WSUS EULA IIS (Error 401.3)

My current customer has a few SCCM Primary servers with two SUPs each.  The two SUPs share a single SUSDB located on the SQL server and also share a single WSUSContent folder located on SUP02.

The SCCM clients that are reporting to the SUP01 server are failing to install patches that require a EULA.  Remember, the EULA is located in the WSUSContent folder stored on the SUP02 server, so it must be a permissions issue.

I wrote up a quick PowerShell script to identify which servers are not able to access the EULA.

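$ServerNames = @("ServerSUP01","ServerSUP02")
# Relative path of a EULA file under the WSUS Content virtual directory
$EULA = "Content/23/14D19C27B28CC3990260D7191F6E0FF6C7483623.txt"
ForEach ($Server in $ServerNames) {
    Try {
        # Request the EULA through each SUP's own IIS site
        $url = "https://" + $Server + ":8530/" + $EULA
        $Status = (Invoke-WebRequest $url).StatusCode
        # Compare with -eq (= is assignment in PowerShell)
        If ($Status -eq 200) { Write-Host $Server "= Success" -ForegroundColor "Green" }
    }
    Catch {
        # Invoke-WebRequest throws on 4xx/5xx responses such as 401.3
        Write-Host $Server "= Failed to find EULA" -ForegroundColor "Red"
    }
}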

I made sure that the SUP01 server had rights to the WSUSContent folder on SUP01 and that it was able to access the files, but the clients were still getting the 401.3 error in the IIS logs.  Digging into the issue more, I found that the Anonymous Authentication method on the SUP01 server did not have rights to access the SUP02 Content folder to read the EULA.  To resolve the issue, we needed to change the account from IUSR to Application Pool Identity (a.k.a. Network Service).

  1. Open IIS and navigate to the WSUS Administration web server, select the Content folder and click on the Authentication icon.  Note: you can do this at the root of the WSUS web page if you want.
  2. Right-click on Anonymous Authentication and select Edit.
  3. Select Application pool identity and then OK.
  4. Restart the WSUS webpage
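
The same change made from PowerShell with the WebAdministration module, preceded by a check of which account will actually touch the share. This is an added example, not part of the original post; the site name `WSUS Administration` and the share path `\\ServerSUP02\WSUSContent` are assumptions.

```powershell
# Added example. Assumed names: IIS site 'WSUS Administration' and the
# hypothetical share \\ServerSUP02\WSUSContent; adjust both to your environment.
Import-Module WebAdministration

$Site      = 'WSUS Administration'
$Location  = "$Site/Content"                # virtual directory serving the EULA files
$SharePath = '\\ServerSUP02\WSUSContent'    # assumed UNC path of the shared content
$Filter    = 'system.webServer/security/authentication/anonymousAuthentication'
$Apply     = $false                         # set to $true to make the change

function Get-AnonymousIdentity {
    param([string]$Location)
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter $Filter -Name userName
    # The cmdlet may return a plain string or an attribute object with .Value
    $name = if ($v -is [string]) { $v } else { $v.Value }
    # An empty userName is what IIS Manager shows as "Application pool identity"
    if ([string]::IsNullOrEmpty($name)) { 'Application pool identity' } else { $name }
}

# 1. Which account do anonymous requests to /Content run as right now?
Write-Host "Anonymous identity on '$Location':" (Get-AnonymousIdentity $Location)

# 2. Which account does the application pool itself run as?
$pool     = (Get-Item "IIS:\Sites\$Site").applicationPool
$identity = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).identityType
Write-Host "Application pool '$pool' runs as: $identity"

# 3. NetworkService reaches a remote share as this server's computer account,
#    so list ACL entries naming it. Rights granted through a group will not
#    show up here, and share-level permissions on the file server are separate.
$machine = "*\$env:COMPUTERNAME`$"
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference -like $machine } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 4. Switch anonymous authentication to the application pool identity and
#    restart the site (steps 1-4 of the list above).
if ($Apply) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Filter -Name userName -Value ''
    Stop-Website -Name $Site
    Start-Website -Name $Site
    Write-Host "Now:" (Get-AnonymousIdentity $Location)
}
```

Read access for the computer account is all the Content directory needs; after the switch, whatever that account can read under the share is served to anonymous requests through this virtual directory.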

All the SCCM clients that are reporting to the SUP01 server should now be able to install the patches that require a EULA.