Discussion:
Event Viewer Errors 13042 13002 12002 12042 12052
(too old to reply)
Chris
2007-06-01 14:29:02 UTC
Permalink
I'm running WSUS 3.0, not the beta. These errors are on my WSUS server and
promply show when I run: wsusutil checkhealth

All are source: Windows Server Update
Event IDs in order from older to new, but all appearing in the same second.

13042 - Self-update is not working
13002 - Client computers are installing updates with a higher than 25
percent failure rate. This is not normal.
12002 - The Reporting Web Service is not working.
12032 - The Server Synchronization Web Service is not working.
12022 - The Client Web Service is not working.
12042 - The SimpleAuth Web Service is not working.
12052 - The DSS Authentication Web Service is not working.

---------

The server is 2003 standard with sp2.

Originally I was not getting clients to show. I tweaked some folder and IIS
permissions and the clients started show up, but none are receiving the
updates. I've read several articles from MS to see if I can access certain
.cab files through IIS and I can from client machines.

----------------

Any ideas or help would be appreciated. Oh, I also installed the 3.0 update
agent and applied the KB927891 afterwards on all machines on the domain.
Lawrence Garvin (MVP)
2007-06-01 16:57:54 UTC
Permalink
Post by Chris
I'm running WSUS 3.0, not the beta. These errors are on my WSUS server and
promply show when I run: wsusutil checkhealth
All are source: Windows Server Update
Event IDs in order from older to new, but all appearing in the same second.
13042 - Self-update is not working
13002 - Client computers are installing updates with a higher than 25
percent failure rate. This is not normal.
12002 - The Reporting Web Service is not working.
12032 - The Server Synchronization Web Service is not working.
12022 - The Client Web Service is not working.
12042 - The SimpleAuth Web Service is not working.
12052 - The DSS Authentication Web Service is not working.
I tweaked some folder and IIS
permissions and the clients started show up, but none are receiving the
updates.
My gut feeling is that "tweaked some folder" and "IIS permissions" is
probably the key to your issue.

Can you expand on this statement a bit, please?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Chris
2007-06-01 17:51:05 UTC
Permalink
I'm not sure what to expand on. I messed with IIS permissions and folder
permissions to get some errors to go away that are not listed below. Prior
to do the changes, no clients would show up in the MMC snap in. After
messing with permissions, the clients now show up but have a status of not
reported in yet.

I can access the .cab files on the IIS server that are related to WSUS. But
nothing else is working beyond that. I'm unable to find any articles
explaining any of the errors above that work. Google searches show some
people having similiar problems in beta, but no resolutions.

Thanks for any help you can provide.
Post by Lawrence Garvin (MVP)
Post by Chris
I'm running WSUS 3.0, not the beta. These errors are on my WSUS server and
promply show when I run: wsusutil checkhealth
All are source: Windows Server Update
Event IDs in order from older to new, but all appearing in the same second.
13042 - Self-update is not working
13002 - Client computers are installing updates with a higher than 25
percent failure rate. This is not normal.
12002 - The Reporting Web Service is not working.
12032 - The Server Synchronization Web Service is not working.
12022 - The Client Web Service is not working.
12042 - The SimpleAuth Web Service is not working.
12052 - The DSS Authentication Web Service is not working.
I tweaked some folder and IIS
permissions and the clients started show up, but none are receiving the
updates.
My gut feeling is that "tweaked some folder" and "IIS permissions" is
probably the key to your issue.
Can you expand on this statement a bit, please?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-06-01 21:36:49 UTC
Permalink
Post by Chris
I'm not sure what to expand on.
Exact details would be a good start! :-)
Post by Chris
I messed with IIS permissions and folder permissions
That level of information is totally useless, but absolutely indicates a
potential problem!
Post by Chris
to get some errors to go away that are not listed below.
Specifically which IIS permissions.
Specifically which folder permissions.

What did you change them to?
Post by Chris
Prior to do the changes, no clients would show up in the MMC snap in.
Changing permissions is rarely the solution to such a problem. In fact, in
all of the past two years of working with WSUS, the *only* time changing
permissions has been a solution is when the client is specifically receiving
HTTP '401' errors from the WSUS server, which is almost always because
somebody/something has disabled anonymous access on the IIS virtual server.

I suspect the correct resolution is going to be to put the permissions back
to where they were and troubleshoot the original problem, and implement the
correct solution for that original problem. I'll know that for certain once
I see what you changed.

In addition, what do you have in the way of error codes from the client(s)
concerning the original "will not show up" problem?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Chris
2007-06-04 14:34:00 UTC
Permalink
I guess some back story would help on the permissions thing. :)

Yes, clients were getting 401 errors, I think they were actually 401.1. So
I made sure the anonymous inetusr and domain users had access to all the WSUS
sites and folders listed in IIS. Once I did this, computers started showing
up in the wsus mmc snap in, but they all have a status of "not yet reported."


What's weird is one computer reported in on 6/1/2007 at 2:34am. But that
doesn't explain all the services errors on the server.

From a client, if I goto http://servername/selfupdate/wuident.cab, it asks
me if I want to save the cab file. That's a good sign from online support
articles. There are other cabs and they are all accessible.

Looks like I'm still getting 401, but I'm able access the path. Here's part
of the log.
__________
2007-06-04 08:46:05 1032 84c PT Initializing simple targeting cookie,
clientId = 5ffb03d7-d6b9-4914-b7dd-3efbb43cf492, target group = , DNS name =
clientname.domain.name
2007-06-04 08:46:05 1032 84c PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 08:46:05 1032 84c PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
2007-06-04 08:46:05 1032 84c Report WARNING: Reporter failed to upload
events with hr = 80244017.
2007-06-04 09:03:59 1032 84c PT Initializing simple targeting cookie,
clientId = 5ffb03d7-d6b9-4914-b7dd-3efbb43cf492, target group = , DNS name =
clientname.domain.name
2007-06-04 09:03:59 1032 84c PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 09:03:59 1032 84c PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
2007-06-04 09:03:59 1032 84c Report WARNING: Reporter failed to upload
events with hr = 80244017.
2007-06-04 09:29:15 1032 84c PT Initializing simple targeting cookie,
clientId = 5ffb03d7-d6b9-4914-b7dd-3efbb43cf492, target group = , DNS name =
clientname.domain.name
2007-06-04 09:29:15 1032 84c PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 09:29:15 1032 84c PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
2007-06-04 09:29:15 1032 84c Report WARNING: Reporter failed to upload
events with hr = 80244017.
2007-06-04 09:58:19 1032 9f4 PT Initializing simple targeting cookie,
clientId = 5ffb03d7-d6b9-4914-b7dd-3efbb43cf492, target group = , DNS name =
clientname.domain.name
2007-06-04 09:58:19 1032 9f4 PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 09:58:19 1032 9f4 PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
2007-06-04 09:58:19 1032 9f4 Report WARNING: Reporter failed to upload
events with hr = 80244017.
2007-06-04 10:11:23 1032 9f4 PT Initializing simple targeting cookie,
clientId = 5ffb03d7-d6b9-4914-b7dd-3efbb43cf492, target group = , DNS name =
clientname.domain.name
2007-06-04 10:11:23 1032 9f4 PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 10:11:23 1032 9f4 PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
2007-06-04 10:11:23 1032 9f4 Report WARNING: Reporter failed to upload
events with hr = 80244017.
__________

So I browsed to http://servername/SimpleAuthWebService/SimpleAuth.asmx and a
page came up that says:

__________
SimpleAuth


The following operations are supported. For a formal definition, please
review the Service Description.

GetAuthorizationCookie

Ping
____________

I can click the GetAuthorizationCookie and Ping links and they come up.

Again, thanks for any help.

Chris
Post by Lawrence Garvin (MVP)
Post by Chris
I'm not sure what to expand on.
Exact details would be a good start! :-)
Post by Chris
I messed with IIS permissions and folder permissions
That level of information is totally useless, but absolutely indicates a
potential problem!
Post by Chris
to get some errors to go away that are not listed below.
Specifically which IIS permissions.
Specifically which folder permissions.
What did you change them to?
Post by Chris
Prior to do the changes, no clients would show up in the MMC snap in.
Changing permissions is rarely the solution to such a problem. In fact, in
all of the past two years of working with WSUS, the *only* time changing
permissions has been a solution is when the client is specifically receiving
HTTP '401' errors from the WSUS server, which is almost always because
somebody/something has disabled anonymous access on the IIS virtual server.
I suspect the correct resolution is going to be to put the permissions back
to where they were and troubleshoot the original problem, and implement the
correct solution for that original problem. I'll know that for certain once
I see what you changed.
In addition, what do you have in the way of error codes from the client(s)
concerning the original "will not show up" problem?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-06-05 02:15:17 UTC
Permalink
Post by Chris
I guess some back story would help on the permissions thing. :)
Yes, clients were getting 401 errors, I think they were actually 401.1.
So
I made sure the anonymous inetusr and domain users had access to all the WSUS
sites and folders listed in IIS.
Okay, let's start by remediating all of the NTFS and IIS permissions.

What are the correct IIS and NTFS permissions for WSUS?
http://wsusinfo.onsitechsolutions.com/articles/016.htm
Post by Chris
2007-06-04 08:46:05 1032 84c PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 08:46:05 1032 84c PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
This '401' error is on the /SimpleAuthWebService virtual directory, which
should have anonymous access enabled on the virtual directory, but not
Integrated Authentication.
Post by Chris
So I browsed to http://servername/SimpleAuthWebService/SimpleAuth.asmx and a
__________
SimpleAuth
The following operations are supported. For a formal definition, please
review the Service Description.
Good.. but here's an important diagnostic consideration...

These v-roots need to have anonymous access. If you're browsing to them from
a console session that has administrator access, then you're getting access
through Integrated Authentication (if it's enabled) by virtue of your admin
status. Make sure you perform these tests from an UNprivileged account.

In the meantime, I'm trying to think of any other obscure scenearios that
have also generated '401' errors that might be slipping my mind.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Chris
2007-06-13 14:10:00 UTC
Permalink
Please revisit the thread, thanks.
Post by Lawrence Garvin (MVP)
Post by Chris
I guess some back story would help on the permissions thing. :)
Yes, clients were getting 401 errors, I think they were actually 401.1.
So
I made sure the anonymous inetusr and domain users had access to all the WSUS
sites and folders listed in IIS.
Okay, let's start by remediating all of the NTFS and IIS permissions.
What are the correct IIS and NTFS permissions for WSUS?
http://wsusinfo.onsitechsolutions.com/articles/016.htm
Post by Chris
2007-06-04 08:46:05 1032 84c PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 08:46:05 1032 84c PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
This '401' error is on the /SimpleAuthWebService virtual directory, which
should have anonymous access enabled on the virtual directory, but not
Integrated Authentication.
Post by Chris
So I browsed to http://servername/SimpleAuthWebService/SimpleAuth.asmx and a
__________
SimpleAuth
The following operations are supported. For a formal definition, please
review the Service Description.
Good.. but here's an important diagnostic consideration...
These v-roots need to have anonymous access. If you're browsing to them from
a console session that has administrator access, then you're getting access
through Integrated Authentication (if it's enabled) by virtue of your admin
status. Make sure you perform these tests from an UNprivileged account.
In the meantime, I'm trying to think of any other obscure scenearios that
have also generated '401' errors that might be slipping my mind.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-06-14 03:48:09 UTC
Permalink
Post by Chris
Please revisit the thread, thanks.
Post by Chris
Yes, clients were getting 401 errors, I think they were actually 401.1.
So
I made sure the anonymous inetusr and domain users had access to all the
WSUS sites and folders listed in IIS.
Okay, let's start by remediating all of the NTFS and IIS permissions.
What are the correct IIS and NTFS permissions for WSUS?
http://wsusinfo.onsitechsolutions.com/articles/016.htm
You've not replied to that message (until today, but still not answered the
questions).

Did you remediate *all* of the NTFS and IIS permissions on this WSUS server
in accordance with the permissions documented in the cited article?


I also pointed out, specifically, what was causing the '401' error, and the
most likely cause.
Post by Chris
Post by Chris
2007-06-04 08:46:05 1032 84c PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-04 08:46:05 1032 84c PT WARNING: GetAuthorizationCookie failure,
error = 0x80244017, soap client error = 10, soap error code = 0, HTTP status
code = 401
This '401' error is on the /SimpleAuthWebService virtual directory, which
should have anonymous access enabled on the virtual directory, but not
Integrated Authentication.
Did you check the /SimpleAuthWebService virtual directory to ensure it had
anonymous access enabled and not Integrated Authentication?
Post by Chris
These v-roots need to have anonymous access. If you're browsing to them from
a console session that has administrator access, then you're getting access
through Integrated Authentication (if it's enabled) by virtue of your admin
status. Make sure you perform these tests from an UNprivileged account.
In the meantime, I'm trying to think of any other obscure scenearios that
have also generated '401' errors that might be slipping my mind.
But without any feedback from you concerning my suggestions and questions,
I'm not going to think real hard of any other "obscure scenarios", since the
likelihood (until you tell me otherwise) is that the IIS or NTFS permissions
*are* misconfigured.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Cecils(MSFT)
2007-06-01 21:51:13 UTC
Permalink
First off it looks like there is an issue with those tweaked IIS settings.
Each of these events points to an issue with several of the Web Services
that are needed to ensure that WSUS is working properly. Which might
explain some of your original issues.
--
Cecil [MSFT]
Deployment, WSUS
Microsoft

This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Post by Chris
I'm running WSUS 3.0, not the beta. These errors are on my WSUS server and
promply show when I run: wsusutil checkhealth
All are source: Windows Server Update
Event IDs in order from older to new, but all appearing in the same second.
13042 - Self-update is not working
13002 - Client computers are installing updates with a higher than 25
percent failure rate. This is not normal.
12002 - The Reporting Web Service is not working.
12032 - The Server Synchronization Web Service is not working.
12022 - The Client Web Service is not working.
12042 - The SimpleAuth Web Service is not working.
12052 - The DSS Authentication Web Service is not working.
---------
The server is 2003 standard with sp2.
Originally I was not getting clients to show. I tweaked some folder and IIS
permissions and the clients started show up, but none are receiving the
updates. I've read several articles from MS to see if I can access certain
.cab files through IIS and I can from client machines.
----------------
Any ideas or help would be appreciated. Oh, I also installed the 3.0 update
agent and applied the KB927891 afterwards on all machines on the domain.
Chris
2007-06-04 14:38:00 UTC
Permalink
Agreed. There were more errors previously until I played with the settings.
I didn't restrict the security on the folders/web access, I allowed more
access to them.

I followed several MS Articles and ran tools against IIS (can't remember
which, I spent like 4-6 hours on it) and all the results were what we were
looking for.

My next thought is to uninstall WSUS and delete all folders. Then uninstall
IIS and delete all folders. Reboot. Reinstall IIS and WSUS.

Thoughts?

Chris
Post by Cecils(MSFT)
First off it looks like there is an issue with those tweaked IIS settings.
Each of these events points to an issue with several of the Web Services
that are needed to ensure that WSUS is working properly. Which might
explain some of your original issues.
--
Cecil [MSFT]
Deployment, WSUS
Microsoft
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Post by Chris
I'm running WSUS 3.0, not the beta. These errors are on my WSUS server and
promply show when I run: wsusutil checkhealth
All are source: Windows Server Update
Event IDs in order from older to new, but all appearing in the same second.
13042 - Self-update is not working
13002 - Client computers are installing updates with a higher than 25
percent failure rate. This is not normal.
12002 - The Reporting Web Service is not working.
12032 - The Server Synchronization Web Service is not working.
12022 - The Client Web Service is not working.
12042 - The SimpleAuth Web Service is not working.
12052 - The DSS Authentication Web Service is not working.
---------
The server is 2003 standard with sp2.
Originally I was not getting clients to show. I tweaked some folder and IIS
permissions and the clients started show up, but none are receiving the
updates. I've read several articles from MS to see if I can access certain
.cab files through IIS and I can from client machines.
----------------
Any ideas or help would be appreciated. Oh, I also installed the 3.0 update
agent and applied the KB927891 afterwards on all machines on the domain.
Lawrence Garvin (MVP)
2007-06-05 02:16:01 UTC
Permalink
Post by Chris
My next thought is to uninstall WSUS and delete all folders. Then uninstall
IIS and delete all folders. Reboot. Reinstall IIS and WSUS.
This would certainly remediate any lingering issues with permissions. :-)
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Chris
2007-06-05 12:05:02 UTC
Permalink
When I get a chance, I'll let you guys know.
Post by Lawrence Garvin (MVP)
Post by Chris
My next thought is to uninstall WSUS and delete all folders. Then uninstall
IIS and delete all folders. Reboot. Reinstall IIS and WSUS.
This would certainly remediate any lingering issues with permissions. :-)
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Chris
2007-06-07 18:39:00 UTC
Permalink
Ok, I uninstalled WSUS and IIS yesterday, had the server reboot in the middle
of the night and reinstalled IIS then WSUS today.

I've got some great news, the majority of the errors are gone, but the bad
news is I still have one error and it seems be keeping everything from
working. :/

Source: Windows Server Update
Category: System Event
Event ID: 13042
Self-update is not working.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

It's the only error. Clients are showing up in the MMC snap in, but they
all have a status of "not yet reported" and this includes the server itself.

WindowsUpdate.log on the server:

2007-06-07 13:25:34:118 1016 13d8 PT WARNING: Cached cookie has expired or
new PID is available
2007-06-07 13:25:34:118 1016 13d8 PT Initializing simple targeting cookie,
clientId = 90b8f534-cc2e-4e34-b220-c8f9e5fba33e, target group = , DNS name =
servername.domain.name
2007-06-07 13:25:34:118 1016 13d8 PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-07 13:25:34:211 1016 13d8 PT WARNING: GetCookie failure, error =
0x8024400D, soap client error = 7, soap error code = 300, HTTP status code =
200
2007-06-07 13:25:34:211 1016 13d8 PT WARNING: SOAP Fault: 0x00012c
2007-06-07 13:25:34:227 1016 13d8 PT WARNING:
faultstring:System.Web.Services.Protocols.SoapException: Fault occurred
at
Microsoft.UpdateServices.Internal.SoapUtilities.ThrowException(ErrorCode
errorCode, String message)
at
Microsoft.UpdateServices.Internal.Authorization.AuthorizationManager.DecryptOldCookie(Cookie oldCookie)
at
Microsoft.UpdateServices.Internal.Authorization.AuthorizationManager.GetCookie(AuthorizationCookie[]
authCookies, Cookie oldCookie, DateTime lastChange, DateTime
currentClientTime, String clientProtocolVersion)
at
Microsoft.UpdateServices.Internal.ClientImplementation.GetCookie(AuthorizationCookie[]
authCookies, Cookie oldCookie, DateTime lastChange, DateTime
currentClientTime, String protocolVersion)
at
Microsoft.UpdateServices.Internal.Client.GetCookie(AuthorizationCookie[]
authCookies, Cookie oldCookie, DateTime lastChange, DateTime currentTime,
String protocolVersion)
2007-06-07 13:25:34:227 1016 13d8 PT WARNING: ErrorCode:InvalidCookie(1)
2007-06-07 13:25:34:227 1016 13d8 PT WARNING: Message:(null)
2007-06-07 13:25:34:227 1016 13d8 PT WARNING:
Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"
2007-06-07 13:25:34:227 1016 13d8 PT WARNING:
ID:27cf1729-6550-4cda-99c1-1e08f68cb1ee
2007-06-07 13:25:34:227 1016 13d8 PT WARNING: PTError: 0x80244015
2007-06-07 13:25:34:227 1016 13d8 PT WARNING: GetCookie_WithRecovery failed
: 0x80244015
2007-06-07 13:25:34:227 1016 13d8 PT WARNING: RefreshCookie failed: 0x80244015
2007-06-07 13:25:34:227 1016 13d8 PT WARNING: RefreshPTState failed:
0x80244015
2007-06-07 13:25:35:071 1016 13d8 PT WARNING: Cached cookie has expired or
new PID is available
2007-06-07 13:25:35:102 1016 13d8 PT Initializing simple targeting cookie,
clientId = 90b8f534-cc2e-4e34-b220-c8f9e5fba33e, target group = , DNS name =
servername.domain.name
2007-06-07 13:25:35:102 1016 13d8 PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-07 13:25:40:914 1016 13d8 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:25:40:914 1016 13d8 Report Reporter successfully uploaded 1
events.
2007-06-07 13:25:41:024 1016 13d8 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:25:41:024 1016 13d8 Report Reporter successfully uploaded 1
events.
2007-06-07 13:25:41:133 1016 13d8 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:25:41:133 1016 13d8 Report Reporter successfully uploaded 1
events.
2007-06-07 13:25:41:242 1016 13d8 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:25:41:242 1016 13d8 Report Reporter successfully uploaded 1
events.
2007-06-07 13:25:41:336 1016 13d8 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:25:41:336 1016 13d8 Report Reporter successfully uploaded 1
events.

WindowsUpdate.log from a PC not logged in as administrator:

2007-06-07 12:50:44:207 1120 4ac AU AU received policy change subscription
event
2007-06-07 12:56:23:307 1120 514 PT WARNING: Cached cookie has expired or
new PID is available
2007-06-07 12:56:23:307 1120 514 PT Initializing simple targeting cookie,
clientId = b00463fa-9f32-46a5-afcd-bdb16863c8ee, target group = , DNS name =
clientname.domain.name
2007-06-07 12:56:23:307 1120 514 PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-07 12:57:15:839 1120 514 PT WARNING: GetAuthorizationCookie failure,
error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status
code = 404
2007-06-07 12:57:15:839 1120 514 PT WARNING: Failed to initialize Simple
Targeting Cookie: 0x80244019
2007-06-07 12:57:15:839 1120 514 PT WARNING: PopulateAuthCookies failed:
0x80244019
2007-06-07 12:57:15:839 1120 514 PT WARNING: RefreshCookie failed: 0x80244019
2007-06-07 12:57:15:839 1120 514 PT WARNING: RefreshPTState failed: 0x80244019
2007-06-07 12:57:15:839 1120 514 PT WARNING: PTError: 0x80244019
2007-06-07 12:57:15:839 1120 514 Report WARNING: Reporter failed to upload
events with hr = 80244019.
2007-06-07 13:26:14:482 1120 f08 PT WARNING: Cached cookie has expired or
new PID is available
2007-06-07 13:26:14:482 1120 f08 PT Initializing simple targeting cookie,
clientId = b00463fa-9f32-46a5-afcd-bdb16863c8ee, target group = , DNS name =
clientname.domain.name
2007-06-07 13:26:14:482 1120 f08 PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-07 13:26:14:576 1120 f08 PT WARNING: GetCookie failure, error =
0x8024400D, soap client error = 7, soap error code = 300, HTTP status code =
200
2007-06-07 13:26:14:576 1120 f08 PT WARNING: SOAP Fault: 0x00012c
2007-06-07 13:26:14:576 1120 f08 PT WARNING: faultstring:Fault occurred
2007-06-07 13:26:14:576 1120 f08 PT WARNING: ErrorCode:InvalidCookie(1)
2007-06-07 13:26:14:576 1120 f08 PT WARNING: Message:(null)
2007-06-07 13:26:14:576 1120 f08 PT WARNING:
Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"
2007-06-07 13:26:14:576 1120 f08 PT WARNING:
ID:0d9eec4d-7b83-4ff6-bbf7-eedb71fef02e
2007-06-07 13:26:14:576 1120 f08 PT WARNING: PTError: 0x80244015
2007-06-07 13:26:14:576 1120 f08 PT WARNING: GetCookie_WithRecovery failed :
0x80244015
2007-06-07 13:26:14:576 1120 f08 PT WARNING: RefreshCookie failed: 0x80244015
2007-06-07 13:26:14:576 1120 f08 PT WARNING: RefreshPTState failed: 0x80244015
2007-06-07 13:26:15:716 1120 f08 PT WARNING: Cached cookie has expired or
new PID is available
2007-06-07 13:26:15:716 1120 f08 PT Initializing simple targeting cookie,
clientId = b00463fa-9f32-46a5-afcd-bdb16863c8ee, target group = , DNS name =
clientname.domain.name
2007-06-07 13:26:15:716 1120 f08 PT Server URL =
http://servername/SimpleAuthWebService/SimpleAuth.asmx
2007-06-07 13:26:24:123 1120 f08 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:26:24:123 1120 f08 Report Reporter successfully uploaded 1
events.
2007-06-07 13:26:24:154 1120 f08 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:26:24:169 1120 f08 Report Reporter successfully uploaded 1
events.
2007-06-07 13:26:24:216 1120 f08 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:26:24:216 1120 f08 Report Reporter successfully uploaded 1
events.
2007-06-07 13:26:24:248 1120 f08 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:26:24:248 1120 f08 Report Reporter successfully uploaded 1
events.
2007-06-07 13:26:24:294 1120 f08 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:26:24:294 1120 f08 Report Reporter successfully uploaded 1
events.
2007-06-07 13:26:24:341 1120 f08 Report Uploading 1 events using cached
cookie, reporting URL =
http://servername/ReportingWebService/ReportingWebService.asmx
2007-06-07 13:26:24:341 1120 f08 Report Reporter successfully uploaded 1
events.

I'm going to see what I can figure out, but if you've seen this before, your
help would be appreciated. Thanks.
Post by Chris
When I get a chance, I'll let you guys know.
Post by Lawrence Garvin (MVP)
Post by Chris
My next thought is to uninstall WSUS and delete all folders. Then uninstall
IIS and delete all folders. Reboot. Reinstall IIS and WSUS.
This would certainly remediate any lingering issues with permissions. :-)
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Chris
2007-06-07 19:57:01 UTC
Permalink
**************
*My comments are enclosed in the *'s.
*
*Microsoft's online support recommended the following actions for the 13042
event id.
**************

User Action Self Update

Client self-update is not working correctly. WSUS creates a virtual
directory "SelfUpdate" on port 80 that is used by Automatic Update (AU)
clients. The AU client checks its version, and if the version is found to be
out of date, the AU client downloads and installs a new version. This
requires downloading a file used to check the version and then downloading
the client binaries appropriate for that computer and OS. The static content
in this directory and its subdirectories is available via anonymous access.
Note: A second SelfUpdate virtual directory will be created if the "WSUS
Administration" Web site is created on port 8530.
Possible resolutions include:

-Check network connectivity on the WSUS client computer.
Open Internet Explorer.
In the address bar, type http://<WSUSServerName>/iuident.cab where
<WSUSServerName> is the name of your WSUS server. Ensure that you are
prompted to download or open iuident.cab. This verifies network connectivity
from the WSUS client computer and the availability of the iuident.cab file on
the WSUS server.
If there are any boxes prompting you to download or save, click Cancel.

******************
*This did not work, so I looked at the file security and the Internet Guest
Account did not have Read & Execute access, so I granted it. Now I can
access the file. Also, I'm using the default port of 80.
******************

-Check for the existence of the self-update tree on port 80, which is
typically the default Web site.
Open a command window.
Type cscript <WSUSInstallDir>\setup\InstallSelfupdateOnPort80.vbs

******************
*Ran this script, says Success
******************

-Check permissions on the client Web service directory.
Open a command window.
Type cd <WSUSInstallDir>\SelfUpdate
Type cacls
The following ACEs should be set:
-BUILTIN\Users:(OI)(CI)R
-BUILTIN\Administrators:(OI)(CI)F
-NT AUTHORITY\SYSTEM:(OI)(CI)F

******************
*My results of running cacls:
*C:\Program Files\Update Services\Selfupdate>cacls *
*C:\Program Files\Update Services\Selfupdate\AU BUILTIN\Users:(OI)(CI)R
*
BUILTIN\Administrators:(OI)(CI)F
* NT AUTHORITY\SYSTEM:(OI)(CI)F
*C:\Program Files\Update Services\Selfupdate\iuident.cab BUILTIN\Users:R
*
BUILTIN\Administrators:F
* NT AUTHORITY\SYSTEM:F
*C:\Program Files\Update Services\Selfupdate\WSUS3 BUILTIN\Users:(OI)(CI)R
*
BUILTIN\Administrators:(OI)(CI)F
* NT
AUTHORITY\SYSTEM:(OI)(CI)F
*C:\Program Files\Update Services\Selfupdate\wuident.cab BUILTIN\Users:R
*
BUILTIN\Administrators:F
* NT AUTHORITY\SYSTEM:F
*Looks good, the best I can tell. For some reason wuident.cab doesn't show
(OI)(CI), these indicate inherits and the permissions are the same
regardless. When looking at it in the GUI, the *permissions are inherited.
******************

Check the IIS configuration of the reporting Web service using the IIS
script adsutil.vbs (or use the IIS Administration UI Tool). For more
information, see "Appendix C: IIS Settings for Web Services" in the WSUS 3.0
Operations Guide at http://go.microsoft.com/fwlink/?LinkId=81072

******************
*This appendix has you look at IIS vroots and their settings:
*
*ClientWebService
*Directory: %ProgramFiles%Update Services\WebServices\ClientWebService
*Application Pool: WsusPool
*Security: Anonymous Access Enabled
*Execute Permissions: Scripts Only
*Content
*Directory[the location of the WSUS content directory]
*Security: Anonymous Access Enabled
*Execute Permissions: None
*DssAuthWebService
*Directory: %ProgramFiles%Update Services\WebServices\DssAuthWebService
*Application Pool: WsusPool
*Security: Anonymous Access Enabled
*Execute Permissions: Scripts Only
*Inventory
*Directory: %ProgramFiles%Update Services\ Inventory
*Application Pool: WsusPool
*Security: Anonymous Access Enabled
*Execute Permissions: Scripts Only
*ReportingWebService
*Directory: %ProgramFiles%Update Services\WebServices\ReportingWebService
*Application Pool: WsusPool
*Security: Anonymous Access Enabled
*Execute Permissions: Scripts Only
*ServerSyncWebService
*Directory: %ProgramFiles%Update Services\WebServices\ServerSyncWebService
*Application Pool: WsusPool
*Security: Anonymous Access Enabled
*Execute Permissions: Scripts Only
*SimpleAuthWebService
*Directory: %ProgramFiles%Update Services\WebServices\SimpleAuthWebService
*Application Pool: WsusPool
*Security: Anonymous Access Enabled
*Execute Permissions: Scripts Only
*ApiRemoting30
*Directory: %ProgramFiles%Update Services\Administration
*Application Pool: WsusPool
*Security: Integrated Windows Authentication, Digest Authentication
*Execute Permissions: Scripts Only
*SelfUpdate
*Directory: %ProgramFiles%Update Services\SelfUpdate
*Security: Anonymous Access Enabled
*Execute Permissions: Scripts Only
*
*The only thing I modified was in ApiRemoting30, there was no realm
selected, so I went ahead and selected our domain name.
*****************

If ServerBindings or SecureBindings contains entries of the form X.X.X.X:80,
remove the IP address and leave only the port address, or add another binding
to the local machine 127.0.0.1:80. Type the command
<InetpubDir>\AdminScripts\adsutil.vbs set W3SVC/1/ServerBindings
"127.0.0.1:80"

*****************
*I did the above command and the results are: ServerBindings
: (LIST) "127.0.0.1:80"
*After typing this command, I now get an error in the MMC snapin that says:
*****************

The WSUS administration console was unable to connect to the WSUS Server via
the remote API.

Verify that the Update Services service, IIS and SQL are running on the
server. If the problem persists, try restarting IIS, SQL, and the Update
Services Service.

The WSUS administration console was unable to connect to the WSUS Server via
the remote API.

Verify that the Update Services service, IIS and SQL are running on the
server. If the problem persists, try restarting IIS, SQL, and the Update
Services Service.

System.Net.Sockets.SocketException -- No connection could be made because
the target machine actively refused it

Source
System

Stack Trace:
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot,
SocketAddress socketAddress)
at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure,
Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState
state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
** this exception was nested inside of the following exception **


System.Net.WebException -- Unable to connect to the remote server

Source
Microsoft.UpdateServices.Administration

Stack Trace:
at
Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
at
Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String
serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.GetUpdateServer(PersistedServerSettings settings)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServerAndPopulateNode(Boolean connectingServerToConsole)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.OnExpandFromLoad(SyncStatus status)

***************
*Well, this is frustrating... I restarted the services, I didn't see a sql
service to restart. I'll reboot
*the server tonight and hope for the best tomorrow.
***************
pharmboy
2007-07-05 15:38:03 UTC
Permalink
I'm getting the same issues. I've checked that the web services all have the
proper settings according to Appendix C here:
http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-47df-9a3d-906190038a7a1033.mspx?mfr=true

I've also reset the permissions as per article 16 here:
http://wsusinfo.onsitechsolutions.com/articles/016.htm


I am getting the following error in the security log:

The WSUS administration console received a security exception. You do not
have sufficient permissions for this operation.

Verify that you are a member of either the WSUS Administrators or WSUS
Reporters group on the server you are trying to administer, and restart the
administration console.

System.Security.SecurityException -- Request for principal permission failed.

Source
Microsoft.UpdateServices.Administration

Stack Trace:
at
Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
at
Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String
serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.GetUpdateServer(PersistedServerSettings settings)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerTools()

Surprisingly (to me at least) when I remove Anonymous Access from
APIRemoting30 Properties, the console will start without issue. As soon as I
enable Anonymous access, the admin console fails with the error above.

Thanks for any help you can provide. This has got to be a permission issue
of some sort.
pharmboy
2007-07-05 16:54:06 UTC
Permalink
I'm sorry I failed to mention the following:
I am running WSUS 3 on a Windows 2003 Server. I am running the Admin Console
from my workstation. WSUS has seemingly been working fine for months, and
still is as far as I can see, just that I see these errors in the event log
every day.

I HAVE noticed that exactly 10 minutes after the string of Events 12012,
13042, etc I will see a string of events informing me that these same
services ARE working correctly.
Post by pharmboy
I'm getting the same issues. I've checked that the web services all have the
http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-47df-9a3d-906190038a7a1033.mspx?mfr=true
http://wsusinfo.onsitechsolutions.com/articles/016.htm
The WSUS administration console received a security exception. You do not
have sufficient permissions for this operation.
Verify that you are a member of either the WSUS Administrators or WSUS
Reporters group on the server you are trying to administer, and restart the
administration console.
System.Security.SecurityException -- Request for principal permission failed.
Source
Microsoft.UpdateServices.Administration
at
Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
at
Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String
serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.GetUpdateServer(PersistedServerSettings settings)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerTools()
Surprisingly (to me at least) when I remove Anonymous Access from
APIRemoting30 Properties, the console will start without issue. As soon as I
enable Anonymous access, the admin console fails with the error above.
Thanks for any help you can provide. This has got to be a permission issue
of some sort.
Goon64
2007-07-05 17:13:25 UTC
Permalink
pharmboy
2007-07-05 17:54:02 UTC
Permalink
That site is not helpful for this particular problem. It does not have info
on these errors from WSUS.
Post by pharmboy
I am running WSUS 3 on a Windows 2003 Server. I am running the Admin Console
from my workstation. WSUS has seemingly been working fine for months, and
still is as far as I can see, just that I see these errors in theeventlog
every day.
I HAVE noticed that exactly 10 minutes after the string of Events 12012,
13042, etc I will see a string of events informing me that these same
services ARE working correctly.
Post by pharmboy
I'm getting the same issues. I've checked that the web services all have the
http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-...
http://wsusinfo.onsitechsolutions.com/articles/016.htm
The WSUS administration console received a security exception. You do not
have sufficient permissions for this operation.
Verify that you are a member of either the WSUS Administrators or WSUS
Reporters group on the server you are trying to administer, and restart the
administration console.
System.Security.SecurityException -- Request for principal permission failed.
Source
Microsoft.UpdateServices.Administration
at
Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Objec-t[] args)
at
Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String
serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(St-ring serverName, Boolean useSecureConnection, Int32 portNumber)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.GetUpdateSe-rver(PersistedServerSettings settings)
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToSe-rver()
at
Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerT-ools()
Surprisingly (to me at least) when I remove Anonymous Access from
APIRemoting30 Properties, the console will start without issue. As soon as I
enable Anonymous access, the admin console fails with the error above.
Thanks for any help you can provide. This has got to be a permission issue
of some sort.- Hide quoted text -
- Show quoted text -
http://kb.eventlogmanager.com/
They have a great product for event log tracking, and this is a free
service they provide.
Lawrence Garvin (MVP)
2007-07-06 03:39:19 UTC
Permalink
Post by pharmboy
Surprisingly (to me at least) when I remove Anonymous Access from
APIRemoting30 Properties, the console will start without issue. As soon as I
enable Anonymous access, the admin console fails with the error above.
On my freshly installed, and functioning, WSUS 3.0 server, the APIRemoting30
virtual directory does *not* have Anonymous Access, thus, given that
removing it makes the system work -- I'd say you should remove it. :-)
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
pharmboy
2007-07-06 19:06:03 UTC
Permalink
Well then...that's a bit odd.

I guess the reason I kept trying to enable Anon access there is the page
here
(http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-47df-9a3d-906190038a7a1033.mspx?mfr=true)
seemed to indicate it under the Appendix C heading, "Properties of the API
Remoting Web service" unless I am misunderstanding it.

In any case, I seem to have rid myself of the occasional error events (Event
Viewer Errors 13042 13002 12002 12042 12052) by doing a repair install of
.Net 2.0 and rebooting. At least so far I've not seen any errors. If it goes
the entire weekend without trouble then I'll believe it's fixed. We'll see.

Thanks for the reply Lawrence!
Post by Lawrence Garvin (MVP)
Post by pharmboy
Surprisingly (to me at least) when I remove Anonymous Access from
APIRemoting30 Properties, the console will start without issue. As soon as I
enable Anonymous access, the admin console fails with the error above.
On my freshly installed, and functioning, WSUS 3.0 server, the APIRemoting30
virtual directory does *not* have Anonymous Access, thus, given that
removing it makes the system work -- I'd say you should remove it. :-)
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://www.microsoft.com/wsus
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Harry Johnston
2007-07-06 20:50:01 UTC
Permalink
Post by pharmboy
I guess the reason I kept trying to enable Anon access there is the page
here
(http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-47df-9a3d-906190038a7a1033.mspx?mfr=true)
seemed to indicate it under the Appendix C heading, "Properties of the API
Remoting Web service" unless I am misunderstanding it.
The page you reference currently indicates that ApiRemoting30 should *not* have
anonymous access. Either they've corrected it recently (quite possible) or you
were misreading it.

Harry.
pharmboy
2007-07-07 00:28:00 UTC
Permalink
Well it still looks like it is telling me to make anon access true for
ApiRemoting30. Not sure how else to read it.

Properties of the API Remoting Web service
Property Value KeyType


(STRING) "IIsWebVirtualDir" AppRoot


(STRING) "/LM/W3SVC/WebSiteID/ROOT/ApiRemoting30" AppFriendlyName


(STRING) "ApiRemoting30" AppIsolated


(INTEGER) 2 Path (STRING) "<WSUSInstallDir>\WebServices\ApiRemoting30"

AccessFlags(INTEGER) 513

AccessExecute(BOOLEAN) False

AccessSource(BOOLEAN) False

AccessRead (BOOLEAN) True

AccessWrite (BOOLEAN) False

AccessScript (BOOLEAN) True

AccessNoRemoteExecute (BOOLEAN) False

AccessNoRemoteRead (BOOLEAN) False

AccessNoRemoteWrite (BOOLEAN) False

AccessNoRemoteScript (BOOLEAN) False

AccessNoPhysicalDir (BOOLEAN) False

AspScriptErrorSentToBrowser (BOOLEAN) False

AspEnableParentPaths (BOOLEAN) False

AuthFlags (INTEGER) 21

AuthBasic (BOOLEAN) False

[B]AuthAnonymous (BOOLEAN) True[/B]

AuthNTLM (BOOLEAN) True

AuthMD5 (BOOLEAN) True

AuthPassport (BOOLEAN) False

AppPoolId (STRING) "WsusPool"
Post by Harry Johnston
Post by pharmboy
I guess the reason I kept trying to enable Anon access there is the page
here
(http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-47df-9a3d-906190038a7a1033.mspx?mfr=true)
seemed to indicate it under the Appendix C heading, "Properties of the API
Remoting Web service" unless I am misunderstanding it.
The page you reference currently indicates that ApiRemoting30 should *not* have
anonymous access. Either they've corrected it recently (quite possible) or you
were misreading it.
Harry.
Lawrence Garvin (MVP)
2007-07-07 11:50:01 UTC
Permalink
Post by pharmboy
Well it still looks like it is telling me to make anon access true for
ApiRemoting30. Not sure how else to read it.
This is what's in the document:

ApiRemoting30
Directory: %ProgramFiles%Update Services\Administration

Application Pool: WsusPool

Security: Integrated Windows Authentication, Digest Authentication

Execute Permissions: Scripts Only




I'm confused as to how you're misreading that.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Harry Johnston
2007-07-08 06:40:53 UTC
Permalink
Post by pharmboy
Well it still looks like it is telling me to make anon access true for
ApiRemoting30. Not sure how else to read it.
So it does, in the section titled "Properties of the API Remoting Web service".
I wasn't looking down there; I was looking at the top, in the section titled
"IIS vroots":

ApiRemoting30

Directory: %ProgramFiles%Update Services\Administration

Application Pool: WsusPool

Security: Integrated Windows Authentication, Digest Authentication

Execute Permissions: Scripts Only

Both the security settings and the directory path are different in the two parts
Post by pharmboy
(INTEGER) 2 Path (STRING) "<WSUSInstallDir>\WebServices\ApiRemoting30"
So is the Api Remoting service in WebServices\ApiRemoting30 or is it in
Administration? Or are these two different things?

Harry.
Lawrence Garvin (MVP)
2007-07-08 18:11:50 UTC
Permalink
Post by Chris
Application Pool: WsusPool
Security: Integrated Windows Authentication, Digest Authentication
ApiRemoting30
Directory: %ProgramFiles%Update Services\Administration
So is the Api Remoting service in WebServices\ApiRemoting30 or is it in
Administration? Or are these two different things?
The ~\Update Services\Administration directory cited, doesn't even exist in
an installed WSUS 3.0 deployment.

Let's just assume this Appendix has several errors, some we've probably not
yet found. :-/

At least this entry for "ApiRemoting30" in the detail listing is definitely
incorrect, on at least two points now.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Lawrence Garvin (MVP)
2007-07-07 11:48:51 UTC
Permalink
Post by Harry Johnston
Post by pharmboy
I guess the reason I kept trying to enable Anon access there is the page
here
(http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-47df-9a3d-906190038a7a1033.mspx?mfr=true)
seemed to indicate it under the Appendix C heading, "Properties of the
API Remoting Web service" unless I am misunderstanding it.
The page you reference currently indicates that ApiRemoting30 should *not*
have anonymous access. Either they've corrected it recently (quite
possible) or you were misreading it.
Ahh.. good point, Harry. While I focused on the potential error in the
*presence* of information, I totally missed the implied absence of anonymous
access. So, to that extent, the documentation is correct. And.. I checked my
server... sonofagun if "Digest Authentication for Domain Servers" isn't
enabled!
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Lawrence Garvin (MVP)
2007-07-07 11:39:16 UTC
Permalink
Post by pharmboy
Well then...that's a bit odd.
I guess the reason I kept trying to enable Anon access there is the page
here
(http://technet2.microsoft.com/windowsserver/en/library/36a1530c-dfad-47df-9a3d-906190038a7a1033.mspx?mfr=true)
seemed to indicate it under the Appendix C heading, "Properties of the API
Remoting Web service" unless I am misunderstanding it.
I don't think you're misunderstanding it; but I do think it's wrong. First
clue: The presence of "Digest Authentication" as a permission setting.
*NOTHING* uses Digest Authentication, especially not in a LAN-based
application environment.

As noted previously (perhaps in another thread), I've not had a chance to
review the Ops Guide in detail (yet), but this issue just stepped that
prioritization up a notch. There are some notable discrepancies in the WSUS3
documentation. Some of it is carryover from WSUS2 documentation that didn't
get updated; some has been previously reported, and never got fixed; some,
like this example, just seems plain wrong.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Lawrence Garvin (MVP)
2007-07-07 12:00:48 UTC
Permalink
Post by Lawrence Garvin (MVP)
I don't think you're misunderstanding it; but I do think it's wrong. First
clue: The presence of "Digest Authentication" as a permission setting.
*NOTHING* uses Digest Authentication, especially not in a LAN-based
application environment.
Apparently, the WSUS3 APIRemoting30 webservice *does* use "Digest
Authentication for Windows domain servers".

This one has me intrigued. I'm going to dig into it a bit deeper. It's also
got me to thinking how this is impacting the "requirement" that a remote
client have a domain trust with the WSUS server. There may be a 'workaround'
in the settings of the permissions for this webservice.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
pharmboy
2007-07-07 16:28:02 UTC
Permalink
Thanks for any light you can shed. Please post if you find out more, as I
am interested, even though the actual problem I was having appears to be
solved.

Thanks again.
Post by Lawrence Garvin (MVP)
Post by Lawrence Garvin (MVP)
I don't think you're misunderstanding it; but I do think it's wrong. First
clue: The presence of "Digest Authentication" as a permission setting.
*NOTHING* uses Digest Authentication, especially not in a LAN-based
application environment.
Apparently, the WSUS3 APIRemoting30 webservice *does* use "Digest
Authentication for Windows domain servers".
This one has me intrigued. I'm going to dig into it a bit deeper. It's also
got me to thinking how this is impacting the "requirement" that a remote
client have a domain trust with the WSUS server. There may be a 'workaround'
in the settings of the permissions for this webservice.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://www.microsoft.com/wsus
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
pharmboy
2007-07-10 12:20:01 UTC
Permalink
This issue is simply bizarre. I haven't seen any errors since on Friday I did
a repair install of .NET 2.0 and rebooted the server in question. Now this
morning I saw the first (and so far only) Event 12012 Error ("The API
Remoting Web Service is not working.")

Looks like it is starting to happen again. Always with these error events
on this server, exactly 10 minutes later, I get a corresponding Event telling
me that "The API Remoting Web Service is working correctly." And I noticed
last time that over a period of a few weeks, these events will increase in
frequency, though always there are corresponding "working correctly" events
10 minutes after them.

It doesn't seem to affect the actual service, as things still appear to be
syncing, updating, working correctly, but mysteries like this tend to drive
me nuts. :-)
Post by pharmboy
Thanks for any light you can shed. Please post if you find out more, as I
am interested, even though the actual problem I was having appears to be
solved.
Thanks again.
Post by Lawrence Garvin (MVP)
Post by Lawrence Garvin (MVP)
I don't think you're misunderstanding it; but I do think it's wrong. First
clue: The presence of "Digest Authentication" as a permission setting.
*NOTHING* uses Digest Authentication, especially not in a LAN-based
application environment.
Apparently, the WSUS3 APIRemoting30 webservice *does* use "Digest
Authentication for Windows domain servers".
This one has me intrigued. I'm going to dig into it a bit deeper. It's also
got me to thinking how this is impacting the "requirement" that a remote
client have a domain trust with the WSUS server. There may be a 'workaround'
in the settings of the permissions for this webservice.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://www.microsoft.com/wsus
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-07-11 01:58:05 UTC
Permalink
Post by pharmboy
Looks like it is starting to happen again. Always with these error events
on this server, exactly 10 minutes later, I get a corresponding Event telling
me that "The API Remoting Web Service is working correctly." And I noticed
last time that over a period of a few weeks, these events will increase in
frequency, though always there are corresponding "working correctly" events
10 minutes after them.
It doesn't seem to affect the actual service, as things still appear to be
syncing, updating, working correctly, but mysteries like this tend to drive
me nuts. :-)
Are there any other events being recorded to the Event Logs (check *all* of
them!) that have the same frequency, or can be correlated with these
APIRemoting errors?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
pharmboy
2007-07-11 12:10:01 UTC
Permalink
No, there really aren't any events in the System or Security logs that would
seem to correspond. No errors, nothing that seems connected. I just checked
the DC logs as well, and nothing there correlates either.

The last time it happened (Event 12012/12010 combo) was 7/9/07 at 3:49PM. It
hasn't happened again yet. I'm sure it will, but the frequency is pretty
erratic.
Post by Lawrence Garvin (MVP)
Post by pharmboy
Looks like it is starting to happen again. Always with these error events
on this server, exactly 10 minutes later, I get a corresponding Event telling
me that "The API Remoting Web Service is working correctly." And I noticed
last time that over a period of a few weeks, these events will increase in
frequency, though always there are corresponding "working correctly" events
10 minutes after them.
It doesn't seem to affect the actual service, as things still appear to be
syncing, updating, working correctly, but mysteries like this tend to drive
me nuts. :-)
Are there any other events being recorded to the Event Logs (check *all* of
them!) that have the same frequency, or can be correlated with these
APIRemoting errors?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://www.microsoft.com/wsus
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-07-12 02:45:10 UTC
Permalink
Post by pharmboy
No, there really aren't any events in the System or Security logs that would
seem to correspond. No errors, nothing that seems connected. I just checked
the DC logs as well, and nothing there correlates either.
The last time it happened (Event 12012/12010 combo) was 7/9/07 at 3:49PM. It
hasn't happened again yet. I'm sure it will, but the frequency is pretty
erratic.
Hmmmm.. I must confess.. I'm out of ideas.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
pharmboy
2007-07-12 13:06:01 UTC
Permalink
Yeah last night I got two strings of all 7
(13042,12002,12012,12022,12032,12042,12052) with the accompanying "working
properly" events 10 minutes later for each.

WSUS is working correctly, in that all of the machines in the domain
correctly downloaded, installed, and reported to WSUS last night.

Don't know why this is happening, but it seems to work, so I guess it isn't
too critical. Just that I hate red X's in my server event logs. Grr. :-)
Post by Lawrence Garvin (MVP)
Post by pharmboy
No, there really aren't any events in the System or Security logs that would
seem to correspond. No errors, nothing that seems connected. I just checked
the DC logs as well, and nothing there correlates either.
The last time it happened (Event 12012/12010 combo) was 7/9/07 at 3:49PM. It
hasn't happened again yet. I'm sure it will, but the frequency is pretty
erratic.
Hmmmm.. I must confess.. I'm out of ideas.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://www.microsoft.com/wsus
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
pharmboy
2007-07-12 13:26:10 UTC
Permalink
Hmm. I wonder. Could you tell me exactly which services under "Application
Server" you have installed? Under Application Server I have checked:

Application Server Console
Enable Network COM+ Access
IIS

Under IIS I have:
Common Files
Internet Information Services Manager
World Wide Web Service

Under World Wide Web Service I have only:
World Wide Web Service

I wonder if I missed something, as I'm pretty sure I cherry-picked the IIS6
services when I originally did this install. I was pretty uncertain at the
time as to which ones to pick.
Post by pharmboy
Yeah last night I got two strings of all 7
(13042,12002,12012,12022,12032,12042,12052) with the accompanying "working
properly" events 10 minutes later for each.
WSUS is working correctly, in that all of the machines in the domain
correctly downloaded, installed, and reported to WSUS last night.
Don't know why this is happening, but it seems to work, so I guess it isn't
too critical. Just that I hate red X's in my server event logs. Grr. :-)
Post by Lawrence Garvin (MVP)
Post by pharmboy
No, there really aren't any events in the System or Security logs that would
seem to correspond. No errors, nothing that seems connected. I just checked
the DC logs as well, and nothing there correlates either.
The last time it happened (Event 12012/12010 combo) was 7/9/07 at 3:49PM. It
hasn't happened again yet. I'm sure it will, but the frequency is pretty
erratic.
Hmmmm.. I must confess.. I'm out of ideas.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://www.microsoft.com/wsus
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-07-13 03:24:37 UTC
Permalink
Post by pharmboy
Hmm. I wonder. Could you tell me exactly which services under "Application
Application Server Console
Enable Network COM+ Access
IIS
Common Files
Internet Information Services Manager
World Wide Web Service
World Wide Web Service
Looking from Control Panel | Add/Remove Programs | Add/Remove Windows
Components:

Under Application Server, you *must* have ASP.NET installed. If that's not
there, lots of things won't work in WSUS. I have everything except "Message
Queuing". This machine also has WSS 2.0 and Team Foundation Server
installed, so the "DTC" may have been installed by those apps. "DTC" is not
required for WSUS 3.0.

Otherwise, the rest of your installation is consistent with the minimum
requirements to run WSUS.
Post by pharmboy
I wonder if I missed something, as I'm pretty sure I cherry-picked the IIS6
services when I originally did this install. I was pretty uncertain at the
time as to which ones to pick.
The *best* way to do the setup is just pick the default "Application Server"
option from the Configure Your Server wizard.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Lawrence Garvin (MVP)
2007-07-07 11:54:49 UTC
Permalink
Post by Chris
Post by pharmboy
Well it still looks like it is telling me to make anon access true for
ApiRemoting30. Not sure how else to read it.
ApiRemoting30
Directory: %ProgramFiles%Update Services\Administration
Application Pool: WsusPool
Security: Integrated Windows Authentication, Digest Authentication
Execute Permissions: Scripts Only
I'm confused as to how you're misreading that.
I misunderstood that you were looking at the detailed listing of settings,
not the table above.


[B]AuthAnonymous (BOOLEAN) True[/B]

The setting in the details section that you cited, appears to be incorrect.
It's certainly inconsistent with the table listing above it.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Loading...