Article ID: 2475733
Microsoft has released the Service Pack 1 Rollup 1 hotfix package for Microsoft Forefront Unified Access Gateway (UAG) 2010. The build number of this hotfix rollup is 4.0.1752.10020.
Issues that are fixed in this hotfix rollup
This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.
The UAG Active Directory Service Interfaces (ADSI) repository and LDAP repository functions Change User Password and Check for Password Expiration cannot handle non-ASCII characters that are contained in the Username, Password, or Path fields of the distinguished name (DN).
The ruleset that is preventing users who use non-ASCII characters from changing their passwords is as follows:
InternalSite_Rule9
The following two parameters of this ruleset cause the password change to fail:
Both parameters have a default value of 50. After this hotfix rollup is applied, these parameters have a default value of 500.
You publish a web application by using a webapp generic template that uses the Portal Host Name type. If, during a response, the application sets a cookie whose domain attribute is longer than the trunk public host name, an Access Violation error is generated from the Secure Remote Access (SRA) file when SRA tries to sign the domain attribute of the cookie. As a result, the filter abandons the request and sends error 500 to the endpoint.
You cannot define a WinHTTP repository in Unified Access Gateway (UAG). The path that you type inside the Path field is sometimes accepted. However, when you try to enable the UAG configuration, you receive one of the following error messages:
Error message 1
The following operation failed: Allowing connection by URL "urlname" Error code [0x80004005]
Error message 2
Failed to find port for service [urlname] [0x80004005]
Error message 3
Firewall settings could not be configured.
The silent removal of client components restarts the client computer without a warning message.
Kerberos Constrained Delegation (KCD) does not work if a back-end application does not support SPNEGO or is not configured to support SPNEGO. The HTTP log shows that the application returns a "200 OK" response immediately after UAG sends the Kerberos token, whereas UAG is expecting a negotiation token.
In an optimal scenario, the back-end web server returns error 401 when it receives a GSS_S_CONTINUE_NEEDED value, so that the negotiation can be completed. In this scenario, UAG sends a token back to the back-end web server to finish the authentication process. However, some back-end applications do not support, or are not configured to support, mutual Kerberos authentication (for example, they have no support for the Simple and Protected Negotiate [SPNEGO] implementation). For these applications, a different Security Service Provider (SSP) can be selected through a registry setting.
The following registry entry changes the SSP from Negotiate to Kerberos:
You cannot define a WinHTTP repository when the repository URL does not specify the port number explicitly.
To work around this issue, define the URL in the WinHTTP repository with an explicit port number. For example, change https://urlname to https://urlname:443.
RemoteApps Single Sign-On (SSO) does not work when UAG component installation and activation is disabled.
Authorization fails for users who have Unicode display names in Active Directory when LDAP signing is required. This problem occurs only if LDAP signing is required on the domain controller.
Client components do not provide a meaningful return code to indicate whether the installation succeeded or whether it failed and is pending a restart. The MSI package always returns 0 (zero) after the installation or removal of the client components, regardless of whether the installation or removal succeeded or failed.
During the unattended removal of UAG client components, a dialog box appears on the user's screen. Because of the deployment method, this dialog box is displayed as a black box on the user’s desktop. However, the dialog box still reacts to user inputs, and the buttons in the dialog box can be clicked.
After you install this hotfix rollup, you have more control over whether any progress dialog boxes are displayed during the installation, removal, or upgrade of the UAG client components.
You download the OfflineInstaller.msi file from the UAG portal site. When you run the offline installation from a client computer, you receive the following error message:
This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
This problem occurs on the Japanese Windows operating system. You copy any of the WhlClientSetup-*.msi files from the UAG server to the client computer. When you run the file, you receive the following error message:
The installation wizard does not start, and no endpoint component is installed. However, an "Installation completed" event is recorded in Event Viewer, and no program appears in Add or Remove Programs in Control Panel.
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
You must have UAG 2010 Service Pack 1 installed to apply this hotfix rollup.
For more information about how to obtain UAG 2010 Service Pack 1, visit the following Microsoft website:
Microsoft Forefront Unified Access Gateway (UAG) 2010 Service Pack 1 (SP1)
Restart information
You do not have to restart the computer after you apply this hotfix rollup. However, you must enable UAG 2010 after you install the hotfix rollup.
Removal information
To remove this hotfix rollup, use one of the following methods:
Replacement information
This hotfix rollup does not replace a previously released hotfix.
File information
The English version of this hotfix rollup has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 2475733 - Last Review: February 3, 2011 - Revision: 1.0