Symptoms

When end users attempt to access the Forefront UAG portal, they may receive the following message: "You are not authorized to access this application." There may also be an event 167 in the event viewer or in the Web Monitor with the description "The KCD shadow user name claim cannot be retrieved because of the following reason: [failure_reason]. The application is [application_name] of type [application_type] on trunk [trunk_name]; Secure=[HTTPS=1_HTTP=0]; Source IP=[IP_address]".

Cause

If end users cannot access the Forefront UAG portal because of a problem with the Kerberos constrained delegation (KCD) shadow user name claim, one of the following is the cause:

  • The Federation Service of the user did not send the claim type that you defined for the shadow account user name.
  • The Federation Service of the user sent the claim type that you defined for the shadow account user name, but there was no claim value.
  • The Federation Service of the user sent more than one claim of the type that you defined for the shadow account user name.

Solution

Make sure that the Federation Service is configured to send the claim type that you defined in Forefront UAG for the shadow account user name. The shadow account user name is defined in the Forefront UAG Management console on the Authentication tab of the Application Properties dialog box. Also make sure that the claim of that type carries a claim value, and that it is sent only once.
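As an added illustration (not part of this article or of Forefront UAG), the following Python snippet extracts the claims from a constructed SAML 2.0 attribute statement and applies the three checks listed under Cause, returning the shadow user name or the failure reason. The claim type URI, the sample assertion and the reason strings are assumptions made for the example.

```python
"""Check a SAML attribute statement for the shadow-account user name claim.

Added example: reproduces the three failure conditions described for event 167
(claim type missing, claim value empty, claim sent more than once).
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed claim type configured in UAG for the shadow account user name.
SHADOW_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample assertion (not captured from a real Federation Service).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Portal Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return (claim_type, value) pairs; each AttributeValue is one claim."""
    root = ET.fromstring(assertion_xml)
    claims = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        # An Attribute with no AttributeValue child is a claim without a value.
        for value in values or [""]:
            claims.append((attr.get("Name"), value.strip()))
    return claims


def shadow_user_name(claims, claim_type=SHADOW_CLAIM_TYPE):
    """Return (user_name, None) on success or (None, failure_reason)."""
    matching = [value for ctype, value in claims if ctype == claim_type]
    if not matching:
        return None, "claim type not sent"
    if len(matching) > 1:
        return None, "more than one claim of the configured type"
    if not matching[0]:
        return None, "claim sent without a value"
    return matching[0], None
```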