FIX: User authentication may not function for Exchange ActiveSync in a Forefront Unified Access Gateway (UAG) 2010 environment


Consider the following scenario:
  • You publish Microsoft Exchange ActiveSync application access on a server that is running Microsoft Forefront Unified Access Gateway (UAG) 2010.
  • You configure UAG access restrictions to limit access to the Exchange ActiveSync application for a specific user name or group membership.
  • A user starts an Exchange ActiveSync connection and provides valid authentication credentials to log on.

In this scenario, the authenticated user may be able to access the Exchange ActiveSync application even when the credentials that were supplied do not match the specific group or user account restrictions that you specified as the UAG administrator.


This issue occurs because, even though user authentication is required and performed correctly, application authorization may not be enforced for rich client access. An example of rich client access is when a non-browser client agent uses HTTP authentication and does not use HTML Forms Based Authentication (FBA). In this case, the UAG authorization process that is based on the administratively defined group or user accounts may not appropriately restrict client access to the published application.


To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2710791 Description of Service Pack 2 for Forefront Unified Access Gateway 2010


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Article ID: 2743301 - Last Review: Dec 7, 2012 - Revision: 1

Microsoft Forefront Unified Access Gateway 2010 Service Pack 1