itcok
asked on
WSUS 3.0 Synchronization Error with Upstream Server
I have 3 servers set up running WSUS 3.0.
One of the servers is set up to sync with Microsoft, the other 2 are set up as
replicas. I am unable to sync the replicas to the master.
Error:
----------
The upstream server does not allow an anonymous downstream server to
synchronize. This particular server has not been registered on this upstream
server, or the upstream server Web services needs authentication.
WebException: The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
----------
I am trying to sync on port 8530 (non SSL). Any suggestions?
Looks like the IIS permissions on the upstream server are incorrect.
http://technet.microsoft.com/en-us/updatemanagement/bb245871.aspx
Step 1: Create an authentication list
WSUS setup creates a configuration file that enables you to add an explicit list of computers that have access to WSUS. You can find this file in the file system of the WSUS server at:
%ProgramFiles%\Update Services\WebServices\Serversyncwebservice\Web.config
Use the <authorization> element to define an authentication list. You must add the <authorization> element below the <configuration> and <system.web> elements.
Consider the example below:
<configuration>
  <system.web>
    <authorization>
      <allow users="domain\computer_name,domain\computer_name" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Within opening and closing authorization tags, you specify a list of computers that are allowed a connection to the Web service. You must enter these computers as Domain\computer_name. If you want multiple computers, use a comma to separate the names. You can also specify an explicit list of computers that are denied access. Order in this list is important, as the evaluation stops with the first item that applies to the user.
The XML schema for this list can be found on an MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=47691.
Step 2: Configure IIS
The next step is to configure IIS to disable anonymous access to the ServerSyncWebService virtual directory and enable Integrated Windows authentication.
To configure IIS to disable anonymous access and enable Integrated Windows authentication for the WSUS ServerSyncWebService:
1. On the Start menu, point to Programs, point to Administrator Tools, and then click Internet Information Services Manager.
2. Expand the local computer node.
3. Expand the WSUS Web site node.
4. Right-click ServerSyncWebService, and then click Properties.
5. On the Directory Security tab, under Authentication and access control, click Edit.
6. In the Authentication Methods dialog box, clear the Enable anonymous access check box and select the Integrated Windows authentication check box.
7. Click OK twice.
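The first-match evaluation described in Step 1 above, as an added example (not code from the original post or from Microsoft): it reads the <authorization> rules in document order and reports when a replica would be refused or when callers that are not on the list are not explicitly denied. The CORP\... names and the three sample configs are constructed, only the users attribute is modelled, and "inherit" is this example's label for "no rule in this file applied, so the parent configuration decides".

```python
import xml.etree.ElementTree as ET

# Constructed samples: the CORP\... names are placeholders, not from the post.
REPLICAS = [r"CORP\replica1", r"CORP\replica2"]
ORDERED = r"""<configuration><system.web><authorization>
  <allow users="CORP\replica1, CORP\replica2" />
  <deny users="*" />
</authorization></system.web></configuration>"""
MISORDERED = r"""<configuration><system.web><authorization>
  <deny users="*" />
  <allow users="CORP\replica1, CORP\replica2" />
</authorization></system.web></configuration>"""
NO_DENY = r"""<configuration><system.web><authorization>
  <allow users="CORP\replica1, CORP\replica2" />
</authorization></system.web></configuration>"""

def load_rules(web_config_text):
    """Return [(action, [users])] in document order from <system.web><authorization>."""
    root = ET.fromstring(web_config_text)
    system_web = root.find("system.web")
    auth = system_web.find("authorization") if system_web is not None else None
    rules = []
    for el in (auth if auth is not None else []):
        if el.tag in ("allow", "deny"):
            users = [u.strip().lower() for u in el.get("users", "").split(",")]
            rules.append((el.tag, [u for u in users if u]))
    return rules

def evaluate(rules, identity):
    """First rule that applies wins; identity=None models an anonymous caller."""
    who = identity.lower() if identity else None
    for action, users in rules:
        if "*" in users or (who is None and "?" in users) or who in users:
            return action
    return "inherit"  # nothing in this file matched

def audit(web_config_text, replicas):
    """Findings that would block a replica or admit a caller not on the list."""
    rules = load_rules(web_config_text)
    probes = {name: "allow" for name in replicas}
    probes.update({None: "deny", r"CORP\unlisted": "deny"})  # anonymous, unlisted
    return [f"{who or 'anonymous'}: expected {want}, got {evaluate(rules, who)}"
            for who, want in probes.items() if evaluate(rules, who) != want]

if __name__ == "__main__":
    for label, text in (("ordered", ORDERED), ("misordered", MISORDERED), ("no deny", NO_DENY)):
        print(label, audit(text, REPLICAS) or "OK")
```

With the deny rule placed first, both replicas are refused, which is the same 401 symptom the question describes.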
ASKER
Hi tsuzuhara,
I tried the suggestion which I had also found in the operations guide. This did not resolve the issue... I also went through and verified the IIS and NTFS permissions per the documentation and all were set correctly. I can browse to the website with authentication enabled or disabled as well.
Are you using a proxy in between the servers?
ASKER
No proxy.
ASKER
The 2 servers that I wanted to configure as Replicas can sync to each other but cannot sync to the server I had designated as primary source.
It seems that you have trouble connecting to the main server from every IP on your network. Have you tried connecting the clients to the primary server through a GPO just for testing purposes?
ASKER
Turns out the IUSR account on the server was not working correctly (not being managed by IIS). We're good now...
I am having the same issue as described.. I made the changes requested in here... still no dice.. Any advice?
ASKER
IIS Permissions:
Open Internet Services Manager, IIS and make sure you have Anonymous Access on the following Virtual Directories viz;
i. You have Anonymous Access on Default Website,
ii. You have Anonymous Access on selfupdate,
iii. You have Anonymous Access on autoupdate and
iv. Also, Anonymous Access should be granted on content virtual directories.
NTFS permissions:
Make sure you have READ permission on the folders where you have installed SUS viz;
i. C:\SUS Content: EVERYONE should at least have READ Permission.
ii. C:\SUS Content: Web Anonymous User must have READ & EXECUTE, LIST FOLDER CONTENTS.
iii. C:\SUS Content: IUSR & IWAM Users must have READ & EXECUTE, LIST FOLDER CONTENTS
Use FQDN when synching via SSL.
IIS Codes
http://support.microsoft.com/kb/318380
Verifying WSUS Server Settings
http://technet2.microsoft.com/windowsserver/en/library/aae0c0a0-0bc7-46f8-b3ea-bc441a3796b41033.mspx?mfr=true