Cannot get wsus server to sync with downstream server

I cannot get the servers to sync.  When I try to browse to a page from the downstream server to the upstream server, I get a not authorized error.  When I try to connect through the wizard, I get a Status 401 - Unauthorized error message.  When I try to sync, I get WebException: The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

The Upstream server is allowing anonymous access throughout the site... Help!
Who is Participating?
TokyoBritConnect With a Mentor Commented:
After browsing through several posts about this error, and many useless responses, I have found a way for you to check which 401 error it is (as there are several).

On the upstream server, open a browser and point to -


This is assuming that you installed the WSUS administration to the default website and you are not using SSL. If you chose a different install, then either connect to https://localhost, http://localhost:8530, or https://localhost:8531.

In any case, the browser will return the full error code, which in my case was -

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.

The anonymous account was a member of the Guests group, which was explicitly denied access at the system root and all sub-folders. This was a security setting that existed on the system prior to installing WSUS and was unchanged by the WSUS 3.0 SP1 install, so even following the simple steps in the Deployment Guide gives a failure result.

Removing the IUSR account from Guests and explicity setting the security for the necessary sub folders (C:\Program Files\Update Services\WebServices) fixed the problem. If the security and authorization is correctly set, you will most likely see -

"This type of page is not served."

Rather than the 401 error.

Hope this helps you and others track down and fix this annoying problem.
Normally, the downstream server needs to be in the same domain/forest where there is a trust in place be default.

Is this not occurring?

When you installed the downstream server, during the setup did you select to sync with upstream server?

orjsoAuthor Commented:
I am installing wsus 3.0.  When I was installing it, it never asked to select to sync to upstream server.  After it was installed, i went to options and syn and pointed it to the name of the box and port 80 (which is where it is running)
All Courses

From novice to tech pro — start learning today.