Office 365 – AD FS 2.0 Update Rollup 1


Update Rollup 1 is officially available for download from Microsoft here. The rollup addresses seven known issues with AD FS 2.0 and also adds four new capabilities. The known issues it resolves include:

  • Issue 1: KB2254265 The “500” error code is returned when you send an HTTP SOAP request to the “/adfs/services/trust/mex” endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
  • Issue 2: KB2272757 An identity-provider-initiated sign-on process is slow in Windows Server 2008 R2 and in Windows Server 2008
  • Issue 3: The “400” error code is returned when sending an authentication request to an AD FS 2.0 federation server proxy through the Windows integrated authentication endpoint (Nego 2)
  • Issue 4: A decrease in performance occurs on an AD FS 2.0 federation server when a user who is authenticating has a large number of group memberships.
  • Issue 5: Failure to join an AD FS 2.0 federation server to an existing SQL-based federation server farm when the AD FS 2.0 administrator who attempts the join operation does not have administrator rights to the SQL Server database.
  • Issue 6: The AD FS 2.0 Federation Service cannot create or verify SAML tokens when the private keys of an AD FS 2.0 token-signing certificate and/or token-decryption certificate are stored using a third-party cryptographic service provider (CSP), for example a hardware security module (HSM).

But that isn’t the exciting part! What is exciting are the new features the Rollup provides to AD FS 2.0.

Multiple User Support

One of the biggest problems with AD FS 2.0 is related to multiple top-level domains. If you had an organization where multiple top-level domains were used for users’ UPNs, like @office365.us and @office365.uk, you were required to deploy two instances of AD FS to use SSO. After updating AD FS and adding/converting your additional UPNs for single sign-on (discussed here), new claim rules will be set to dynamically generate token issuer IDs based on the UPN suffixes of the Office 365 user. The result is a single SSO instance.

Client Access Policy Support

Update Rollup 1 allows administrators to configure and implement client access policies that limit access according to rules they define. The documentation on the full set of configuration options is currently unavailable, but some of the examples include:

  • Blocking all extranet clients access to Office 365
  • Blocking all extranet clients access to Office 365, except for devices accessing Exchange Online for Exchange Active Sync

When the link is up and running and I have some time to play around I’ll post my results for everyone.

Congestion Avoidance Algorithm

The congestion avoidance algorithm implements logic on the AD FS 2.0 federation server proxy to reject external client authentication requests if the AD FS 2.0 federation server is overloaded. It works by using a congestion window, represented by a pool of tokens, that the proxy leases out to each incoming request bound for the federation server. This eases the pressure on the federation server so that it does not become congested and stop working correctly. An AD FS 2.0 administrator can adjust the congestion algorithm in the federation server proxy’s config file. Here is the line for setting the congestion algorithm; it lives in the <microsoft.identityServer.proxy> section of the federation server proxy’s config file:

  • <congestionControl latencyThresholdInMSec="2000" minCongestionWindowSize="16" />
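To make the token-pool idea concrete, here is a small simulation written for this post (it is not AD FS code). It assumes a policy the post does not spell out: the window halves whenever a completed request exceeded latencyThresholdInMSec, grows by one token on a fast completion, and never drops below minCongestionWindowSize; the 256-token ceiling is also an assumption.

```python
class CongestionControl:
    """Illustrative model of the proxy's congestion window (not the real AD FS logic)."""

    def __init__(self, latency_threshold_ms=2000, min_window=16, max_window=256):
        self.latency_threshold_ms = latency_threshold_ms  # latencyThresholdInMSec
        self.min_window = min_window                      # minCongestionWindowSize
        self.max_window = max_window                      # assumed ceiling, not in the config line
        self.window = max_window                          # tokens available for lease
        self.outstanding = 0                              # tokens currently leased
        self.rejected = 0                                 # maps to 'Rejected Token Requests'

    def try_lease(self):
        """Lease one token to an incoming request; reject when the pool is exhausted."""
        if self.outstanding >= self.window:
            self.rejected += 1
            return False
        self.outstanding += 1
        return True

    def complete(self, latency_ms):
        """Return the token and adapt the window to the observed round-trip time."""
        self.outstanding -= 1
        if latency_ms > self.latency_threshold_ms:
            # Assumed shrink policy: halve, but never below the configured minimum.
            self.window = max(self.min_window, self.window // 2)
        else:
            # Assumed growth policy: add one token per healthy completion, up to the ceiling.
            self.window = min(self.max_window, self.window + 1)


def simulate(cc, rounds):
    """Each round is (arrivals, latency_ms): that many requests hit the proxy at once,
    then every admitted request completes with the round's measured latency.
    Returns (final window size, total rejected requests)."""
    for arrivals, latency_ms in rounds:
        admitted = sum(cc.try_lease() for _ in range(arrivals))
        for _ in range(admitted):
            cc.complete(latency_ms)
    return cc.window, cc.rejected


if __name__ == "__main__":
    cc = CongestionControl()
    # Constructed load: a 300-request burst while the federation server answers slowly.
    print(simulate(cc, [(300, 2500)]))   # window collapses to the 16-token floor
    # Server recovers; the window starts growing again while the floor still rejects the excess.
    print(simulate(cc, [(100, 500)]))
```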

Additional AD FS 2.0 Performance Counters

Granted, this is less sexy than the top three features but nonetheless provides excellent counters for troubleshooting and for evaluating existing loads to benchmark performance for your organization. Below is a list of the counters:

Performance counter name | When to use | Performance counter location
--- | --- | ---
Outstanding Token Requests | When you want to measure the number of outstanding WS-Trust token requests on the federation server proxy | Federation server proxy
Rejected Token Requests | When you want to measure the number of WS-Trust requests that were rejected because of congestion throttling on the federation server proxy | Federation server proxy
Rejected Token Requests/sec | When you want to measure the number of WS-Trust requests that were rejected per second because of congestion throttling on the federation server proxy | Federation server proxy
Token Request Latency | When you want to measure the average round-trip time (RTT) of WS-Trust requests on the federation server proxy | Federation server proxy
Failed U/P authentications | When you want to measure the number of failed username and password authentications on the federation server | Federation server
Failed U/P authentications per Second | When you want to measure the number of failed username and password authentications per second on the federation server | Federation server

All in all, AD FS 2.0 Update Rollup 1 provides some major feature enhancements that the community has been asking for. Over the next week I plan on implementing this rollup in my test environment and will provide some feedback to the community on the feature enhancements, pitfalls, neato features and surprises I find.
