Symptoms

When end users attempt to access the Forefront UAG portal, they may receive the following message: "An authentication error occurred when signing in." In addition, Event ID 176 may be logged in Event Viewer or shown in the Web Monitor with the description "ADFSv2Site: Found more than one claim with lead user name claim type [user_name_claim_type], Session ID: [session_ID], Trunk name: [trunk_name]."

Cause

Forefront UAG takes one claim from the AD FS 2.0 token as the lead user value (the user name for the session) and accepts only one claim of that claim type. If the AD FS 2.0 server issues two or more claims of the lead user claim type for a user, Forefront UAG rejects the token and the user cannot sign in to the portal. The claim type in question is the one shown as [user_name_claim_type] in Event ID 176.

Solution

To change the claim types provided by the AD FS 2.0 server:

  1. On the AD FS 2.0 server, in the AD FS 2.0 Management console, go to AD FS 2.0\Trust Relationships\Relying Party Trusts.
  2. In the Relying Party Trusts list, right-click the Forefront UAG relying party, and then click Edit Claim Rules.
  3. In the Edit Claim Rules dialog box, on the Issuance Transform Rules tab, make sure that the AD FS 2.0 server is configured to send the claim type that Forefront UAG uses as the lead user value for this trunk, and that exactly one claim of that type is sent. Check the claims a rule produces, not just the number of rules: two rules that each issue the lead user claim type, a pass-through rule that forwards it in addition to a rule that issues it, or a single rule that maps a multi-valued attribute (one claim per value) all result in more than one claim of that type.
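As an added example that is not part of the original article, the following PowerShell script (for the AD FS 2.0 snap-in on the federation server) performs the check from step 3 in scripted form: it reads the issuance transform rules of the Forefront UAG relying party trust, lists every rule that issues the lead user claim type or passes claims through, and warns when more than one rule issues it. The trust display name ("Forefront UAG") and the lead user claim type (the UPN claim) are assumptions; replace them with the values from your trunk configuration and from Event ID 176.

```powershell
# Added example, not part of the original KB article.
# Audit the issuance transform rules of the Forefront UAG relying party trust in
# AD FS 2.0 for rules that issue (or may pass through) the lead user claim type.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$TrustName     = 'Forefront UAG'                                              # assumed: display name of the UAG relying party trust
$LeadClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'  # assumed: [user_name_claim_type] from Event ID 176

$rp = Get-ADFSRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' was not found." }

# IssuanceTransformRules is one string in the claim rule language. Every rule ends
# with ';' at the end of a line. Semicolons inside string literals (for example the
# LDAP query ";userPrincipalName;{0}") are not followed by a line break, so the split
# below leaves them alone.
$rules = $rp.IssuanceTransformRules -split ';(?=\s*(?:\r?\n|$))' |
         ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

$escaped  = [regex]::Escape($LeadClaimType)
$findings = foreach ($rule in $rules) {
    $name = if ($rule -match '@RuleName\s*=\s*"([^"]*)"') { $Matches[1] } else { '(unnamed rule)' }

    # Explicit issuance of the lead claim type: either issue(Type = "<type>", ...)
    # or an attribute-store rule whose types = ("...") list contains it.
    $explicit = $rule -match "issue\s*\([^;]*?(Type\s*=\s*`"$escaped`"|types\s*=\s*\([^)]*`"$escaped`")"

    # Pass-through rules (issue(claim = c)) emit whatever claims matched their
    # condition, so they can add a second copy of the lead claim type.
    $passThru = (-not $explicit) -and ($rule -match 'issue\s*\(\s*claim\s*=')

    if ($explicit) {
        $kind = 'Issues lead claim type'
    } elseif ($passThru -and $rule -match $escaped) {
        $kind = 'Passes through lead claim type'
    } elseif ($passThru) {
        $kind = 'Pass-through (verify manually)'
    } else {
        continue
    }

    # New-Object rather than [pscustomobject] so the script also runs on PowerShell 2.0
    New-Object PSObject -Property @{ RuleName = $name; Kind = $kind; Rule = $rule }
}

$findings | Format-Table RuleName, Kind -AutoSize

# Rules that definitely emit the lead claim type (explicit issue or a pass-through
# whose condition names it). Other pass-through rules still need a manual look.
$emitting = @($findings | Where-Object { $_.Kind -ne 'Pass-through (verify manually)' })

if ($emitting.Count -gt 1) {
    Write-Warning ("{0} rules emit '{1}'. Forefront UAG accepts only one claim of the lead user claim type; remove or merge the duplicates." -f $emitting.Count, $LeadClaimType)
} elseif ($emitting.Count -eq 0) {
    Write-Warning "No rule emits '$LeadClaimType', but Forefront UAG requires it."
} else {
    Write-Host "Exactly one rule emits '$LeadClaimType'. Confirm that it cannot produce several values (for example from a multi-valued attribute)."
}
```

The script flags rules, not the claims they actually produce, so a single rule that maps a multi-valued attribute or group memberships to the lead claim type still has to be judged by hand. Correct the rule set in the Edit Claim Rules dialog box as in step 3; if you script the change instead, `Set-ADFSRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules <rule text>` replaces the whole rule string, so pass the complete corrected set rather than only the rule you edited.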