Consider the following scenario:
A web server is published by using Microsoft Forefront Unified Access Gateway (UAG) 2010.
Forefront UAG 2010 uses Kerberos Constrained Delegation (KCD) tickets to delegate user credentials to the published web server.
The published web server rejects the KCD ticket that is provided by Forefront UAG 2010, and returns a 401 error.
In this scenario, Forefront UAG 2010 enters into a request/retry loop. Additionally, the following conditions may occur for the Forefront UAG w3wp.exe worker process during the request/retry loop:
A rapid increase in memory consumption
High CPU usage
This problem is typically caused by either an issue that affects the KCD setup or an issue that exists on the published web server.
If Forefront UAG has authenticated the user and has successfully obtained a KCD ticket to the published server, the program does not expect to receive a 401 error from the published web server during the KCD negotiation with the published server. Under these conditions, Forefront UAG tries to handle the 401 error by obtaining a new KCD ticket, and then resubmitting the request to the published web server. This activity causes the request/retry loop to occur.
Important The request/retry loop problem is fixed in Forefront Unified Access Gateway 2010 Service Pack 3 (SP3). Forefront UAG 2010 SP3 does not address the underlying authentication issue because that issue does not occur in Forefront UAG. If Forefront UAG receives the unexpected 401 error from the published web server because the KCD negotiation with the published web server failed, the 401 error is returned to the client. The client then receives an authentication prompt. However, the client will be unable to complete the authentication because of the underlying issue.
Note See the "More Information" section for details about some of the causes of the unexpected authentication failure at the published web server.
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2744025 Description of Forefront Unified Access Gateway 2010 Service Pack 3
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Microsoft Customer Support has recorded several occurrences of this issue in Outlook Anywhere publishing scenarios. In these cases, the issue caused the KCD authentication to the Client Access server (CAS) to fail for RPC over HTTP traffic. For more information about a similar issue, click the following article number to go to the article in the Microsoft Knowledge Base:
2545850 Users cannot access an IIS-hosted website after the computer password for the server is changed in Windows 7 or in Windows Server 2008 R2
Notes
The hotfix that is discussed in KB 2545850 should be installed on the CAS, not on the Forefront UAG server.
To work around this issue without installing hotfix 2545850, restart the CAS. This workaround will remain in effect until the next time that this issue is encountered.
The web server may also return a 401 error because of a permissions issue or because KCD is not set up correctly. For example, the Service Principal Name (SPN) that Forefront UAG delegates to may not be registered on the target web server's computer account or on the service account of the process that hosts the site. For more information about Kerberos Constrained Delegation setup, go to the following Microsoft TechNet website:
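As an added diagnostic example (not part of this article), the following PowerShell script checks the two KCD prerequisites described above from a domain-joined administrative session with the ActiveDirectory module installed: that the target SPN is registered on exactly one account, and that the Forefront UAG account is configured for constrained delegation to it. The SPN and account name are placeholders to replace with your own values.

```powershell
# Added diagnostic, not from the KB article. Assumes RSAT ActiveDirectory module.
# $TargetSpn and $UagAccount are placeholders; substitute your own values.
param(
    [string]$TargetSpn  = 'http/cas01.contoso.com',  # SPN that UAG delegates to
    [string]$UagAccount = 'UAG01$'                    # UAG computer account or its app-pool service account
)
Import-Module ActiveDirectory

# 1. Which account holds the target SPN? Exactly one account must register it.
#    No holder: KCD cannot obtain a service ticket. Two holders (duplicate SPN):
#    Kerberos for that service breaks. Both show up as the 401 from the web server.
$holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$TargetSpn'" `
               -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "SPN '$TargetSpn' is not registered on any account." }
    1       { Write-Host    "SPN '$TargetSpn' is registered on $($holders[0].DistinguishedName)" }
    default {
        Write-Warning "SPN '$TargetSpn' is registered on $($holders.Count) accounts (duplicate SPN):"
        $holders | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
    }
}

# 2. Is the UAG account allowed to delegate to that SPN?
#    msDS-AllowedToDelegateTo lists the SPNs the account may request tickets for.
$uag = Get-ADObject -Filter "sAMAccountName -eq '$UagAccount'" `
         -Properties 'msDS-AllowedToDelegateTo', userAccountControl
if (-not $uag) { throw "Account '$UagAccount' was not found in Active Directory." }

$allowed = @($uag.'msDS-AllowedToDelegateTo')
if ($allowed -contains $TargetSpn) {
    Write-Host "'$UagAccount' is permitted to delegate to '$TargetSpn'."
} else {
    Write-Warning "'$UagAccount' is NOT permitted to delegate to '$TargetSpn'. Allowed SPNs: $($allowed -join ', ')"
}

# UAG authenticates the user itself and then requests a ticket on the user's behalf
# (protocol transition), which requires TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000).
if (($uag.userAccountControl -band 0x1000000) -eq 0) {
    Write-Warning "'$UagAccount' lacks 'Use any authentication protocol' (TRUSTED_TO_AUTH_FOR_DELEGATION)."
}
```

A warning from any of the three checks is a likely cause of the unexpected 401; the computer-password case in KB 2545850 is not visible from the directory and is checked on the CAS itself.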
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates