WSUS Issues – Part 2

May 25, 2007

Little did I know when I wrote the last entry on WSUS Issues that my troubles were not yet over.

The next morning I discovered that the WSUS 3.0 admin console would not connect. When I selected Connect to Server from the context menu of the Update Services tree, I got the Connect to Server dialog, into which I entered the server name and port (8530). I then got an error dialog saying I "do not have permissions necessary to access the WSUS server. To connect to the server you must be a member of the WSUS Administrators or WSUS Reporters security groups." I added the administrator account I logged on with to the WSUS Administrators group, but the problem remained. I uninstalled and reinstalled WSUS 3.0 and was able to connect again with the admin console, but my clients were not.

So I took the steps I had taken before to get the clients to connect (I had also previously had to manually install the updated AU client for the client PCs, but obviously did not repeat that): resetting the password for the IUSR_LEORA user used for anonymous access and making sure the Integrated Windows authentication box had a check in it for the directories comprising the WSUS Administration web site in IIS. Now the clients were connecting (as I was seeing from the still-running WSUS 3.0 admin console), so I closed the admin console and tried opening it again. The problem described in the initial paragraph was back!

I tried many things over the next few days, left messages in the WSUS newsgroup, posted on, but received no help.

Finally I figured it out. The problem lay in part of the italicized text above. I went into Internet Information Server (IIS), the WSUS Administration site, the APIRemoting30 subdirectory, and unchecked "allow anonymous access" in the Directory Security tab for that directory. The console worked (hopefully flawlessly!). A quick check revealed that the clients were still able to connect.

I am no expert on IIS, but I believe I now understand that by enabling anonymous access to that directory, which is used by the WSUS Admin console, I had prevented the admin console from connecting with higher security credentials than those assigned to anonymous accessors. So when the console connected, it was given only guest privileges, which weren’t enough to do anything and generated the errors I described above. This theory seems to be borne out by KB 324274.

I’ve certainly learned something new about IIS, and it makes me wish there were some sort of Small Business Server basic theory site to visit to understand things like this.

I wonder if Home Server will be completely devoid of these issues.
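The check described above, written as an added example that is not part of the original post: a small Python audit that reads an IIS 6-style MetaBase.xml export and reports whether the APIRemoting30 directory effectively allows anonymous access, including when the setting is inherited from a parent node. It assumes the IIS 6 metabase layout (the post does not state the IIS version); the site ID, the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an IIS 6 MetaBase.xml export. The site ID
# (1234) and every path except the APIRemoting30 name are placeholders.
SAMPLE = """<configuration><MBProperty>
<IIsWebServer Location="/LM/W3SVC/1234" ServerComment="WSUS Administration"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1234/ROOT" AuthFlags="AuthAnonymous | AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1234/ROOT/ClientWebService"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1234/ROOT/ApiRemoting30" AuthFlags="AuthAnonymous | AuthNTLM"/>
</MBProperty></configuration>"""


def effective_auth(xml_text):
    """Map each metabase Location to its effective AuthFlags.

    A node without its own AuthFlags inherits the value of the nearest
    ancestor that sets one, so the lookup walks up the Location path.
    """
    explicit, locations = {}, []
    for node in ET.fromstring(xml_text).iter():
        loc = node.get("Location")
        if loc is None:
            continue
        loc = loc.rstrip("/").lower()
        locations.append(loc)
        flags = node.get("AuthFlags")
        if flags is not None:
            explicit[loc] = {f.strip() for f in flags.split("|") if f.strip()}
    result = {}
    for loc in locations:
        probe = loc
        while probe and probe not in explicit:
            probe = probe.rpartition("/")[0]  # step up to the parent key
        result[loc] = explicit.get(probe, set())
    return result


def anonymous_admin_paths(xml_text, admin_dirs=("apiremoting30",)):
    """Return admin directories where anonymous access is effectively enabled.

    With AuthAnonymous set, requests run as the anonymous (IUSR_*) account,
    which is the condition the post ties to the console's permission error.
    """
    return sorted(
        loc for loc, flags in effective_auth(xml_text).items()
        if loc.rsplit("/", 1)[-1] in admin_dirs and "AuthAnonymous" in flags
    )


if __name__ == "__main__":
    for path in anonymous_admin_paths(SAMPLE):
        print("anonymous access enabled on admin directory:", path)
```
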
