Microsoft has released the Service Pack 1 Rollup 1 hotfix package for Microsoft Forefront Unified Access Gateway (UAG) 2010. The build number of this hotfix rollup is 4.0.1752.10020.
Issues that are fixed in this hotfix rollup
This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.
Issue 1
The UAG Active Directory Service Interfaces (ADSI) repository and LDAP repository functions Change User Password and Check for Password Expiration cannot handle non-ASCII characters that are contained in the Username, or Path fields of the distinguished name (DN).
The ruleset that is preventing users who use non-ASCII characters from changing their passwords is as follows:
The following two parameters of this ruleset fail the password change:
Both parameters have a default value of 50. After this hotfix rollup is applied, these parameters have a default value of 500.
Issue 2
You publish a web application by using a webapp generic template that uses the Portal Host Name type. If, during a response, the application sets a cookie with a domain attribute that has a character count longer than the trunk public host name, an Access Violation error is generated from the Secure Remote Access (SRA) file when SRA tries to sign the domain attribute of cookies. The result is that the filter abandons the process and sends error 500 to the endpoint.
Issue 3
You cannot define a WinHTTP repository in Unified Access Gateway (UAG). The path that you type inside the Path field is sometimes accepted. However, when you try to enable the UAG configuration, you receive one of the following error messages:
Error message 1
Error message 2
The following operation failed: Allowing connection by URL "urlname" Error code [0x80004005]
Error message 3
Failed to find port for service [urlname] [0x80004005]
Firewall settings could not be configured.
Issue 4
The silent removal of client components restarts the client computer without a warning message.
Issue 5
Kerberos Constrained Delegation (KCD) does not work if a back-end application does not support SPNEGO or is not configured to support SPNEGO. The HTTP log indicates that a "200 OK" response is returned immediately after UAG sends a Kerberos token. The application sends a "200 OK" response. However, UAG is expecting a negotiation token.
Workaround
In an optimal scenario, the back-end web server should return error 401 when it receives a GSS_S_CONTINUE_NEEDED value to complete the negotiation. In this scenario, UAG should send a token back to the back-end web server to finish the authentication process. However, some back-end applications do not support or are not configured to support mutual Kerberos authentication (for example, no support for the Simple and Protected Negotiate [SPNEGO] implementation). For these applications, an additional Security Service Provider (SSP) may be used by setting the registry.
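As an added example (not part of the original article and not UAG code), the following Python sketch classifies a back end's reply to a request that carries a Kerberos token, separating the 401 continuation and the reply that returns a negotiation token from the bare "200 OK" described in Issue 5. The function names, labels and sample exchanges are constructed for illustration; the header syntax is that of HTTP Negotiate (RFC 4559).

```python
# Added example: classify a back end's reply to an HTTP Negotiate request.
# All names and sample data are constructed; this is not UAG code.
import base64
import binascii

def negotiate_token(headers, name):
    """Decoded Negotiate token from header `name`; b"" if the scheme appears
    without a usable token; None if Negotiate is absent. Assumes one
    challenge per header line."""
    for key, value in headers:
        parts = value.strip().split(None, 1)
        if key.lower() != name.lower() or not parts:
            continue
        if parts[0].lower() != "negotiate":
            continue
        if len(parts) == 1:
            return b""
        try:
            return base64.b64decode(parts[1].strip(), validate=True)
        except (binascii.Error, ValueError):
            return b""  # malformed token is treated as missing
    return None

def classify(request_headers, status, response_headers):
    if not negotiate_token(request_headers, "Authorization"):
        return "no-kerberos-token-sent"
    reply = negotiate_token(response_headers, "WWW-Authenticate")
    if status == 401:
        # A token means another leg is needed; none means the token was refused.
        return "continue-needed" if reply else "rejected"
    if 200 <= status < 300:
        # A bare 2xx is the Issue 5 pattern: no negotiation token comes back.
        return "completed-with-token" if reply else "ok-without-token"
    return "other"

# Constructed sample exchanges (request headers, status, response headers).
TOKEN = base64.b64encode(b"constructed-kerberos-token").decode()
REPLY = base64.b64encode(b"constructed-reply-token").decode()
REQ = [("Host", "app.example.test"), ("Authorization", "Negotiate " + TOKEN)]
SAMPLES = [
    (REQ, 401, [("WWW-Authenticate", "Negotiate " + REPLY)]),
    (REQ, 200, [("WWW-Authenticate", "Negotiate " + REPLY)]),
    (REQ, 200, [("Content-Type", "text/html")]),
    (REQ, 401, [("WWW-Authenticate", "NTLM"), ("WWW-Authenticate", "Negotiate")]),
]

def classify_all(samples=SAMPLES):
    return [classify(req, status, resp) for req, status, resp in samples]

if __name__ == "__main__":
    print(classify_all())
```

Back ends that consistently fall into the "ok-without-token" class are the ones the registry-based workaround is aimed at.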
The following registry entry changes the SSP from Negotiate
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\eGap\von\UrlFilter
Issue 6
You cannot define a WinHTTP repository when the repository URL does not specify the port number explicitly.
To work around this issue, define the URL in the WinHTTP repository. For example, change https://urlname
Issue 7
RemoteApps Single Sign-On (SSO) does not work when UAG component installation and activation is disabled.
Issue 8
Authorization fails for users who have Unicode display names in Active Directory when LDAP signing is required. This problem occurs only if you have to have LDAP signing enabled on the domain controller.
Issue 9
Client components do not provide a meaningful return code to indicate whether the installation succeeded or whether it failed and is pending a restart. The MSI package always returns 0 (zero) after the installation or removal of the client components, regardless of whether the installation or removal succeeded or failed.
Issue 10
During the unattended removal of UAG client components, a dialog box appears on the user's screen. Because of the deployment method, this dialog box is displayed as a black box on the user’s desktop. However, the dialog box still reacts to user inputs, and the buttons in the dialog box can be clicked.
After you install this hotfix rollup, you have more control over whether any progress dialog boxes are displayed during the installation, removal, or upgrade of the UAG client components.
Issue 11
You download the OfflineInstaller.msi file from the UAG portal site. When you run the offline installation from a client computer, you receive the following error message:
This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
This problem occurs on the Japanese Windows operating system. You copy any of the WhlClientSetup-*.msi files from the UAG server to the client computer. When you run the file, you receive the following error message:
The installation wizard does not start, and no endpoint component is installed. However, an "Installation completed" entry is recorded in Event Viewer, and no program is listed in Add or Remove Programs in Control Panel.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
You must have UAG 2010 Service Pack 1 installed to apply this hotfix rollup.
For more information about how to obtain UAG 2010 Service Pack 1, visit the following Microsoft website:
You do not have to restart the computer after you apply this hotfix rollup. However, you must enable UAG 2010 after you install the hotfix rollup.
To remove this hotfix rollup, use one of the following methods:
- Log on as a built-in administrator, and then uninstall the update by using the Programs and Features item in Control Panel.
- At a command prompt, type the following command, and then press Enter:
msiexec.exe /uninstall
Note The command line should be elevated for this removal method. Removing the Unified Access Gateway 2010 Service Pack 1 automatically removes the Rollup 1 hotfix package for Unified Access Gateway 2010 Service Pack 1.
This hotfix rollup does not replace a previously released hotfix.
The English version of this hotfix rollup has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
|File name|File version|File size|Date|Time|Platform|
|---|---|---|---|---|---|
|Adfs.whlclientinst.inc|Not applicable|1,104|19-Dec-2010|22:43|Not applicable|
|Clientcompres.cab|Not applicable|256,003|19-Dec-2010|23:35|Not applicable|
|Clientconf.cab|Not applicable|8,413|19-Dec-2010|23:35|Not applicable|
|Clientconf.xml|Not applicable|8,561|19-Dec-2010|22:05|Not applicable|
|Clientconf.xml.sig|Not applicable|128|19-Dec-2010|22:05|Not applicable|
|Install.js|Not applicable|11,222|19-Dec-2010|22:43|Not applicable|
|Otp.whlclientinst.inc|Not applicable|1,104|19-Dec-2010|22:43|Not applicable|
|Portalhomepage.whlclientsetup_all.msi|Not applicable|3,556,864|19-Dec-2010|23:23|Not applicable|
|Portalhomepage.whlclientsetup_basic.msi|Not applicable|3,557,888|19-Dec-2010|23:29|Not applicable|
|Portalhomepage.whlclientsetup_networkconnector.msi|Not applicable|3,557,888|19-Dec-2010|23:19|Not applicable|
|Portalhomepage.whlclientsetup_networkconnectoronly.msi|Not applicable|3,557,888|19-Dec-2010|23:20|Not applicable|
|Portalhomepage.whlclientsetup_socketforwarder.msi|Not applicable|3,557,888|19-Dec-2010|23:25|Not applicable|
|Rsast.cab|Not applicable|79,766|19-Dec-2010|23:35|Not applicable|
|Sfhlprutil.cab|Not applicable|63,016|19-Dec-2010|23:35|Not applicable|
|Uagqec.cab|Not applicable|64,832|19-Dec-2010|23:35|Not applicable|
|Uninstalluagupdate.cmd|Not applicable|183|19-Dec-2010|23:45|Not applicable|
|Whlcache.cab|Not applicable|265,479|19-Dec-2010|23:35|Not applicable|
|Whlclientinst.inc|Not applicable|1,104|19-Dec-2010|22:43|Not applicable|
|Whlclntproxy.cab|Not applicable|244,280|19-Dec-2010|23:35|Not applicable|
|Whlcompmgr.cab|Not applicable|951,812|19-Dec-2010|23:35|Not applicable|
|Whldetector.cab|Not applicable|262,306|19-Dec-2010|23:35|Not applicable|
|Whlio.cab|Not applicable|192,920|19-Dec-2010|23:35|Not applicable|
|Whllln.cab|Not applicable|167,091|19-Dec-2010|23:35|Not applicable|
|Whlllnconf1.cab|Not applicable|6,521|19-Dec-2010|23:35|Not applicable|
|Whlllnconf2.cab|Not applicable|6,610|19-Dec-2010|23:35|Not applicable|
|Whlllnconf3.cab|Not applicable|6,599|19-Dec-2010|23:35|Not applicable|
|Whltrace.cab|Not applicable|255,946|19-Dec-2010|23:35|Not applicable|
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.