FIX: "Sign-in Error" errors on Internet Explorer 11 clients when they access a Unified Access Gateway portal trunk that has ADFS 2.0 authentication

Applies to: Microsoft Forefront Unified Access Gateway 2010 Service Pack 4

Symptoms


Consider the following scenario:
  • You have Service Pack 3 for Microsoft Forefront Unified Access Gateway (UAG) 2010 installed on your UAG server.
  • The UAG server is configured to use at least one portal trunk that uses Active Directory Federation Services (AD FS) 2.0 as the trunk authentication server (Authentication Repository).
  • You upgrade this UAG server to Service Pack 4 (SP4).

In this scenario, after SP4 is applied, clients who use Internet Explorer 11 to access the Unified Access Gateway portal trunk that uses AD FS authentication receive the following error message instead of the expected logon page:

Sign-in Error : Access to this portal from a mobile device is not allowed because the portal uses federated authentication.

Cause


This problem occurs when a configuration file on the UAG server is not updated to Microsoft Forefront Unified Access Gateway 2010 SP4. The SP4 version adds support for Internet Explorer 11.

Note The configuration file is named Mobile.browser and is located in the following folder on the UAG server:

…\InternalSite\ADFSv2Sites\<trunk name>\App_Browsers\DetectionModule

Resolution


This problem is fixed in Rollup 1 for Forefront UAG 2010 SP4.

Workaround


To work around this problem, follow these steps:
  1. Locate the file mobile.browser in the "…\InternalSite\ADFSv2Sites\<trunk name>\App_Browsers\DetectionModule" folder on the UAG server.

    Note The same file exists in three other folders of the UAG server. Do not change those files. Change only the file for all AD FS trunks that are located in the ADFSv2Sites folder.
  2. Delete the file.

    Note For safety, copy the file to another location or rename its file name extension to anything that you want. For example, change the file name to the following:

    mobile.browser_backup

    If you have configured more than one trunk by using AD FS 2.0 authentication, repeat step 2 for each Mobile.browser file in each folder within the InternalSite\ADFSv2Sites folder.
  3. Enable the UAG configuration.

This procedure causes the Mobile.browser file to be re-created in each trunk folder under InternalSite\ADFSv2Sites. The re-created file is the correct Service Pack 4 version, which detects Internet Explorer 11 as the correct client type. The file's Date modified attribute should show a date that is in 2013.
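The following PowerShell script is an added example, not part of the original article, that audits every AD FS trunk folder under InternalSite\ADFSv2Sites, reports the Date modified year of each Mobile.browser file, and renames only the stale copies to Mobile.browser_backup (the three other Mobile.browser copies on the server are never touched). The $UagInternalSite parameter and the 2013 year threshold are assumptions taken from the dates this article gives.

```powershell
<#
  Added example (not Microsoft's own tooling): find and back up pre-SP4 Mobile.browser
  files in every AD FS 2.0 trunk folder. Run as an administrator on the UAG server.
  $UagInternalSite is an assumption: point it at the UAG InternalSite folder.
  Use -WhatIf to audit without renaming anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$UagInternalSite
)

$adfsSites = Join-Path $UagInternalSite 'ADFSv2Sites'
if (-not (Test-Path $adfsSites)) {
    throw "ADFSv2Sites folder not found under '$UagInternalSite'."
}

# One subfolder per AD FS trunk; the file lives in App_Browsers\DetectionModule.
$results = foreach ($trunk in Get-ChildItem -Path $adfsSites -Directory) {
    $file = Join-Path $trunk.FullName 'App_Browsers\DetectionModule\Mobile.browser'
    if (-not (Test-Path $file)) {
        [pscustomobject]@{ Trunk = $trunk.Name; Status = 'Missing'; Modified = $null }
        continue
    }
    $item = Get-Item -Path $file
    # Per the article: a 2011 Date modified is the stale pre-SP4 file, 2013 is the SP4 file.
    # Treating anything older than 2013 as stale is an assumption based on those two dates.
    if ($item.LastWriteTime.Year -lt 2013) {
        if ($PSCmdlet.ShouldProcess($file, 'Rename to Mobile.browser_backup')) {
            Rename-Item -Path $file -NewName 'Mobile.browser_backup'
        }
        $status = 'Stale (backed up)'
    } else {
        $status = 'Current'
    }
    [pscustomobject]@{ Trunk = $trunk.Name; Status = $status; Modified = $item.LastWriteTime }
}

$results | Format-Table -AutoSize

# The last step of the workaround stays manual: enable (activate) the UAG configuration
# so that the SP4 version of Mobile.browser is re-created in each trunk folder.
```

After activation, re-run the script with -WhatIf: every trunk should now report Current with a 2013 Date modified value.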

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


The Mobile.browser file is used by AD FS trunks on the Unified Access Gateway server in order to correctly recognize and categorize connecting clients. If the file was not updated correctly to its latest version by the installation of Service Pack 4 for Unified Access Gateway, the Internet Explorer 11 browser is recognized incorrectly by the Unified Access Gateway server as a mobile device. Therefore, the server denies access to the AD FS trunk. You can identify a file that is not up to date by its Date modified attribute. The value will be a date that is in 2011.

References


Learn about the terminology that Microsoft uses to describe software updates.