When you use Forefront Unified Access Gateway (UAG) with Active Directory Federation Services (AD FS) 2.0 authentication, you may encounter a number of errors when activating the configuration in the Forefront UAG Management console.

The following table provides links to troubleshooting topics for the errors that you may encounter:

Wiki topic title

Forefront UAG error message

Forefront UAG Troubleshooting - The AD FS 2.0 application does not allow unauthenticated access

The AD FS 2.0 application 'application_name' in trunk 'trunk_name' is not configured to allow unauthenticated access. This is required when using federated trunk authentication.

Forefront UAG Troubleshooting - The application uses KCD for SSO, but no claim type is provided

The application 'application_name' in trunk 'trunk_name' is configured to use Kerberos constrained delegation for single sign-on. Select a claim type that is provided by the authentication provider for Kerberos constrained delegation.

Forefront UAG Troubleshooting - The AD FS 2.0 authentication server is used in more than one trunk

The AD FS 2.0 authentication server 'authentication_server' is used in more than one trunk: trunk_list. Configure Forefront UAG to use the AD FS 2.0 authentication server in one trunk only.

Forefront UAG Troubleshooting - The application uses authorization rules based on claims from the wrong trunk authentication server

The application 'application_name' in trunk 'trunk_name' uses authorization rules based on claims from authentication servers that are not configured for trunk authentication. Remove these rules from the application configuration.

Forefront UAG Troubleshooting - The application uses authorization rules based on claims that are not provided by the authentication server

The application 'application_name' in trunk 'trunk_name' uses authorization rules based on claim types that are no longer provided by the authentication server. Update the authorization rules using available claim types.

Forefront UAG Troubleshooting - The trunk contains applications that have the same public host name and path

The trunk 'trunk_name' contains applications that have the same public host name and path. Configure unique public host names and paths for these applications:

Forefront UAG Troubleshooting - Do you want to associate your current AD FS 2.0 application with the authentication server?

An AD FS 2.0 authentication server is used in trunk 'trunk_name'. The authentication server should be associated with an AD FS 2.0 application to provide automatic management of the AD FS 2.0 application. You can associate your current AD FS 2.0 application 'application_name' or you can create a new AD FS 2.0 application. Do you want to associate your current AD FS 2.0 application with the authentication server?