Article ID: 2783332
Consider the following scenario:
To resolve this problem, install the hotfix package that is described in the following Microsoft Knowledge Base article:
Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (http://support.microsoft.com/kb/2735208/)
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
By default, TMG 2010 uses the "Domain NETBIOS name\User name" format when it requests a Kerberos ticket. Therefore, the domain name and the user name in the Kerberos ticket resemble the following:
User: FirstName.LastName
Update 960146 introduced a design change in TMG to control how the domain name and the user name are formatted by using a script.
However, when the Const SE_VPS_VALUE property is set to 2, the FQDN is used for the domain name format. This does not work for users whose Security Accounts Manager (SAM) account name differs from the part of the user principal name (UPN) before the @ sign.
For example, authentication is successful when SAM and UPN match as follows:
SAM: domain\username
Authentication is unsuccessful when SAM and UPN do not match as follows:
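An added example (not from the Microsoft article): a PowerShell check that lists accounts whose SAM account name differs from the part of the UPN before the @ sign, the mismatch described above. The function name Find-SamUpnMismatch, the Reason values, and the sample accounts are constructed for illustration; accounts without a usable UPN are reported separately as an assumption, since the article does not cover them.

```powershell
# Added example: flag accounts whose SAM account name differs from the UPN prefix.
# Input objects need SamAccountName and UserPrincipalName properties, for
# example the output of Get-ADUser -Filter * (ActiveDirectory module).
function Find-SamUpnMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    process {
        $sam = $Account.SamAccountName
        $upn = $Account.UserPrincipalName

        if ([string]::IsNullOrWhiteSpace($upn)) {
            # Assumption: no UPN set; not covered by the article, listed for review.
            $reason = 'NoUpn'
        }
        else {
            $at = $upn.LastIndexOf('@')
            if ($at -lt 1) {
                $reason = 'MalformedUpn'
            }
            else {
                $prefix = $upn.Substring(0, $at)
                # AD account names are compared case-insensitively.
                if ($prefix -ieq $sam) { return }   # names match, nothing to report
                $reason = 'PrefixDiffers'
            }
        }

        [pscustomobject]@{
            SamAccountName    = $sam
            UserPrincipalName = $upn
            Reason            = $reason
        }
    }
}

# Constructed sample accounts (not real data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';  UserPrincipalName = 'jsmith@corp.example.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith2'; UserPrincipalName = 'john.smith@corp.example.com' }
    [pscustomobject]@{ SamAccountName = 'svc-web'; UserPrincipalName = $null }
)

# Lists jsmith2 (PrefixDiffers) and svc-web (NoUpn); jsmith is not reported.
$sample | Find-SamUpnMismatch | Format-Table -AutoSize
```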
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
Description of the standard terminology that is used to describe Microsoft software updates (http://support.microsoft.com/kb/824684/)
Article ID: 2783332 - Last Review: January 10, 2013 - Revision: 1.0