If you have already installed the URA role on one or more of your servers, you might have selected the easy option of using Kerberos Proxy for authentication, instead of Certificate authentication. Unfortunately, this option is not available for the multisite scenario, and therefore, you are going to have to configure and deploy a certificate infrastructure. To do this, follow these steps:
Install the Certificate Authority role on a server of your choice in your domain.
Configure an auto enrollment policy to issue certificates to clients (either all clients, or at least those which will be using URA).
Verify that clients have received the CA's root certificate (after the clients Group Policy has been updated, you should see the root certificate in the Trusted Root Certification Authorities container on all clients).
Verify that clients have successfully enrolled and received a certificate.
Verify that the URA server itself has been issued a certificate as well.
Then...