This topic describes how to configure an Active Directory Federation Services (AD FS) 2.0 authentication repository on Forefront Unified Access Gateway (UAG). When defining the AD FS 2.0 authentication repository, you should use a federation metadata file containing configuration information that facilitates the proper configuration of claims provider trusts and relying party trusts.

You can also create an AD FS 2.0 authentication repository during trunk creation. See Creating a portal trunk for AD FS 2.0.


Before you configure the AD FS 2.0 authentication repository, make sure that your AD FS 2.0 server federation metadata is available to your Forefront UAG server. The federation metadata is normally available on the AD FS 2.0 server at the following URL: https://adfs2_server/FederationMetadata/2007-06/federationmetadata.xml.

To configure AD FS 2.0 authentication

  1. In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.

  2. On the Authentication and Authorization Servers dialog box, click Add.

  3. In the Server type list, click AD FS 2.0, and on the Add Authentication Server dialog box, configure the server settings.

  4. In Server name, enter the name of the server or repository. This name is used for identification when you select the server or repository during the configuration of Forefront UAG. It is also part of the name of the AD FS 2.0 application that is automatically created by Forefront UAG. It is not the DNS name or FQDN of the federation server.

  5. In Federation Metadata, select one of the following options to import the federation metadata from the AD FS 2.0 server:

    • Specify the URL of the federation metadata file—Enter the URL of the federation metadata file. For example, https://adfs2_server/FederationMetadata/2007-06/federationmetadata.xml.

    • Import the federation metadata file—Click the Browse button to locate the federation metadata file.

      It is recommended that you copy the federation metadata file to the Forefront UAG server before you attempt to import the file.

  6. Click Retrieve Metadata to retrieve the list of claims defined in the federation metadata file.

    Forefront UAG validates the federation metadata and checks that the AD FS 2.0 Token-signing certificate used to sign the federation metadata is valid. This validation may take up to a minute. If you receive a warning that the certificate is not trusted, you can continue, but you should check the certificate chain of trust and whether the certificate has expired or is not yet valid. You may also need to export the Token-signing certificate from the AD FS 2.0\Service\Certificates pane in the AD FS 2.0 Management console and import it into the Trusted Root Certification Authorities certificate store on your Forefront UAG server.

    Whenever the federation metadata is modified, you must return to this dialog box, click Retrieve Metadata, and then select the lead user claim value again.

    For information about troubleshooting federation metadata retrieval, see Troubleshooting Forefront UAG federation metadata retrieval errors.

  7. In the Select the claim value to be used as lead user value list, select the claim type whose value identifies the users who initiate web sessions with Forefront UAG. This value is used in Forefront UAG Web Monitor to allow you to monitor the user's session. It is recommended that you use a claim type such as name or email address.

    The drop-down list shows the friendly name for each claim type instead of the full URI.

    Forefront UAG supports only English characters in the claim type.

    When you configure the AD FS 2.0 server claim rules, you must make sure that the AD FS 2.0 server is configured to send the claim type that you choose here. See Creating a rule to pass-through or filter an incoming claim.
  8. On the Add Authentication Server dialog box, click OK, and then on the Authentication and Authorization Servers dialog box, click Close.
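
The certificate conditions named in step 6 (chain of trust, expired, not yet valid) and the claim types listed in step 7 can be inspected on a local copy of the metadata file before you click Retrieve Metadata. The following PowerShell is an added example, not part of the original topic or of Forefront UAG; the function name Test-FederationMetadata and the file path in the usage comment are assumptions, it assumes the WS-Federation metadata layout that AD FS 2.0 publishes, and it checks the embedded certificate only, not the XML signature itself.

```powershell
# Added example: pre-check a local copy of federationmetadata.xml before importing it.
function Test-FederationMetadata {
    param([Parameter(Mandatory = $true)][string]$Path)

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path $Path).ProviderPath)

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md',   'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('fed',  'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('auth', 'http://docs.oasis-open.org/wsfed/authorization/200706')

    # Certificate carried in the document-level signature (the Token-signing certificate).
    $xpath = '/md:EntityDescriptor/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    $node  = $xml.SelectSingleNode($xpath, $ns)
    if ($null -eq $node) { throw "No signing certificate found in $Path" }
    $bytes = [Convert]::FromBase64String($node.InnerText)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

    # Build the chain against this server's certificate stores. Revocation checking is
    # switched off so that the check runs offline (a choice made for this example).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    # Claim types the server offers: friendly name plus the full URI.
    $claims = @($xml.SelectNodes('//fed:ClaimTypesOffered/auth:ClaimType', $ns) | ForEach-Object {
        New-Object PSObject -Property @{
            FriendlyName = $_.SelectSingleNode('auth:DisplayName', $ns).InnerText
            Uri          = $_.GetAttribute('Uri')
        }
    })

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotYetValid  = ($now -lt $cert.NotBefore)
        Expired      = ($now -gt $cert.NotAfter)
        ChainTrusted = $trusted
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        ClaimTypes   = $claims
    }
}

# Usage (the path is an assumption):
# Test-FederationMetadata -Path C:\Temp\federationmetadata.xml | Format-List
```

If ChainTrusted is False with a ChainStatus of UntrustedRoot, the result corresponds to the "certificate is not trusted" warning described in step 6.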