Important Announcement: AD FS 2.0 and MS13-066

This post has been republished via RSS; it originally appeared at: Ask the Directory Services Team articles.

First published on TechNet on Aug 15, 2013
Update (8/19/13):

We have republished MS13-066 with a corrected version of the hotfixes that contributed to this problem.  If you had held off on installing the update, it should be safe to install on all of your ADFS servers now.



The updated security bulletin is here: http://technet.microsoft.com/en-us/security/bulletin/MS13-066



Thanks everyone for your patience with this one.  If anyone is still having trouble after installing the re-released update, please call us and open a support case so that our engineers can get you working again!

===============================================================





Hi everyone, Adam and JR here with an important announcement.

We’re tracking an important issue in support where some customers who have installed security update MS13-066 on their AD FS 2.0 servers are experiencing authentication outages.  This is due to a dependency within the security update on certain versions of the AD FS 2.0 binaries.  Customers who are already running ADFS 2.0 RU3 before installing the update should not experience any issues.

We have temporarily suspended further downloads of this security update until we have resolved this issue for all ADFS 2.0 customers.

Our Security and AD FS product team are working together to resolve this with their highest priority.  We’ll have more news for you soon in a follow-up post.  In the meantime, here is what we can tell you right now.



What to Watch For

If you have installed KB 2843638 or KB 2843639 on your AD FS server, you may notice the following symptoms:

  1. Federated sign-in fails for clients.
  2. Event ID 111 in the AD FS 2.0/Admin event log:


The Federation Service encountered an error while processing the WS-Trust request.

Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data

Exception details:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.TypeLoadException: Could not load
type ‘Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.


at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)

--- End of inner exception stack trace ---

at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)

at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)

at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()

at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateSTS()

at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateDispatchContext(Message requestMessage, String requestAction, String responseAction, String
trustNamespace, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext)

at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)

System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..ctor(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)



What to do if the problem occurs:

  1. Uninstall the hotfixes from your AD FS servers.
  2. Reboot any system where the hotfixes were
    removed.
  3. Check back here for further updates.

We’ll update this blog post with more information as it becomes available, including links to any followup posts about this problem.

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.