Re: Client Detect Failure
![Lawrence Garvin [MVP]'s profile photo](https://lh3.googleusercontent.com/a/default-user=s40-c)
Lawrence Garvin [MVP]
Wally, the '401' error on the SimpleAuth web service is an "Access Denied"
error, and it's most likely triggered either because the virtual server or the
/SimpleAuthWebService application directory does not have anonymous access
enabled. Double check those two settings, to be sure. Incorrect NTFS
permissions on
%ProgramFiles%\Update Services\webservices\SimpleAuthWebService
or anything upward in that pathname could also cause issues.
A quick test is to see if IE can access the URL from the workstation while
logged onto a non-admin user account.
You should get back a screen display in IE enumerating the two methods
available in SimpleAuth.asmx
If you don't, it's definitely a permissions issue.
This might also happen if the NT AUTHORITY\Network Service account has been
removed from the Users local group (Domain Users if the WSUS server is a DC).
But you'll also get other errors recorded in the WindowsUpdate.log as well.
If the above does not provide a fix, then please post the WindowsUpdate.log
segment from this client for the same time frame that these '401' errors were
recorded by IIS.
"WallyJ" <Wal...@discussions.microsoft.com> wrote in message
news:5B0905FB-1D43-4A73...@microsoft.com...
> Some bumbling fingers on our web server hosting WSUS has resulted in all
> client detect sequences being rejected.
>
> This is II6 on 2003 server.
> I have reset all virtual and NTSF directories according to the .016 htm help
> file but still get
>
> POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 137.70.170.131
> Windows-Update-Agent 401 3 5
> POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 137.70.170.131
> Windows-Update-Agent 401 1 0
> POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 137.70.170.131
> Windows-Update-Agent 401 1 5
>
> when a client checks in for new updates.
> Any idea what to try next?
>
WallyJ
The IUSR_xxxx account is NOT on the \update services folder or tree is this
needed?
Otherwise I forced a client handshake and this is the WindowsUpdate.Log entry
1360 2fe0 Agent *********** Agent: Initializing global settings cache
***********
1360 2fe0 Agent * WSUS server: http://HARMONICA
1360 2fe0 Agent * WSUS status server: http://HARMONICA
1360 2fe0 Agent * Target group: (Unassigned Computers)
1360 2fe0 Agent * Windows Update access disabled: No
1360 2fe0 DnldMgr Download manager restoring 0 downloads
1360 2fe0 AU ########### AU: Initializing Automatic Updates ###########
1360 2fe0 AU # WSUS server: http://HARMONICA
1360 2fe0 AU # Detection frequency: 12
1360 2fe0 AU # Approval type: Scheduled (Policy)
1360 2fe0 AU # Scheduled install day/time: Every day at 3:00
1360 2fe0 AU # Auto-install minor updates: Yes (Policy)
1360 c6c PT Initializing simple targeting cookie, clientId =
ef0ac5a1-b793-4780-9b56-a5971fa11bbc, target group = , DNS name =
ccrst-5lgrz71.hcgg.fr.co.hennepin.mn.us
1360 c6c PT Server URL =
http://HARMONICA/SimpleAuthWebService/SimpleAuth.asmx
1360 c6c PT WARNING: GetAuthorizationCookie failure, error = 0x80244017,
soap client error = 10, soap error code = 0, HTTP status code = 401
1360 c6c Report WARNING: Reporter failed to upload events with hr = 80244017.
1360 c6c PT Initializing simple targeting cookie, clientId =
ef0ac5a1-b793-4780-9b56-a5971fa11bbc, target group = , DNS name =
ccrst-5lgrz71.hcgg.fr.co.hennepin.mn.us
1360 c6c PT Server URL =
http://HARMONICA/SimpleAuthWebService/SimpleAuth.asmx
1360 c6c PT WARNING: GetAuthorizationCookie failure, error = 0x80244017,
soap client error = 10, soap error code = 0, HTTP status code = 401
1360 c6c Report WARNING: Reporter failed to upload events with hr = 80244017.
---------------
The corresponding web server log entry was
POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 137.70.178.24
Windows-Update-Agent 401 3 5
POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 137.70.178.24
Windows-Update-Agent 401 1 2148074252
POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 137.70.178.24
Windows-Update-Agent 401 3 5
POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 137.70.178.24
Windows-Update-Agent 401 1 2148074252
------------------
Simutaneously the server security log posted
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: CCRST-5LGRZ71$
Domain: HCGG.FR.CO.HENNEPIN.MN.US
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 137.70.178.24
Source Port: 4412
for user NT AUTHORITY\USER
Lawrence Garvin [MVP]
See the article at
http://wsusinfo.onsitechsolutions.com/articles/016.htm
"What are the correct IIS and NTFS permissions for WSUS?"
for the answer to your questions.
But the short answer is that IUSR_machinename should not appear in any NTFS
ACL, if it has properly configured group memberships.
> 1360 c6c PT Server URL =
> http://HARMONICA/SimpleAuthWebService/SimpleAuth.asmx
> 1360 c6c PT WARNING: GetAuthorizationCookie failure, error = 0x80244017,
> soap client error = 10, soap error code = 0, HTTP status code = 401
The '401' error is being caused because the IIS permissions are incorrect.
> Logon Failure:
> Reason: The user has not been granted the requested
> logon type at this machine
This would confirm that your client is trying to authenticate using Integrated
Authentication, and is failing because the account does not have access (and
should not). The client should be able to use Anonymous access.
"WallyJ" <Wal...@discussions.microsoft.com> wrote in message
news:0AA99346-9A77-44F4...@microsoft.com...
WallyJ
"But the short answer is that IUSR_machinename should not appear in any NTFS
ACL, if it has properly configured group memberships."
what is the correct group memberships for IUSR_machinename?
By default and on our systems we don't put it as a member of any group.
What have I missed?
Lawrence Garvin [MVP]
If the IIS system is a DC, then the DOMAIN\IUSR_machinename account should be
a member of Domain Users.
By default -- IIS installation places this account in the proper groups. If
you've not made any changes, then the group memberships should be correct.
"WallyJ" <Wal...@discussions.microsoft.com> wrote in message
news:D82E414A-4FB8-4BC5...@microsoft.com...