Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Symptoms

Consider the following scenario:

  • A web server is published by using Microsoft Forefront Unified Access Gateway (UAG) 2010.

  • Forefront UAG 2010 uses Kerberos Constrained Delegation (KCD) tickets to delegate user credentials to the published web server.

  • The published web server rejects the KCD ticket that is provided by Forefront UAG 2010, and returns a 401 error.

In this scenario, Forefront UAG 2010 enters into a request/retry loop. Additionally, the following conditions may occur for the Forefront UAG w3wp.exe worker process during the request/retry loop:

  • A rapid increase in memory consumption

  • High CPU usage

Cause

This problem is typically caused by either an issue that affects the KCD setup or an issue that exists on the published web server.

If Forefront UAG has authenticated the user and has successfully obtained a KCD ticket to the published server, the program does not expect to receive a 401 error from the published web server during the KCD negotiation with the published server. Under these conditions, Forefront UAG tries to handle the 401 error by obtaining a new KCD ticket, and then resubmitting the request to the published web server. This activity causes the request/retry loop to occur.

Important The request/retry loop problem is fixed in Forefront Unified Access Gateway 2010 Service Pack 3 (SP3). Forefront UAG 2010 SP3 does not address the underlying authentication issue because that issue does not occur in Forefront UAG. If Forefront UAG receives the unexpected 401 error from the published web server because the KCD negotiation with the published web server failed, the 401 error is returned to the client. The client then receives an authentication prompt. However, the client will be unable to complete the authentication because of the underlying issue.

Note See the "More Information" section for more information about some of the causes of the unexpected authentication failure to the published web server.

Resolution

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2744025 Description of Forefront Unified Access Gateway 2010 Service Pack 3

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Microsoft Customer Support has recorded several occurrences of this issue in Outlook Anywhere publishing scenarios. In these cases, the issue caused the KCD authentication to the Client Access server (CAS) to fail for RPC over HTTP traffic. For more information about a similar issue, click the following article number to go to the article in the Microsoft Knowledge Base:

2545850 Users cannot access an IIS-hosted website after the computer password for the server is changed in Windows 7 or in Windows Server 2008 R2Notes

  • The hotfix that is discussed in KB 2545850 should be installed on the CAS, not on the Forefront UAG server.

  • To work around this issue without installing hotfix 2545850, restart the CAS. This workaround will remain in effect until the next time that this issue is encountered.

The web server may also return a 401 error because of a permissions issue or if KCD is not set up correctly. For example, the Service Principal Name (SPN) that Forefront UAG delegates may not be registered against the target web server account or the process service account. For more information about Kerberos Constrained Delegation setup, go to following Microsoft TechNet website:

Configuring single sign-on with Kerberos constrained delegation

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×