Activation errors with ADFS trunks

If your UAG server has an ADFS trunk, you might run into an activation error that says:

Failed to run FedUtil from location C:\Microsoft Forefront Unified Access Gateway\Utils\ConfigMgr\Fedutil.exe with parameters /u "C:\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\adfs\web.config".

This issue stems from the fact that UAG allocates a limited time for FedUtil to do its work. FedUtil is a utility external to UAG (it's part of the Windows Identity Foundation) and is used to generate a metadata file that's required as part of creating ADFS trunks. When UAG runs FedUtil, it generates a file called FederationMetadata.xml, which the administrator is supposed to use later to complete the configuration of the relying party on the ADFS server.

Even though the error indicates that there was a failure, what actually happens is that FedUtil simply took longer to complete than the time allocated by UAG's activation process. In such a case, UAG shows the error, but FedUtil did complete, just a tad too late. This means that you WILL find the metadata file in the correct place (under /InternalSite/ADFSv2Sites/<your trunk>/FederationMetadata/2007-06/FederationMetadata.xml) and you can use it to complete the ADFS relying party configuration. In fact, if you completed this once already when setting up your trunk initially, there's no need to do it again, unless you made changes to the ADFS configuration itself.

As for fixing the error: usually there's no need to fix it at all, because it doesn't indicate a real failure. Even though it shows up, the activation actually completes, and the error can be ignored. With UAG SP3, more time is allocated to FedUtil, so this error should not show up. For earlier versions of UAG, it's possible to suppress the error by temporarily replacing the FedUtil executable with another executable that will run without erroring out (for example, you can use c:\windows\system32\locator.exe).

If you find that the procedure really failed, and there's no FederationMetadata.xml file under the right folder in InternalSite, then this is more of a problem, because you won't be able to complete the ADFS setup without the XML file. One thing that could cause FedUtil to not complete, or to run slowly, is the UAG server not having an internet connection. If the internet connection on UAG is supposed to go through a proxy, then you need to configure a system-wide proxy for FedUtil to use. You can achieve this using the NETSH command with the SET PROXY parameter, as detailed here:

If the outbound connection to the internet is intentionally restricted by some firewall or policy, then FedUtil should still be able to complete, although it could take a few minutes. If not, consider changing the policy and allowing outbound internet access on the UAG server. This would also improve the performance of other applications: if an application has a page that refers to public servers on the internet (for example, if the application runs functions from GPL code, which often lists its creators' public websites in the code), UAG's inability to resolve these names could slow down its ability to parse application pages.
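
The checks described above can be scripted. The following is an added example, not part of the original post or of UAG: it confirms that FederationMetadata.xml exists and parses after an activation error, and otherwise shows the system-wide proxy. The install root and trunk name (`adfs`) come from the error message above; the 30-minute window, the use of `netsh winhttp` as the form of the NETSH proxy command, and the proxy host are assumptions.

```powershell
# Added example: post-activation check for a UAG ADFS trunk.
# Install root and trunk name are taken from the error message above;
# adjust both for your server.
$UagRoot   = 'C:\Microsoft Forefront Unified Access Gateway'
$TrunkName = 'adfs'
$MaxAgeMin = 30   # assumption: activation ran within the last 30 minutes

$Metadata = Join-Path $UagRoot ("von\InternalSite\ADFSv2Sites\$TrunkName" +
    '\FederationMetadata\2007-06\FederationMetadata.xml')

if (Test-Path -LiteralPath $Metadata) {
    $file   = Get-Item -LiteralPath $Metadata
    $ageMin = [int]((Get-Date) - $file.LastWriteTime).TotalMinutes
    Write-Host "Found $Metadata (written $($file.LastWriteTime), $ageMin min ago)"

    # A file left incomplete by an interrupted run will not load as XML.
    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($Metadata)
        $root = $xml.DocumentElement
        Write-Host "Well-formed XML, root <$($root.LocalName)>, entityID: $($root.GetAttribute('entityID'))"
    } catch {
        Write-Warning "File exists but is not well-formed XML: $($_.Exception.Message)"
    }

    if ($ageMin -gt $MaxAgeMin) {
        # Expected when FedUtil output from the initial trunk setup is still in use.
        Write-Warning 'File is older than this activation; regenerate only if the ADFS configuration changed.'
    }
} else {
    Write-Warning "No FederationMetadata.xml for trunk '$TrunkName': FedUtil did not complete."
    # Show the system-wide (WinHTTP) proxy; "Direct access" means none is set.
    netsh winhttp show proxy
    # To set one, run from an elevated prompt (placeholder host and port):
    #   netsh winhttp set proxy proxy-server="proxy.example.internal:8080"
}
```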
