For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx
This presentation decodes common WSUS error codes as well as how to resolve them!
Part 1
• HTTP errors
Part 2
• Configuration errors
• Security errors
• Other errors
9. HTTP Errors
Error Code 0x80190191/0x80244017 (HTTP 401)
Caused by missing or removed Anonymous Access
permissions on:
» Default Web Site
» WSUS Administration
» Virtual directories
Caused by missing Integrated Windows Authentication
on APIRemoting30
10. HTTP Errors
Error Code
0x80190191/0x80244017 (HTTP 401)
401.1 Access denied due to invalid credentials
» Attempt to connect WSUS console with account credential that is not
a member of WSUS Administrators or BUILTINAdministrators
401.2 Access denied due to server authentication method
» Website or virtual directory does not have anonymous access
enabled
» APIRemoting30 virtual directory does not have Integrated Windows
Authentication enabled
401.3 Access denied due to ACL on resource
» Filesystem permissions have been modified
» Security Configuration Wizard template has been applied
12. HTTP Errors
Error Code
0x80190193/0x80244018 (HTTP 403)
Typically caused by a proxy server or firewall interfering with
access to the WSUS Server.
» Verify correct proxy client configuration for WinHTTP
» Verify correct proxy server configuration
» Verify correct firewall rules (80, 443, 8530, 8531)
» Also caused when SSL is improperly enabled on the
WSUS Server
13. HTTP Errors
Error Code
0x80190193/0x80244018 (HTTP 403)
403 All access is denied
» Proxy server is blocking access to the target URL
403.1 Execute access denied
» The virtual directories do not have Execute: Scripts
Only permissions
403.2 Read access denied
» Rarely seen, but would be caused by removing
READ permissions from the web resource
14. HTTP Errors
Error Code
0x80190193/0x80244018 (HTTP 403)
403.4 SSL is required
» Attempt to connect to port 80 or 8530 when SSL is
required
» Connect using port 443 or 8531
403.7 Client SSL certificate is required
» SSL is enabled for WSUS, but the SSL certificate is
not installed on the client system
15. HTTP Errors
Error Code
0x80190193/0x80244018 (HTTP 403)
403.6 Client IP Address is rejected
» Web resource is blocking access based on source
IP address
403.8 Client DNS name is rejected
» Web resource is blocking access based on source
DNS name
17. HTTP Errors
Error Code
0x80190194/0x80244019 (HTTP 404)
Typically caused by a missing self-update virtual directory
or a missing update file in the store, depending on the
context in which the error is encountered:
» Verify presence of selfupdate virtual directories
» Verify presence of physical file in ~WSUSContent
Run wsusutil reset to download missing content
18. HTTP Errors
Error Code
0x80190194/0x80244019 (HTTP 404)
404 Resource not found
» Content file is missing from filesystem
404.1 Web site does not exist or is inaccessible on specified
port
» Port suffix of configured URL does not match the installation
port.
404.2 Web service extension lockdown policy prevents request
» IIS Web Service Extensions are misconfigured (e.g. ASP.NET
v1.1 is enabled instead of ASP.NET v2.0)
404.3 MIME map policy prevents request
» MIME mappings for website are not correct for EXE or CAB
20. HTTP Errors
Error Code
0x80190197/0x8024401B (HTTP 407)
Caused by a proxy server refusing access because of
invalid proxy credentials
» The proxy credentials are missing or incorrect on
the client
» The proxy credentials configured on the client do
not have access to use the proxy server
» The proxy credentials configured on the client are
explicitly blocked from accessing the target URL
21. Agenda
Part 1
» HTTP errors
Part 2
» Configuration errors
» Security errors
» Other errors
22. Configuration Errors
Error Code - 0x80072ee5
Invalid URL
Most common cause is the presence of trailing slashes
in the URL resulting in a double slash in the URL sent in
the HTTP request.
Remediation is to inspect and correct the URL; the
correct URL format is:
» http://wsusservername
» http://wsusservername:8530
23. Configuration Errors
Error Code - 0x80072ee6
Unrecognized Scheme
Intranet Update server URL(s) have missing or
invalid characters
Most common causes:
» using backslashes instead of forward slashes
(http:wsusserver)
» using UNC pathnames in the URL (wsusserver)
Remediation is to inspect and correct the URL
24. Configuration Errors
Error Code - 0x80072ee7
Name Not Resolved
WSUS Servername is not resolvable to an IP
Address
» An entry error in the URL
» The hostname is not in DNS
» The client is not querying the correct DNS server(s)
25. Configuration Errors
Error Code - 0x80072efd
Cannot Connect
The WUAgent gets no response from the targeted
URL; this can be caused by a number of
infrastructure defects:
» Incorrect hostname in URL resulting in return of
incorrect IP Address
» Incorrect DNS entries resulting in return of incorrect
IP Address
» Invalid/Incorrect IP Address in URL
» Incorrect gateway or routing tables
» WSUS server is offline
26. Agenda
Part 1
» HTTP errors
Part 2
» Configuration errors
» Security errors
» Other errors
27. Security Errors
Error Code - 0x800710dd
Removal of the NT AUTHORITYAuthenticatedUsers
group from the BUILTINUsers group on the WSUS
Server
IUSR_machinename password does not match
On some early Windows XP/2003 systems, a defective
security descriptor for the Automatic Updates service or
BITS could cause this
» If the Automatic Updates service or BITS was ever
DISABLED, the security descriptor is corrupted
28. Agenda
Part 1
» HTTP errors
Part 2
» Configuration errors
» Security errors
» Other errors
29. Other Errors
Error Code
0x8024400E/SOAP 0x190
most commonly caused by a metadata defect in the
Office 2003 Service Pack 1 update package for WSUS
Remediation:
» Upgrade to WSUS 3 Service Pack 1
» Install KB954960
30. Other Errors
Error Code
0x8024400E/SOAP 0x190
Just today!! I saw this error logged when the Network
Service account was unable to access a locally installed
instance of SQL Server® where the WSUS database was
migrated from W.I.D. to SQL Server.
Remediation:
» On a locally installed instance, manually create a SQL
Login for the NT AUTHORITYNetwork Service account
and assign it to the database user that is a member of
the webservice database role
» On a remote instance, manually create a SQL Login for
the DOMAINMACHINES account of the front-end
server, assign it to the MACHINES database user or
create a MACHINES database user account, and assign
that database user to the webservice database role
31. Other Errors
Error Code
0x8024400D/0x80244015/SOAP 0x12c
Primary documented cause: misconfiguration of a load
balancing scenario
» Not using a common back-end database server for the
nodes of the load balancing cluster
» http://blogs.technet.com/b/sus/archive/2008/10/29/wsus-clients
» In the real world, this most often occurs where duplicate
SusClientIDs exist
May also occur
» In a misconfigured DNS Round Robin scenario, or
» Where duplicate hostnames are inadvertently configured
in DNS
32. Helpful Resources
Hope these tips help you decode common
WSUS errors. To free up more of your time, try
SolarWinds Patch Manager
Watch Video Test Drive Live Demo
Ask Our Community Download 30-day Free Trial
Click any of the links above
- Slide 32 -
33. Author: Lawrence Garvin, WSUS MVP
Thank You!
Feedback or questions
lawrence.garvin@solarwinds.com
Notas del editor
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.