Windows Update and ISA Server 2000

We are currently having the know problem of ISA server 2000 not allowing
Windows Update to complete. We use user authentication and can not change
this. I can make an exception for the windows update site but the only guides
I have saw say that you must allow anoymous access to http and https and that
turns off the user authentication. Is there a way of allowing users to
anonymously access the windows update site while making them authenticate for
every other site?

"uhhuhyea" <> wrote in message
newsB988277-C8F7-4945-8F2F-...
> We are currently having the know problem of ISA server 2000 not allowing
> Windows Update to complete. We use user authentication and can not change
> this. I can make an exception for the windows update site but the only guides
> I have saw say that you must allow anoymous access to http and https and that
> turns off the user authentication.

I think you should challenge the use of the word "must".

My view is that this may be being inferred (falsely) because it happens to work.

I have suggested to others that perhaps they could find a workaround
using the information contained in a related KB article.


<extract>
Have a look at KB842309.

<title>KB842309 - An update is available for Background Intelligent Transfer Service (BITS) 2.0 for Windows XP</title>

Specifically look at the paragraph which begins:
"This problem occurs when all the following conditions are true."
Logically that implies that if you change one of those conditions
that the problem may stop occurring.


For example, it sounds as if you have successfully negated
the third condition:
"The file transfer is performed through a Windows-based server
or a Windows-based Internet Proxy Server that requires
Integrated Windows authentication."
but if instead you wanted to preserve authentication then you
would have to try to make changes to negate one of the other
two conditions.
</extract>


Others I have pointed this out to seem not to understand my point.
So to be clear, I am *not* suggesting that you need the update
that the KB article was written for; I am just pointing out that there
seems to be information in there which could be used to find an
alternate workaround and which would thus contradict the assumption
I want you to challenge.


> Is there a way of allowing users to
> anonymously access the windows update site while making them authenticate for
> every other site?


Perhaps you will be able to tell us...


Good luck

Robert Aldwinckle
---

I tried the advice of that knowledge base and this did not fix the problem.
I created a UseLmCompat registry value in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\BITS subkey, and
then add a DWORD value of 0.
I also set
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\LmCompatibilityLevel
equal to 2.
This had to effect.

"Robert Aldwinckle" wrote:

> "uhhuhyea" <> wrote in message
> newsB988277-C8F7-4945-8F2F-...
> > We are currently having the know problem of ISA server 2000 not allowing
> > Windows Update to complete. We use user authentication and can not change
> > this. I can make an exception for the windows update site but the only guides
> > I have saw say that you must allow anoymous access to http and https and that
> > turns off the user authentication.
>
> I think you should challenge the use of the word "must".
>
> My view is that this may be being inferred (falsely) because it happens to work.
>
> I have suggested to others that perhaps they could find a workaround
> using the information contained in a related KB article.
>
>
> <extract>
> Have a look at KB842309.
>
> <title>KB842309 - An update is available for Background Intelligent Transfer Service (BITS) 2.0 for Windows XP</title>
>
> Specifically look at the paragraph which begins:
> "This problem occurs when all the following conditions are true."
> Logically that implies that if you change one of those conditions
> that the problem may stop occurring.
>
>
> For example, it sounds as if you have successfully negated
> the third condition:
> "The file transfer is performed through a Windows-based server
> or a Windows-based Internet Proxy Server that requires
> Integrated Windows authentication."
> but if instead you wanted to preserve authentication then you
> would have to try to make changes to negate one of the other
> two conditions.
> </extract>
>
>
> Others I have pointed this out to seem not to understand my point.
> So to be clear, I am *not* suggesting that you need the update
> that the KB article was written for; I am just pointing out that there
> seems to be information in there which could be used to find an
> alternate workaround and which would thus contradict the assumption
> I want you to challenge.
>
>
> > Is there a way of allowing users to
> > anonymously access the windows update site while making them authenticate for
> > every other site?
>
>
> Perhaps you will be able to tell us...
>
>
> Good luck
>
> Robert Aldwinckle
> ---
>
>
>

The windowsupdate.log shows:
Error: Agent failed detecting with reason: 0x80244021

"Robert Aldwinckle" wrote:

> "uhhuhyea" <> wrote in message
> newsB988277-C8F7-4945-8F2F-...
> > We are currently having the know problem of ISA server 2000 not allowing
> > Windows Update to complete. We use user authentication and can not change
> > this. I can make an exception for the windows update site but the only guides
> > I have saw say that you must allow anoymous access to http and https and that
> > turns off the user authentication.
>
> I think you should challenge the use of the word "must".
>
> My view is that this may be being inferred (falsely) because it happens to work.
>
> I have suggested to others that perhaps they could find a workaround
> using the information contained in a related KB article.
>
>
> <extract>
> Have a look at KB842309.
>
> <title>KB842309 - An update is available for Background Intelligent Transfer Service (BITS) 2.0 for Windows XP</title>
>
> Specifically look at the paragraph which begins:
> "This problem occurs when all the following conditions are true."
> Logically that implies that if you change one of those conditions
> that the problem may stop occurring.
>
>
> For example, it sounds as if you have successfully negated
> the third condition:
> "The file transfer is performed through a Windows-based server
> or a Windows-based Internet Proxy Server that requires
> Integrated Windows authentication."
> but if instead you wanted to preserve authentication then you
> would have to try to make changes to negate one of the other
> two conditions.
> </extract>
>
>
> Others I have pointed this out to seem not to understand my point.
> So to be clear, I am *not* suggesting that you need the update
> that the KB article was written for; I am just pointing out that there
> seems to be information in there which could be used to find an
> alternate workaround and which would thus contradict the assumption
> I want you to challenge.
>
>
> > Is there a way of allowing users to
> > anonymously access the windows update site while making them authenticate for
> > every other site?
>
>
> Perhaps you will be able to tell us...
>
>
> Good luck
>
> Robert Aldwinckle
> ---
>
>
>

"uhhuhyea" <> wrote in message
news:38FC5EF1-2EDF-4F56-AD00-...
>I tried the advice of that knowledge base and this did not fix the problem.
> I created a UseLmCompat registry value in the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\BITS subkey, and
> then add a DWORD value of 0.
> I also set
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\LmCompatibilityLevel
> equal to 2.
> This had to effect.


I guess you would have to have two traces to compare
to really determine that and then to have some clue
as to how to proceed.

Were there at least any differences in the log?
E.g. was that 80244021 you also reported a new symptom?


Another approach that I have wondered about is
changing the Log On accounts for the services which
are involved. E.g. notice that BITS defaults to Local System.


Robert
---


>
> "Robert Aldwinckle" wrote:
>
>> "uhhuhyea" <> wrote in message
>> newsB988277-C8F7-4945-8F2F-...
>> > We are currently having the know problem of ISA server 2000 not allowing
>> > Windows Update to complete. We use user authentication and can not change
>> > this. I can make an exception for the windows update site but the only guides
>> > I have saw say that you must allow anoymous access to http and https and that
>> > turns off the user authentication.
>>
>> I think you should challenge the use of the word "must".
>>
>> My view is that this may be being inferred (falsely) because it happens to work.
>>
>> I have suggested to others that perhaps they could find a workaround
>> using the information contained in a related KB article.
>>
>>
>> <extract>
>> Have a look at KB842309.
>>
>> <title>KB842309 - An update is available for Background Intelligent Transfer Service (BITS) 2.0 for Windows XP</title>
>>
>> Specifically look at the paragraph which begins:
>> "This problem occurs when all the following conditions are true."
>> Logically that implies that if you change one of those conditions
>> that the problem may stop occurring.
>>
>>
>> For example, it sounds as if you have successfully negated
>> the third condition:
>> "The file transfer is performed through a Windows-based server
>> or a Windows-based Internet Proxy Server that requires
>> Integrated Windows authentication."
>> but if instead you wanted to preserve authentication then you
>> would have to try to make changes to negate one of the other
>> two conditions.
>> </extract>
>>
>>
>> Others I have pointed this out to seem not to understand my point.
>> So to be clear, I am *not* suggesting that you need the update
>> that the KB article was written for; I am just pointing out that there
>> seems to be information in there which could be used to find an
>> alternate workaround and which would thus contradict the assumption
>> I want you to challenge.
>>
>>
>> > Is there a way of allowing users to
>> > anonymously access the windows update site while making them authenticate for
>> > every other site?
>>
>>
>> Perhaps you will be able to tell us...
>>
>>
>> Good luck
>>
>> Robert Aldwinckle
>> ---
>>
>>
>>

I tried changing the BITs service to run under a domain account with
administrative privalidge. When I tried starting the service it said it could
not start because the service was not running under the same account as other
services, Same goes for the Automatic updates. I tried them both at the same
time and still no go. The problem is when you go to the windows update site
the WU service tries first to go out anonymously then I see in the logs where
it tries to go out using just the domain\ with no user account. I am sure
that Microsoft is familiar with this as well and to my knowledge the only
workaround they have is to allow anonymous access to the windows update site
but I can not do this (or do not know how to do this) without allowing
anonymous access for all sites. Does anyone know if ISA Server 2004 is having
the same problems and if so can you successfully run a WUS server and get it
to update though an ISA server?

"uhhuhyea" wrote:

> The windowsupdate.log shows:
> Error: Agent failed detecting with reason: 0x80244021
>
> "Robert Aldwinckle" wrote:
>
> > "uhhuhyea" <> wrote in message
> > newsB988277-C8F7-4945-8F2F-...
> > > We are currently having the know problem of ISA server 2000 not allowing
> > > Windows Update to complete. We use user authentication and can not change
> > > this. I can make an exception for the windows update site but the only guides
> > > I have saw say that you must allow anoymous access to http and https and that
> > > turns off the user authentication.
> >
> > I think you should challenge the use of the word "must".
> >
> > My view is that this may be being inferred (falsely) because it happens to work.
> >
> > I have suggested to others that perhaps they could find a workaround
> > using the information contained in a related KB article.
> >
> >
> > <extract>
> > Have a look at KB842309.
> >
> > <title>KB842309 - An update is available for Background Intelligent Transfer Service (BITS) 2.0 for Windows XP</title>
> >
> > Specifically look at the paragraph which begins:
> > "This problem occurs when all the following conditions are true."
> > Logically that implies that if you change one of those conditions
> > that the problem may stop occurring.
> >
> >
> > For example, it sounds as if you have successfully negated
> > the third condition:
> > "The file transfer is performed through a Windows-based server
> > or a Windows-based Internet Proxy Server that requires
> > Integrated Windows authentication."
> > but if instead you wanted to preserve authentication then you
> > would have to try to make changes to negate one of the other
> > two conditions.
> > </extract>
> >
> >
> > Others I have pointed this out to seem not to understand my point.
> > So to be clear, I am *not* suggesting that you need the update
> > that the KB article was written for; I am just pointing out that there
> > seems to be information in there which could be used to find an
> > alternate workaround and which would thus contradict the assumption
> > I want you to challenge.
> >
> >
> > > Is there a way of allowing users to
> > > anonymously access the windows update site while making them authenticate for
> > > every other site?
> >
> >
> > Perhaps you will be able to tell us...
> >
> >
> > Good luck
> >
> > Robert Aldwinckle
> > ---
> >
> >
> >

"uhhuhyea" <> wrote in message
news:51ABE5D7-696F-4FC4-93A8-...
>I tried changing the BITs service to run under a domain account with
> administrative privalidge. When I tried starting the service it said it could
> not start because the service was not running under the same account as other
> services, Same goes for the Automatic updates.
> I tried them both at the same time and still no go.


That's too bad. I guess that's because they all run under the same
svchost.exe. Perhaps if we figured out how to make both run in their
own svchost.exe you could satisfy that constraint.


> The problem is when you go to the windows update site
> the WU service tries first to go out anonymously then I see in the logs where
> it tries to go out using just the domain\ with no user account.


Isn't it just that the svchost.exe is trying to use the account that
shows up in Task Manager?

E.g. try these commands in a command window

sc queryex bits | find "PID"
sc queryex wuauserv | find "PID"

Note the PID. Then open Task Manager's Processes tab
and note the User Name (aka "account") that that PID is running under.

Now with the same PID try this command:

tasklist /svc /fi "PID eq _ _ _"

I see many more services listed than just the two you are trying
to experiment with.

What is interesting is that when you look at each of their properties
you see under Path to executable:
D:\WINDOWS\system32\svchost.exe -k netsvcs

Also there is a subkey called netsvcs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
which contains some values regarding authentication...

So the tempting thing to consider is that if you cloned that in a new subkey
called, say, ISAsvcs and then changed their Path to executable to be:
D:\WINDOWS\system32\svchost.exe -k ISAsvcs
perhaps you could then give both services their own proper account
the way you were trying.


> I am sure
> that Microsoft is familiar with this as well


Coincidentally I found a link today to an article which may be related
by searching for 80244021 MSFT on the web interface
that you are using:

http://www.microsoft.com/technet/pro...ateauthen.mspx

(Courtesy suraj )

http://www.microsoft.com/windowsxp/e...xp=&sloc=en-us


Good luck

Robert
---


> and to my knowledge the only
> workaround they have is to allow anonymous access to the windows update site
> but I can not do this (or do not know how to do this) without allowing
> anonymous access for all sites. Does anyone know if ISA Server 2004 is having
> the same problems and if so can you successfully run a WUS server and get it
> to update though an ISA server?
>
> "uhhuhyea" wrote:
>
>> The windowsupdate.log shows:
>> Error: Agent failed detecting with reason: 0x80244021
>>
>> "Robert Aldwinckle" wrote:
>>
>> > "uhhuhyea" <> wrote in message
>> > newsB988277-C8F7-4945-8F2F-...
>> > > We are currently having the know problem of ISA server 2000 not allowing
>> > > Windows Update to complete. We use user authentication and can not change
>> > > this. I can make an exception for the windows update site but the only guides
>> > > I have saw say that you must allow anoymous access to http and https and that
>> > > turns off the user authentication.
>> >
>> > I think you should challenge the use of the word "must".
>> >
>> > My view is that this may be being inferred (falsely) because it happens to work.
>> >
>> > I have suggested to others that perhaps they could find a workaround
>> > using the information contained in a related KB article.
>> >
>> >
>> > <extract>
>> > Have a look at KB842309.
>> >
>> > <title>KB842309 - An update is available for Background Intelligent Transfer Service (BITS) 2.0 for Windows XP</title>
>> >
>> > Specifically look at the paragraph which begins:
>> > "This problem occurs when all the following conditions are true."
>> > Logically that implies that if you change one of those conditions
>> > that the problem may stop occurring.
>> >
>> >
>> > For example, it sounds as if you have successfully negated
>> > the third condition:
>> > "The file transfer is performed through a Windows-based server
>> > or a Windows-based Internet Proxy Server that requires
>> > Integrated Windows authentication."
>> > but if instead you wanted to preserve authentication then you
>> > would have to try to make changes to negate one of the other
>> > two conditions.
>> > </extract>
>> >
>> >
>> > Others I have pointed this out to seem not to understand my point.
>> > So to be clear, I am *not* suggesting that you need the update
>> > that the KB article was written for; I am just pointing out that there
>> > seems to be information in there which could be used to find an
>> > alternate workaround and which would thus contradict the assumption
>> > I want you to challenge.
>> >
>> >
>> > > Is there a way of allowing users to
>> > > anonymously access the windows update site while making them authenticate for
>> > > every other site?
>> >
>> >
>> > Perhaps you will be able to tell us...
>> >
>> >
>> > Good luck
>> >
>> > Robert Aldwinckle
>> > ---
>> >
>> >
>> >