UAG & ADFS error

  • Trying to authenticate against a UAG portal using ADFS auth as the auth server with a Windows acct (domain\accountName). I hit the ADFS server (via UAG) and get the following after 3 attempts to logon with a domain admin acct:

    Unauthorized: Access is denied due to invalid credentials. You do not have permission to view the directory or page using the creds that you specified

    The acct is valid.

    I can see sec failures in the windows sec log (audit failures, event ID 4625, status 0xc000035b).

    any ideas?


    Thursday, March 29, 2012 2:19 PM

All replies

  • Hi Mark,

    See if this helps: take a look at Forefront UAG and AD FS 2.0 supported scenarios and prerequisites , at the section "For topologies providing access to your remote employees", where CBT is discussed.



    Thursday, March 29, 2012 3:29 PM
  • Appreciate the reply.

    Tried that, rebooted the ADFS server but still the same. Is there any way to troubleshoot what's going on. Tried tracing with Wireshark but nothing obvious.

    Thursday, March 29, 2012 4:25 PM
  • Strange, if I enable netlogon logging on the ADFS server and logon with an account in the same domain as the servers I get:

    [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)

    [LOGON] SamLogon: Network logon of Domain\UserA from PCName Returns 0xC000006A

    which equates to wrong password (which it 100% is not)

    If I logon with an account in a separate domain (trusted) I get:

    [LOGON] SamLogon: Network logon of Domain\UserA from PCName Entered

    [LOGON] SamLogon: Network logon of Domain\UserA from PCName Returns 0x0

    If I try and logon to UAG using a pure AD portal (no ADFS at all) it works fine with both accounts.

    Also, looking at netlogon tracing on the DC, I only see successes (Returns 0x0) on both accounts!! Very annoying.

    Does anyone have any suggestions to further troubleshoot this problem?

    • Edited by Mark_Robson Friday, March 30, 2012 10:40 AM
    Friday, March 30, 2012 10:29 AM
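The comparison in the post above (0xC000006A on the AD FS member server versus 0x0 for the same account on the DC) is the useful signal, and it is easier to see when the Netlogon log is summarised per account and status rather than read line by line. The following PowerShell script is an added example, not code from the thread or from Microsoft; it assumes Netlogon debug logging was enabled with `nltest /dbflag:0x2080ffff` (which writes `%windir%\debug\netlogon.log`), the sample lines are constructed to mirror the ones posted, and `Get-NetlogonResult` and `$StatusNames` are names chosen here.

```powershell
# Added example, not from the thread: summarise SamLogon outcomes in a Netlogon debug log.
# Assumes Netlogon debug logging was turned on with "nltest /dbflag:0x2080ffff"
# (log lands in %windir%\debug\netlogon.log; turn it off again with "nltest /dbflag:0x0").

# Constructed sample lines modelled on the ones posted above; real logs carry a date/time prefix.
$SampleLog = @'
03/30 10:15:01 [LOGON] SamLogon: Network logon of Domain\UserA from PCName Entered
03/30 10:15:01 [LOGON] SamLogon: Network logon of Domain\UserA from PCName Returns 0xC000006A
03/30 10:16:12 [LOGON] SamLogon: Network logon of Trusted\UserB from PCName Entered
03/30 10:16:12 [LOGON] SamLogon: Network logon of Trusted\UserB from PCName Returns 0x0
'@

# NTSTATUS codes that appear in the thread. 0xC000006A is STATUS_WRONG_PASSWORD.
$StatusNames = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
}

function Get-NetlogonResult {
    param([string[]]$Lines)
    $pattern = 'SamLogon: (?<Type>\w+) logon of (?<Account>\S+) from (?<Source>\S+) Returns (?<Status>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Normalise the hex casing so the lookup works however Netlogon printed it
            $status  = '0x' + $Matches.Status.Substring(2).ToUpper()
            $meaning = if ($StatusNames.ContainsKey($status)) { $StatusNames[$status] } else { 'not mapped here' }
            [pscustomobject]@{
                Account = $Matches.Account
                Source  = $Matches.Source
                Type    = $Matches.Type
                Status  = $status
                Meaning = $meaning
            }
        }
    }
}

# Run against the constructed sample:
Get-NetlogonResult -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

# Run against the real log on the AD FS server and again on a DC, then compare the two:
# Get-NetlogonResult -Lines (Get-Content "$env:windir\debug\netlogon.log") |
#     Group-Object Account, Status | Select-Object Count, Name
```

Run the same summary on the AD FS server and on the DC it talks to. When the DC reports STATUS_SUCCESS for an account that the AD FS server reports as STATUS_WRONG_PASSWORD, the password itself has been accepted and the failure is being injected on the AD FS side, which narrows the search to settings on that server (in this thread, IIS Extended Protection on /adfs/ls) rather than the account.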
  • Sorted. It was the extended protection on adfs\ls. Thought I had changed it :-)

    Disable IIS Extended Protection on ADFS Server

    When ADFS server is handling authentication requests behind a reverse proxy Extended Protection needs to be disabled on IIS.

    More information on this here: http://technet.microsoft.com/en-us/library/gg470578.aspx

    Friday, March 30, 2012 3:50 PM
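The poster's "thought I had changed it" is the typical way this fix goes wrong: the setting lives on the /adfs/ls application, not the site, and a reboot does nothing if it was never written. The following PowerShell is an added example, not code from the thread or from the linked Microsoft article; it assumes AD FS 2.0 is hosted on "Default Web Site", that the IIS WebAdministration module is available, and that `Get-WebConfiguration` returns the `tokenChecking` value as its friendly name (None, Allow, Require). The function names are chosen here.

```powershell
# Added example, not from the thread: read and, if needed, clear IIS Extended Protection
# (channel binding token checking) on the AD FS 2.0 /adfs/ls application.
# Assumes AD FS is hosted on "Default Web Site" and the IIS WebAdministration module is present.
Import-Module WebAdministration

$Site     = 'Default Web Site'          # assumption: change if AD FS lives on another site
$Location = "$Site/adfs/ls"
$Filter   = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # writes a <location> entry, which works even when the section is locked

function Get-AdfsExtendedProtection {
    # Returns the current tokenChecking value: None, Allow or Require
    (Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter $Filter).tokenChecking
}

function Disable-AdfsExtendedProtection {
    # Behind UAG the proxy terminates TLS, so the channel binding token AD FS computes for
    # its own TLS session can never match the one the client bound its credentials to.
    # With tokenChecking set to Require (or Allow, when the client does send a token) the
    # Windows logon is rejected even though the password is correct.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter `
        -Name tokenChecking -Value 'None'
}

"Before: $(Get-AdfsExtendedProtection)"
if ((Get-AdfsExtendedProtection) -ne 'None') {
    Disable-AdfsExtendedProtection
}
"After:  $(Get-AdfsExtendedProtection)"
```

Run it once to confirm the value actually reads `None` afterwards; that is the check the thread was missing. Setting `tokenChecking` to `None` removes the channel-binding protection against relaying captured NTLM or Kerberos authentication to the AD FS server, so it is a deliberate trade-off that only makes sense where a reverse proxy such as UAG sits between the client and AD FS and no client can present a matching token anyway; the AD FS server should not be reachable directly by clients in that topology.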