Common WSUS Errors Codes - Decoded and Resolved

Author
Lawrence Garvin, WSUS MVP

Common WSUS Error Codes
Decoded & Resolved

Agenda
 Part 1
» HTTP errors
 Part 2
» Configuration errors
» Security errors
» Other errors

Modify This Footer: View -> Header & Footer - Slide 2 -

HTTP Errors
 Finding subcodes in IIS logs
 401 – 0x80190191 / 0x80244017
 403 – 0x80190193 / 0x80244018
 404 – 0x80190194 / 0x80244019
 407 – 0x80190197 / 0x8024401B

IIS Logfiles
 2010-11-09 00:14:51 ::1 POST /reportingwebservice/reportingwebservice.asmx - 80 - ::1 Mozilla/4.0+
(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 0

 2010-11-09 00:14:51 ::1 POST /ApiRemoting30/WebService.asmx - 80 ONSITECHIS$ ::1
Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 0

 2010-11-09 00:14:51 ::1 POST /ServerSyncWebService/serversyncwebservice.asmx - 80 - ::1
Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 10

 2010-11-09 00:14:51 ::1 POST /ClientWebService/Client.asmx - 80 - ::1 Mozilla/4.0+(compatible;
+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 0

 2010-11-09 00:14:51 ::1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - ::1 Mozilla/4.0+
(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 10

IIS Logfiles
 Remote console session failure (Authentication failure)
» 2010-11-09 00:14:51 ::1 POST
/ApiRemoting30/WebService.asmx - 80
ONSITECHNoAdmin ::1 Mozilla/4.0+(compatible;
+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.40
16) 401 1 0 0

 Windows Update Agent detection failure (Anonymous Access
removed)
» 2010-11-09 00:14:51 ::1 POST /ClientWebService/Client.asmx -
80 - ::1 Mozilla/4.0+(compatible;
+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.40
16) 401 2 0 0

IIS Logfiles
 2010-01-16 01:26:15 ::1 POST
/ApiRemoting30/WebService.asmx - 80 - ::1 Mozilla/4.0+
(compatible;
+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50
727.4016) 401 1 5 941

 2010-01-16 01:26:17 ::1 POST
/ApiRemoting30/WebService.asmx - 80
ONSITECHIS$ ::1 Mozilla/4.0+(compatible;
+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50
727.4016) 200 0 0 2463.

HTTP Errors
Error Code 0x80190191/0x80244017 (HTTP 401)

Caused by missing or removed Anonymous Access
permissions on:
» Default Web Site
» WSUS Administration
» Virtual directories

Caused by missing Integrated Windows Authentication
on APIRemoting30

HTTP Errors
 Error Code
 0x80190191/0x80244017 (HTTP 401)
 401.1 Access denied due to invalid credentials
» Attempt to connect WSUS console with account credential that is not
a member of WSUS Administrators or BUILTINAdministrators

 401.2 Access denied due to server authentication method
» Website or virtual directory does not have anonymous access
enabled
» APIRemoting30 virtual directory does not have Integrated Windows
Authentication enabled

 401.3 Access denied due to ACL on resource
» Filesystem permissions have been modified
» Security Configuration Wizard template has been applied

HTTP Errors

Error Code
0x80190193/0x80244018 (HTTP 403)

Typically caused by a proxy server or firewall interfering with
access to the WSUS Server.

» Verify correct proxy client configuration for WinHTTP
» Verify correct proxy server configuration
» Verify correct firewall rules (80, 443, 8530, 8531)
» Also caused when SSL is improperly enabled on the
WSUS Server

HTTP Errors
Error Code
0x80190193/0x80244018 (HTTP 403)

403 All access is denied
» Proxy server is blocking access to the target URL

403.1 Execute access denied
» The virtual directories do not have Execute: Scripts
Only permissions

403.2 Read access denied
» Rarely seen, but would be caused by removing
READ permissions from the web resource

HTTP Errors
Error Code
0x80190193/0x80244018 (HTTP 403)

403.4 SSL is required
» Attempt to connect to port 80 or 8530 when SSL is
required
» Connect using port 443 or 8531

403.7 Client SSL certificate is required
» SSL is enabled for WSUS, but the SSL certificate is
not installed on the client system

HTTP Errors
Error Code
0x80190193/0x80244018 (HTTP 403)

403.6 Client IP Address is rejected
» Web resource is blocking access based on source
IP address

403.8 Client DNS name is rejected
» Web resource is blocking access based on source
DNS name

HTTP Errors
Error Code
0x80190194/0x80244019 (HTTP 404)

Typically caused by a missing self-update virtual directory
or a missing update file in the store, depending on the
context in which the error is encountered:

» Verify presence of selfupdate virtual directories
» Verify presence of physical file in ~WSUSContent
Run wsusutil reset to download missing content

HTTP Errors
Error Code
0x80190194/0x80244019 (HTTP 404)

404 Resource not found
» Content file is missing from filesystem

404.1 Web site does not exist or is inaccessible on specified
port
» Port suffix of configured URL does not match the installation
port.

404.2 Web service extension lockdown policy prevents request
» IIS Web Service Extensions are misconfigured (e.g. ASP.NET
v1.1 is enabled instead of ASP.NET v2.0)

404.3 MIME map policy prevents request
» MIME mappings for website are not correct for EXE or CAB

HTTP Errors
Error Code
0x80190197/0x8024401B (HTTP 407)

Caused by a proxy server refusing access because of
invalid proxy credentials

» The proxy credentials are missing or incorrect on
the client
» The proxy credentials configured on the client do
not have access to use the proxy server
» The proxy credentials configured on the client are
explicitly blocked from accessing the target URL

Agenda
 Part 1
» HTTP errors
 Part 2
» Configuration errors
» Security errors
» Other errors

Configuration Errors
 Error Code - 0x80072ee5
 Invalid URL
 Most common cause is the presence of trailing slashes
in the URL resulting in a double slash in the URL sent in
the HTTP request.
 Remediation is to inspect and correct the URL; the
correct URL format is:
» http://wsusservername
» http://wsusservername:8530

 Unrecognized Scheme
 Intranet Update server URL(s) have missing or
invalid characters

 Most common causes:
» using backslashes instead of forward slashes
(http:wsusserver)
» using UNC pathnames in the URL (wsusserver)

 Remediation is to inspect and correct the URL

 Name Not Resolved
 WSUS Servername is not resolvable to an IP
Address
» An entry error in the URL
» The hostname is not in DNS
» The client is not querying the correct DNS server(s)

 Error Code - 0x80072efd
 Cannot Connect
 The WUAgent gets no response from the targeted
URL; this can be caused by a number of
infrastructure defects:
» Incorrect hostname in URL resulting in return of
incorrect IP Address
» Incorrect DNS entries resulting in return of incorrect
IP Address
» Invalid/Incorrect IP Address in URL
» Incorrect gateway or routing tables
» WSUS server is offline

Security Errors
 Error Code - 0x800710dd
 Removal of the NT AUTHORITYAuthenticatedUsers
group from the BUILTINUsers group on the WSUS
Server
 IUSR_machinename password does not match
 On some early Windows XP/2003 systems, a defective
security descriptor for the Automatic Updates service or
BITS could cause this
» If the Automatic Updates service or BITS was ever
DISABLED, the security descriptor is corrupted

Other Errors

 Error Code
 0x8024400E/SOAP 0x190
 most commonly caused by a metadata defect in the
Office 2003 Service Pack 1 update package for WSUS
 Remediation:
» Upgrade to WSUS 3 Service Pack 1
» Install KB954960

Other Errors
 Error Code
 0x8024400E/SOAP 0x190
 Just today!! I saw this error logged when the Network
Service account was unable to access a locally installed
instance of SQL Server® where the WSUS database was
migrated from W.I.D. to SQL Server.
 Remediation:
» On a locally installed instance, manually create a SQL
Login for the NT AUTHORITYNetwork Service account
and assign it to the database user that is a member of
the webservice database role
» On a remote instance, manually create a SQL Login for
the DOMAINMACHINES account of the front-end
server, assign it to the MACHINES database user or
create a MACHINES database user account, and assign
that database user to the webservice database role

Other Errors
 Error Code
 0x8024400D/0x80244015/SOAP 0x12c
 Primary documented cause: misconfiguration of a load
balancing scenario
» Not using a common back-end database server for the
nodes of the load balancing cluster
» http://blogs.technet.com/b/sus/archive/2008/10/29/wsus-clients
» In the real world, this most often occurs where duplicate
SusClientIDs exist
 May also occur
» In a misconfigured DNS Round Robin scenario, or
» Where duplicate hostnames are inadvertently configured
in DNS

Helpful Resources
Hope these tips help you decode common
WSUS errors. To free up more of your time, try
SolarWinds Patch Manager

Watch Video Test Drive Live Demo

Ask Our Community Download 30-day Free Trial

Click any of the links above

- Slide 32 -

Author: Lawrence Garvin, WSUS MVP

Thank You!

Feedback or questions
lawrence.garvin@solarwinds.com

Common WSUS Errors Codes - Decoded and Resolved

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Common WSUS Errors Codes - Decoded and Resolved

Similar a Common WSUS Errors Codes - Decoded and Resolved (20)

Más de SolarWinds

Más de SolarWinds (20)

Último

Último (20)

Common WSUS Errors Codes - Decoded and Resolved

Notas del editor