Description of the Service Pack 1 Rollup 1 hotfix package for Unified Access Gateway 2010

Issues that are fixed in this hotfix rollup

This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

Issue 1

The UAG Active Directory Service Interfaces (ADSI) repository and LDAP repository functions Change User Password and Check for Password Expiration cannot handle non-ASCII characters that are contained in the Username, Password, or Path fields of the distinguished name (DN).

The ruleset that is preventing users who use non-ASCII characters from changing their passwords is as follows:

InternalSite_Rule9The following two parameters of this ruleset fail the password change:

• dummy_user_repository

• user_repository

Both parameters have a default value of 50. After this hotfix rollup is applied, these parameters have a default value of 500.

Issue 2

You publish a web application by using a webapp generic template that uses the Portal Host Name type. If, during a response, the application sets a cookie with a domain attribute that has a character count longer than the trunk public host name, an Access Violation error is generated from the Secure Remote Access (SRA) file when SRA tries to sign the domain attribute of cookies. The result is that the filter abandons the process and sends error 500 to the endpoint.



Issue 3

You cannot define a WinHTTP repository in Unified Access Gateway (UAG). The path that you type inside the Path field is sometimes accepted. However, when you try to enable the UAG configuration, you receive one of the following error messages:

Error message 1

Error message 2

Error message 3

Issue 4

The silent removal of client components restarts the client computer without a warning message.



Issue 5

Kerberos Constrained Delegation (KCD) does not work if a back-end application does not support SPNEGO or is not configured to support SPNEGO. The HTTP log indicates that a "200 OK" response is returned immediately after UAG sends a Kerberos token. The application sends a "200 OK" response. However, UAG is expecting a negotiation token.

Workaround

In an optimal scenario, the back-end web server should return error 401 when it receives a GSS_S_CONTINUE_NEEDED value to complete the negotiation. In this scenario, UAG should send a token back to the back-end web server to finish the authentication process. However, some back-end applications do not support or are not configured to support mutual Kerberos authentication (for example, no support for the Simple and Protected Negotiate [SPNEGO] implementation). For these applications, an additional Security Service Provider (SSP) may be used by setting the registry.

The following registry entry changes the SSP from Negotiate to Kerberos:

Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\eGap\von\UrlFilter
Entry: KCDUseKerberosSSN
Type: REG_DWORD
Value: 1


Issue 6

You cannot define a WinHTTP repository when the repository URL does not specify the port number explicitly.

To work around this issue, define the URL in the WinHTTP repository. For example, change https://urlname to https://urlname:443.


Issue 7

RemoteApps Single Sign-On (SSO) does not work when UAG component installation and activation is disabled.



Issue 8

Authorization fails for users who have Unicode display names in Active Directory when LDAP signing is required. This problem occurs only if you have to have LDAP signing enabled on the domain controller.



Issue 9

Client components do not provide a meaningful return code to indicate whether the installation succeeded or whether it failed and is pending a restart. The MSI package always returns 0 (zero) after the installation or removal of the client components, regardless of whether the installation or removal succeeded or failed.



Issue 10

During the unattended removal of UAG client components, a dialog box appears on the user's screen. Because of the deployment method, this dialog box is displayed as a black box on the user’s desktop. However, the dialog box still reacts to user inputs, and the buttons in the dialog box can be clicked.

After you install this hotfix rollup, you have more control over whether there any progress dialog boxes are displayed during the installation, removal, or upgrade of the UAG client components.



Issue 11

You download the OfflineInstaller.msi file from the UAG portal site. When you run the offline installation from a client computer, you receive the following error message:

Issue 12

This problem occurs on the Japanese Windows operating system. You copy any of the WhlClientSetup-*.msi files from the UAG server to the client computer. When you run the file, you receive the following error message:

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.