FIX: A client connection to an HTTPS trunk may fail in a Forefront Unified Access Gateway 2010 SP1 array with Error 152 or 116

Article ID: 2699807

Symptoms

Consider the following scenario:
  • You create a Microsoft Forefront Unified Access Gateway (UAG) 2010 Service Pack 1 (SP1) array.
  • You configure an HTTPS trunk by using a name such as TrunkAAA.
  • You configure a second HTTPS trunk in the same domain suffix by using a name that represents an extension of the first trunk name such as TrunkAAAbbb.
  • A client accesses both HTTPS trunks in the same session.

In this scenario, the client connection to an HTTPS trunk may fail, and one of the following error messages occurs:
  • Error 152: ADFS User Group - You have authenticated successfully using AD FS, but your user name or group cannot be located in a Forefront UAG local group.
  • Error 116: Logon error - The logon process cannot be completed. The page was accessed from an unauthorized URL.
Notes
  • Error 116 may occur even for Forefront UAG trunks for which Active Directory Federation Services (AD FS) authentication is not configured.
  • This problem may also occur when two similarly named trunks are located on separate Forefront UAG server installations, and the client accesses both Forefront UAG server trunks in the same session.

Cause

This problem may occur when a search function locates the Forefront UAG "NLSession[SC]trunk_name" authentication cookie in the client request. The string search incorrectly matches the extended cookie name with the shorter search string.
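
The following Python sketch is an added illustration of this class of defect and is not Forefront UAG code. It assumes that "NLSession[SC]trunk_name" means the prefix NLSession, then S or C, then the trunk name; the function names and session values are constructed for the example.

```python
# Added illustration; not Forefront UAG code. Cookie values are constructed.
SAMPLE_HEADER = "NLSessionSTrunkAAAbbb=session-for-bbb; NLSessionSTrunkAAA=session-for-aaa"

def cookie_name(trunk, kind="S"):
    # Assumption: "NLSession[SC]trunk_name" = NLSession + 'S' or 'C' + trunk name.
    return "NLSession" + kind + trunk

def parse_cookie_header(header):
    """Split a Cookie request header into an ordered list of (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def find_by_substring(header, trunk):
    """Flawed lookup: raw string search for the cookie name inside the header.
    The search string for TrunkAAA is also the start of the TrunkAAAbbb cookie name."""
    needle = cookie_name(trunk)
    pos = header.find(needle)
    if pos == -1:
        return None
    start = header.find("=", pos) + 1
    end = header.find(";", start)
    return header[start:end if end != -1 else len(header)]

def find_by_exact_name(header, trunk):
    """Corrected lookup: parse the pairs, then compare the whole cookie name."""
    wanted = cookie_name(trunk)
    for name, value in parse_cookie_header(header):
        if name == wanted:
            return value
    return None

def colliding_trunks(trunks):
    """Pairs (short, long) where the longer trunk name extends the shorter one."""
    return [(a, b) for a in trunks for b in trunks if a != b and b.startswith(a)]

if __name__ == "__main__":
    print("substring :", find_by_substring(SAMPLE_HEADER, "TrunkAAA"))
    print("exact name:", find_by_exact_name(SAMPLE_HEADER, "TrunkAAA"))
    print("collisions:", colliding_trunks(["TrunkAAA", "TrunkAAAbbb", "Portal"]))
```

With both cookies present in one request, the substring lookup for TrunkAAA returns the session value that belongs to TrunkAAAbbb, while the exact-name lookup returns the correct one. The colliding_trunks helper lists the trunk-name pairs that the workaround would have you rename.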

Resolution

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2710791 Description of Service Pack 2 for Forefront Unified Access Gateway 2010

Workaround

To work around this problem, use complete and unique names when you name a trunk. Because there is no capability in Forefront UAG to rename an existing trunk, you must completely delete and re-create at least one of the existing, similarly named trunks.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2699807 - Last Review: December 7, 2012 - Revision: 3.0
Applies to
  • Microsoft Forefront Unified Access Gateway 2010 Service Pack 1