- A web server is published by using Microsoft Forefront Unified Access Gateway (UAG) 2010.
- Forefront UAG 2010 uses Kerberos Constrained Delegation (KCD) tickets to delegate user credentials to the published web server.
- The published web server rejects the KCD ticket that is provided by Forefront UAG 2010, and returns a 401 error.
- A rapid increase in memory consumption
- High CPU usage
If Forefront UAG has authenticated the user and has successfully obtained a KCD ticket to the published server, the program does not expect to receive a 401 error from the published web server during the KCD negotiation with the published server. Under these conditions, Forefront UAG tries to handle the 401 error by obtaining a new KCD ticket, and then resubmitting the request to the published web server. This activity causes the request/retry loop to occur.
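One way to confirm the request/retry loop from the published server's side is to look for long, unbroken runs of 401 responses sent to a single client address for a single URL. The following is an added example, not code from the original article or from Microsoft. It assumes the published server writes IIS W3C extended logs; the log lines, the address 10.0.0.5 standing in for the Forefront UAG server, the /owa/ path, and the threshold and window values are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not from a real server).
# 10.0.0.5 is a hypothetical internal address for the Forefront UAG server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2013-02-21 10:00:00 10.0.0.5 GET /owa/ 401
2013-02-21 10:00:00 10.0.0.5 GET /owa/ 401
2013-02-21 10:00:01 10.0.0.5 GET /owa/ 401
2013-02-21 10:00:01 10.0.0.5 GET /owa/ 401
2013-02-21 10:00:01 10.0.0.5 GET /owa/ 401
2013-02-21 10:00:02 10.0.0.5 GET /owa/ 401
2013-02-21 10:00:03 10.0.0.9 GET /owa/ 401
2013-02-21 10:00:04 10.0.0.9 GET /owa/ 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def find_401_loops(rows, threshold=5, window=timedelta(seconds=10)):
    """Return {(c-ip, uri): run length} for unbroken 401 runs >= threshold."""
    run_start, run_len, hits = {}, defaultdict(int), {}
    for r in rows:
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["sc-status"] != "401":
            run_len[key] = 0              # any other status breaks the run
            continue
        # Start a new run if none is open or the open one has outlasted the window.
        if run_len[key] == 0 or r["ts"] - run_start[key] > window:
            run_start[key], run_len[key] = r["ts"], 0
        run_len[key] += 1
        if run_len[key] >= threshold:
            hits[key] = max(hits.get(key, 0), run_len[key])
    return hits

if __name__ == "__main__":
    for (ip, uri), n in find_401_loops(parse_w3c(SAMPLE_LOG)).items():
        print(f"possible retry loop: {ip} -> {uri}: {n} consecutive 401s")
```

The isolated 401 followed by a 200 for 10.0.0.9 is not flagged; only the sustained run from the address standing in for the Forefront UAG server is reported.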
Important: The request/retry loop problem is fixed in Forefront Unified Access Gateway 2010 Service Pack 3 (SP3). Forefront UAG 2010 SP3 does not address the underlying authentication issue because that issue does not occur in Forefront UAG. If Forefront UAG receives the unexpected 401 error from the published web server because the KCD negotiation with the published web server failed, the 401 error is returned to the client. The client then receives an authentication prompt. However, the client will be unable to complete the authentication because of the underlying issue.
Note: See the "More Information" section for more information about some of the causes of the unexpected authentication failure to the published web server.
- The hotfix that is discussed in KB 2545850 should be installed on the CAS, not on the Forefront UAG server.
- To work around this issue without installing hotfix 2545850, restart the CAS. This workaround will remain in effect until the next time that this issue is encountered.
Article ID: 2811103 - Last Review: Feb 21, 2013 - Revision: 1