You have to authenticate again to the AD FS server when the published server is configured for single sign-on in Forefront Unified Access Gateway 2010

Applies to: Forefront Unified Access Gateway 2010; Microsoft Forefront Unified Access Gateway 2010 Service Pack 1

Symptoms

Consider the following scenario in Microsoft Forefront Unified Access Gateway (UAG) 2010:
  • You have a Forefront UAG trunk portal that is configured to perform trunk authentication against Active Directory or against another repository that is not Active Directory Federation Services (AD FS).
  • You publish an AD FS server by using the built-in AD FS 2.0 template.
  • You configure an application for single sign-on from the trunk repository.

In this scenario, you may find that single sign-on does not occur, and you have to authenticate again to the AD FS server.

Cause

This problem may occur because of any of the following:
  • In some cases, you upgrade a working configuration to UAG Service Pack 2 or Service Pack 3.
  • You add a new trunk that uses the AD FS repository that is linked to the published AD FS server for trunk authentication.
  • You make any change to the AD FS application properties.

Resolution

To resolve this problem, install Service Pack 4 for Microsoft Forefront Unified Access Gateway 2010.

Workaround

In some cases, you can work around this problem by removing the published AD FS server and publishing it again.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

See the terminology Microsoft uses to describe software updates.