You have a server that is running Microsoft Forefront Unified Access Gateway (UAG) 2010.
The Forefront UAG server is not a domain member.
Forefront UAG application authorization is based on primary group membership such as "Domain Users," and the user account that is used for access to applications is a member of this primary group.
The user tries to access an application through the Forefront UAG server.
In this scenario, application access through the Forefront UAG server is unsuccessful.
When Forefront UAG 2010 looks up the user's primary group by using Active Directory Service Interfaces (ADSI), the lookup is unsuccessful when Forefront UAG is not part of the domain. When a Lightweight Directory Access Protocol (LDAP) repository is used for authentication, the LDAP search response for the MemberOf attribute does not include the user's primary group.
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2710791 Description of Service Pack 2 for Forefront Unified Access Gateway 2010
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about the need to query groups to give users access that is based on group membership, click the following article number to view the article in the Microsoft Knowledge Base:
275523 Setting Primary Group excludes the user from the group membership in Active Directory
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates