Hi all,
Yesterday I found out the cause to a problem we're seeing with all our SCCM Clients that install their Windows Updates using Software Updates Management.
Update scans fails showing these messages in the log files:
WindowsUpdate.log
2009-09-09 06:10:11:037 12 337c PT Initializing simple targeting cookie, clientId = b4c21078-188b-4d9d-9999-0cde7aefb1bf, target group = , DNS name = fqdn name
2009-09-09 06:10:11:037 12 337c PT Server URL = http://<FQDN>:8530/SimpleAuthWebService/SimpleAuth.asmx
2009-09-09 06:10:11:362 12 337c PT WARNING: GetAuthorizationCookie failure, error = 0x8024401B, soap client error = 10, soap error code = 0, HTTP status code = 407
2009-09-09 06:10:11:363 12 337c PT WARNING: Failed to initialize Simple Targeting Cookie: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: PopulateAuthCookies failed: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: RefreshCookie failed: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: RefreshPTState failed: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: StartCategoryScan failed : 0x8024401b
2009-09-09 06:10:11:586 12 337c Agent * WARNING: Exit code = 0x8024401B
WUAHandler.log
Its a WSUS Update Source type ({1E9D84CB-2E82-4745-BDAF-B03F48BA1A37}), adding it. WUAHandler 6/28/2009 7:50:50 PM 5296 (0x14B0)
Existing WUA Managed server was already set (http://<FQDN>:8530), skipping Group Policy registration. WUAHandler 6/28/2009 7:50:50 PM 5296 (0x14B0)
Added Update Source ({1E9D84CB-2E82-4745-BDAF-B03F48BA1A37}) of content type: 2 WUAHandler 6/28/2009 7:50:50 PM 5296 (0x14B0)
Async searching of updates using WUAgent started. WUAHandler 6/28/2009 7:50:51 PM 5296 (0x14B0)
Async searching completed. WUAHandler 6/28/2009 7:50:55 PM 1728 (0x06C0)
OnSearchComplete - Failed to end search job. Error = 0x8024401b. WUAHandler 6/28/2009 7:50:55 PM 5296 (0x14B0)
Scan failed with error = 0x8024401b. WUAHandler 6/28/2009 7:50:55 PM 5296 (0x14B0)
Now Http error 407 = "Proxy Authentication Required" error, however this is a intranet server, and the client has direct access to it.
The WU Server url is registered via local policy (set by SCCM Client) in UPPERCASE, like this: http://SCCMSERVER.DOMAIN.COM:8530
Our SCCM Servers are also SUP's working on port 8530.
What did I check first before finding the cause of error 407:
- We don't force a WU Server policy by GPO, this is to allow SCCM Clients sets the WUServer policy by local policy itself because we have Proxy MP's acting also as SUP's as we want dynamic assignment to (Proxy) MP's and SUP's
- There is no proxy setting set anywhere, verified with proxycfg.exe and als used it to set to Direct Access (just in case)
- IIS on SCCM box is setup perfect, Anonymous access is granted, added System account with read access... just about all the thinkable accounts were given access... no change, problem remains.
At some moment, I read the documentation for SCCM again... and it said to enter the "hostname" for the WU Server. Hmm, hostname is like without the domain suffix. I entered the hostname in lowercase, so like this: http://sccmserver:8530 , did an "wuauclt.exe /detectnow" and it works again!
Okay, now I tried to do the same with lowercase fqdn, so like this: http://sccmserver.domain.com:8530 , did an "wuauclt.exe /detectnow" and what do you think: IT WORKS!
Somehow when uppercase is used in the WUServer GPO, the WU Agent wants to go through our Proxy server where it has to authenticate, apparantly. When using lowercase url, it goes straight to the SCCM Server.
Now, the problem is... it seems that I am unable to get SCCM to set it's Clients to use a lowercase url for the WUServer entry to point to the SUP. Then I remembered that when you installed a role, the site server intranet fqdn is shown in uppercase. I changed it to lowercase, but apparantly the policies are not renewed so SCCM Clients still receive the uppercase policy. I have checked this and confirmed that it didn't change it.
What can I now do? I need to get the url to lowercase without setting a GPO up for it.
Is it possible to let SCCM server create a new policy with the right (lowercase) url for the SUP's?
Some help is really appreciated!
Herman van Drie
Getronics
HE-M@n
Yesterday I found out the cause to a problem we're seeing with all our SCCM Clients that install their Windows Updates using Software Updates Management.
Update scans fails showing these messages in the log files:
WindowsUpdate.log
2009-09-09 06:10:11:037 12 337c PT Initializing simple targeting cookie, clientId = b4c21078-188b-4d9d-9999-0cde7aefb1bf, target group = , DNS name = fqdn name
2009-09-09 06:10:11:037 12 337c PT Server URL = http://<FQDN>:8530/SimpleAuthWebService/SimpleAuth.asmx
2009-09-09 06:10:11:362 12 337c PT WARNING: GetAuthorizationCookie failure, error = 0x8024401B, soap client error = 10, soap error code = 0, HTTP status code = 407
2009-09-09 06:10:11:363 12 337c PT WARNING: Failed to initialize Simple Targeting Cookie: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: PopulateAuthCookies failed: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: RefreshCookie failed: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: RefreshPTState failed: 0x8024401b
2009-09-09 06:10:11:363 12 337c PT WARNING: StartCategoryScan failed : 0x8024401b
2009-09-09 06:10:11:586 12 337c Agent * WARNING: Exit code = 0x8024401B
WUAHandler.log
Its a WSUS Update Source type ({1E9D84CB-2E82-4745-BDAF-B03F48BA1A37}), adding it. WUAHandler 6/28/2009 7:50:50 PM 5296 (0x14B0)
Existing WUA Managed server was already set (http://<FQDN>:8530), skipping Group Policy registration. WUAHandler 6/28/2009 7:50:50 PM 5296 (0x14B0)
Added Update Source ({1E9D84CB-2E82-4745-BDAF-B03F48BA1A37}) of content type: 2 WUAHandler 6/28/2009 7:50:50 PM 5296 (0x14B0)
Async searching of updates using WUAgent started. WUAHandler 6/28/2009 7:50:51 PM 5296 (0x14B0)
Async searching completed. WUAHandler 6/28/2009 7:50:55 PM 1728 (0x06C0)
OnSearchComplete - Failed to end search job. Error = 0x8024401b. WUAHandler 6/28/2009 7:50:55 PM 5296 (0x14B0)
Scan failed with error = 0x8024401b. WUAHandler 6/28/2009 7:50:55 PM 5296 (0x14B0)
Now Http error 407 = "Proxy Authentication Required" error, however this is a intranet server, and the client has direct access to it.
The WU Server url is registered via local policy (set by SCCM Client) in UPPERCASE, like this: http://SCCMSERVER.DOMAIN.COM:8530
Our SCCM Servers are also SUP's working on port 8530.
What did I check first before finding the cause of error 407:
- We don't force a WU Server policy by GPO, this is to allow SCCM Clients sets the WUServer policy by local policy itself because we have Proxy MP's acting also as SUP's as we want dynamic assignment to (Proxy) MP's and SUP's
- There is no proxy setting set anywhere, verified with proxycfg.exe and als used it to set to Direct Access (just in case)
- IIS on SCCM box is setup perfect, Anonymous access is granted, added System account with read access... just about all the thinkable accounts were given access... no change, problem remains.
At some moment, I read the documentation for SCCM again... and it said to enter the "hostname" for the WU Server. Hmm, hostname is like without the domain suffix. I entered the hostname in lowercase, so like this: http://sccmserver:8530 , did an "wuauclt.exe /detectnow" and it works again!
Okay, now I tried to do the same with lowercase fqdn, so like this: http://sccmserver.domain.com:8530 , did an "wuauclt.exe /detectnow" and what do you think: IT WORKS!
Somehow when uppercase is used in the WUServer GPO, the WU Agent wants to go through our Proxy server where it has to authenticate, apparantly. When using lowercase url, it goes straight to the SCCM Server.
Now, the problem is... it seems that I am unable to get SCCM to set it's Clients to use a lowercase url for the WUServer entry to point to the SUP. Then I remembered that when you installed a role, the site server intranet fqdn is shown in uppercase. I changed it to lowercase, but apparantly the policies are not renewed so SCCM Clients still receive the uppercase policy. I have checked this and confirmed that it didn't change it.
What can I now do? I need to get the url to lowercase without setting a GPO up for it.
Is it possible to let SCCM server create a new policy with the right (lowercase) url for the SUP's?
Some help is really appreciated!
Herman van Drie
Getronics
HE-M@n