WSUS: Clients get HTTP 401 errors - 0x800710DD errors generated in WindowsUpdate.log
If you support a specific product or technology long enough you tend to start seeing the same things over and over again, or you pick up on common themes that seem to run through various issues you encounter. Once such issue I've been running into a lot lately is one where clients are unable to get updates and generate HTTP 401 errors. If you look in the WindowsUpdate.log you may also see stuff like this:
========
2005-07-28 14:33:53 1344 74c Misc WARNING: SendRequest failed with hr = 800710dd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2005-07-28 14:33:53 1344 74c PT + Last proxy send request failed with hr = 0x800710DD, HTTP status code = 401
2005-07-28 14:33:53 1344 74c PT + Caller provided credentials = No
2005-07-28 14:33:53 1344 74c PT + Impersonate flags = 2
2005-07-28 14:33:53 1344 74c PT + Possible authorization schemes used =
2005-07-28 14:33:53 1344 74c PT WARNING: SyncUpdates failure, error = 0x800710DD, soap client error = 5, soap error code = 0, HTTP status code = 200
2005-07-28 14:33:53 1344 74c PT WARNING: Sync of Updates: 0x800710dd
2005-07-28 14:33:53 1344 74c Agent * WARNING: Failed to synchronize, error = 0x800710DD
2005-07-28 14:33:53 1344 74c Agent * WARNING: Exit code = 0x800710DD
========
There can be a few different causes of these errors but more often than not it turns out to be some sort of permissions issue on the Windows folder or a folder within Windows. The easiest way to verify this is by running Process Monitor while a client tries to check in. If it's a permissions issue you'll probably see something like this:
========
7214 10:33:05.5409017 AM w3wp.exe 652 QueryOpen C:WINDOWSMicrosoft.NETFramework ACCESS DENIED
7216 10:33:05.5410857 AM w3wp.exe 652 CreateFile C:WINDOWSMicrosoft.NET ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
7223 10:33:05.5415072 AM w3wp.exe 652 QueryOpen C:WINDOWSMicrosoft.NETFramework ACCESS DENIED
7224 10:33:05.5416119 AM w3wp.exe 652 CreateFile C:WINDOWSMicrosoft.NET ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
========
One of our WSUS Support Escalation Engineers by the name of Joe Tindale ran into one of these issues a couple days ago and that's what he found, although the permissions issue could exist for the Windows directory itself or any other directory that we need access to. So now the question becomes how to fix it. In this example we're getting ACCESS DENIED errors accessing the WindowsMicrosoft.NET directory so we need to ensure that the IUSR_MachineName account has read and execute permissions to this particular folder. This is actually the default because USERS has this right by default and IUSER is a member of USERS.
And of course it follows that if you see access problems on another folder, once you identify the folder having the problem simply ensure that USERS has read and execute permissions to the appropriate folder and that IUSERS is a member of the USERS group.
To verify the default permissions and user rights for IIS 6.0 see https://support.microsoft.com/kb/812614/.
As I mentioned earlier, this is not the sole cause of these 401 and 0x800710DD errors but if you run into this problem it's a good place to start. Based on my experience, the chances are good that this may be the root cause of your issue.
Hope this helps,
J.C. Hornbeck | Manageability Knowledge Engineer