Article ID: 2811103
Consider the following scenario:
This problem is typically caused by either an issue that affects the KCD setup or an issue that exists on the published web server.
If Forefront UAG has authenticated the user and has successfully obtained a KCD ticket to the published server, the program does not expect to receive a 401 error from the published web server during the KCD negotiation with the published server. Under these conditions, Forefront UAG tries to handle the 401 error by obtaining a new KCD ticket, and then resubmitting the request to the published web server. This activity causes the request/retry loop to occur.
Important: The request/retry loop problem is fixed in Forefront Unified Access Gateway 2010 Service Pack 3 (SP3). Forefront UAG 2010 SP3 does not address the underlying authentication issue because that issue does not occur in Forefront UAG. If Forefront UAG receives the unexpected 401 error from the published web server because the KCD negotiation with the published web server failed, the 401 error is returned to the client. The client then receives an authentication prompt. However, the client will be unable to complete the authentication because of the underlying issue.
Note: See the "More Information" section for more information about some of the causes of the unexpected authentication failure to the published web server.
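The request/retry loop described above shows up on the published web server as a burst of consecutive 401 responses to the same source and URL. The following is an added example, not part of the original article or of any Microsoft tooling: it scans a log in the IIS W3C extended format for such bursts. It assumes the published server is IIS with the date, time, cs-uri-stem, c-ip and sc-status fields enabled; the threshold, the time window and the sample log lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample (not from the article): 10.0.0.5 stands in for the
# Forefront UAG server, 10.0.0.9 for a client doing a normal 401-then-200 handshake.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2013-02-21 10:00:00 RPC_IN_DATA /rpc/rpcproxy.dll 10.0.0.5 401
2013-02-21 10:00:00 RPC_IN_DATA /rpc/rpcproxy.dll 10.0.0.5 401
2013-02-21 10:00:01 GET /owa/ 10.0.0.9 401
2013-02-21 10:00:01 RPC_IN_DATA /rpc/rpcproxy.dll 10.0.0.5 401
2013-02-21 10:00:01 GET /owa/ 10.0.0.9 200
2013-02-21 10:00:02 RPC_IN_DATA /rpc/rpcproxy.dll 10.0.0.5 401
2013-02-21 10:00:02 RPC_IN_DATA /rpc/rpcproxy.dll 10.0.0.5 401
2013-02-21 10:00:03 RPC_IN_DATA /rpc/rpcproxy.dll 10.0.0.5 401
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated lines
                yield dict(zip(fields, parts))

def find_401_loops(text, threshold=5, window=timedelta(seconds=10)):
    """Return (c-ip, uri, count, first_seen) for each run of >= threshold
    consecutive 401s from one source to one URL, each within `window` of the last."""
    runs, hits = {}, []   # runs: (c-ip, uri) -> [first_ts, last_ts, count]

    def close(key):
        first, _, count = runs.pop(key)
        if count >= threshold:
            hits.append((key[0], key[1], count, first.isoformat(sep=" ")))

    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        key = (rec["c-ip"], rec["cs-uri-stem"])
        if rec["sc-status"] != "401":
            if key in runs:
                close(key)      # any other status ends the run
            continue
        if key in runs and ts - runs[key][1] > window:
            close(key)          # gap too long: start a new run
        run = runs.setdefault(key, [ts, ts, 0])
        run[1], run[2] = ts, run[2] + 1
    for key in list(runs):
        close(key)
    return hits
```

A single 401 followed by a success, as for 10.0.0.9 in the sample, is an ordinary authentication handshake and is not reported.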
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
Description of Forefront Unified Access Gateway 2010 Service Pack 3 (http://support.microsoft.com/kb/2744025/)
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Microsoft Customer Support has recorded several occurrences of this issue in Outlook Anywhere publishing scenarios. In these cases, the issue caused the KCD authentication to the Client Access server (CAS) to fail for RPC over HTTP traffic. For more information about a similar issue, click the following article number to go to the article in the Microsoft Knowledge Base:
Users cannot access an IIS-hosted website after the computer password for the server is changed in Windows 7 or in Windows Server 2008 R2 (http://support.microsoft.com/kb/2545850/)
Configuring single sign-on with Kerberos constrained delegation
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
Description of the standard terminology that is used to describe Microsoft software updates (http://support.microsoft.com/kb/824684/)
Article ID: 2811103 - Last Review: February 21, 2013 - Revision: 3.0