We have come across the following intermittent error when clients attempt to access a UAG URL. The error is:
You have authenticated successfully using Active Directory Federated Services (ADFS), but your user name or group cannot be located in a required Forefront UAG local group.
The infrastructure is set up using 2 independent UAG Celestix appliances with the exact same configuration on each appliance. As these are placed in different datacentres, failover is performed by an F5 Global load balancer. So these appliances are not in an array.
The first appliance was producing this error intermittently for the past week, and now we have found that the other appliance produces the same error. So far it is for around a small handful of users, again intermittently.
No relevant logs have been seen so far to easily troubleshoot this issue.
I think I saw a similar error when a user accesses UAG using a cookie that was generated on a different UAG with the same trunk name (which seems to match your scenario). I suspect that for some reason your F5 GLB does not keep affinity (stickiness) and the client is being "jumped" from one UAG to the other.
Can you check if clearing the client's cookie cache solves the problem? If not, and if you can afford it, you can try disabling the LB so all traffic goes to a single UAG and (after clearing cookies) test again; if this fixes the problem it will prove it is an LB issue (jumping between UAGs).
Thanks Ophir. Yes, we thought it may be a cookie issue. But I believe the traffic gets passed to a single UAG server in one data centre and then fails over to the other in the event of a failure. I will confirm this. We are currently upgrading to SP2 to see if this resolves the issue, then will look to bypass the HLB if clients still get the error. Thanks