Gonkster
asked on
Problem getting WSUS 3.0 working with ISA 2000
I am currently having a nightmare trying to deploy WSUS 3.0 onto a domain for a friend of mine.
To cut a long story short, updates have not been run on any of the domain machines for a very long time and it seems to be due to the ISA 2000 server blocking the automated updates (BITS) service, so a local WSUS server seemed appropriate to help solve the problem...
After installing WSUS 3.0 on a 2003 member server and running a manual synch I get the following error:
WebException: The remote server returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.GetRequestStream()
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
All computers on the domain cannot get updates via the BITS service (the icon when downloading auto updates appears but sits at 0% for a while and then disappears), the error in the WindowsUpdate.log file is as follows:
2007-07-29 09:25:57:788 996 1890 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:57:788 996 1890 DnldMgr Error 0x8024402c occurred while downloading update; notifying dependent calls.
2007-07-29 09:25:58:085 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:085 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:085 996 1238 DnldMgr *********** DnldMgr: New download job [UpdateId = {8E058E91-FA8C-4BB0-B1EE-90AC6BF6D7A3}.102] ***********
2007-07-29 09:25:58:226 996 1238 DnldMgr * BITS job initialized, JobId = {AAE67740-4BEB-4F57-8655-2AFFE0DC5044}
2007-07-29 09:25:58:226 996 1238 DnldMgr BITS job {AAE67740-4BEB-4F57-8655-2AFFE0DC5044} using proxy = http=Trust me that this entry is correct but I've replaced the text here for security etc, bypass = <NULL>
2007-07-29 09:25:58:335 996 1238 DnldMgr * Downloading from http://download.windowsupdate.com/msdownload/update/v5/psf/windowsserver2003-kb935839-x86-enu_09930c3ae97e3223e787646b4394aede46eecd4c.psf to C:\WINDOWS\SoftwareDistribution\Download\f1921ba434ee3d498f996cf17f1762e9\download\WindowsServer2003-KB935839-x86-ENU.psf.blob (2 subranges).
2007-07-29 09:25:58:585 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:585 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:601 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:647 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:647 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:647 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:647 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
I've got a windows update http and https rule set up for ISA2000 to no avail.
The strange thing is that if I browse to windows update in IE and manually start an update from there, the update works and also the BITS service kicks in and starts to download!
There is something going on here with ISA2000 that is not allowing proxy auth for some reason.
I have also got an anonymous allow rule set up for windows update on the ISA 2000 server and I have tried setting the WSUS server to use no login auth, that also fails as does using domain admin for proxy auth, both give the 407 failed auth error.
Admittedly I have not as yet tried using WSUS v2.
Any help here would be greatly appreciated as this company's domain is a real mess with no updates for a very long time. If you need any other logs/errors etc just let me know.
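Added example, not part of the original post: a small Python triage of a WindowsUpdate.log excerpt like the one above, counting the error codes per component and pulling out the proxy each BITS job was handed. The two code names come from Microsoft's public error-code references rather than from the post, and the proxy value in the sample is a constructed placeholder because the poster redacted the real one.

```python
import re
from collections import Counter
# Names come from Microsoft's public error-code references, not from the post.
KNOWN = {
    0x8024402C: "WU_E_PT_WINHTTP_NAME_NOT_RESOLVED (proxy or target name not resolved)",
    0x800704DD: "HRESULT_FROM_WIN32(ERROR_NOT_LOGGED_ON)",
}
LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}\s+\d+\s+[0-9a-fA-F]+\s+"
                  r"(?P<comp>\S+)\s+(?P<msg>.*)$")
# Only hex values introduced by the word "error"; GUIDs must not be counted.
CODE = re.compile(r"\b[Ee]rror (?:0x)?([0-9a-fA-F]{8})\b")
PROXY = re.compile(r"using proxy = (?P<proxy>.*?), bypass = (?P<bypass>\S+)")

def decode(code):
    """Name a code; unwrap FACILITY_WIN32 (0x8007xxxx) HRESULTs to the Win32 number."""
    if code in KNOWN:
        return KNOWN[code]
    if code >> 16 == 0x8007:
        return "Win32 error %d" % (code & 0xFFFF)
    return "unknown"

def triage(text):
    """Count error codes per component and collect BITS proxy settings."""
    codes, proxies = Counter(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        for hit in CODE.findall(m["msg"]):
            codes[(m["comp"], int(hit, 16))] += 1
        p = PROXY.search(m["msg"])
        if p:
            proxies.append((p["proxy"], p["bypass"]))
    return codes, proxies

# Lines copied from the log above; the proxy value is a constructed placeholder.
SAMPLE = """\
2007-07-29 09:25:57:788 996 1890 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:57:788 996 1890 DnldMgr Error 0x8024402c occurred while downloading update; notifying dependent calls.
2007-07-29 09:25:58:085 996 1238 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-29 09:25:58:085 996 1238 DnldMgr *********** DnldMgr: New download job [UpdateId = {8E058E91-FA8C-4BB0-B1EE-90AC6BF6D7A3}.102] ***********
2007-07-29 09:25:58:226 996 1238 DnldMgr BITS job {AAE67740-4BEB-4F57-8655-2AFFE0DC5044} using proxy = http=proxy.example.invalid:8080, bypass = <NULL>
"""

if __name__ == "__main__":
    codes, proxies = triage(SAMPLE)
    for (comp, code), n in codes.most_common():
        print("%-8s 0x%08X x%d  %s" % (comp, code, n, decode(code)))
    print("BITS proxy settings:", proxies)
```

Collapsing the repeated warnings this way separates the single download failure from the session-token noise and shows which proxy string the service-context BITS job actually used.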
ASKER
After some major hairpulling, I've installed WSUS v2.0 instead, needless to say it's unsupported now, but then again so is ISA2000 afaik. WSUS 2.0 worked just fine with the ISA2k server, not the ideal set up imho but I suppose it will last long enough to be someone else's problem at a later date :)
ASKER
I've set up an auth rule as per the Microsoft guide and even tried making an anonymous access rule to no avail.
As I said, WSUS 2.0 worked just fine.
It's not the ideal solution but then again the entire network is such a dog's dinner it would cost a princely sum to fix things properly. I'll split the points between you guys for having answered me, many thanks guys.
ASKER
If it was up to me I'd definitely upgrade to ISA 2004 perhaps, alas it's not an option.
Looking at how bad this problem is I think it's worth 500 :)