DSS Authentication Web Service Configuration
Downstream server authentication service is not working end to end. This may be because of configuration issues.
Possible resolutions include:
- First, troubleshoot any issues with SQL Server before proceeding.
- Troubleshoot any general issues with IIS.
- Check permissions.
- Open a command window.
- Type cd <WSUSInstallDir>\WebServices\DssAuthWebService
- Type cacls
- The following ACEs should be set:
- NT AUTHORITY\NETWORK SERVICE:(OI)(CI)R
- BUILTIN\Users:(OI)(CI)R
- NT AUTHORITY\Authenticated Users:(OI)(CI)R
- BUILTIN\Administrators:(OI)(CI)F
- NT AUTHORITY\SYSTEM:(OI)(CI)F
- Check the IIS configuration of the reporting Web service using the IIS script adsutil.vbs (or use the IIS Administration UI Tool).
- Open a command window.
- Locate the adsutil.vbs tool, which is typically in <InetpubDir>\AdminScripts.
- Locate WSUS virtual directories on the IIS server: type <InetpubDir>\AdminScripts\adsutil.vbs find path
- Find the path of the DssAUthWebService (it will look like W3SVC/<WebSiteID>/ROOT/DssAuthWebService).
- Get the properties of the web service: type <InetpubDir>\AdminScripts\adsutil.vbs enum W3SVC/<WebSiteID>/ROOT/DssAuthWebService
- Compare the output with typical values below (this is a partial list): KeyType:”IIsWebVirtualDir” AppRoot:”/LM/W3SVC/<WebSiteID>/ROOT/DssAuthWebService” AppFriendlyName:”DssAuthWebService” AppIsolated:2 Path: “<WSUSInstallDir>\WebServices\DssAuthWebService” AccessFlags:513 AccessExecute:False AccessSource:False AccessRead:True AccessWrite:False AccessScript:True AccessNoRemoteExecute:False AccessNoRemoteRead:False AccessNoRemoteWrite:False AccessNoRemoteScript:False AccessNoPhysicalDir:False AspScriptErrorSentToBrowser:False AspEnableParentPaths:False AuthFlags:1 AuthBasic:False AuthAnonymous:True AuthNTLM:False AuthMD5:False AuthPassport:False AppPoolId:WsusPool”
- Type <InetpubDir>\AdminScripts\adsutil.vbs enum W3SVC/1
- Compare the output with typical values below (this is a partial list).
KeyType:”IIsWebServer” ServerState2 ServerComment:”Default Website” ServerSize:1 ServerBindings:”:80:” SecureBindings:”:443:” ConnectionTimeout:180 DefaultDoc:”Default.htm,Default.asp,index.htm,iisstart.htm” AspBufferingOn:False LogPluginClsid:”{FF160663-DE82-11CF-BC0A-00AA006111E0}” Win32Error:0 AppPoolId:”DefaultAppPool”
- Type <InetpubDir>\AdminScripts\adsutil.vbs enum W3SVC
- Compare output with typical values below. This is a partial listing. For more information, see “Appendix C: IIS Settings for Web Services” in the WSUS 3.0 Operations Guide at http://go.microsoft.com/fwlink/?LinkId=81072Â KeyType:”IIsWebService” MaxConnections:4294967295 AnonymousUserName:”IUSR_<machinename>” AuthFlags:1 AuthBasic:False AuthAnonymous:True AuthNTLM:False AuthMD5:False AuthPassport:False AppPoolId:”DefaultAppPool” IIs5IsolationModeEnabled:False
Verify
Look for the corresponding error event.
- Open a command window.
- Type cd <WSUSInstallDir>\Tools
- Type wsusutil checkhealth
- Type eventvwr
- Review the Application log for the most recent events from source Windows Server Update Services a
|