Symptoms
Consider the following scenario:
- You configure Microsoft Forefront Unified Access Gateway 2010 to accept user principal name (UPN) logons.
- Domains from all forests are served by one repository.
- You try to log on to the Unified Access Gateway portal from a domain in a trusted forest by using the UPN format.
In this scenario, you receive an "Authentication failed" error message. However, if you specify your logon credentials by using the SAM account name format, you can successfully log on. Additionally, other users from a domain in the Unified Access Gateway forest can log on by using the UPN format.
Cause
This issue occurs when Unified Access Gateway cannot convert the UPN into the Security Accounts Manager (SAM) account name format.
Resolution
This problem is fixed in Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4.
Workaround
To work around this problem, log on to the Unified Access Gateway portal by using the SAM account name, or create a separate authentication repository for the domain in the trusted forest. Users from the remote forest then have to select the repository for the new domain in the drop-down list on the logon page.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.