Forefront UAG Troubleshooting: Event ID 161: The User Name Claim Type Is Missing from the Security Token

Forefront UAG Troubleshooting: Event ID 161: The User Name Claim Type Is Missing from the Security Token

SymptomsWhen end users attempt to access the Forefront UAG portal, they may receive the following message "The request cannot be completed. User details are missing. Contact the site administrator." There may also be an event 161 in the event viewer or in the Web Monitor with the description "ADFSv2Site: Security token does not contain the user name claim type. User name claim type: [user_name_claim_type], Session ID: [session_ID], Trunk name: [trunk_name]."

CauseWhen users sign in to the Forefront UAG portal using federated authentication, the Federation Service provides a security token containing claims about the user. In this case, the security token does not contain the claim type that you defined on the Forefront UAG server as the lead user claim type.

Solution 1To change the claim type for the lead user:

  1. In the Forefront UAG Management console, click the trunk named in the event, and then in the Trunk Configuration area, click Configure.
  2. On the Advanced Trunk Configuration dialog box, click the Authentication tab, and then double-click the AD FS 2.0 authentication server.
  3. On the Authentication and Authorization Servers dialog box, click the AD FS 2.0 authentication server being used by this trunk, and then click Edit.
  4. In the Select the claim value to be used as lead user value list, select the claim type that you want to use for the lead user, click OK, and then activate the configuration.

Solution 2To change the claim types provided by the AD FS 2.0 server:

  1. In the AD FS 2.0 Management console, go to AD FS 2.0\Trust Relationships\Relying Party Trusts.
  2. In the Relying Party Trusts list, right-click the Forefront UAG relying party, and then click Edit Claim Rules.
  3. On the Edit Claim Rules dialog box, make sure that the AD FS 2.0 server is configured to send the claim type required by Forefront UAG.

Note: If the user is a partner employee, check the partner organization's Federation Service to ensure that it is sending the correct claim type with a claim value.

Leave a Comment
  • Please add 1 and 2 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Richard Mueller edited Revision 7. Comment: Removed (en-US) from title

  • Patris_70 edited Revision 5. Comment: added en-US title

  • Ed Price MSFT edited Revision 2. Comment: Updated title and tags.

Page 1 of 1 (3 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Ed Price MSFT edited Revision 2. Comment: Updated title and tags.

  • I received this error after following this article (blogs.technet.com/.../configuring-adfs-trusts-for-multiple-identity-providers-with-sharepoint-2010.aspx) to configure an ADFS 'hub setup'.  We had ADFS working when we went around UAG, but as soon as we put UAG in the mix we got this error.  I had to edit the ADFS 'hub server' that was being used as the AUTH in UAG.  The part I had to edit was related to Solution #2 above and the Relying Trust Party was my connection to UAG.  I originally only had LDAP attributes as claims, so I added a Pass through or Filter an incoming claim and selected the correct lead claim and on both sides and presto - it started working!   I def think others will find this useful if they use UAG as it was not easy figuring this out.

  • Patris_70 edited Revision 5. Comment: added en-US title

  • Richard Mueller edited Revision 7. Comment: Removed (en-US) from title

Page 1 of 1 (4 items)