As we said earlier, URA can work fine without your deploying your own certificate infrastructure, by using the Kerberos Proxy instead. There are, however, circumstances in which you will not be able to use it. One such situation is when you need Windows 7 clients to use URA. The client code that establishes the connection on Windows 7 computers cannot work with the Kerberos Proxy, so these clients require their own certificates in order to bring up the IPsec tunnel, and that means you will have to deploy a full PKI infrastructure to support them.
Another situation is an organization that already has a PKI deployed and would rather use it than the self-signed certificates generated by the URA role, or than the Kerberos Proxy role. This does complicate things quite a bit, but it may serve some organizations better. One reason is control: by running your own PKI infrastructure, you control exactly which certificates are issued and can affect what they can and cannot...