UAG SSO and UPN problems

  • Question

  • Here is my problem, to which I hope someone can guide me to the answer!

    We have OWA and SharePoint published via a portal and configured to use SSO.

    When I log in with just the username (i.e. joe.bloggs) it authenticates and I can log on to both apps fine....

    I check the Web Monitor and I see, for example, contoso.com\joe.bloggs as an authenticated user!

    Which is all good.

    The problem is when UPNs are used, so I log in at the portal session with joe.bloggs@contoso.com.

    It logs in fine and presents the applications; I click OWA and it logs in fine,

    but when I click SharePoint it says I do not have permission to access the website...

    When I check the Web Monitor it says contoso.com\joe.bloggs@contoso.com is logged on...

    and there is my problem.... SharePoint won't understand all that!

    So I need a way within UAG to remove either the @contoso.com or remove the primary domain contoso.com before it passes the credentials to SharePoint...

    Can anyone help?



    John
    Saturday, August 14, 2010 11:05 PM

Answers

  • John,

    When you configured your AD repository, did you specify a default domain as part of the repository? (It's at the bottom of the configuration screen.)


    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Sunday, August 22, 2010 8:59 AM
    Sunday, August 22, 2010 8:59 AM

All replies

  • I did, as there are other applications depending on single sign-on....

    I have tried removing it but it still seems to "mangle" the UPN request to SharePoint...


    John
    Monday, August 23, 2010 7:36 AM
  • Hi John,

    Take a look at the TranslateUPN registry key described here: http://technet.microsoft.com/en-us/library/ee809087.aspx, and note the Details section which instructs you to also create a custom repository, based on a sample file.

    See if that helps,

    -Ran

    Monday, August 23, 2010 10:07 AM
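    The mangling John and Dawie describe (the repository's default domain being prefixed to a login name that is already a UPN, giving domain.com\user@domain.com) can be illustrated with a small model. The following is an added example and is not UAG's own code, nor the logic of the TranslateUPN key or the sample INC file from the linked article; the UPN-suffix-to-NetBIOS table is constructed for the example, and in a real deployment that mapping comes from the directory. It shows the naive prefixing beside a UPN-aware translation that yields the DOMAIN\user form SharePoint expects, and it also handles the already-mangled form so it can be applied to an identity that has passed through the naive step.

```python
"""Model of UAG-style session identity formation: naive default-domain
prefixing versus UPN-aware translation to DOMAIN\\user.

Added example, not UAG code. The suffix table below is constructed."""
from typing import Optional

# Constructed mapping of UPN suffixes (DNS names) to NetBIOS domain names.
# Assumption for this example only; a real deployment resolves this from AD.
UPN_SUFFIX_TO_NETBIOS = {
    "contoso.com": "CONTOSO",
}


def naive_session_identity(login: str, default_domain: Optional[str]) -> str:
    """Reproduce what the thread observes in the Web Monitor: the repository's
    default domain is prefixed to whatever was typed, UPN or not."""
    if default_domain and "\\" not in login:
        return f"{default_domain}\\{login}"
    return login


def netbios_for(domain: str) -> str:
    """Map a DNS domain to its NetBIOS name; a name without dots is assumed
    to already be a NetBIOS name and is normalised to upper case."""
    if "." in domain:
        netbios = UPN_SUFFIX_TO_NETBIOS.get(domain.lower())
        if netbios is None:
            raise ValueError(f"unknown domain suffix {domain!r}")
        return netbios
    return domain.upper()


def translate_upn(login: str, default_domain: Optional[str]) -> str:
    """Translate any of the login shapes seen in the thread to DOMAIN\\user.

    user                   -> DEFAULT\\user     (default domain required)
    user@suffix            -> NETBIOS(suffix)\\user
    DOMAIN\\user           -> DOMAIN\\user
    domain.com\\user@suffix -> NETBIOS(suffix)\\user  (already-mangled form;
                              the bogus prefix is discarded, the UPN wins)
    """
    prefix, _, name = login.rpartition("\\")  # prefix == "" if no backslash
    if "@" in name:
        user, _, suffix = name.rpartition("@")
        if not user or not suffix:
            raise ValueError(f"malformed UPN in {login!r}")
        return f"{netbios_for(suffix)}\\{user}"
    if not name:
        raise ValueError(f"empty user name in {login!r}")
    if prefix:
        return f"{netbios_for(prefix)}\\{name}"
    if not default_domain:
        raise ValueError(f"no domain for bare login {login!r}")
    return f"{netbios_for(default_domain)}\\{name}"


if __name__ == "__main__":
    # Constructed sample logins, mirroring the thread's examples.
    for login in ("joe.bloggs", "joe.bloggs@contoso.com"):
        mangled = naive_session_identity(login, "contoso.com")
        print(f"{login:28} naive -> {mangled:40} translated -> "
              f"{translate_upn(login, 'contoso.com')}")
```

Running the module prints the mangled identity contoso.com\joe.bloggs@contoso.com for the UPN login beside its translated form CONTOSO\joe.bloggs, which is the difference between the two Web Monitor entries John reports.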
  • Hi, I have a similar or maybe the same issue and had a look at the TranslateUPN registry key. In fact, I used that key. Problem is that the initial logon to UAG works and the events on the session show that. Normal NTLM-style logon works, but the UPN-style logon produces the mangled credentials. The logon sequence transfers good DOMAIN\User content, which it just logged on and said Successful to the session as domain.com\user@domain.com.

    Any ideas on assisting in tracing why will be appreciated.

    Thanks

    Thursday, September 2, 2010 1:16 PM
  • Dawie,

    You mentioned you are using the TranslateUPN registry key. Have you also created the custom INC file mentioned in the KB article I pointed to, above?

    -Ran

    Thursday, September 2, 2010 2:24 PM
  • Dawie,

    You mentioned you are using the TranslateUPN registry key. Have you also created the custom INC file mentioned in the KB article I pointed to, above?

    -Ran


    Yes, we have two DCs and I created two INC files. I even looked in the Domain Controllers OU to see in which CASE their names appear. The translation works well, because we log on using a UPN and the event log of that session shows the DOMAIN\user and not user@domain.com. This is on line two of that session. The following entry in the table says that it transfers the user detail and creates a session. It is in this entry where the name is now transformed into domain.com\user@domain.com. If you look at the active sessions, it also displays the "Lead User" as: domain.com\user@domain.com. It also says Authenticated. In other words, ready to use applications.

    If I specify the two DCs and the SSO domain, then the detail changes to DOMAIN\user@domain.com.

    I followed this process: http://technet.microsoft.com/en-us/library/ff607424.aspx

    Thursday, September 2, 2010 2:33 PM