Forefront Unified Access Gateway (UAG) allows end users to authenticate to the Forefront UAG portal, and to application servers that are published through the portal, by using forms-based authentication with a user principal name (UPN) and a password. Because a UPN is unique within a domain forest, the end user can authenticate to any application server within the forest without supplying the domain name as part of the credential.

When an end user authenticates to the Forefront UAG portal by using a client certificate (for example, a smart card), and then attempts to open an application that requires authentication, the UPN of that end user is automatically displayed in the User name box, eliminating the need to manually enter the user name.

You can also configure Forefront UAG to use Kerberos authentication to backend published servers. The following procedures describe how to enable UPN logon, and how to perform Kerberos authentication using UPN.

To enable UPN logon

  1. On the Forefront UAG server, click Start, click Run, and then type regedit.

  2. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UserMgr\ subkey.

  3. Set the TranslateUPN value under that subkey to 1. The value exists by default and is set to 0.

    Warning:
    Serious problems may occur if you modify the registry incorrectly by using the Registry Editor or another method. These problems may require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  4. Copy the file repository_for_upn.inc from the ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples folder to the ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate folder.

  5. Rename the file as follows: <Server_Name>.inc

    where Server_Name is the name of the authentication server against which you want to allow users to authenticate with their UPN.

    For example, if you named the server "AD_auth", name the file AD_auth.inc.

  6. Repeat steps 4 through 5 for all the authentication servers against which you want to allow users to authenticate with their UPN.

  7. Restart the Forefront UAG User Manager service.

  8. Activate the configuration.

To perform Kerberos authentication using UPN

  1. On the Forefront UAG server, click Start, click Run, and then type regedit.

  2. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\URLFilter\ subkey.

  3. Create a DWORD value named KCDUseUPN under that subkey, and set it to 1. If the value is set to 0, or does not exist, the DOMAIN\UserName format is used for Kerberos authentication to the backend server.
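The two procedures above, scripted as a single PowerShell run on the Forefront UAG server. This is an added example, not a script from the Forefront UAG documentation or product. It assumes that $UagRoot is the UAG installation folder (the folder the documentation abbreviates as "...\Microsoft Forefront Unified Access Gateway"), that $AuthServerNames are the authentication server names as defined in the UAG console (for example AD_auth), and that the User Manager service's display name contains "Forefront UAG User Manager"; all three are assumptions to verify on your own server. Each registry change is read back after it is written so that a silently failed write does not leave you believing UPN logon is enabled when it is not.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the Forefront UAG documentation): enable UPN logon
# and, optionally, UPN-format Kerberos authentication to published servers.
param(
    [Parameter(Mandatory)] [string]   $UagRoot,          # assumption: UAG install folder
    [Parameter(Mandatory)] [string[]] $AuthServerNames,  # assumption: names from the UAG console, e.g. 'AD_auth'
    [switch] $EnableKerberosUpn                          # also create KCDUseUPN = 1
)

$userMgrKey   = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UserMgr'
$urlFilterKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\URLFilter'
$sampleInc    = Join-Path $UagRoot 'von\InternalSite\samples\repository_for_upn.inc'
$customUpdate = Join-Path $UagRoot 'von\InternalSite\inc\CustomUpdate'

# Fail before touching anything rather than leave a half-applied configuration.
if (-not (Test-Path $userMgrKey)) { throw "Registry subkey not found: $userMgrKey (is this a UAG server?)" }
if (-not (Test-Path $sampleInc))  { throw "Sample file not found: $sampleInc (check -UagRoot)" }

# Write a DWORD value, creating it if absent, and verify the write by reading it back.
function Set-VerifiedDword {
    param([string]$Key, [string]$Name, [int]$Value)
    $before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $before) {
        New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        $before = '<absent>'
    } else {
        Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    }
    $after = (Get-ItemProperty -Path $Key -Name $Name).$Name
    if ($after -ne $Value) { throw "$Key\$Name reads back as $after, expected $Value" }
    Write-Output "$Key\$Name : $before -> $after"
}

# "To enable UPN logon", step 3: TranslateUPN exists by default as 0; set it to 1.
Set-VerifiedDword -Key $userMgrKey -Name 'TranslateUPN' -Value 1

# Steps 4 to 6: one copy of repository_for_upn.inc named <Server_Name>.inc per
# authentication server, placed in inc\CustomUpdate.
New-Item -ItemType Directory -Path $customUpdate -Force | Out-Null
foreach ($serverName in $AuthServerNames) {
    $dest = Join-Path $customUpdate "$serverName.inc"
    Copy-Item -Path $sampleInc -Destination $dest -Force
    if (-not (Test-Path $dest)) { throw "Copy failed: $dest" }
    Write-Output "Created $dest"
}

# Step 7: restart the User Manager service. The display name is an assumption;
# if it does not match, restart the service manually from services.msc.
$userMgrSvc = Get-Service -DisplayName '*Forefront UAG User Manager*' -ErrorAction SilentlyContinue
if ($userMgrSvc) {
    Restart-Service -InputObject $userMgrSvc -Force
    Write-Output "Restarted service '$($userMgrSvc.DisplayName)'"
} else {
    Write-Warning 'User Manager service not found by display name; restart it manually.'
}

# "To perform Kerberos authentication using UPN", step 3: KCDUseUPN = 1 means the
# UPN is sent to the backend; 0 or absent means DOMAIN\UserName is used.
if ($EnableKerberosUpn) {
    if (-not (Test-Path $urlFilterKey)) { throw "Registry subkey not found: $urlFilterKey" }
    Set-VerifiedDword -Key $urlFilterKey -Name 'KCDUseUPN' -Value 1
}

# Step 8 (activation) is done in the Forefront UAG Management console, not here.
Write-Output 'Done. Activate the configuration in the Forefront UAG Management console.'
```

Run it as, for example, `.\Enable-UagUpnLogon.ps1 -UagRoot 'D:\Program Files\Microsoft Forefront Unified Access Gateway' -AuthServerNames 'AD_auth','AD_auth2' -EnableKerberosUpn` (the path shown is illustrative; use your server's actual installation folder). The script deliberately creates KCDUseUPN only when asked, because a UAG server whose published servers expect DOMAIN\UserName will break Kerberos authentication to those servers if the value is flipped to 1 unintentionally.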