Symptoms—When end users attempt to access the Forefront UAG portal, they receive the message "You are not authorized to access this application." Event ID 167 may also be logged in the Event Viewer or shown in the Web Monitor with the description "The KCD shadow user name claim cannot be retrieved because of the following reason: [failure_reason]. The application is [application_name] of type [application_type] on trunk [trunk_name]; Secure=[HTTPS=1_HTTP=0]; Source IP=[IP_address]".
Cause—Forefront UAG uses a claim from the token issued by the Federation Service to determine the user name of the shadow account it impersonates for Kerberos constrained delegation (KCD). Access is denied with this symptom when the token does not contain the claim type that is configured in Forefront UAG for the shadow account user name, or when that claim is present but carries no value. The [failure_reason] in the event description indicates which of these occurred.
Solution—Make sure that the Federation Service is configured to issue the claim type that you defined in Forefront UAG for the shadow account user name. The shadow account user name is defined in the Forefront UAG Management console on the Authentication tab of the Application Properties dialog box. Also make sure that the issued claim contains a non-empty value for the authenticated user; a claim type that is issued without a value fails in the same way as a claim type that is not issued at all.
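One way to confirm which of the two conditions applies is to capture the token that the Federation Service returns to the trunk (for example with a browser developer tool or an HTTP debugging proxy) and inspect its attribute statement for the configured claim type. The script below is an added example and is not part of the original page or of Forefront UAG. It assumes the shadow account user name claim type is UPN, and it uses a constructed, unsigned SAML 2.0 assertion as sample input so that it runs offline; signature validation is deliberately out of scope.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the Federation Service token.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: UAG is configured to take the shadow account user name from the
# UPN claim. Replace with the claim type set on the application's
# Authentication tab if a different one is used.
SHADOW_USER_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


def check_shadow_user_claim(assertion_xml, claim_type=SHADOW_USER_CLAIM_TYPE):
    """Check whether the assertion carries the shadow user name claim.

    Returns (True, value) when the claim type is issued with a non-empty
    value, otherwise (False, reason) mirroring the two failure cases
    described in the Cause section: claim type not issued, or issued
    without a value.
    """
    root = ET.fromstring(assertion_xml)
    # Works whether the Assertion is the root element or wrapped in a Response.
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != claim_type:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        if values:
            return True, values[0]
        return False, "claim type present but has no value"
    return False, "claim type not issued"


def sample_assertion(attributes):
    """Build a minimal, constructed, unsigned SAML 2.0 assertion for testing.

    `attributes` maps claim type -> list of attribute values.
    """
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join(
            "<saml:AttributeValue>{}</saml:AttributeValue>".format(v) for v in values
        )
        attr_xml += '<saml:Attribute Name="{}">{}</saml:Attribute>'.format(name, vals)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0">'
        "<saml:Issuer>http://adfs.contoso.com/adfs/services/trust</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>{}</saml:AttributeStatement>"
        "</saml:Assertion>"
    ).format(attr_xml)


if __name__ == "__main__":
    # Constructed sample tokens covering the healthy case and both failure modes.
    email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    cases = {
        "upn issued with value": sample_assertion({SHADOW_USER_CLAIM_TYPE: ["alice@contoso.com"]}),
        "upn not issued": sample_assertion({email: ["alice@contoso.com"]}),
        "upn issued empty": sample_assertion({SHADOW_USER_CLAIM_TYPE: [""]}),
    }
    for label, token in cases.items():
        ok, detail = check_shadow_user_claim(token)
        print("{}: {} ({})".format(label, "OK" if ok else "FAIL", detail))
```

To use it against a real capture, pass the decoded assertion XML to `check_shadow_user_claim` with the claim type configured in UAG. If the result is "claim type not issued", the relying party trust for the trunk needs an issuance rule for that claim type; if it is "claim type present but has no value", the rule exists but the attribute it reads (for example the user's UPN in Active Directory) is empty for that account.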