Synching a downstream server with the upstream server fails

Discussion:

(too old to reply)

SMS Newbie in the Block

2007-10-18 17:18:00 UTC

Hello,
I just began configuring one upstream server that gets its updates directly
from MS Website and it is working just fine...
Now, I am configuring another server but as a replica of the upstream
server...
All configruation went oaky until I start the synchronization where it fails
all the time...
The installation I used is exactly how it is presented in the Step By Step
Guide...

The message I get is:
====
The upstream server does not allow an anonymous downstream server to
synchronize. This particulat server has not been registered on this upstream
server, or the upstream server Webservice needs authentication.

WebException: The request failed with HTTP status 401: Unauthorized.
at
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters)
at
Microsoft.UpdateServices.Internal.Authorization.DownstreamServerAuthorizationProxy.GetAuthorizationCookie(String
accountName, String accountGuid, Guid[] programKeys, String location)
at
Microsoft.UpdateServices.Internal.Authorization.DownstreamServerAuthorizationPlugIn.GetAuthorizationCookie(Uri url, String parameter)
at
Microsoft.UpdateServices.Internal.Authorization.DownstreamServerAuthorizationPlugIn.GetAuthorizationCookie(String url, String parameter)
at
Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager
authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie
cookie, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.Se
====

I'll greatly appreciate any input from anyone who would know how to fix this
one.
I tried uninsalling, re-installing but no luck...
What exact permission does it need to make them communicate successfuly?

Thanks in advanced
:- ) Newbie

Lawrence Garvin [MVP]

2007-10-20 23:29:40 UTC

Permalink

Hmm... I wasn't aware that there was a Step-By-Step guide for configuring a
*replica* server.

I would suggest referring to the WSUS Deployment Guide for the proper
installation/configuration of a replica server.

Post by SMS Newbie in the Block
====
The upstream server does not allow an anonymous downstream server to
synchronize. This particulat server has not been registered on this upstream
server, or the upstream server Webservice needs authentication.
WebException: The request failed with HTTP status 401: Unauthorized.

--
Lawrence Garvin, M.S., MCTS, MCP
MVP - Software Distribution (2005-2007)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

SMS Newbie in the Block

2007-10-22 15:20:19 UTC

Permalink

The Step by Step guide for WSUS 3.0 has a section how to configure a replica
server...prety small and stright forward though... so, in following that, I
got the message I stated previuosly...
Where can I find the information as to what accounts and respective rights
should be set for the WSUS 3.0 server set up, for upstream servers, fo
rdownstream servers, etc...
I stumbled on the section on hardening the system with some account related
settings which I plan to do later on once I have everything setup and working
smoothly...
But at the moment, I just want to understand the basi req on permissions and
stuff...

Thanks for the reply :-)

Oh, my apologies t throw a different topic here...
You know how on v2.0 I can display the updates (unapproved, approved, etc)
for the last two months?
On 3.0, I tried to create a view to display the last two months of updates
but getting inacurrate list...
What would you recommend on properly creating a view to display only the
last two months of updates...for some reason, using the available settings I
cannot seem to have them show up properly...

Thanks again :-)
Newbie

Post by Lawrence Garvin [MVP]

Hmm... I wasn't aware that there was a Step-By-Step guide for configuring a
*replica* server.
I would suggest referring to the WSUS Deployment Guide for the proper
installation/configuration of a replica server.

Simply stated... the IIS permissions are not properly set on the upstream
server. The key is in the message provided.
The UPSTREAM server does NOT ALLOW an ANONYMOUS downstream server....
Did you enable SSL?
DId you remove anonymous access permissions from the ServerSyncWebService
virtual directory?
Did you remove anonymous access permissions from the v-root of the website?
What else is installed on the upstream server?
--
Lawrence Garvin, M.S., MCTS, MCP
MVP - Software Distribution (2005-2007)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Lawrence Garvin [MVP]

2007-10-27 21:42:08 UTC

Permalink

Okay.... previous comment stands, though: Best place to reference for
installing/configuring a *replica* server is the WSUS3 Deployment Guide.

Post by SMS Newbie in the Block
Where can I find the information as to what accounts and respective rights
should be set for the WSUS 3.0 server set up, for upstream servers, fo
rdownstream servers, etc...

Well, actually, you'll find very little, except for the documentation (in
the Deployment Guide) on how to enable/configure SSL between
upstream/downstream servers -- which I would not recommend using unless you
need encryption and IPSec is not an option

Post by SMS Newbie in the Block
I stumbled on the section on hardening the system with some account related
settings which I plan to do later on once I have everything setup and working
smoothly...

Good plan. I'd leave that as the very last step in the plan after you've
established that everything else (including SSL or IPSec, if you need
encryption) is working correctly.

Post by SMS Newbie in the Block
But at the moment, I just want to understand the basi req on permissions and
stuff...

The basic requirements are "do nothing". The only time I've seen permissions
be an issue is when a creative (and unfamiliar) admin has tried to
"lockdown" a server previously without understanding the ramifications of
changing default security settings.

Post by SMS Newbie in the Block
You know how on v2.0 I can display the updates (unapproved, approved, etc)
for the last two months?
On 3.0, I tried to create a view to display the last two months of updates
but getting inacurrate list...
What would you recommend on properly creating a view to display only the
last two months of updates...for some reason, using the available settings I
cannot seem to have them show up properly...

Best option is to sort by "Arrival Date" -- You'll need to add the column
to the view -- and scan the list from newest to oldest.

Chris Robson

2011-03-14 05:48:49 UTC

Permalink

Check authentication for the website in IIS. Windows Authentication is not enabled by default on websites.

Go to the website in IIS, expand the folders, click on the folders and double-click Authentication under the IIS heading. You will see the different methods, with Windows Authentication probably being last (and disabled). Click on Windows Authentication and click enable on the right hand menu.

This drove me crazy as I was looking for problems in WSUS, when in fact it is IIS that's the culprit.

You may or may not have to do this on every folder under the website (there's only 6 or 7 anyway). You can also do this on the root folder of the website. The permission doesn't propagate, hence having to do each sub-folder.

Post by SMS Newbie in the Block
Hello,
I just began configuring one upstream server that gets its updates directly
from MS Website and it is working just fine...
Now, I am configuring another server but as a replica of the upstream
server...
All configruation went oaky until I start the synchronization where it fails
all the time...
The installation I used is exactly how it is presented in the Step By Step
Guide...
====
The upstream server does not allow an anonymous downstream server to
synchronize. This particulat server has not been registered on this upstream
server, or the upstream server Webservice needs authentication.
WebException: The request failed with HTTP status 401: Unauthorized.
at
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters)
at
Microsoft.UpdateServices.Internal.Authorization.DownstreamServerAuthorizationProxy.GetAuthorizationCookie(String
accountName, String accountGuid, Guid[] programKeys, String location)
at
Microsoft.UpdateServices.Internal.Authorization.DownstreamServerAuthorizationPlugIn.GetAuthorizationCookie(Uri url, String parameter)
at
Microsoft.UpdateServices.Internal.Authorization.DownstreamServerAuthorizationPlugIn.GetAuthorizationCookie(String url, String parameter)
at
Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager
authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie
cookie, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.Se
====
I'll greatly appreciate any input from anyone who would know how to fix this
one.
I tried uninsalling, re-installing but no luck...
What exact permission does it need to make them communicate successfuly?
Thanks in advanced

Post by Lawrence Garvin [MVP]
Hmm... I wasn't aware that there was a Step-By-Step guide for configuring a
*replica* server.
I would suggest referring to the WSUS Deployment Guide for the proper
installation/configuration of a replica server.
Simply stated... the IIS permissions are not properly set on the upstream
server. The key is in the message provided.
The UPSTREAM server does NOT ALLOW an ANONYMOUS downstream server....
Did you enable SSL?
DId you remove anonymous access permissions from the ServerSyncWebService
virtual directory?
Did you remove anonymous access permissions from the v-root of the website?
What else is installed on the upstream server?
--
Lawrence Garvin, M.S., MCTS, MCP
MVP - Software Distribution (2005-2007)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Post by SMS Newbie in the Block
The Step by Step guide for WSUS 3.0 has a section how to configure a replica
server...prety small and stright forward though... so, in following that, I
got the message I stated previuosly...
Where can I find the information as to what accounts and respective rights
should be set for the WSUS 3.0 server set up, for upstream servers, fo
rdownstream servers, etc...
I stumbled on the section on hardening the system with some account related
settings which I plan to do later on once I have everything setup and working
smoothly...
But at the moment, I just want to understand the basi req on permissions and
stuff...
Thanks for the reply :-)
Oh, my apologies t throw a different topic here...
You know how on v2.0 I can display the updates (unapproved, approved, etc)
for the last two months?
On 3.0, I tried to create a view to display the last two months of updates
but getting inacurrate list...
What would you recommend on properly creating a view to display only the
last two months of updates...for some reason, using the available settings I
cannot seem to have them show up properly...
Thanks again :-)
Newbie

Post by Lawrence Garvin [MVP]
Okay.... previous comment stands, though: Best place to reference for
installing/configuring a *replica* server is the WSUS3 Deployment Guide.
Well, actually, you'll find very little, except for the documentation (in
the Deployment Guide) on how to enable/configure SSL between
upstream/downstream servers -- which I would not recommend using unless you
need encryption and IPSec is not an option
Good plan. I'd leave that as the very last step in the plan after you've
established that everything else (including SSL or IPSec, if you need
encryption) is working correctly.
The basic requirements are "do nothing". The only time I've seen permissions
be an issue is when a creative (and unfamiliar) admin has tried to
"lockdown" a server previously without understanding the ramifications of
changing default security settings.
Best option is to sort by "Arrival Date" -- You'll need to add the column
to the view -- and scan the list from newest to oldest.
--
Lawrence Garvin, M.S., MCTS, MCP
MVP - Software Distribution (2005-2007)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Submitted via EggHeadCafe
Pass Values Between Windows Forms
http://www.eggheadcafe.com/tutorials/aspnet/a3e1e170-21d9-4a59-a659-3ead05bb36f2/pass-values-between-windows-forms.aspx

Chris Robson

2011-03-14 05:49:19 UTC

Permalink

Post by Chris Robson
Check authentication for the website in IIS. Windows Authentication is not enabled by default on websites.
Go to the website in IIS, expand the folders, click on the folders and double-click Authentication under the IIS heading. You will see the different methods, with Windows Authentication probably being last (and disabled). Click on Windows Authentication and click enable on the right hand menu.
This drove me crazy as I was looking for problems in WSUS, when in fact it is IIS that's the culprit.
You may or may not have to do this on every folder under the website (there's only 6 or 7 anyway). You can also do this on the root folder of the website. The permission doesn't propagate, hence having to do each sub-folder.
Submitted via EggHeadCafe
Using the LINQ Max Operator
http://www.eggheadcafe.com/tutorials/aspnet/a19f2fed-f5a2-43a5-800d-1714a20d4c36/using-the-linq-max-operator.aspx

Chris Robson

2011-03-14 05:49:56 UTC

Permalink

heck authentication for the website in IIS. Windows Authentication is not enabled by default on websites.

Go to the website in IIS, expand the folders, click on the folders and double-click Authentication under the IIS heading. You will see the different methods, with Windows Authentication probably being last (and disabled). Click on Windows Authentication and click enable on the right hand menu.

This drove me crazy as I was looking for problems in WSUS, when in fact it is IIS that's the culprit.

You may or may not have to do this on every folder under the website (there's only 6 or 7 anyway). You can also do this on the root folder of the website. The permission doesn't propagate, hence having to do each sub-folder.

Post by Chris Robson
Check authentication for the website in IIS. Windows Authentication is not enabled by default on websites.
Go to the website in IIS, expand the folders, click on the folders and double-click Authentication under the IIS heading. You will see the different methods, with Windows Authentication probably being last (and disabled). Click on Windows Authentication and click enable on the right hand menu.
This drove me crazy as I was looking for problems in WSUS, when in fact it is IIS that's the culprit.
You may or may not have to do this on every folder under the website (there's only 6 or 7 anyway). You can also do this on the root folder of the website. The permission doesn't propagate, hence having to do each sub-folder.
Submitted via EggHeadCafe
Win a 2 Year Personal Class Hosting Account From Arvixe.com
http://www.eggheadcafe.com/tutorials/aspnet/828f2029-b7be-4d15-877c-0d9e9ab74fc5/win-a-2-year-personal-class-hosting-account-from-arvixecom.aspx

Chris Robson

2011-03-14 05:52:27 UTC

Permalink

Post by Chris Robson
heck authentication for the website in IIS. Windows Authentication is not enabled by default on websites.
Go to the website in IIS, expand the folders, click on the folders and double-click Authentication under the IIS heading. You will see the different methods, with Windows Authentication probably being last (and disabled). Click on Windows Authentication and click enable on the right hand menu.
This drove me crazy as I was looking for problems in WSUS, when in fact it is IIS that's the culprit.
You may or may not have to do this on every folder under the website (there's only 6 or 7 anyway). You can also do this on the root folder of the website. The permission doesn't propagate, hence having to do each sub-folder.
Submitted via EggHeadCafe
Obsessive Defragmentation Disorder (ODD) and You
http://www.eggheadcafe.com/tutorials/aspnet/b5f241d0-4e5d-44f9-aad9-78211fdea4df/obsessive-defragmentation-disorder-odd-and-you.aspx