015 |
| 3013769 | Windows Server 2012 R2 Update Roll-up | December 2014 |
| 3000850 | Windows Server 2012 R2 Update Roll-up | November 2014 |
| 2975719 | Windows Server 2012 R2 Update Roll-up | August 2014 |
| 2967917 | Windows Server 2012 R2 Update Roll-up | July 2014 |
| 2962409 | Windows Server 2012 R2 Update Roll-up | June 2014 |
| 2955164 | Windows Server 2012 R2 Update Roll-up | May 2014 |
| 2919355 | Windows Server 2012 R2 Update Roll-up | April 2014 |

Updates for AD FS in Windows Server 2012 (AD FS 2.1) and AD FS 2.0

Below is the list of hotfixes and update rollups that have been released for AD FS 2.0 and 2.1.

| KB # | Description | Date Released | Applies To |
|---|---|---|---|
| 3197878 | Authentication through proxy fails in Windows Server 2012 (this is the general release of hotfix 3094446) | November 2016 Quality Rollup | AD FS 2.1 |
| 3197869 | Authentication through proxy fails in Windows Server 2008 R2 SP1 (this is the general release of hotfix 3094446) | November 2016 Quality Rollup | AD FS 2.0 |
| 3094446 | Authentication through proxy fails in Windows Server 2012 or Windows Server 2008 R2 SP1 | September 2015 | AD FS 2.0 and 2.1 |
| 3070078 | AD FS 2.1 throws an exception when you authenticate against an encryption certificate in Windows Server 2012 | July 2015 | AD FS 2.1 |
| 3062577 | MS15-062: Vulnerability in Active Directory federation services could allow elevation of privilege | June 2015 | AD FS 2.0 / 2.1 |
| 3003381 | MS14-077: Vulnerability in Active Directory Federation Services could allow information disclosure: April 14, 2015 | November 2014 | AD FS 2.0 / 2.1 |
| 2987843 | Memory usage of AD FS federation server keeps increasing when many users log on a web application in Windows Server 2012 | July 2014 | AD FS 2.1 |
| 2957619 | The relying party trust in AD FS is stopped when a request is made to AD FS for a delegated token | May 2014 | AD FS 2.1 |
| 2926658 | ADFS SQL farm deployment fails if you do not have SQL permissions | October 2014 | AD FS 2.1 |
| 2896713 or 2989956 | Update is available to fix several issues after you install security update 2843638 on an AD FS server | November 2013, September 2014 | AD FS 2.0 / 2.1 |
| 2877424 | Update enables you to use one certificate for multiple Relying Party Trusts in an AD FS 2.1 farm | October 2013 | AD FS 2.1 |
| 2873168 | FIX: An error occurs when you use a third-party CSP and HSM and then configure a claims provider trust in Update Rollup 3 for AD FS 2.0 on Windows Server 2008 R2 Service Pack 1 | September 2013 | AD FS 2.0 |
| 2861090 | A comma in the subject name of an encryption certificate causes an exception in Windows Server 2008 R2 SP1 | August 2013 | AD FS 2.0 |
| 2843639 | [Security] Vulnerability in Active Directory Federation Services Could Allow Information Disclosure | November 2013 | AD FS 2.1 |
| 2843638 | MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013 | August 2013 | AD FS 2.0 |
| 2827748 | Federationmetadata.xml file does not contain the MEX endpoint information for the WS-Trust and WS-Federation endpoints in Windows Server 2012 | May 2013 | AD FS 2.1 |
| 2790338 | Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 | March 2013 | AD FS 2.0 |