Re: V5.WindowsUpdate problem on ISA 2000
- From: "Jim Harrison" <jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 26 Aug 2004 10:23:12 -0700
Stefaan also provided me some interesting captures.
I've forwarded this and his WU configuration to them as well.
There's a very real bug here and the only current workaround is to use source
address limitations for this destination for now.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 26, 2004 09:56
Subject: [isalist] Re: V5.WindowsUpdate problem on ISA 2000
http://www.ISAserver.org
This is the final response I got from Microsoft.
I thought the would send you the logs that I sent them, since he said he
knew you and said he would forward them to you.
And for the record, I never blamed ISA, just that something new wouldn't
work through ISA.
I also cant just add the group Everybody to the security for internet
access, since I don't want just anybody going there.
I just hope the fix they issue, which I guess would be another push of
the update client, will work through ISA in the first place to get it
installed.
>From PSS:
After browsing the ISA logs, we found that in our case the WU client
2.0 does not properly authenticate with the ISA server. During
authentication, the WU client identifies itself as "Domain\" instead of
"Domain\UserName". Authentication fails and then Windows Update fails
and issues the error code 0x80244021. Of course WU is still working
fine on all other versions of Windows 2000. We were able to bypass this
problem by creating a rule in ISA which would allow the client to get
out without authentication on the ISA server. This is not an ideal fix
of course, but it appears that in our case this seems to be the cause
and fix.
This has been passed on to our support staff and we will be making
efforts to resolve this.
END
Jeff
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, August 23, 2004 7:56 PM
To: ISALists
Subject: [isalist] Re: V5.WindowsUpdate problem on ISA 2000
http://www.ISAserver.org
The error code in the screen shot actually resolves to 12152; a WinInet
error complaining about "invalid server response". Between that and the
12209 in your logs, it's clear that WindowsUpdate.v5 doesn't like
authenticating proxies.
Call PSS and bitch loud and clear; they should be using WinHTTP, not
WinInet in their AX controls.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
On Mon, 23 Aug 2004 22:14:40 +0200
"Stefaan Pouseele" <stefaan.pouseele@xxxxxxx> wrote:
http://www.ISAserver.org
Hi Jim,
I made another test and you can download a screenshot of the error, an
excerpt from the web proxy log file and an Ethereal trace at
http://users.skynet.be/spouseele/download/WindowsUpdateV5.zip.
Thanks,
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: zondag 22 augustus 2004 17:46
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: V5.WindowsUpdate problem on ISA 2000
http://www.ISAserver.org
see; this is why I wanted to see logs...
:-)
Do you also have captures of this event?
That would go a long way to help sort out the "what "& why" of this
problem...
Nice catch, Stephen!
You should contact PSS and scream loud and long about this...
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
On Sun, 22 Aug 2004 11:38:59 +0200
"Stefaan Pouseele" <Stefaan.Pouseele@xxxxxxx> wrote:
http://www.ISAserver.org
Hey guys,
There seems to be a problem with the new V5.WindowsUpdate and a
site&content rule who applies to a user/group based membership. Here is
an excerpt of the Web Proxy log on an ISA 2000 server:
172.31.1.2, anonymous, Microsoft WU Client/2.0, N, 8/21/2004, 15:27:10,
w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0,
SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 12209,
0x0, PR-SPECIAL, - 172.31.1.2, anonymous, Microsoft WU Client/2.0, N,
8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com,
-, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443,
-, Inet, 0, 0x0, PR-SPECIAL, - 172.31.1.2, INTRANET\, Microsoft WU
Client/2.0, Y, 8/21/2004, 15:27:10, w3proxy, GWISA, -,
v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -,
v5.windowsupdate.microsoft.com:443, -, Inet, 12202, 0x0, PR-SPECIAL, -
172.31.1.2, INTRANET\SP, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; .NET CLR 1.1.4322), Y, 8/21/2004, 15:27:11, w3proxy, GWISA, -,
v5.windowsupdate.microsoft.com, 64.4.21.188, 80, 188, 898, 6519, http,
TCP, GET,
http://v5.windowsupdate.microsoft.com/v5consumer/errorinformation.aspx?e
rror=-2145107935&ln=en-us, text/html; charset=utf-8, Inet, 200,
0x40020001, PR-SPECIAL, SCR-USERS
When the Microsoft WU Client/2.0 tries to connect he doesn't
authenticate with the full user name (domain\user) but only with the
domain part. Turning of the user/group based membership in the
site&content rule and apply the rule to any request or a client address
set seems to solve the problem.
Is this a known problem?
HTH,
Stefaan
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
