Description—You have previously configured Forefront UAG with an AD FS 2.0 authentication repository and configured an application to use Kerberos constrained delegation for single sign-on (SSO) with a claim type provided by the AD FS 2.0 authentication server. When you try to activate the configuration, you receive the following error message: "The application 'application_name' in trunk 'trunk_name' is configured to use Kerberos constrained delegation for single sign-on. Select a claim type that is provided by the authentication provider for Kerberos constrained delegation."

Cause—If the AD FS 2.0 administrator changed the claim types provided by the AD FS 2.0 server, the federation metadata is updated automatically. If you then re-retrieved the federation metadata for the AD FS 2.0 repository, the AD FS 2.0 server may no longer provide the claim type that the application uses for SSO, so Forefront UAG cannot map the federated user to a shadow account for Kerberos constrained delegation.

Solution 1—To change the claim type for SSO with Kerberos constrained delegation:

  1. In the Forefront UAG Management console, click the trunk through which the AD FS 2.0 application is published. In the Applications list, click the application, and then click Edit.
  2. On the Application Properties dialog box, click the Authentication tab, and then in the Use the value from this claim type as the shadow account user name for KCD when using federated authentication list, select a claim type provided by the Federation Service.
  3. Click OK and then activate the configuration.

Solution 2—To change the claim types provided by the AD FS 2.0 server:

  1. On the AD FS 2.0 server, in the AD FS 2.0 Management console, go to AD FS 2.0\Service\Claim Descriptions.
  2. In the Claim Descriptions pane, right-click the claim that you want to provide, and click Properties.
  3. On the Properties dialog box, select the Publish this claim description in federation metadata as a claim type that this Federation Service can send check box, and then click OK.
  4. In the AD FS 2.0 Management console, go to AD FS 2.0\Trust Relationships\Relying Party Trusts.
  5. In the Relying Party Trusts list, right-click the Forefront UAG relying party, and then click Edit Claim Rules.
  6. On the Edit Claim Rules dialog box, make sure that the AD FS 2.0 server is configured to send the claim type required by Forefront UAG.
  7. In the Forefront UAG Management console, re-retrieve the federation metadata as described in Configuring an AD FS 2.0 authentication repository, and then activate the configuration.
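Before re-retrieving the metadata, it helps to confirm which claim types the Federation Service currently advertises. The following added example (not part of this article or of the Forefront UAG product) parses the ClaimTypesOffered section of an AD FS 2.0 FederationMetadata.xml document and reports whether the claim type the application uses for KCD is still offered; the metadata document and the UPN claim type URI are constructed sample values.

```python
"""Check whether a claim type is still offered in AD FS 2.0 federation metadata."""
import xml.etree.ElementTree as ET

# Namespaces used in the WS-Federation metadata that AD FS 2.0 publishes.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}

# Constructed sample: a trimmed FederationMetadata.xml in which the administrator
# has stopped offering the UPN claim, so only the e-mail address claim is offered.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType">
    <fed:ClaimTypesOffered>
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
          Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">
        <auth:DisplayName>E-Mail Address</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>
"""

# Claim type the application is assumed to use for the KCD shadow account user name.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


def offered_claim_types(metadata_xml: bytes) -> set:
    """Return the set of claim type URIs the Federation Service advertises."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:RoleDescriptor/fed:ClaimTypesOffered/auth:ClaimType"
    return {ct.get("Uri") for ct in root.findall(path, NS) if ct.get("Uri")}


def kcd_claim_is_offered(metadata_xml: bytes, kcd_claim_type: str) -> bool:
    """True if the claim type configured for KCD is still published by AD FS 2.0."""
    return kcd_claim_type in offered_claim_types(metadata_xml)


if __name__ == "__main__":
    print("Offered claim types:", sorted(offered_claim_types(SAMPLE_METADATA)))
    if not kcd_claim_is_offered(SAMPLE_METADATA, UPN_CLAIM):
        print("KCD claim type is no longer offered; apply Solution 1 or Solution 2.")
```

To check a real deployment, replace SAMPLE_METADATA with the bytes of the metadata document retrieved from the Federation Service and UPN_CLAIM with the claim type selected in the application's Authentication tab.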