Web Application Proxy hotfixes and updates for Windows Server 2012 R2


Microsoft is the only vendor that offers both on-premises and cloud solutions for remote application access. Not only do we offer both, we also work hard to keep these solutions current and continue improving them all the time. We have recently released many enhancements to Azure AD Application Proxy and we announced our Windows Server Web Application Proxy vNext with many new capabilities. It will be available next year as part of the Windows Server vNext release. At the same time, we do not forget our current Web Application Proxy customers that are using Windows Server 2012 R2.

In this blog post, we document recommended hotfixes and update rollups you may not be aware of that are currently available for Windows Server 2012 R2 based Web Application Proxy and AD FS deployments.

The update rollup packages are cumulative, so all rollups will include changes and features from previously released rollups. Hotfixes available will be included in later rollup packages that include updates for this role service (Web Application Proxy or AD FS). We recommend that you apply the Windows Server 2012 R2 update rollup packages as they become available in order to obtain all cumulative released hotfixes.

Please be aware that this is not a comprehensive list of all issues resolved in these Windows Server update rollups but only includes the changes directly related to the Web Application Proxy feature; please review the individual update rollup KB articles for a list of all included fixes.

 

Recommended hotfixes and update rollups that are currently available for Windows Server 2012 R2 based Web Application Proxy and AD FS deployments

Current hotfixes available since the last update rollup release:

Web Application Proxy hotfixes

  • 3042127 "HTTP 400 - Bad Request" error when you open a shared mailbox through WAP in Windows Server 2012 R2
  • 3042121 AD FS token replay protection for Web Application Proxy authentication tokens in Windows Server 2012 R2
  • 3020813 You are prompted for authentication when you run a web application in Windows Server 2012 R2 AD FS
  • 3025080 Operation fails when you try to save an Office file through Web Application Proxy in Windows Server 2012 R2

AD-FS related hotfixes

  • 3080778 AD FS does not call OnError when MFA adapter throws an exception in Windows Server 2012 R2
  • 3070080 Home realm discovery does not work correctly for a non–claims-aware relying party trust on Windows Server 2012 R2
  • 3045711 MS15-040: Vulnerability in Active Directory Federation Services could allow information disclosure
  • 3035025 Hotfix for update password feature so that users are not required to use registered device in Windows Server 2012 R2
  • 3033917 AD FS cannot process SAML response in Windows Server 2012 R2
  • 3018886 You are prompted for a username and password two times when you access Windows Server 2012 R2 AD FS server from intranet
  • 3025078 You are not prompted for username again when you use an incorrect username to log on to Windows Server 2012 R2
  • 3020773 Time-out failures after initial deployment of Device Registration service in Windows Server 2012 R2

 

There were no new update rollups available through September 2015.

 

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: December 2014 http://support.microsoft.com/kb/3013769

Included in update rollup or later update release

  • 3011137 SSO error occurs upon your first visit to (SAML) 2.0 websites through ADFS 3.0 that is enabled in Windows Server 2012 R2
  • 3011135 Large URI request in Web Application Proxy fails in Windows Server 2012 R2
  • 3009351 AD FS Proxy could not be configured error in WAP post-installation configuration wizard in Windows Server 2012 R2
  • 3008990 Update to let you log off successfully from AD FS 3.0 server in Windows Server 2012 R2

 

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: November 2014 http://support.microsoft.com/kb/3000850

Previous hotfixes included in this update rollup release

  • 2982037 Update to enable or disable the HttpOnly feature for a WAP or an application in Windows Server
  • 2998082 gMSA-based services can't log on after a password change in a Windows Server 2012 R2 domain

 

There were no Web Application Proxy or AD FS changes in the Windows Server 2012 R2 update rollups for September or October 2014.

 

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: August 2014 http://support.microsoft.com/kb/2975719

Included in update rollup or later update release

  • 2976996 Expired certificates cannot be removed when automatic certificate rollover is disabled in Windows Server 2012 R2
  • 2975066 You cannot sign in to a web application when you use certificate authentication method in Windows Server 2012 R2
  • 2971171 ADFS authentication issue for Active Directory users when extranet lockout is enabled 
  • 2978096 ExtendedProtectionTokenCheck setting keeps being disabled in AD FS 3.0 in Windows Server 2012 R2 
  • 2975719 You are prompted to re-enter credentials frequently when using Work Folders by using ADFS authentication in Windows 8.1
  • 2980756 You cannot log on to an AD FS server when you use an alternative UPN suffix account in Windows Server 2012 R2
  • 2975070 AD FS cannot start on a non-English language-based server in Windows Server 2012 R2 or Windows Server 2008 R2
  • 2975067 Update to support the SAML sender-vouches token in STS on a Windows Server 2012 R2-based AD FS server
  • 2958298 Single Sign-On is available for Office 365 users to access SharePoint Online sites in Windows 2012 R2

 

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: July 2014 http://support.microsoft.com/kb/2967917

Included in update rollup or later update release

  • 2970746 "Profile Installation Failed" error when iOS device is workplace-joined by using DRS on a Windows Server 2012 R2-based server

 

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: June 2014 http://support.microsoft.com/kb/2962409

Included in update rollup or later update release

  • 2964732 STS passive sign-in fails when a sign-in request is sent to a Windows Server 2012 R2-based STS server through STS proxy
  • 2964733 AD FS device authentication is slow or fails in Windows Server 2012 R2
  • 2964735 Authentication failures and event 422 when AD FS STS servers and AD FS proxy servers are in Windows Server 2012 R2

 

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: May 2014 http://support.microsoft.com/kb/2955164

Included in update rollup or later update release

  • 2935613 Authentication fails when a device is Workplace Joined by using Azure DRS
  • 2935608 Web Application Proxy cannot detect the updated certificate after it automatically updates on Windows Server 2012 R2
  • 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in

 

Required servicing update for Windows Server 2012 R2

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update: April 2014 http://support.microsoft.com/kb/2919355

This update is a cumulative update that includes the security updates and the non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 that were released before March 2014.

  • Important: All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require this update to be installed.

Comments (5)

  1. Billy [MSFT] says:

    Updated with April 2015 available hotfixes.

  2. Jason says:

    Are there any updates since April?

  3. I’ve been looking for such a list for a while! Thanks Billy, awesome job!

  4. Talha says:

    Would you recommend these hotfixes be installed as part of a standard Web Application Proxy buildout?
