FIX: A Unified Access Gateway 2010 SP1 client connection may fail when client traffic fails over between load balanced array nodes

Article ID: 2699805

Symptoms

Consider the following scenario:

In this scenario, the client reauthentication for the session to the new node may fail, and you may receive a client error message that resembles the following:

    HTTP/1.1 500 Internal Server Error
    Server Error in '/InternalSite/ADFSv2Sites/Trunk_Name' Application
    Runtime Error
    Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed.

Additionally, the following ASP.Net event may be logged in the Application event log:

    Event message: An unhandled exception has occurred.
    Event time: date
    Event time (UTC): time
    Event ID: 1309
    Event sequence: 2
    Event occurrence: 1
    Event detail code: 0
    Application information:
        Application domain: /LM/W3SVC/1/ROOT/InternalSite/ADFSv2Sites/trunk_name
        Trust level: Full
        Application Virtual Path: /InternalSite/ADFSv2Sites/trunk_name
        Application Path: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\trunk_name
        Machine name: computer_name
    Process information:
        Process ID: PID
        Process name: w3wp.exe
        Account name: NT AUTHORITY\SYSTEM
    Exception information:
        Exception type: CryptographicException
        Exception message: Key not valid for use in specified state.

Cause

This problem may occur because the Data Protection API (DPAPI) cannot decode the AD FS 2.0 client security context cookie that was encrypted by using the machine key of a different array node.

Resolution

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article: 2710791
(http://support.microsoft.com/kb/2710791/)
Description of Service Pack 2 for Forefront Unified Access Gateway 2010

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

When this problem occurs, Microsoft Web Services Enhancements (WSE) tries to decrypt the client security context token cookie for access to /InternalSite/ADFSv2Sites. To do this, WSE relies on the Data Protection API (DPAPI) to decode the cookie. Unified Access Gateway uses a computer-specific configuration when the AD FS 2.0 trunk application /InternalSite/ADFSv2Sites is deployed in Internet Information Services (IIS). This configuration uses computer-specific encryption and does not support load balancing.

Note When you configure a WSE 3.0-based Web service to use secure conversation in a load-balanced environment, you may receive the following error message:

    Key not valid for use in specified state

For more information about this error message, click the following article number to view the article in the Microsoft Knowledge Base: 939760
(http://support.microsoft.com/kb/939760/)
Error message when you configure a WSE 3.0-based Web service to use secure conversation in a load-balanced environment: "Key not valid for use in specified state"

References

For more information about Active Directory Federation Services (AD FS) 2.0, visit the following Microsoft TechNet website: Active Directory Federation Services 2.0 solution guide
(http://technet.microsoft.com/en-us/library/gg295325.aspx)
For more information about how to create a Forefront Unified Access Gateway HTTPS portal trunk, visit the following Microsoft TechNet website: Configuring trunk settings
(http://technet.microsoft.com/en-us/library/dd861438.aspx)
For more information about IP affinity stickiness, visit the following Microsoft TechNet website: Forefront UAG registry keys
(http://technet.microsoft.com/en-us/library/ee809087.aspx)
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: 824684
(http://support.microsoft.com/kb/824684/)
Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2699805 - Last Review: December 7, 2012 - Revision: 3.0
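
To check whether 500 errors seen after a failover match the signature in the Symptoms section, the following added PowerShell example (not part of the original article or of Microsoft's fix) searches the Application log on each array node for event 1309 carrying the quoted CryptographicException text. The function names, the node names UAG-NODE1 and UAG-NODE2, and the trunk name portal1 are hypothetical.

```powershell
# Added example. Function names and node names are hypothetical.

# Returns $true when an event message carries the three markers quoted in
# this article: exception type, exception message and the AD FS trunk path.
function Test-UagDpapiFailoverEvent {
    param([string]$Message)
    ($Message -match 'Exception type:\s*CryptographicException') -and
    ($Message -match 'Key not valid for use in specified state') -and
    ($Message -match '/InternalSite/ADFSv2Sites/')
}

# Queries each node's Application log for event 1309 and keeps the matches.
function Get-UagDpapiFailoverEvent {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Application'; Id = 1309; StartTime = $Since }
    foreach ($node in $ComputerName) {
        # SilentlyContinue: a node with no 1309 events in the window is not an error here.
        Get-WinEvent -ComputerName $node -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { Test-UagDpapiFailoverEvent -Message $_.Message } |
            ForEach-Object {
                # Pull the trunk name out of the virtual path, when present.
                $trunk = if ($_.Message -match 'Application Virtual Path:\s*/InternalSite/ADFSv2Sites/(\S+)') { $Matches[1] }
                New-Object PSObject -Property @{
                    Node        = $node
                    TimeCreated = $_.TimeCreated
                    Trunk       = $trunk
                }
            }
    }
}

# Constructed sample message (trunk name "portal1" is made up) for an offline check.
$sample = @'
Event ID: 1309
Application Virtual Path: /InternalSite/ADFSv2Sites/portal1
Exception type: CryptographicException
Exception message: Key not valid for use in specified state.
'@
Test-UagDpapiFailoverEvent -Message $sample

# Live use against two array nodes (hypothetical names), counted per node:
# Get-UagDpapiFailoverEvent -ComputerName 'UAG-NODE1','UAG-NODE2' | Group-Object Node
```

Matches that appear on a node shortly after it takes over client traffic from another node are consistent with the cause described in this article.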








