Can't connect after fresh x64 installation

Summary: Authenticated connections to all .asmx URIs are met with a 404
response.

I had my domain controller with WSUS die this weekend so I'm installing
WSUS 3.0 SP1 on my 2nd domain controller running Server 2003 R2 SP2 x64.

I'm already using IIS for a simple internal website so I elected to
install WSUS to the alternate site on port 8530. The default site
continues to serve files fine.

Initially the WSUS 3.0 SP1 installation failed and rolled back because
IIS was running in 32 bit mode. Some googling revealed this command to
run to switch it to 64 bit mode:

cscript c:\inetpub\adminscripts\adsutil.vbs SET
/w3svc/AppPools/Enable32BitAppOnWin64 False

(I checked and it was indeed previously set to True.)

Installation then went to completion but at the end I got a message that
the config wizard failed to connect. Running the administration snap-in,
connection fails.

I checked the IIS logs and I see an initial anonymous connection to
/ApiRemoting30/WebService.asmx met with a 401 (unauthorized) response,
followed by a connection from user mydomain\Administrator met with a 404
response. Later I see other connections to this port also met with 404's
for what appear to be other ASP URIs.

I've also added the domain Administrator user to the WSUS Administrator
group.

At one point I restarted IIS in case the server needed that to switch to
64 bit mode but that didn't help. I'm hoping I don't have to reboot the
whole host.

I completely uninstalled and re-installed WSUS but got the same error at
the end of the installation and still can't get the server to reply with
anything but 404s.

The DB looks like it's getting created, from what I can see in the Event
Viewer.

Found it!

Apparently during installation only the 32-bit version of ASP 2 was added
to the Allow list. I found it by randomly poking around in the IIS Manager
and opening this node:

Application Server
IIS Manager
\\Computername
Web Service Extensions

In that pane I see "ASP.NET v2.0.50727" and "ASP.NET v2.0.50727 (32-bit)"
and only the 32-bit one was set to Allow. I allowed the other one and now
the WSUS Administration snap-in can connect to the server.

Another clue was this in the event log from source ".NET Runtime 2.0
Error":

EventType clr20r3, P1 i41wbvnfm2ht0amgvidw5cwymwccnh0s, P2 3.1.6001.1, P3
4797ef16, P4 system.windows.forms, P5 2.0.0.0, P6 4889dee7, P7 14d2, P8 23,
P9 system.objectdisposedexception, P10 NIL.

"Kenneth Porter" <> wrote in message
news:Xns9C2BB9BDA98EEshivasewingwitchcom@207.46.24 8.16...
> Summary: Authenticated connections to all .asmx URIs are met with a 404
> response.

WSUS does not support "authenticated connections"...

All connections to asmx URIs must be ANONYMOUS
(except console connections to APIRemoting30, which must be
authenticated).

> Installation then went to completion but at the end I got a message that
> the config wizard failed to connect. Running the administration snap-in,
> connection fails.
>
> I checked the IIS logs and I see an initial anonymous connection to
> /ApiRemoting30/WebService.asmx met with a 401 (unauthorized) response,

This is the inverse. Anonymous connections to APIRemoting30 will always
fail.

> followed by a connection from user mydomain\Administrator met with a 404
> response. Later I see other connections to this port also met with 404's
> for what appear to be other ASP URIs.

Make sure that your DOMAIN\Administrator account is functionally a member of
the WSUS Administrators group. Normally this happens by DOMAIN\Domain Admins
being a member of the BUILTIN\Administrators group.

> I've also added the domain Administrator user to the WSUS Administrator
> group.

That should do it, though the preferred method would be Domain Admins in
BUILTIN\Administrators.

Also, make sure both the port 80 and the port 8530 websites have Anonymous
Access enabled, and Authenticated access (all kinds) disabled.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"Kenneth Porter" <> wrote in message
news:Xns9C2BBE7D3A363shivasewingwitchcom@207.46.24 8.16...
> Found it!
>
> Apparently during installation only the 32-bit version of ASP 2 was added
> to the Allow list. I found it by randomly poking around in the IIS Manager
> and opening this node:
>
> Application Server
> IIS Manager
> \\Computername
> Web Service Extensions

Oh!.. hehe... that would mess things up too! No ASP.NET and *nothing* that
resembles an asmx will get processed.

Thanks for posting back. I'll add the "ASP.NET 2.0 (32-bit)" point to my
mental tips-n-tricks list for 64-bit troubleshooting scenarios.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"Kenneth Porter" <> wrote in message
news:Xns9C2DA1E3BB90shivawellcom@207.46.248.16...

>> Also, make sure both the port 80 and the port 8530 websites have
>> Anonymous Access enabled, and Authenticated access (all kinds)
>> disabled.
>
> I had assumed that WSUS used the underlying HTTP authentication verbs
> (with
> an AD/Kerberos method) to establish who was trying to connect to it, in
> order to decide whether to grant access rights (ie. via the WSUS
> Administrators group). Is this not the case?

This is not the case. The communication between the Windows Update Agent and
the WSUS Server is 100% Anonymous.

> Is the authentication passed
> inside an inner protocol wrapped in HTTP, then? I didn't enable anonymous
> authentication, and it seems to work now.

There is no authentication in the system.

The reason it appears to work is because you have enabled Integrated Windows
Authentication, and your DOMAIN COMPUTERs, by virtue of the computer account
being a member of Authenticated Users, are meeting the requirements for
authentication.

However, a WORKGROUP computer would fail this authentication step and not
update. Machines from other (non-trusted) domains would have the same issue.

WSUS is designed to be a domain-agnostic system, and as such, must support
access to its webservices via anonymous connection. The only webservice that
requires authenticated access is the connection to APIRemoting30 for the
Remote Console connection -- which must be authenticated against the WSUS
Administrators group to determine authorization to administer the WSUS
Server.




--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin