To enable a Forefront Unified Access Gateway (UAG) portal trunk for Active Directory Federation Services (AD FS), you must configure the Forefront UAG portal trunk that publishes the applications for which you want to allow AD FS access to use Active Directory authentication. You must also ensure that client endpoint access to the applications is working as expected.

When using AD FS, the user does not authenticate to Forefront UAG, but to AD FS. After authentication, Forefront UAG retrieves the user and group identity from the NT token issued by the AD FS Web agent. Note that even when the published application uses a claims-aware authentication method, the Forefront UAG application on the federation server should still be configured to use NT token-based authentication. The retrieved user and group identity is set as the "lead user" of the Forefront UAG session, and if application authorization is enabled, it is applied using that identity. The trunk login pages should be configured to use ADFS/login.asp for authentication.

This topic describes how to enable a Forefront UAG portal trunk for AD FS.

Prerequisites

Before you can complete this procedure you must do the following:

  • Create a certificate for the portal trunk and import it into the Personal certificates on the Forefront UAG server. The certificate should be issued by a trusted Certification Authority (CA).

  • Create a portal trunk using:

    • The first static IP address configured on the external network adapter.

    • The portal trunk certificate.

    • Any available authentication repository.

To enable a portal trunk for AD FS

  1. In the Forefront UAG Management console, select the required portal trunk.

  2. In the Trunk Configuration area, click Configure, and then on the Advanced Trunk Configuration dialog box, click the Authentication tab.

  3. In Select authentication servers, click Add.

  4. On the Authentication and Authorization Servers dialog box, click Add.

  5. In Server type, click Active Directory. In Server name, type "adfs", and specify the details of the Active Directory domain controller. Specify an administrator password for the domain controller if one is required.

    Note:
    You must name the server adfs, in lower case letters.

  6. On the Authentication and Authorization Servers dialog box, click the server that you specified in the previous step, and then click Select.

  7. On the Advanced Trunk Configuration dialog box, on the Authentication tab, do the following steps, and then click OK:

    1. In the User login page box, type ADFS/login.asp.

    2. In the On-the-fly user logon page box, type ADFS/login.asp.

    3. Clear the Enable users to add credentials on-the-fly check box.

    4. Clear the Enable users to manage credentials check box.

  8. Click OK to close the Advanced Trunk Configuration dialog box.

  9. On the portal properties page, in the Applications list, click Portal, and then click Edit.

  10. On the Application Properties dialog box, click the Web Servers tab, and then in the HTTPS Ports box, enter Auto.

  11. On the Application Properties dialog box, click the Portal Link tab, and then in the Application URL box, change the URL from HTTP to HTTPS.

    Important:
    It is necessary to change the application URLs from HTTP to HTTPS, because any application that you publish using AD FS authentication must be published using HTTPS.

  12. Click OK to close the Application Properties dialog box.