asked on

WSUS 3.0 Synchronization Error with Upstream Server

I have 3 servers setup running WSUS 3.0.

One of the servers is setup to sync with Microsoft, the other 2 are setup as
replicas. I am unable to sync the replicas to the master.

Error:
----------
The upstream server dows not allow an anonymous downstream server to
synchronize. This particular server has not been registered on this upstream
server, or the upstream server Web services needs authentication.

WebException: The request failed with HTTP status 401: Unauthorized.
at
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters)
at
Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
at
Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
at
Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager
authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie
cookie, WebServiceCommunicationHelper webServiceHelper)
at
Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
at
Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

----------

I am trying to sync on port 8530 (non SSL). Any suggestions?

tsuzuhara

Looks like the IIS permissions on the upstream server are incorrect.

tsuzuhara

http://technet.microsoft.com/en-us/updatemanagement/bb245871.aspx

Step 1: Create an authentication list

WSUS setup creates a configuration file that enables you to add an explicit list of computers that have access to WSUS. You can find this file in the file system of the WSUS server at:

%ProgramFiles%\Update Services\WebServices\Serversyncwebservice\Web.config

Use the <authorization> element to define an authentication list. You must add the <authorization> element below the <configuration> and <system.web> elements.

Consider the example below:

<configuration>

<system.web>

<authorization>

<allow users="domain\computer_name,domain\computer_name" />

<deny users="*" />

</authorization>

</system.web>

</configuration>

Within opening and closing authorization tags, you specify a list of computers that are allowed a connection to the Web service. You must enter these computers as Domain\computer_name. If you want multiple computers, use a comma to separate the names. You can also specify an explicit list of computers that are denied access. Order in this list is important, as the evaluation stops with the first item that applies to the user.

The XML schema for this list can be found on an MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=47691.
Step 2: Configure IIS

The next step is to configure IIS to disable anonymous access to the ServerSyncWebService virtual directory and enable Integrated Windows authentication.

To configure IIS to disable anonymous access and enable Integrated Windows authentication for the WSUS ServerSynchWebService

1. On the Star menu, point to Programs, point to Administrator Tools, and then click Internet Information Services Manager.
2. Expand the local computer node.
3. Expand the WSUS Web site node.
4. Right-click SeverSyncWebService, and then click Properties.
5. On the Directory Security tab, under Authentication and access control, click Edit.
6. In the Authentication Methods dialog box, clear the Enable anonymous access check box and select the Integrated Windows authentication check box.
7. Click OK twice.

itcok

ASKER

Hi tsuzuhara,
I tried the suggestion which I had also found in the operations guide. This did not resolve the issue... I also went through and verified the IIS and NTFS permissions per the documentation and all were set correctly. I can browse to the website with authentication enabled or disabled as well.

tsuzuhara

Are you using a proxy inbetween the servers?

itcok

ASKER

No proxy.

itcok

ASKER

The 2 servers that I wanted to configure as Replicas can sync to each other but can not sync the the server I had designated as primary source.

tsuzuhara

It seems that you have trouble connecting to the main server from every IP on your network. Have you tried connecting to the clients to the primary server through a GPO just for testing purposes?

itcok

ASKER

Turns out the IUSR account on the server was not working correctly (not being managed by IIS). We're good now...

orjso

I am having the same issue as described.. I made the changes requested in here... still no dice.. Any advice?

itcok

ASKER

IIS Permissions:

Open Internet Services Manager, IIS and make sure you have Anonymous Access on the following Virtual Directories viz;

i. You have Anonymous Access on Default Website,
ii. You have Anonymous Access on selfupdate,
iii. You have Anonymous Access on autoupdate and
iv. Also, Anonymous Access should be granted on content virtual directories.

NTFS permissions:

Make sure you have READ permission on the folders where you have installed SUS viz;

i. C:\SUS Content: EVERYONE should at least have READ Permission.
ii. C:\SUS Content: Web Anonymous User must have READ & EXECUTE, LIST FOLDER CONTENTS.
iii. C:\SUS Content: IUSR & IWAM Users must have READ & EXECUTE, LIST FOLDER CONTENTS

Use FQDN when synching via SSL.

IIS Codes
http://support.microsoft.com/kb/318380

Verifying WSUS Server Settings
http://technet2.microsoft.com/windowsserver/en/library/aae0c0a0-0bc7-46f8-b3ea-bc441a3796b41033.mspx?mfr=true

ASKER CERTIFIED SOLUTION

Computer101

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial