Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: Client connections for Form-based SSO fail authentication in Forefront Unified Access Gateway 2010 SP4



Symptoms

Consider the following scenario:
  • You have Service Pack 4 (SP4) for Microsoft Forefront Unified Access Gateway 2010 installed.

    Note SP4 is required for Internet Explorer 11 clients.

  • You have a portal trunk that publishes applications that were defined to provide Form-based single sign-on (SSO) to the back-end published resource for the web applications.

In this scenario, client connections that use Internet Explorer 11 fail SSO authentication to the web application.



Cause

This problem occurs because of a change in the user-agent string in Internet Explorer 11. The Unified Access Gateway FormLoginDataDefinitions.xml file is defined to match "MSIE" for all versions of Internet Explorer. However, the Internet Explorer 11 user-agent string does not contain "MSIE" as earlier versions do. Therefore, the browser is categorized incorrectly.

The "MSIE" token is added back to the Internet Explorer 11 user-agent string when the browser runs in compatibility mode, so Form-based SSO works in that mode.



Resolution

This problem is fixed in Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4.



Workaround

To work around this problem, follow these steps:
  1. In the FormLoginDataDefinitions.xml file, add the following to the "All Supported" section:

    <USER_AGENT id="IE11">
      <NAME>Internet Explorer 11</NAME>
      <SIGNATURE check_by="search">rv:11</SIGNATURE>
    </USER_AGENT>

  2. Add this ID to the required USER_AGENT_GROUP. For example, if your SSO FormLogin.xml file limits this to <AGENT_TYPE search="group">all_supported</AGENT_TYPE>, add the following to the <USER_AGENT_GROUP name="all_supported"> section of the FormLoginDataDefinitions.xml file:

    <USER_AGENT_ID>IE11</USER_AGENT_ID>
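
An added example (not from the Microsoft article or from UAG itself) that models the signature matching described under Cause and the effect of the workaround on it. The `DEFINITIONS` wrapper element, the `IE` entry, the sample headers and the reading of `check_by="search"` as a plain substring test are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: only the IE11 entry and the group line come from the
# article; the DEFINITIONS wrapper and the "IE" entry are assumptions.
DEFINITIONS = """
<DEFINITIONS>
  <USER_AGENT id="IE">
    <NAME>Internet Explorer</NAME>
    <SIGNATURE check_by="search">MSIE</SIGNATURE>
  </USER_AGENT>
  <USER_AGENT id="IE11">
    <NAME>Internet Explorer 11</NAME>
    <SIGNATURE check_by="search">rv:11</SIGNATURE>
  </USER_AGENT>
  <USER_AGENT_GROUP name="all_supported">
    <USER_AGENT_ID>IE</USER_AGENT_ID>
    <USER_AGENT_ID>IE11</USER_AGENT_ID>
  </USER_AGENT_GROUP>
</DEFINITIONS>
"""

# Constructed sample headers in each browser's documented format.
SAMPLES = {
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
    "ie11": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "ie11_compat": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)",
    "firefox11": "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0",
}

def matched_ids(user_agent, group="all_supported", without=()):
    """Return the ids in `group` whose signature occurs in the header.
    `without` drops ids, to model the file before the workaround."""
    root = ET.fromstring(DEFINITIONS)
    signatures = {ua.get("id"): ua.findtext("SIGNATURE")
                  for ua in root.iter("USER_AGENT")}
    grp = root.find(f"USER_AGENT_GROUP[@name='{group}']")
    ids = [e.text for e in grp.iter("USER_AGENT_ID") if e.text not in without]
    # Assumption: check_by="search" is modelled as a plain substring test.
    return [i for i in ids if signatures[i] in user_agent]

if __name__ == "__main__":
    for label, ua in SAMPLES.items():
        before = matched_ids(ua, without=("IE11",))
        after = matched_ids(ua)
        print(f"{label:12} before={before} after={after}")
```

Under this model the constructed Firefox 11 header also matches `rv:11`, so check which browsers the group is meant to admit before relying on the workaround signature alone.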



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More Information

Learn about user-agent string changes for Internet Explorer 11.

Note The compatible ("compatible") and browser ("MSIE") tokens are removed in Internet Explorer 11.





Keywords: kbqfe, kbfix, kbnotautohotfix, kbexpertiseinter, kbsurveynew, kbbug, kb


Article Info
Article ID : 3004023
Revision : 1
Created on : 1/7/2017
Published on : 10/28/2014
Exists online : False