Customer has an application protected with Kerberos authentication. User is able to successfully access the application, but when they try to download an .exe file within the application it is generating an error and the download fails. 

Release : ALL

We could see that the browser was sending the SMSESSION cookie when the application download was requested, however, an applet between the browser and IIS was blocking the cookie, and thus the agent was never receiving the session cookie on this request.  This caused the agent to redirect the user to Kerberos authentication, but the applet didn't know how to follow a redirect, so the error occurred.  This is similar to what can happen when MS Office applications attempt to handle HTTP requests.

To get around this, we reverted the IIS permissions for the folder containing the .exe file to Windows Authentication only, and then added the http application folder to the IgnoreURL ACO parameter.  This allowed all of the applications to be downloaded successfully.

When using the IgnoreURL ACO parameter in this manner you want to be sure that the web server itself is providing adequate security for the resource since the web agent will not be enforcing any security on it.