
KB4077525 caused some issues with my ADFS servers (Updated)

And here is a small update on that:
Because others seem to have run into the same issue that I had, I cannot recommend installing KB4077525 on any ADFS server! It looks like the problem occurs mostly with ADFS server farms that use WID as a backend. However, I cannot guarantee that it works better with a “real” SQL Server backend instead of WID.

If you want to give it a try, do yourself a big favour and use the AD FS Rapid Restore Tool to create a backup beforehand. And maybe you should do a backup of your OS as well (or a snapshot if you have a hypervisor, like I do).

Original article content:
Microsoft released the KB4077525 (OS Build 14393.2097) fix. This fix contains some Active Directory Federation Services (ADFS) related bugfixes.

ADFS related Fixes in KB4077525

In my case, this one was the reason why I immediately applied it:

Addresses issue where AD FS incorrectly displays the Home Realm Discovery (HRD) page when an identity provider (IDP) is associated with a relying party (RP) in an OAuth Group. Unless multiple IDPs are associated with the RP in the OAuth Group, the user will not be shown the HRD page. Instead, the user will go directly to the associated IDP for authentication.

Right after applying it, the system asked for a reboot…

And then my headache started! The Active Directory Federation Services (ADFS) didn’t start. Lots of errors 102, 220, and 352 in the Event Log!

The service wasn’t able to access the configuration database, but the database itself seemed to work.

WID is running

I tried to remove the KB4077525 fix from the system, but that didn’t solve my issues. The errors 102, 220, and 352 still flooded my Event Log.

Not working

I ended up restoring both systems and restoring the database. Right after the restore I took another snapshot with the AD FS Rapid Restore Tool and blacklisted KB4077525 for now!

The KB4077525 fix also contains the following:

Addresses issue where an HTTP 500 error occurs when an ADFS farm has at least two servers using Windows Internal Database (WID). In this scenario, HTTP basic pre-authentication on the Web Application Proxy (WAP) server fails to authenticate some users. When the error occurs, you might also see the Microsoft Windows Web Application Proxy warning Event ID 13039 in the WAP event log. The description reads, “Web Application Proxy failed to authenticate the user. Pre-authentication is ‘ADFS For Rich Clients’. The given user is not authorized to access the given relying party. The authorization rules of either the target relying party or the WAP relying party are needed to be modified.”

That might be what killed my installation. I have two servers using Windows Internal Database (WID). I never had that issue, but it sounds suspicious enough to me.

So if you have an Active Directory Federation Services (ADFS) farm, do some testing before you apply it to all your systems. And think about a backup: the AD FS Rapid Restore Tool is a great tool!
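As an added example (not part of the original post), here is a PowerShell pre-patch check that does what the post recommends before KB4077525 touches a node: confirm the update is not yet installed, record the AD FS and WID service state and the baseline count of events 102/220/352, then take a Rapid Restore Tool backup including the DKM keys. It assumes the tool is installed in its default location, that C:\ADFSBackup is a writable folder, and that Backup-ADFS accepts the encryption password as a plain string; adjust to your environment.

```powershell
# Added example: pre-patch safety check for an AD FS node (run elevated on the ADFS server).
# Assumed values: the backup path and the Rapid Restore Tool DLL location.
param(
    [string]$Kb         = 'KB4077525',
    [string]$BackupPath = 'C:\ADFSBackup',   # assumed backup folder
    [string]$ToolDll    = 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'
)

# 1. Refuse to continue if the update is already on this node; the pre-check is pointless then.
if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
    throw "$Kb is already installed on this node; take a backup before doing anything else."
}

# 2. Baseline health: the AD FS service and the WID instance must both be running.
$services = Get-Service -Name 'adfssrv', 'MSSQL$MICROSOFT##WID'
$services | Format-Table Name, Status -AutoSize
if ($services.Status -contains 'Stopped') {
    throw 'AD FS or WID is not running; fix that before patching.'
}

# 3. Baseline count of the event IDs the post reports (102, 220, 352) in the AD FS Admin log.
#    A jump in this number after the reboot is the sign the configuration database is unreachable.
$since  = (Get-Date).AddHours(-24)
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 102, 220, 352; StartTime = $since } `
                       -ErrorAction SilentlyContinue
"AD FS configuration-database errors (102/220/352) in the last 24h: $(@($errors).Count)"

# 4. Take a Rapid Restore Tool backup (with DKM keys) before the patch, since uninstalling
#    the update did not repair the farm in the post and a restore was the only way back.
Import-Module $ToolDll
$pass = Read-Host -Prompt 'Backup encryption password'
Backup-ADFS -StorageType 'FileSystem' -StoragePath $BackupPath `
            -EncryptionPassword $pass -BackupComment "Pre-$Kb snapshot" -BackupDKM

"Backup written to $BackupPath. Patch ONE node, reboot, repeat steps 2 and 3, and only then touch the next node."
```

Re-running steps 2 and 3 after the reboot on the first node gives you a go/no-go decision for the rest of the farm instead of discovering the problem on every server at once.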

Published in News


  1. Craig

    I have been dealing with the exact same issue with ADFS and this patch today. Was able to recover from a backup but definitely an issue with the patch.

    • Joerg Hochwald

      The “release fast and release often” approach doesn’t work too well all the time… I had a few issues with Exchange and other services recently. This time it was partly my fault: I updated both nodes of my ADFS farm without checking the 1st one.
      It looks like a bigger issue; I had a chat with a few customers: most were running into the same problem. Some are running just one server for now; they wait for a hotfix before doing anything else.

  2. Balagev

    Hi All,

    This ADFS bug is fixed in this update:
