FIX: Client connections for Form-based SSO fail authentication in Forefront Unified Access Gateway 2010 SP4

Applies to: Microsoft Forefront Unified Access Gateway 2010 Service Pack 4

Symptoms


Consider the following scenario:
  • You have Service Pack 4 (SP4) for Microsoft Forefront Unified Access Gateway 2010 installed.

    Note SP4 is required for Internet Explorer 11 clients.

  • You have a portal trunk that publishes web applications that are defined to provide Form-based single sign-on (SSO) to the back-end published resource.

In this scenario, client connections that use Internet Explorer 11 fail SSO authentication to the web application.

Cause


This problem occurs because of a change in the user-agent string in Internet Explorer 11. The Unified Access Gateway FormLoginDataDefinitions.xml file is defined to match "MSIE" for all versions of Internet Explorer. However, the Internet Explorer 11 user-agent string does not contain "MSIE" as earlier versions do. Therefore, the browser is categorized incorrectly.

When Internet Explorer 11 runs in compatibility mode, the "MSIE" string is added to its user-agent string, so Form-based SSO works in this mode.

Resolution


This problem is fixed in Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4.

Workaround


To work around this problem, follow these steps:
  1. In the FormLoginDataDefinitions.xml file, add the following to the "All Supported" section:

    <USER_AGENT id="IE11">
      <NAME>Internet Explorer 11</NAME>
      <SIGNATURE check_by="search">rv:11</SIGNATURE>
    </USER_AGENT>

  2. Add this ID to the required USER_AGENT_GROUP. For example, if your SSO FormLogin.xml file limits this to <AGENT_TYPE search="group">all_supported</AGENT_TYPE>, add the following to the <USER_AGENT_GROUP name="all_supported"> section of the FormLoginDataDefinitions.xml file:

    <USER_AGENT_ID>IE11</USER_AGENT_ID>
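
The mismatch and the effect of the workaround can be checked offline with the following added example, which is not code from Microsoft or from Unified Access Gateway: it loads a constructed definitions fragment and tests sample User-Agent headers against each enabled signature. It assumes that check_by="search" means a plain substring test; the "IE" entry, the <DEFS> wrapper, the sample headers and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragment. IE11 is the entry from the workaround; the "IE" entry
# and the <DEFS> wrapper are hypothetical stand-ins for the shipped file.
DEFINITIONS = """
<DEFS>
  <USER_AGENT id="IE">
    <NAME>Internet Explorer</NAME>
    <SIGNATURE check_by="search">MSIE</SIGNATURE>
  </USER_AGENT>
  <USER_AGENT id="IE11">
    <NAME>Internet Explorer 11</NAME>
    <SIGNATURE check_by="search">rv:11</SIGNATURE>
  </USER_AGENT>
</DEFS>
"""

# Constructed sample User-Agent headers.
SAMPLES = {
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "ie11": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "ie11_compat": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0)",
    "firefox11": "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0",
}


def load_signatures(xml_text, enabled_ids):
    """Return {id: signature} for enabled entries that use check_by="search"."""
    sigs = {}
    for agent in ET.fromstring(xml_text).iter("USER_AGENT"):
        sig = agent.find("SIGNATURE")
        if agent.get("id") in enabled_ids and sig.get("check_by") == "search":
            sigs[agent.get("id")] = sig.text
    return sigs


def matching_ids(user_agent, sigs):
    """IDs whose signature occurs in the header (assumed substring match)."""
    return sorted(i for i, s in sigs.items() if s in user_agent)


def report(enabled_ids):
    """Map each sample name to the IDs it matches with the given group."""
    sigs = load_signatures(DEFINITIONS, enabled_ids)
    return {name: matching_ids(ua, sigs) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    print("before workaround:", report({"IE"}))
    print("after workaround: ", report({"IE", "IE11"}))
```

Under the substring assumption, the Firefox 11 sample also matches rv:11, so the workaround signature is broader than Internet Explorer 11 alone.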

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


Learn about user-agent string changes for Internet Explorer 11.

Note The compatible ("compatible") and browser ("MSIE") tokens are removed in Internet Explorer 11.
