Friday, April 5, 2019 3:00 PM
Followed this: /en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus
and this http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/ to set up SSL on WSUS.
Assigned/bound a cert in IIS which was issued by our in-house Microsoft Enterprise Root CA. Currently there is only one server to which I am trying to deploy updates/patches, a Server 2016. Our RootCA certificate is present in the Local Computer Trusted Root CA Store on the test Server 2016 and also in the same location on the WSUS server.
The Server 2016 client is visible/reporting in the WSUS Unassigned Computers group under Status "**Not yet reported**" but is not moving to the WSUS group I created for WSUS_TestServers. The GPO is set up correctly for client-side targeting.
This is what I see in the windowslog file on the client/server 2016:
https://fqdn.local:8531/ClientWebService/client.asmx'.
2019/04/05 09:21:08.3073227 1364 1836 WebServices WS error: The server returned HTTP status code '500 (0x1F4)' with text 'System.ServiceModel.ServiceActivationException'.
2019/04/05 09:21:08.3073232 1364 1836 WebServices WS error: The server was unable to process the request.
2019/04/05 09:21:08.3073335 1364 1836 WebServices Web service call failed with hr = 8024401f.
2019/04/05 09:21:08.3073338 1364 1836 WebServices Current service auth scheme=0.
2019/04/05 09:21:08.3073341 1364 1836 WebServices Current Proxy auth scheme=0.
2019/04/05 09:21:08.3073422 1364 1836 ProtocolTalker PTError: 0x8024401f
2019/04/05 09:21:08.3073425 1364 1836 ProtocolTalker SyncUpdates_WithRecovery failed. 0x8024401f
2019/04/05 09:21:08.3073467 1364 1836 ProtocolTalker SyncUpdates round trips: 1
2019/04/05 09:21:08.3073471 1364 1836 ProtocolTalker Sync of Updates 0x8024401f
2019/04/05 09:21:08.3073530 1364 1836 ProtocolTalker SyncServerUpdatesInternal failed 0x8024401f
2019/04/05 09:21:08.3106381 1364 1836 Agent Failed to synchronize, error = 0x8024401F
2019/04/05 09:21:08.3244305 1364 1836 Agent Exit code = 0x8024401F
2019/04/05 09:21:08.3244314 1364 1836 Agent * END * Finding updates CallerId = UpdateOrchestrator Id = 1
2019/04/05 09:21:08.3327902 1364 1584 ComApi *RESUMED* Search ClientId = UpdateOrchestrator
2019/04/05 09:21:08.3334744 1364 1584 ComApi Updates found = 0
2019/04/05 09:21:08.3334751 1364 1584 ComApi Exit code = 0x00000000, Result code = 0x8024401F
2019/04/05 09:21:08.3334755 1364 1584 ComApi * END * Search ClientId = UpdateOrchestrator
2019/04/05 09:21:08.3340164 1364 7288 ComApi ISusInternal:: DisconnectCall failed, hr=8024000C
2019/04/05 09:28:39.2998832 1364 8100 Agent Refreshing global settings cache
2019/04/05 09:28:39.2998843 1364 8100 Agent WSUS server: https://fqdn.local:8531 (Unchanged)
2019/04/05 09:28:39.2998849 1364 8100 Agent WSUS status server: https://fqdn.local:8531 (Unchanged)
2019/04/05 09:28:39.2998852 1364 8100 Agent Alternate Download Server: NULL (Changed)
2019/04/05 09:28:39.2998855 1364 8100 Agent Fill Empty Content Urls: No (Unchanged)
2019/04/05 09:28:39.2998858 1364 8100 Agent Target group: WSUS_TestServers (Unchanged)
2019/04/05 09:28:39.2998861 1364 8100 Agent Windows Update access disabled: No (Unchanged)
2019/04/05 09:29:08.3558987 1364 8128 Misc Got WSUS Client/Server URL: https://fqdn.local:8531/ClientWebService/client.asmx""
2019/04/05 09:29:08.3559563 1364 8128 ProtocolTalker OK to reuse existing configuration
Thank you
Thursday, April 18, 2019 7:54 PM ✅Answered
Changed this from 1740 to 240 seems to have resolved the issue and all machines reported after I made this change. I will monitor this for now by adding more machines little by little
Friday, April 5, 2019 3:31 PM
I think that this is most important entry.
2019/04/05 09:21:08.3073227 1364 1836 WebServices WS error: The server returned HTTP status code '500 (0x1F4)' with text 'System.ServiceModel.ServiceActivationException'.
That says that the client is getting to your WSUS server and it is crashing. On the WSUS server check your eventlogs and also the IIS logs. You may need to enable Failed Request Tracing in IIS to get more detailed info.
You should be able to test connectivity on the client with PowerShell.
Invoke-WebRequest https://fqdn.local:8531/ClientWebService/client.asmx
Note, my experience is with IIS, not WSUS.
Friday, April 5, 2019 7:01 PM
Thank you MotoX80
I can open the link successfully using Chrome but cannot invoke it via PowerShell
https://fqdn.local:8531/ClientWebService/client.asmx
Not seeing this anymore in the logs:
WS error: The server returned HTTP status code '500 (0x1F4
Friday, April 5, 2019 7:34 PM
Is everything working now?
If not, what error did PowerShell give you? Did you find errors in the logs on the WSUS server? Have you tried running the Windows Update troubleshooter on the client?
Friday, April 5, 2019 7:54 PM
On WSUS > I removed the HTTPS bindings in IIS and re-bound them.
On the Server 2016 client > Stopped the Windows Update service, deleted everything under C:\Windows\SoftwareDistribution\ and restarted the Windows service, and after that things look good now. I will monitor it for now.
Friday, April 5, 2019 8:34 PM
Try the client diagnostics tool.
Monday, April 8, 2019 6:00 AM | 1 vote
2019/04/05 09:21:08.3073227 1364 1836 WebServices WS error: The server returned HTTP status code '500 (0x1F4)' with text 'System.ServiceModel.ServiceActivationException'.
2019/04/05 09:21:08.3073232 1364 1836 WebServices WS error: The server was unable to process the request.
2019/04/05 09:21:08.3073335 1364 1836 WebServices Web service call failed with hr = 8024401f.
I also think that this is the key to the error, the problem relates to an IIS problem with multiple site binding.
Please note that the WsusPool application pool has stopped when there is a problem. Does the welcome page open after accessing 'https://fqdn.local:8531/ClientWebService/client.asmx' directly from the client? Does it contain an error message?
Regards,
Yic
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Tuesday, April 9, 2019 5:39 PM
I added another Server 2016 today and I am getting the same error in the WindowsUpdate log file. The server is there in WSUS but its last status report has been "Not reported yet" since yesterday.
Error on the server side:
There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x8024401c)
Thoughts?
Tuesday, April 9, 2019 5:42 PM
When I double click on the link https://fqdn.local:8531/ClientWebService/client.asmx' within the log file it opens fine
BUT
When I copy paste the same link in chrome I get an error:
Attackers might be trying to steal your information from fqdn.local (for example, passwords, messages, or credit cards).
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
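The Chrome error quoted above points at the signature algorithm of the certificate chain, not at the binding itself. As an added example (not part of the thread), this PowerShell can be run on the WSUS server to list every certificate with a private key in LocalMachine\My and flag chain elements signed with a SHA-1 or MD5 based algorithm; the function name Get-WeakSignatureFinding and the choice of OIDs treated as weak are assumptions of this example.

```powershell
# Added example, not from the thread. Assumes the certificate bound in IIS
# lives in Cert:\LocalMachine\My on the WSUS server.
# Signature algorithm OIDs this example treats as weak (assumption).
$weakOids = @{
    '1.2.840.113549.1.1.4' = 'md5RSA'
    '1.2.840.113549.1.1.5' = 'sha1RSA'
    '1.2.840.10040.4.3'    = 'sha1DSA'
    '1.2.840.10045.4.1'    = 'sha1ECDSA'
}

# Hypothetical helper: builds the chain for one certificate and emits one
# row per chain element (leaf, intermediates, root).
function Get-WeakSignatureFinding {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is out of scope here; only trust and signatures are checked.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        # A self-signed root is trusted because it is in the root store, so
        # its own signature algorithm is reported but not flagged.
        $isRoot = $c.Subject -eq $c.Issuer
        [pscustomobject]@{
            Leaf         = $Certificate.Subject
            Element      = $c.Subject
            Algorithm    = $c.SignatureAlgorithm.FriendlyName
            IsRoot       = $isRoot
            Weak         = (-not $isRoot) -and $weakOids.ContainsKey($c.SignatureAlgorithm.Value)
            ChainTrusted = $trusted
            NotAfter     = $c.NotAfter
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object HasPrivateKey |
    ForEach-Object { Get-WeakSignatureFinding -Certificate $_ } |
    Sort-Object Leaf |
    Format-Table Leaf, Element, Algorithm, IsRoot, Weak, ChainTrusted -AutoSize
```

A row with Weak = True on the leaf or an intermediate means the certificate has to be reissued by the CA with a SHA-2 signature; rebinding the same certificate in IIS does not change it.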
Tuesday, April 9, 2019 6:41 PM
C:\WSUS Diag>ClientDiag.exe
WSUS Client Diagnostics Tool
Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is not running. PASS
GetFileVersion(szEngineDir,&susVersion) failed with hr=0x80070002
The system cannot find the file specified.
Tuesday, April 9, 2019 8:19 PM
2019/04/09 15:56:02.3493175 1296 8440 Misc Got WSUS Client/Server URL: https://FQDN:8531/ClientWebService/client.asmx""
2019/04/09 15:56:02.9117767 1296 8440 ProtocolTalker ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = https://FQDN:8531/ClientWebService/client.asmx
2019/04/09 15:56:02.9119377 1296 8440 ProtocolTalker PT: Calling GetConfig on server
2019/04/09 15:56:02.9119606 1296 8440 WebServices Auto proxy settings for this web service call.
2019/04/09 15:56:02.9326520 1296 8440 WebServices WS error: There was an error communicating with the endpoint at 'https://FQDN:8531/ClientWebService/client.asmx'.
2019/04/09 15:56:02.9326529 1296 8440 WebServices WS error: The server returned HTTP status code '500 (0x1F4)' with text 'System.ServiceModel.ServiceActivationException'.
2019/04/09 15:56:02.9326533 1296 8440 WebServices WS error: The server was unable to process the request.
2019/04/09 15:56:02.9326549 1296 8440 WebServices Web service call failed with hr = 8024401f.
I had removed the HTTP bindings but I have put it back now.
STUCK!!!
Tuesday, April 9, 2019 11:00 PM
Something must be wrong in IIS. Enable Failed Request Tracing for "500" errors on the WSUS server. Then browse the error XML files to see where it's crashing.
https://community.ivanti.com/docs/DOC-34708
I no longer have access to a WSUS server to really help you, but my notes say that this is a WSUS Test. On the WSUS server itself, try to browse these.
http://*yourservername*:8530/SimpleAuthWebService/SimpleAuth.asmx
https://*yourservername*:8531/SimpleAuthWebService/SimpleAuth.asmx
Wednesday, April 10, 2019 8:31 AM
2019/04/05 09:21:08.3073335 1364 1836 WebServices Web service call failed with hr = 8024401f.
2019/04/05 09:21:08.3073338 1364 1836 WebServices Current service auth scheme=0.
2019/04/05 09:21:08.3073341 1364 1836 WebServices Current Proxy auth scheme=0.
2019/04/05 09:21:08.3073422 1364 1836 ProtocolTalker PTError: 0x8024401f
2019/04/05 09:21:08.3073425 1364 1836 ProtocolTalker SyncUpdates_WithRecovery failed. 0x8024401f
2019/04/05 09:21:08.3073467 1364 1836 ProtocolTalker SyncUpdates round trips: 1
2019/04/05 09:21:08.3073471 1364 1836 ProtocolTalker Sync of Updates 0x8024401f
2019/04/05 09:21:08.3073530 1364 1836 ProtocolTalker SyncServerUpdatesInternal failed 0x8024401f
2019/04/05 09:21:08.3106381 1364 1836 Agent Failed to synchronize, error = 0x8024401F
2019/04/05 09:21:08.3244305 1364 1836 Agent Exit code = 0x8024401F
2019/04/05 09:21:08.3244314 1364 1836 Agent * END * Finding updates CallerId = UpdateOrchestrator Id = 1
I analyzed the logs provided again. Please check whether the following entries in the GPO for WSUS have been modified:
- [Specify intranet Microsoft update service location]
Modify the two addresses "Set the intranet update service for detecting updates" and "Set the intranet statistics server" to the URL address of the form "**https://fqdn.local:8531**".
Looking forward to the reply.
Wednesday, April 10, 2019 1:33 PM
Thank you Yic and MotoX80.
@Yic - Yes I have been trying various settings.
I have 2 servers so far in the WSUS both are server 2016 member servers.
ServerA and ServerB. ServerA is in (lets say) GroupA and ServerB in GroupB within WSUS.
ServerA is working fine and downloaded updates this morning without any issues and look perfectly up to date in WSUS. ServerA and ServerB sit in different OU's in AD. GPO's are applied correctly to both servers. I validated.
It seems to be clear that the issue is with ServerB.
Current GPO.
ServerB
Wednesday, April 10, 2019 8:45 PM
I added the domain controller to the WSUS and in its WindowsUpdate log file I see this
https://fqdn.local:8531/ClientWebService/client.asmx'.
2019/04/10 16:27:39.2456967 1520 6404 WebServices WS error: There was an error receiving the HTTP reply.
2019/04/10 16:27:39.2456974 1520 6404 WebServices WS error: The operation did not complete within the time allotted.
2019/04/10 16:27:39.2456978 1520 6404 WebServices WS error: The operation timed out
2019/04/10 16:27:39.2456991 1520 6404 WebServices Web service call failed with hr = 8024401c.
2019/04/10 16:27:39.2456994 1520 6404 WebServices Current service auth scheme=0.
2019/04/10 16:27:39.2456997 1520 6404 WebServices Current Proxy auth scheme=0.
2019/04/10 16:27:39.2457273 1520 6404 ProtocolTalker PTError: 0x8024401c
2019/04/10 16:27:39.2457275 1520 6404 ProtocolTalker SyncUpdates_WithRecovery failed. 0x8024401c
2019/04/10 16:27:39.2457380 1520 6404 ProtocolTalker SyncUpdates round trips: 2
2019/04/10 16:27:39.2457384 1520 6404 ProtocolTalker Sync of Updates 0x8024401c
2019/04/10 16:27:39.2457646 1520 6404 ProtocolTalker SyncServerUpdatesInternal failed 0x8024401c
2019/04/10 16:27:39.2489896 1520 6404 Agent Failed to synchronize, error = 0x8024401C
2019/04/10 16:27:39.2653328 1520 6404 Agent Exit code = 0x8024401C
2019/04/10 16:27:39.2653720 1520 6404 Agent * END * Finding updates CallerId = UpdateOrchestrator Id = 1
Thursday, April 11, 2019 3:10 AM
2019/04/10 16:27:39.2456978 1520 6404 WebServices WS error: The operation timed out
2019/04/10 16:27:39.2456991 1520 6404 WebServices Web service call failed with hr = 8024401c.
In some threads I noticed that the following solution solves many of the 8044401c problems. For your reference:
- Made the following changes in the IIS Application Pool for the WSUS Page:
  - Queue Length: 25000 from 10000
  - Limit Interval (minutes): 15 from 5
  - "Service Unavailable" Response: TcpLevel from HttpLevel
  - Private Memory Limit (KB): 0 from 18342456
Looking forward to the reply.
Thursday, April 11, 2019 12:44 PM
Thank you Yic.
I already have those settings in place from the time I installed WSUS. You are correct it did solve some of the issues I was having but not this one at hand.
Thursday, April 11, 2019 12:57 PM
(Stop IIS first) Edit the web.config ( C:\Program Files\Update Services\WebServices\ClientWebService\web.config ) for WSUS:
- Replace <httpRuntime maxRequestLength="4096" /> with <httpRuntime maxRequestLength="204800" executionTimeout="7200"/>
I added the above to the web.config and the DC connected to the WSUS
Friday, April 12, 2019 3:18 PM
Looks like there is not much I can do here to further tweak the WSUS App Pool. 1 out of 3 PCs has reported properly.
1 reported right away.
Second reported after a hard fought battle with wsus app pool and web.config settings tweak on WSUS server and third is still not reporting.
Monday, April 15, 2019 5:13 PM
Still server has not reported into WSUS. I see event logged on that server:
Windows Update failed to check for updates with error 0x8024401C - Event ID:25
And on the MS site: /en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939837(v=ws.10)
0x8024401C WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT: HTTP 408 - the server timed out waiting for the request.
Thoughts?
Monday, April 15, 2019 6:34 PM
In the web site defaults, increase the connection timeout.
What do you see in the IIS logs on the server? Might be a good time to learn about logparser. Use that to analyze your IIS logs.
https://www.microsoft.com/en-us/download/details.aspx?id=24659
**** Basic IIS Log display for current day ****
logparser "SELECT TO_LOCALTIME(TO_TIMESTAMP(date,time)) as [Local Time], cs-host, c-ip, cs-username,sc-status, cs-uri-stem, SUBSTR(cs-uri-query,0,50) FROM 'C:\inetpub\Logs\LogFiles\ex%date:~12,2%%date:~4,2%%date:~7,2%.*' " -rtp:-1 -recurse
*** HTTP ERR LOG ************
logparser "SELECT TO_LOCALTIME(TO_TIMESTAMP(date,time)) as [Local Time], c-ip, cs-version, cs-method, cs-uri, sc-status, s-siteid, s-reason, s-queuename from 'C:\WINDOWS\system32\LogFiles\HTTPERR\httperr*.log' order by [Local Time] " -rtp:-1
Monday, April 15, 2019 8:23 PM
Thank you MotoX80.
This is what I see in the httperr1.log....
#Version: 1.0
#Date: 2019-04-15 18:53:33
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename
2019-04-15 18:53:32 Client-Server-IP 51787 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
2019-04-15 19:54:32 Client-Server-IP 51947 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
2019-04-15 20:02:05 Client-Server-IP 51968 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
2019-04-15 20:02:37 Client-Server-IP 51974 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
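An added example (not part of the thread): a PowerShell parser for the HTTPERR format shown above that reads the `#Fields` header and groups entries by queue, reason and URI, so repeated drops against one application pool stand out. The function name ConvertFrom-HttpErrLog is hypothetical, and the sample lines are the excerpt posted above with its placeholder addresses.

```powershell
# Added example, not from the thread. Sample lines are the httperr1.log excerpt
# posted above, placeholders included. For a live server use:
#   $lines = Get-Content 'C:\Windows\System32\LogFiles\HTTPERR\httperr1.log'
$lines = @'
#Version: 1.0
#Date: 2019-04-15 18:53:33
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename
2019-04-15 18:53:32 Client-Server-IP 51787 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
2019-04-15 19:54:32 Client-Server-IP 51947 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
2019-04-15 20:02:05 Client-Server-IP 51968 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
2019-04-15 20:02:37 Client-Server-IP 51974 WSUS-Server-IP 8531 HTTP/1.1 POST /ClientWebService/client.asmx - - 266356563 Connection_Dropped WsusPool
'@ -split "`r?`n"

# Hypothetical helper: turns HTTPERR lines into objects using the #Fields header.
function ConvertFrom-HttpErrLog {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'   # header may repeat mid-file
            continue
        }
        if ($l -match '^#' -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $values = $l.Trim() -split '\s+'
        # Skip truncated or malformed rows instead of misaligning columns.
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # HTTPERR timestamps are UTC; convert to local time, as the logparser
        # query in the thread does with TO_LOCALTIME.
        $row['LocalTime'] = [datetime]::ParseExact(
            "$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal)
        [pscustomobject]$row
    }
}

ConvertFrom-HttpErrLog -Line $lines |
    Group-Object 's-queuename', 's-reason', 'cs-uri' |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object LocalTime)
        [pscustomobject]@{
            Queue  = $sorted[0].'s-queuename'
            Reason = $sorted[0].'s-reason'
            Uri    = $sorted[0].'cs-uri'
            Count  = $_.Count
            First  = $sorted[0].LocalTime
            Last   = $sorted[-1].LocalTime
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```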
Tuesday, April 16, 2019 12:13 AM
That doesn't tell us anything more than what we knew... that the connection timed out.
I don't know WildPacket, this is really hard to troubleshoot remotely. Does cpu/memory/disk look ok on both client and server when it's connecting?
My next "goto" tool would be Sysinternals process monitor. But that's really a low level monitor and using it is an art. The volume of data can be overwhelming.
Maybe reboot both machines and try again??
Start with Windows resource monitor and see if some process is monopolizing cpu/memory/disk.
Tuesday, April 16, 2019 6:15 PM
From this server, when I trigger Windows updates, right then the CPU on the WSUS goes to 99% usage and this is the culprit: MSSQLMicrosoft##WID, the Windows Internal Database which is used by WSUS.
Wednesday, April 17, 2019 2:24 AM
Well at this point in time, I would be walking over to my SQL DBA's desk and asking him to analyze SQL performance. Do the databases need to be reorganized, is he running a DB maintenance plan, does the log need truncated, has he allocated sufficient memory to SQL.
I would also be asking my WSUS admin to analyze the patches that he's downloaded. Does it match our environment, ie: if we don't have any Vista machines, has he downloaded Vista patches that we don't need.
https://searchenterprisedesktop.techtarget.com/tip/Tricks-for-optimizing-WSUS-performance
https://gal.vin/2017/04/29/wsus-config-tweaks/
Thursday, April 18, 2019 1:20 PM
It is the Windows Internal Database (WID) used by WSUS. There is no SQL server running here.
Yesterday I uninstalled WSUS, formatted the server and built a new WSUS, but the CPU is still at 100% usage. This time I am running HTTP to make sure all works well, then I will go HTTPS.
I made the changes to the WSUS App Pool:
- Queue Length: 25000 from 10000
- Limit Interval (minutes): 15 from 5
- "Service Unavailable" Response: TcpLevel from HttpLevel
- Private Memory Limit (KB): 0 from 18342456
Restarted IIS after I made the above changes.
Thursday, April 18, 2019 6:47 PM
I will defer to the WSUS experts.
Wednesday, April 24, 2019 4:08 PM
The issue has been resolved and WSUS is now running with HTTPS. Thank you everybody. Hopefully this thread can assist others. It was a great learning.