And here is a small update on that:
Because others seem to have the same issue that I had, I cannot recommend the installation of KB4077525 on any ADFS server! It looks like the problem occurs mostly with ADFS server farms that use WID as a backend. However, I cannot guarantee that it works better with a “real” SQL Server backend instead of WID.
If you want to give it a try, do yourself a big favour and use the AD FS Rapid Restore Tool to create a backup beforehand. And maybe you should take a backup of your OS as well (or a snapshot if you have a hypervisor, like I do).
Original article content:
Microsoft released the KB4077525 (OS Build 14393.2097) fix, which contains some Active Directory Federation Services (ADFS) related bug fixes.
In my case, this one was the reason why I immediately applied it:
Addresses issue where AD FS incorrectly displays the Home Realm Discovery (HRD) page when an identity provider (IDP) is associated with a relying party (RP) in an OAuth Group. Unless multiple IDPs are associated with the RP in the OAuth Group, the user will not be shown the HRD page. Instead, the user will go directly to the associated IDP for authentication.
Right after applying it, the system asked for a reboot…
And then my headache started! The Active Directory Federation Services (ADFS) service didn’t start. Lots of errors 102, 220, and 352 in the event log!
The service wasn’t able to access the configuration database, but the database itself seemed to work.
I tried to remove the KB4077525 fix from the system, but that didn’t solve my issues. Errors 102, 220, and 352 still flooded my event log.
The KB4077525 fix also contains the following:
Addresses issue where an HTTP 500 error occurs when an ADFS farm has at least two servers using Windows Internal Database (WID). In this scenario, HTTP basic pre-authentication on the Web Application Proxy (WAP) server fails to authenticate some users. When the error occurs, you might also see the Microsoft Windows Web Application Proxy warning Event ID 13039 in the WAP event log. The description reads, “Web Application Proxy failed to authenticate the user. Pre-authentication is ‘ADFS For Rich Clients’. The given user is not authorized to access the given relying party. The authorization rules of either the target relying party or the WAP relying party are needed to be modified.”
That might have killed my installation. I have two servers using Windows Internal Database (WID). I never had that issue, but it sounds suspicious enough to me.
So if you have an Active Directory Federation Services (ADFS) farm, do some testing before you apply it to all your systems. And think about a backup: the AD FS Rapid Restore Tool is a great tool!
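The two recommendations in this post (take a Rapid Restore backup before patching, and test on one node before rolling out) can be scripted. The following PowerShell is an added example written for this page, not code from the post's author or from Microsoft: it checks whether KB4077525 is already present, takes an encrypted AD FS Rapid Restore backup including the DKM container, and after the reboot checks the AD FS service state and the AD FS Admin log for the event IDs 102, 220 and 352 described above. It assumes the Rapid Restore Tool module (`ADFSRapidRestoreTool`) is installed on the primary AD FS node, that the session is elevated, and that `$BackupPath` is a placeholder you replace; the `Backup-ADFS`/`Restore-ADFS` parameters are the ones Microsoft documents for the tool, and the log name `AD FS/Admin` and service name `adfssrv` are the standard ones on Windows Server 2016.

```powershell
# Added example (not from the original post): pre-patch backup and post-reboot health check
# for a WID-backed AD FS farm. Run elevated on the PRIMARY AD FS node.

$Kb         = 'KB4077525'
$BackupPath = 'C:\ADFSBackup'      # placeholder: use a location outside the AD FS node itself
$ErrorIds   = 102, 220, 352        # AD FS Admin event IDs reported in the post

# Returns $true if the update is already installed on this host.
function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Id)
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

# Takes an encrypted Rapid Restore backup. -BackupDKM includes the DKM master key container,
# without which token-signing/decrypting certificates cannot be restored on a rebuilt farm.
function Backup-AdfsFarm {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Comment = "Pre-$Kb backup $(Get-Date -Format s)"
    )
    Import-Module ADFSRapidRestoreTool -ErrorAction Stop
    # Prompt instead of hard-coding the password; the cmdlet expects a plain string.
    $secure = Read-Host 'Backup encryption password' -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    Backup-ADFS -StorageType 'FileSystem' -StoragePath $Path `
                -EncryptionPassword $plain -BackupComment $Comment -BackupDKM
    # To roll back later, on a freshly installed AD FS role:
    #   Restore-ADFS -StorageType 'FileSystem' -StoragePath $Path -DecryptionPassword '<pw>' -RestoreDKM
}

# Returns the AD FS Admin events with the given IDs from the last $Hours hours.
function Get-AdfsStartupErrors {
    param([int[]]$Ids = $ErrorIds, [int]$Hours = 2)
    $filter = @{ LogName = 'AD FS/Admin'; Id = $Ids; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Post-reboot check: service must be running and none of the known error IDs may be present.
function Test-AdfsHealth {
    $svc    = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
    $errors = @(Get-AdfsStartupErrors)
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ServiceStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
        ErrorEvents    = $errors.Count
        Healthy        = ($svc -and $svc.Status -eq 'Running' -and $errors.Count -eq 0)
    }
}

# Main flow: back up first, then patch ONE node, reboot, and run Test-AdfsHealth before
# touching the remaining farm members.
if (Test-KbInstalled -Id $Kb) {
    Write-Warning "$Kb is already installed on $env:COMPUTERNAME; run Test-AdfsHealth instead."
    Test-AdfsHealth | Format-List
} else {
    Backup-AdfsFarm -Path $BackupPath
    Write-Host "Backup written to $BackupPath. Install $Kb on this node only, reboot, then run Test-AdfsHealth."
}
```

If `Test-AdfsHealth` reports the service stopped with events 102, 220 or 352 present, the post's own experience is that uninstalling the update alone does not recover the farm; the Rapid Restore backup (with DKM) is what lets you rebuild the node or the farm from a known-good state.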