Required Updates for Active Directory Federation Services (AD FS) and Web Application Proxy (WAP)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1

As of October 2016, all updates to all components of Windows Server are released only via Windows Update (WU). There are no more hotfixes or individual downloads. This applies to Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 and Windows Server 2008 R2 SP1.

This page lists rollup packages of particular interest for AD FS and WAP, as well as the historic list of hotfix updates recommended for AD FS and WAP.

Updates for AD FS and WAP in Windows Server 2016

Updates for Windows Server 2016 are delivered monthly via Windows Update and are cumulative. The update package listed below is recommended for all AD FS and WAP 2016 servers and includes all previously required updates as well as the latest fixes.

| KB # | Description | Date Released |
| --- | --- | --- |
| 4041688 (OS Build 14393.1794) | This fix addresses an issue that intermittently misdirects AD Authority requests to the wrong Identity Provider because of incorrect caching behavior. This can affect authentication features like Multi Factor Authentication. Added the ability for AAD Connect Health to report ADFS server health with correct fidelity (using verbose auditing) on mixed WS2012R2 and WS2016 ADFS farms. Fixed a problem where, during upgrade of a 2012 R2 ADFS farm to ADFS 2016, the PowerShell cmdlet to raise the farm behavior level fails with a timeout when there are many relying party trusts. Addressed an issue where AD FS causes authentication failures by modifying the wct parameter value while federating the requests to other Security Token Server (STS). | October 2017 |
| 4038801 (OS Build 14393.1737) | Support added for OIDC logout using federated LDPs. This will allow "Kiosk Scenarios" where multiple users might be serially logged into a single device where there is federation with an LDP. Fixed a WinHello issue where CEP/CES based certificates don't work with gMSA accounts. Fixes a problem where the Windows Internal Database (WID) on Windows Server 2016 ADFS servers fails to sync some settings (such as the ApplicationGroupId columns from IdentityServerPolicy.Scopes and IdentityServerPolicy.Clients tables) due to a foreign key constraint. Such sync failures can cause different claim, claim provider and application experiences between primary and secondary ADFS servers. Also, if the WID primary role is moved to a secondary node, application groups will no longer be manageable in the ADFS management UX. This update fixes an issue where Multi Factor Authentication does not work correctly with mobile devices that use custom culture definitions. | September 2017 |
| 4034661 (OS Build 14393.1613) | Fixes a problem where the caller IP address is not logged by 411 events in the Security Event log of ADFS 4.0 / Windows Server 2016 RS1 ADFS servers even after enabling "success audits" and "failure audits". This fix addresses an issue with Azure Multi Factor Authentication (MFA) when an ADFS server is configured to use an HTTP Proxy. Addressed an issue where presenting an expired or revoked certificate to the ADFS Proxy server does not return an error to the user. | August 2017 |
| 4034658 (OS Build 14393.1593) | Fix for 2016 AD FS server in order to support MFA certificate enrollment for Windows Hello For Business for on prem deployments. | August 2017 |
| 4025334 (OS Build 14393.1532) | Addressed an issue where the PkeyAuth token handler could fail an authentication if the pkeyauth request contains incorrect data. The authentication should still continue without performing device authentication. | July 2017 |
| 4022723 (OS Build 14393.1378) | [Web Application Proxy] Value of DisableHttpOnlyCookieProtection configuration property is not picked up by WAP 2016 in 2012R2/2016 mixed deployment. [Web Application Proxy] Unable to obtain user access token from AD FS in EAS Pre-auth scenarios. AD FS 2016: WSFED sign-out leads to an exception. | June 2017 |
| 3213986 | Cumulative Update for Windows Server 2016 for x64-based Systems (KB3213986) | January 2017 |

Updates for AD FS and WAP in Windows Server 2012 R2

Below is the list of hotfixes and update rollups that have been released for Active Directory Federation Services (AD FS) in Windows Server 2012 R2.

| KB # | Description | Date Released |
| --- | --- | --- |
| 4041685 | Addressed an AD FS issue where MSISContext cookies in request headers can eventually overflow the headers size limit and cause failure to authenticate with HTTP status code 400 "Bad Request - Header Too Long". Fixed a problem where ADFS can no longer ignore "prompt=login" during authentication. A "Disabled" option was added to restore scenarios where non-password authentication is used. | October 2017 Preview of Update Rollup |
| 4019217 | Work Folders clients using token broker do not work when using a Server 2012 R2 AD FS Server | May 2017 Preview Update Rollup |
| 4015550 | Fixed an issue with AD FS not authenticating External users and AD FS WAP randomly failing to forward request | April 2017 Update Rollup |
| 4015547 | Fixed an issue with AD FS not authenticating External users and AD FS WAP randomly failing to forward request | April 2017 Security Update |
| 4012216 | MS17-019 This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an AD FS server, allowing the attacker to read sensitive information about the target system. | March 2017 Update Rollup |
| 3179574 | Fixed issue with AD FS extranet password update. | August 2016 Update Rollup |
| 3172614 | Introduced prompt=login support, fixed issue with the AD FS management console and AlwaysRequireAuthentication setting. | July 2016 Update Rollup |
| 3163306 | Active Directory Federation Services (AD FS) 3.0 can't connect to Lightweight Directory Access Protocol (LDAP) attribute stores that are configured to use Secure Sockets Layer (SSL) port 636 or 3269 in connection string. | June 2016 Update Rollup |
| 3148533 | MFA fallback authentication fails through ADFS Proxy in Windows Server 2012 R2 | May 2016 |
| 3134787 | AD FS logs don't contain client IP address for account lockout scenarios in Windows Server 2012 R2 | February 2016 |
| 3134222 | MS16-020: Security update for Active Directory Federation Services to address denial of service: February 9, 2016 | February 2016 |
| 3105881 | Can't access applications when device authentication is enabled in Windows Server 2012 R2-based AD FS server | October 2015 |
| 3092003 | Page loads repeatedly and authentication fails when users use MFA in Windows Server 2012 R2 AD FS | August 2015 |
| 3080778 | AD FS does not call OnError when MFA adapter throws an exception in Windows Server 2012 R2 | July 2015 |
| 3075610 | Trust relationships are lost on secondary AD FS server after you add or remove claims provider in Windows Server 2012 R2 | July 2015 |
| 3070080 | Home Realm Discovering not working correctly for Non-claims Aware Relying Party Trust | June 2015 |
| 3052122 | Update adds support for compound ID claims in AD FS tokens in Windows Server 2012 R2 | May 2015 |
| 3045711 | MS15-040: Vulnerability in Active Directory Federation Services could allow information disclosure | April 2015 |
| 3042127 | "HTTP 400 - Bad Request" error when you open a shared mailbox through WAP in Windows Server 2012 R2 | March 2015 |
| 3042121 | AD FS token replay protection for Web Application Proxy authentication tokens in Windows Server 2012 R2 | March 2015 |
| 3035025 | Hotfix for update password feature so that users are not required to use registered device in Windows Server 2012 R2 | January 2015 |
| 3033917 | AD FS cannot process SAML response in Windows Server 2012 R2 | January 2015 |
| 3025080 | Operation fails when you try to save an Office file through Web Application Proxy in Windows Server 2012 R2 | January 2015 |
| 3025078 | You are not prompted for username again when you use an incorrect username to log on to Windows Server 2012 R2 | January 2015 |
| 3020813 | You are prompted for authentication when you run a web application in Windows Server 2012 R2 AD FS | January 2015 |
| 3020773 | Time-out failures after initial deployment of Device Registration service in Windows Server 2012 R2 | January 2015 |
| 3018886 | You are prompted for a username and password two times when you access Windows Server 2012 R2 AD FS server from intranet | January 2015 |
| 3013769 | Windows Server 2012 R2 Update Roll-up | December 2014 |
| 3000850 | Windows Server 2012 R2 Update Roll-up | November 2014 |
| 2975719 | Windows Server 2012 R2 Update Roll-up | August 2014 |
| 2967917 | Windows Server 2012 R2 Update Roll-up | July 2014 |
| 2962409 | Windows Server 2012 R2 Update Roll-up | June 2014 |
| 2955164 | Windows Server 2012 R2 Update Roll-up | May 2014 |
| 2919355 | Windows Server 2012 R2 Update Roll-up | April 2014 |

Updates for AD FS in Windows Server 2012 (AD FS 2.1) and AD FS 2.0

Below is the list of hotfixes and update rollups that have been released for AD FS 2.0 and 2.1.

| KB # | Description | Date Released | Applies To |
| --- | --- | --- | --- |
| 3197878 | Authentication through proxy fails in Windows Server 2012 (this is the general release of hotfix 3094446) | November 2016 Quality Rollup | AD FS 2.1 |
| 3197869 | Authentication through proxy fails in Windows Server 2008 R2 SP1 (this is the general release of hotfix 3094446) | November 2016 Quality Rollup | AD FS 2.0 |
| 3094446 | Authentication through proxy fails in Windows Server 2012 or Windows Server 2008 R2 SP1 | September 2015 | AD FS 2.0 and 2.1 |
| 3070078 | AD FS 2.1 throws an exception when you authenticate against an encryption certificate in Windows Server 2012 | July 2015 | AD FS 2.1 |
| 3062577 | MS15-062: Vulnerability in Active Directory federation services could allow elevation of privilege | June 2015 | AD FS 2.0 / 2.1 |
| 3003381 | MS14-077: Vulnerability in Active Directory Federation Services could allow information disclosure: April 14, 2015 | November 2014 | AD FS 2.0 / 2.1 |
| 2987843 | Memory usage of AD FS federation server keeps increasing when many users log on a web application in Windows Server 2012 | July 2014 | AD FS 2.1 |
| 2957619 | The relying party trust in AD FS is stopped when a request is made to AD FS for a delegated token | May 2014 | AD FS 2.1 |
| 2926658 | ADFS SQL farm deployment fails if you do not have SQL permissions | October 2014 | AD FS 2.1 |
| 2896713 or 2989956 | Update is available to fix several issues after you install security update 2843638 on an AD FS server | November 2013, September 2014 | AD FS 2.0 / 2.1 |
| 2877424 | Update enables you to use one certificate for multiple Relying Party Trusts in an AD FS 2.1 farm | October 2013 | AD FS 2.1 |
| 2873168 | FIX: An error occurs when you use a third-party CSP and HSM and then configure a claims provider trust in Update Rollup 3 for AD FS 2.0 on Windows Server 2008 R2 Service Pack 1 | September 2013 | AD FS 2.0 |
| 2861090 | A comma in the subject name of an encryption certificate causes an exception in Windows Server 2008 R2 SP1 | August 2013 | AD FS 2.0 |
| 2843639 | [Security] Vulnerability in Active Directory Federation Services Could Allow Information Disclosure | November 2013 | AD FS 2.1 |
| 2843638 | MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013 | August 2013 | AD FS 2.0 |
| 2827748 | Federationmetadata.xml file does not contain the MEX endpoint information for the WS-Trust and WS-Federation endpoints in Windows Server 2012 | May 2013 | AD FS 2.1 |
| 2790338 | Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 | March 2013 | AD FS 2.0 |