A couple of things to make sure are in order:

  1. Proxy settings on the SUP properties are set correctly. (Use it or not, and if so make sure it is pointing to the right place.)
  2. On the SUP component configuration, ensure that the port numbers are correct. If WSUS is installed to the default web site, the ports should be 80/443. If it is using a custom web site, it defaults to 8530/8531…unless you told it something different. Open IIS Administration to check the properties on the WSUS Administration web site to see what it is set to. Make sure the ports in IIS and the SUP component match.

I had all of those settings lined up per the documentation (no proxy required…ports configured correctly), but was still getting errors. I first reported these issues on myITforum.com and a TechNet forum.

The basic gist is that after setting things up per documentation, SCCM was not able to successfully connect to WSUS and manage the WSUS settings. The SMS_WSUS_SYNC_MANAGER log shows that the synchronization failed because of an HTTP 401 “unauthorized” message. This is followed by another log entry that states “SMS WSUS Synchronization failed” because “WSUS Server not configured”. It also gave the incredibly helpful [sarcasm] error code of “214500037: Unspecified error”.

After doing some more digging, I started correlating messages in three log files…WSUS_SYNC_MANAGER, the WSUS IIS log file, and the SCCM server’s Security log. Here is what I found…

When the synchronization starts, an event is logged in the SYNC_MANAGER log stating that a synchronization started (message ID 6701). Exactly five minutes later a 6703 message appears to state that the synchronization failed (that’s the one I referenced above). At the same time as the 6701 message, there are corresponding messages in the IIS and Security logs. In the security log is a success logon audit message. The user name is the SCCMServer$ account. The IP address was listed as the IP of the proxy server. Hey…wait a sec…I told it not to use the proxy. [Edit: Based on my memory, I’m pretty sure the Security Log message is only there the first time it tries to synchronize. I saw it after reboots. Not sure when it would appear again…probably some time period that it needs to re-authenticate. I know it did not appear on subsequent synchronization attempts unless I rebooted. I didn’t give it time to go through any normal process to come up again…it was too easy to reboot and force the entry to appear again. Nice having a lab environment!] Hmmm…on to the IIS logs. Again at the same time as the 6701 message and the security log message comes the following (key parts emphasized):

2007-10-23 16:16:14 W3SVC2097571970 [IP of the SCCM server] POST /ApiRemoting30/WebService.asmx - 8530 - [IP of the proxy server] Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254

From that message (if I interpret it correctly) we can see that the process is trying to connect to the WSUS component on the SCCM server with a client IP address that is the proxy server. We also see that this request is getting the 401 (unauthorized) message.
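
To run the same check across a whole IIS log rather than reading one line by eye, the sketch below parses W3C-format lines and flags 401 responses on the WSUS API remoting endpoint whose client IP is not one of the server's own addresses. It is an added example, not part of the original post; the sample log is constructed, uses placeholder addresses, and assumes the field order declared in its #Fields line.

```python
# Added example: flag 401s on the WSUS API endpoint that arrive from an
# unexpected client IP (for instance a proxy) in an IIS W3C extended log.

# Constructed sample; 192.0.2.x addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-23 16:16:14 W3SVC2097571970 192.0.2.10 POST /ApiRemoting30/WebService.asmx - 8530 - 192.0.2.200 MS+Web+Services+Client 401 2 2148074254
2007-10-23 16:20:02 W3SVC2097571970 192.0.2.10 POST /ApiRemoting30/WebService.asmx - 8530 - 192.0.2.10 MS+Web+Services+Client 200 0 0
2007-10-23 16:21:40 W3SVC2097571970 192.0.2.10 GET /selfupdate/iuident.cab - 8530 - 192.0.2.55 Windows-Update-Agent 401 2 5
"""

API_PATH = "/ApiRemoting30/WebService.asmx"


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or partial lines
                yield dict(zip(fields, values))


def unexpected_api_401s(text, expected_clients, path=API_PATH):
    """Return 401 responses on `path` whose c-ip is not in expected_clients."""
    hits = []
    for r in parse_w3c(text):
        if (r.get("cs-uri-stem", "").lower() == path.lower()
                and r.get("sc-status") == "401"
                and r.get("c-ip") not in expected_clients):
            hits.append({
                "when": f'{r["date"]} {r["time"]}',
                "client": r["c-ip"],
                "substatus": r.get("sc-substatus", "-"),
                # Hex form is easier to look up than the decimal in the log.
                "win32": f'0x{int(r.get("sc-win32-status", "0")):08X}',
            })
    return hits


if __name__ == "__main__":
    # expected_clients: the addresses the SCCM/WSUS server itself connects from.
    for hit in unexpected_api_401s(SAMPLE_LOG, {"192.0.2.10"}):
        print(hit)
```

The timestamps it returns can then be lined up against the 6701 and 6703 messages in the SYNC_MANAGER log.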

Now…why the heck is the proxy server being contacted? Yes we have a proxy server, however it is not required on the network segment where the SCCM/WSUS server resides. (It is enabled but not required on that segment for reasons that are beyond the scope of this post.) All checkboxes for using the proxy are unchecked. (SUP and IE settings). Yet it is still using the proxy. Why?

Here is what I think is going on. We know that when SCCM tries to connect to WSUS, it is using the computer account for the SCCM server. This account appears to be doing proxy auto-configuration (even though all checkboxes inside SCCM tell it not to use the proxy). The auto-configuration is setting the proxy to the DNS name of the proxy…i.e. proxy.company.com. This is getting resolved to the IP of the proxy server, and then SCCM is using that proxy IP to connect. This is failing out. Not sure why…probably a misconfiguration on our proxy server. (If I check the proxy boxes in the SUP, it fails there also.)

So, there appears to be a dual problem. First is an issue with our proxy server that helped uncover the second problem…SCCM appears to be getting proxy auto-config info even though the proxy boxes are unchecked.

So…now that I’ve figured out the issue…what can I do about it? I don’t manage the proxy and don’t want to spend the time figuring out what is going on with it. My co-worker XYZ came up with a great idea that ended up being a great workaround. Set up a host file entry for proxy.company.com that points to a bogus IP address. Then when the server gets the auto-config and tries to contact the proxy server, it goes to a dead IP and then goes on to connect without the proxy info. Worked like a charm. Thanks, XYZ.

So…there you have my forensics of the SCCM/WSUS issue.
