Activation errors with ADFS trunks

If your UAG server has an ADFS trunk, you might run into activation errors, saying:

Failed to run FedUtil from location C:\Microsoft Forefront Unified Access Gateway\Utils\ConfigMgr\Fedutil.exe with parameters /u "C:\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\adfs\web.config".

This issue stems from the fact that UAG allocates FedUtil a limited amount of time to do its work. FedUtil is a utility external to UAG (it's part of the Windows Identity Foundation) and is used to generate a metadata file that's required as part of creating ADFS trunks. When UAG runs FedUtil, it generates a file called FederationMetadata.xml, which the administrator is supposed to use later to complete the configuration of the relying party on his ADFS server.

Even though the error indicates that there was a failure, what actually happens is that FedUtil simply took longer to complete than the time allocated by UAG's activation process. In such a case, UAG shows the error, but FedUtil did complete…just a tad too late. This means that you WILL find the metadata file in the correct place (under /InternalSite/ADFSv2Sites/<your trunk>/FederationMetadata/2007-06/FederationMetadata.xml) and you can use it to complete the ADFS relying party configuration. In fact, if you completed this once already when setting up your trunk initially, there's no need to do it again, unless you made changes to the ADFS configuration itself.

As for fixing the error – usually, there's no need to fix it at all, as it is benign. Even though it shows up, the activation is actually completed, and the error can be ignored. With UAG SP3, more time is allocated to FedUtil, so this error should not show up. For earlier versions of UAG, it's possible to suppress the error by temporarily replacing the FedUtil executable with another executable that will run without erroring out (for example, you can use c:\windows\system32\locator.exe).

If you find that the procedure really failed, and there's no FederationMetadata.xml file under the right folder in InternalSite, then this is more of a problem, because you won't be able to complete the ADFS setup without the XML file. One thing that could cause FedUtil to not complete, or to work slowly, is the UAG server not having an internet connection. If your internet connection on UAG is supposed to run via a proxy, then you need to configure a system-wide proxy for FedUtil to use. You can achieve this using the NETSH command with the SET PROXY parameter, as detailed here:

https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx

If the outbound connection to the internet is intentionally restricted by some firewall or policy, then FedUtil should still be able to complete, although it could take a few minutes. If not, consider changing the policy and allowing outbound internet on the UAG server – it would also improve performance of other applications, because if an application has a page that refers to public servers on the internet (for example, if the application runs functions from GPL code, which often lists the creators' public websites in the code), UAG's inability to resolve these names could slow down its ability to parse application pages.
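To tell the benign case (FedUtil finished late) apart from the real failure (no metadata produced) without guessing, the following PowerShell check can be run on the UAG server after activation. It is an added example, not a script from the original post or from UAG; it assumes the default UAG install folder, a trunk named "adfs", and that activation was started within the last hour (all three are parameters you can change).

```powershell
# Added example (not from the original post): after an activation that reported a
# FedUtil error, check whether FederationMetadata.xml was still produced.
# Assumptions: default UAG install path, trunk name "adfs", activation started
# within the last hour. Adjust the parameters to match your server.
param(
    [string]$Trunk = 'adfs',
    [string]$UagRoot = 'C:\Microsoft Forefront Unified Access Gateway',
    [datetime]$ActivatedAfter = (Get-Date).AddHours(-1)
)

$metadata = Join-Path $UagRoot `
    "von\InternalSite\ADFSv2Sites\$Trunk\FederationMetadata\2007-06\FederationMetadata.xml"

if (-not (Test-Path $metadata)) {
    # Real failure: FedUtil never finished, so the ADFS relying party cannot be set up.
    Write-Warning "No FederationMetadata.xml for trunk '$Trunk' at $metadata - FedUtil did not complete."
    # A missing system-wide proxy is one cause the post names; show what FedUtil would use.
    Write-Host 'Current WinHTTP proxy setting (netsh winhttp show proxy):'
    netsh winhttp show proxy
    exit 1
}

$file = Get-Item $metadata
if ($file.LastWriteTime -lt $ActivatedAfter) {
    # The file predates this activation: it is a leftover from an earlier run and was
    # not regenerated. Fine if ADFS config has not changed since, otherwise investigate.
    Write-Warning "Metadata last written $($file.LastWriteTime), before activation started ($ActivatedAfter); it may be stale."
} else {
    Write-Host "Metadata written $($file.LastWriteTime), after activation started - FedUtil completed late but fine."
}

# Make sure the file is well-formed XML before handing it to ADFS; report the
# entityID attribute of the root element (the identifier ADFS will see).
try {
    [xml]$xml = Get-Content -Path $metadata -ErrorAction Stop
    $entityId = $xml.DocumentElement.GetAttribute('entityID')
    Write-Host "Well-formed metadata; entityID = $entityId"
} catch {
    Write-Warning "FederationMetadata.xml exists but is not valid XML: $_"
    exit 1
}
```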