IE11 and UAG AD FS trunk issue after upgrade to SP4
We got word of a couple of instances where an issue occurred on a UAG server after upgrading to Service Pack 4 for UAG 2010 (SP4 is available for download here).
The symptoms:
1. You are using UAG running version SP3 Rollup 1.
2. The UAG server is configured with at least one portal trunk that uses AD FS 2.0 as the trunk authentication server (a.k.a. "authentication repository").
3. You upgrade this UAG server to Service Pack 4.
4. After the upgrade to SP4, end users using IE11 who access the UAG portal trunk that uses AD FS authentication are presented with the following error message instead of the expected logon page:
Sign-in Error
Access to this portal from a mobile device is not allowed because the portal uses federated authentication.
Why does this happen?
The issue occurs when a configuration file on the UAG server fails to get updated to its latest version, which adds support for IE11. This file is named mobile.browser, and is located in the …\InternalSite\ADFSv2Sites\<trunk name>\App_Browsers\DetectionModule folder on the UAG server.
This file is used by AD FS trunks on UAG in order to correctly recognize and categorize connecting clients. In those cases in which the file was not correctly updated to its latest version by the installation of SP4 for UAG, the IE11 browser is incorrectly recognized by UAG as a mobile device and thus denied access to the AD FS trunk. You can easily recognize that the file is not up to date by its Date modified attribute, which will show a date in 2011.
How do I fix this?
The fix for this issue, should you be affected by it, is extremely simple. Just follow these easy steps:
1. Locate the file mobile.browser in the …\InternalSite\ADFSv2Sites\<trunk name>\App_Browsers\DetectionModule folder on the UAG server.
Note: the same file exists in three other folders of the UAG server. Do not change those files; only change the file (or files, if you have several AD FS trunks) located under the ADFSv2Sites folder!
2. Delete the file, or, to be on the safe side, copy it to another location or rename its extension to anything you wish. For example: mobile.browser_backup
3. In case you have configured more than one trunk using AD FS 2.0 authentication, repeat step 2 above for each mobile.browser file in each one of the folders within …\InternalSite\ADFSv2Sites\
4. Activate the UAG configuration.
This will cause the mobile.browser file to be recreated under the …\InternalSite\ADFSv2Sites folder. The newly created file will be the correct SP4 version, which handles IE11. Note that the file's Date modified attribute now shows a date in 2013.
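The procedure above, as an added PowerShell example that is not part of the original post and not a UAG tool: it lists every mobile.browser under ADFSv2Sites, flags the ones whose Date modified predates 2013 (the heuristic the post gives for a stale file), and, only when run with -Fix, renames them by changing the extension to mobile.browser_backup, the form the post suggests (the comment below explains why a changed extension rather than a renamed prefix matters). The $InternalSite value is an assumed placeholder for the elided …\InternalSite path on your server; activating the UAG configuration afterwards is still a manual step.

```powershell
# Added example, not from the original post: report (and optionally move aside) stale
# mobile.browser files under the AD FS trunk folders on a UAG server.
# $InternalSite is an assumed placeholder; replace it with the real ...\InternalSite path.
param(
    [string]$InternalSite = 'PLACEHOLDER_PATH_TO\InternalSite',
    [switch]$Fix
)

$adfsSites = Join-Path $InternalSite 'ADFSv2Sites'
if (-not (Test-Path $adfsSites)) {
    throw "ADFSv2Sites folder not found under '$InternalSite'; check the path."
}

# Deliberately scoped to ADFSv2Sites only: the post warns that the same file exists in
# three other folders on the UAG server and that those copies must not be touched.
$files = Get-ChildItem -Path $adfsSites -Recurse -Filter 'mobile.browser' |
    Where-Object { $_.DirectoryName -like '*\App_Browsers\DetectionModule' }

if (-not $files) {
    Write-Warning "No mobile.browser found under $adfsSites (no AD FS trunk, or already removed)."
}

foreach ($f in $files) {
    # Path is ...\ADFSv2Sites\<trunk name>\App_Browsers\DetectionModule\mobile.browser,
    # so the trunk name is two directory levels above the file's folder.
    $trunk = Split-Path -Leaf (Split-Path -Parent (Split-Path -Parent $f.DirectoryName))

    # Heuristic from the post: the stale file shows a 2011 date, the SP4 file a 2013 date.
    $stale = $f.LastWriteTime.Year -lt 2013

    $action = 'ok'
    if ($stale -and $Fix) {
        # Change the extension rather than prefixing the name, so ASP.NET does not load
        # the backup as a second .browser file and complain about duplicate objects.
        $backup = Join-Path $f.DirectoryName 'mobile.browser_backup'
        if (Test-Path $backup) {
            $backup = Join-Path $f.DirectoryName ("mobile.browser_backup_{0:yyyyMMddHHmmss}" -f (Get-Date))
        }
        Rename-Item -Path $f.FullName -NewName (Split-Path -Leaf $backup)
        $action = 'renamed'
    } elseif ($stale) {
        $action = 'stale (run with -Fix to rename)'
    }

    [pscustomobject]@{
        Trunk        = $trunk
        DateModified = $f.LastWriteTime
        Stale        = $stale
        Action       = $action
        Path         = $f.FullName
    }
}

if ($Fix -and ($files | Where-Object { $_.LastWriteTime.Year -lt 2013 })) {
    Write-Host 'Now activate the UAG configuration so the SP4 version of mobile.browser is recreated.'
}
```

Run it once without -Fix to see which trunks carry a 2011-dated file, then with -Fix on the UAG server, and activate the configuration as step 4 describes; rerun without -Fix afterwards and the recreated files should show a 2013 date and Stale = False.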
Hope this helps.
Thanks to Ophir Polotsky for reporting this issue to us, and to Aaron Ellis for spotting an error in the instructions above.
---------------------
Ran Dolev
Senior Program Manager
Comments
Anonymous
December 04, 2013
I would make one mod on this recommendation. Make sure you change the extension on the file instead of just pre-pending old_ to the filename. I only added that tag and ended up with ASP errors about duplicate objects and my federated trunks errors when trying to visit anything published on it. Removing the old file altogether instantly resolved the issue.
Anonymous
December 05, 2013
@Aaron: thank you Aaron, you are of course correct and I've made the correction in the blog post. Thanks, -Ran