SymptomsWhen end users attempt to access the Forefront UAG portal, they may receive the following message "The request cannot be completed. User details are missing. Contact the site administrator." There may also be an event 161 in the event viewer or in the Web Monitor with the description "ADFSv2Site: Security token does not contain the user name claim type. User name claim type: [user_name_claim_type], Session ID: [session_ID], Trunk name: [trunk_name]."

CauseWhen users sign in to the Forefront UAG portal using federated authentication, the Federation Service provides a security token containing claims about the user. In this case, the security token does not contain the claim type that you defined on the Forefront UAG server as the lead user claim type.

Solution 1To change the claim type for the lead user:

  1. In the Forefront UAG Management console, click the trunk named in the event, and then in the Trunk Configuration area, click Configure.
  2. On the Advanced Trunk Configuration dialog box, click the Authentication tab, and then double-click the AD FS 2.0 authentication server.
  3. On the Authentication and Authorization Servers dialog box, click the AD FS 2.0 authentication server being used by this trunk, and then click Edit.
  4. In the Select the claim value to be used as lead user value list, select the claim type that you want to use for the lead user, click OK, and then activate the configuration.

Solution 2To change the claim types provided by the AD FS 2.0 server:

  1. In the AD FS 2.0 Management console, go to AD FS 2.0\Trust Relationships\Relying Party Trusts.
  2. In the Relying Party Trusts list, right-click the Forefront UAG relying party, and then click Edit Claim Rules.
  3. On the Edit Claim Rules dialog box, make sure that the AD FS 2.0 server is configured to send the claim type required by Forefront UAG.

Note: If the user is a partner employee, check the partner organization's Federation Service to ensure that it is sending the correct claim type with a claim value.