UAG on ADFS Resource side

  • Question

  • I want to use a UAG on the resource side as 1) an ADFS-Proxy, 2) the UAG Portal be an ADFS resource itself, 3) UAG publishing other ADFS resources. I know the UAG must be domain joined but to what domain if there are multiple domains. Does it matter? Does it need to be same domain as ADFS-R or as every ADFS-web-resource, or can it talk to an ADFS-R in different domain and publish resources in different domains as long as trusts exist?

    Thanks,

    Mark

    Tuesday, May 4, 2010 7:25 PM

Answers

  • There is a trust. In fact I uninstalled UAG/TMG from the server and set up a generic website on the server manually in IIS. ADFS web enabled it as a NT token app and it worked. So that should prove the domain difference is fine, as well as IPs, certificates, etc. Since it's not working with UAG portal as the web enabled app still, I went ahead and opened an SR with Microsoft.
    • Marked as answer by Erez Benari Friday, May 28, 2010 8:48 PM
    Friday, May 14, 2010 3:30 PM

All replies

  • I think I've figured out the answer is no. I took my UAG which is domain joined to a different domain than my ADFS-R and removed UAG software altogether. Then created a very generic NT token based web app on the IIS and ADFS worked just fine. (using same ADFS-R and ADFS-A)

    However I still can't get it to work with UAG yet. When I go to the portal URL, I get redirected to the ADFS-R, then to the ADFS-A, asked for my credentials, and eventually back to UAG portal. But I get a UAG error 109. Pretty sure it's coming from the ADFSvalidate.inc because it can't pull a username from the ADFS websso token. I also get an event in eventviewer that says:

    "The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension was unable to obtain a Windows NT token from the authentication service.

    An anonymous token will be generated for this request."

    Any ideas??

    Thanks,

    Mark

    Wednesday, May 12, 2010 9:37 PM
  • Sorry, meant error_code=9 (not 109)
    Thursday, May 13, 2010 1:30 PM
  • If there is no trust between these domains it will not work.

    Friday, May 14, 2010 12:31 AM
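    A quick way to confirm or rule out the trust condition this reply describes, as an added example that is not part of the thread: run it on the UAG server to print the domain it is joined to, list the trusts that domain has, and pull the "unable to obtain a Windows NT token" event quoted above from the Application log. The ActiveDirectory module (RSAT) and the `$AdfsDomain` placeholder are assumptions.

    ```powershell
    # Added example, not code from the thread.
    # Assumes the ActiveDirectory PowerShell module is installed on this server;
    # $AdfsDomain is a placeholder for the domain that hosts the ADFS-R server.
    Import-Module ActiveDirectory

    $AdfsDomain  = 'adfs-resource.example'   # placeholder, replace with the real domain name
    $localDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    Write-Host "This server is joined to: $localDomain"

    # Every trust known to the local domain, with direction and transitivity.
    $trusts = Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
    $trusts | Format-Table -AutoSize

    # Is the ADFS-R domain among them, and is the trust two-way?
    $match = $trusts | Where-Object { $_.Name -ieq $AdfsDomain }
    if (-not $match) {
        Write-Warning "No trust with $AdfsDomain is listed; a UAG joined to $localDomain cannot obtain NT tokens for accounts from that domain."
    } elseif ($match.Direction -ne 'BiDirectional') {
        Write-Warning "Trust with $AdfsDomain is $($match.Direction) only; check that the direction covers the accounts ADFS presents."
    } else {
        Write-Host "Two-way trust with $AdfsDomain is present."
    }

    # Independent view that does not need the AD module: nltest ships with Windows.
    nltest /domain_trusts /all_trusts

    # The event quoted in this thread goes to the Application log; look for it on
    # the UAG server right after a failed portal logon.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application' } -MaxEvents 500 |
        Where-Object { $_.Message -like '*unable to obtain a Windows NT token*' } |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Format-List
    ```

    If the trust is present and two-way but the event still appears, the trust is not the cause and the next place to look is the UAG portal application itself, which is the direction the thread's author ends up taking.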