Solved

WSUS 3.0 Synchronization Error with Upstream Server

Posted on 2007-07-19
Last Modified: 2008-09-17
I have 3 servers set up running WSUS 3.0.

One of the servers is set up to sync with Microsoft, the other 2 are set up as
replicas. I am unable to sync the replicas to the master.

Error:
----------
The upstream server does not allow an anonymous downstream server to
synchronize. This particular server has not been registered on this upstream
server, or the upstream server Web services needs authentication.

WebException: The request failed with HTTP status 401: Unauthorized.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

----------

I am trying to sync on port 8530 (non SSL). Any suggestions?

0
Question by:itcok
11 Comments
 
LVL 5

Expert Comment

by:tsuzuhara
ID: 19527686
Looks like the IIS permissions on the upstream server are incorrect.
0
 
LVL 5

Expert Comment

by:tsuzuhara
ID: 19527743
http://technet.microsoft.com/en-us/updatemanagement/bb245871.aspx

Step 1: Create an authentication list

WSUS setup creates a configuration file that enables you to add an explicit list of computers that have access to WSUS. You can find this file in the file system of the WSUS server at:

%ProgramFiles%\Update Services\WebServices\Serversyncwebservice\Web.config

Use the <authorization> element to define an authentication list. You must add the <authorization> element below the <configuration> and <system.web> elements.

Consider the example below:

<configuration>
  <system.web>
    <authorization>
      <allow users="domain\computer_name,domain\computer_name" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Within opening and closing authorization tags, you specify a list of computers that are allowed a connection to the Web service. You must enter these computers as Domain\computer_name. If you want multiple computers, use a comma to separate the names. You can also specify an explicit list of computers that are denied access. Order in this list is important, as the evaluation stops with the first item that applies to the user.

The XML schema for this list can be found on an MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=47691.

Step 2: Configure IIS

The next step is to configure IIS to disable anonymous access to the ServerSyncWebService virtual directory and enable Integrated Windows authentication.

To configure IIS to disable anonymous access and enable Integrated Windows authentication for the WSUS ServerSyncWebService:

   1. On the Start menu, point to Programs, point to Administrator Tools, and then click Internet Information Services Manager.
   2. Expand the local computer node.
   3. Expand the WSUS Web site node.
   4. Right-click ServerSyncWebService, and then click Properties.
   5. On the Directory Security tab, under Authentication and access control, click Edit.
   6. In the Authentication Methods dialog box, clear the Enable anonymous access check box and select the Integrated Windows authentication check box.
   7. Click OK twice.
0
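
Added example, not part of the post above or of Microsoft's documentation: a Python sketch of the first-match evaluation the quoted text describes for the <authorization> list, useful for checking a Web.config before deploying it. The CONTOSO names and the three sample configs are constructed. It reads only the users attribute and assumes no parent configuration adds rules beyond the ASP.NET default of <allow users="*" />.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the CONTOSO\... names are made up for illustration.
GOOD = r"""<configuration><system.web><authorization>
  <allow users="CONTOSO\WSUS-R1,CONTOSO\WSUS-R2" />
  <deny users="*" />
</authorization></system.web></configuration>"""

# deny is listed first: it applies to every caller, so the allow is never reached.
DENY_FIRST = r"""<configuration><system.web><authorization>
  <deny users="*" />
  <allow users="CONTOSO\WSUS-R1" />
</authorization></system.web></configuration>"""

# No trailing deny: callers not listed fall through to the inherited default.
NO_DENY = r"""<configuration><system.web><authorization>
  <allow users="CONTOSO\WSUS-R1" />
</authorization></system.web></configuration>"""


def load_rules(web_config_xml):
    """Return [(action, [users, ...]), ...] in document order."""
    root = ET.fromstring(web_config_xml)
    auth = next(root.iter("authorization"), None)
    if auth is None:
        return []
    rules = []
    for el in auth:
        if el.tag in ("allow", "deny") and el.get("users"):
            users = [u.strip().lower() for u in el.get("users").split(",")]
            rules.append((el.tag, users))
    return rules


def is_allowed(web_config_xml, identity):
    """identity is 'DOMAIN\\name', or None for an anonymous request."""
    for action, users in load_rules(web_config_xml):
        for u in users:
            if (u == "*" or (u == "?" and identity is None)
                    or (identity is not None and u == identity.lower())):
                return action == "allow"  # first applicable rule decides
    # Assumption: nothing matched, so the inherited <allow users="*" /> applies.
    return True
```

With DENY_FIRST even the listed replica is refused, and with NO_DENY an unlisted machine is still let in, which is why the list ends with the deny rule.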
 
LVL 2

Author Comment

by:itcok
ID: 19528719
Hi tsuzuhara,
I tried the suggestion which I had also found in the operations guide. This did not resolve the issue... I also went through and verified the IIS and NTFS permissions per the documentation and all were set correctly. I can browse to the website with authentication enabled or disabled as well.
0

 
LVL 5

Expert Comment

by:tsuzuhara
ID: 19529154
Are you using a proxy in between the servers?
0
 
LVL 2

Author Comment

by:itcok
ID: 19530483
No proxy.
0
 
LVL 2

Author Comment

by:itcok
ID: 19531561
The 2 servers that I wanted to configure as replicas can sync to each other but cannot sync to the server I had designated as primary source.
0
 
LVL 5

Expert Comment

by:tsuzuhara
ID: 19534807
It seems that you have trouble connecting to the main server from every IP on your network. Have you tried connecting the clients to the primary server through a GPO just for testing purposes?
0
 
LVL 2

Author Comment

by:itcok
ID: 19576385
Turns out the IUSR account on the server was not working correctly (not being managed by IIS). We're good now...
0
 

Expert Comment

by:orjso
ID: 20824000
I am having the same issue as described.. I made the changes requested in here... still no dice.. Any advice?
0
 
LVL 2

Author Comment

by:itcok
ID: 21042088
IIS Permissions:
 
Open Internet Services Manager, IIS and make sure you have Anonymous Access on the following Virtual Directories viz;
 
i. You have Anonymous Access on Default Website,
ii. You have Anonymous Access on selfupdate,
iii. You have Anonymous Access on autoupdate and
iv. Also, Anonymous Access should be granted on content virtual directories.

NTFS permissions:
 
Make sure you have READ permission on the folders where you have installed SUS viz;
 
i. C:\SUS  Content: EVERYONE should at least have READ Permission.
ii. C:\SUS  Content: Web Anonymous User must have READ & EXECUTE, LIST FOLDER CONTENTS.
iii. C:\SUS  Content: IUSR & IWAM Users must have READ & EXECUTE, LIST FOLDER CONTENTS


Use FQDN when synching via SSL.

IIS Codes
http://support.microsoft.com/kb/318380

Verifying WSUS Server Settings
http://technet2.microsoft.com/windowsserver/en/library/aae0c0a0-0bc7-46f8-b3ea-bc441a3796b41033.mspx?mfr=true
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 22505701
PAQed with points refunded (500)

Computer101
EE Admin
0
