Error 0x800710dd

    Question

  • The clients do not report to the WSUS server; the error 0x800710dd appears. If I run the command sc sdshow wuauserv, the following appears:
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

    All the configurations are taken by GP. Authenticated users and Domain Users have read permissions on Automatic Updates Service.

    Monday, May 11, 2009 11:37 PM

Answers

  • I'm confused... you had sufficient skills to track down an article containing this command:

    sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

    So:
    [1] Does the article apply to your machines? If you think it might.. (I do!)
    [2] Have you run that SC SDSET command to verify the proper configuration of the Security Descriptor on the affected machines is applied?

    Second, I trust you're able to check the BUILTIN\Users group to verify that the NT AUTHORITY\Authenticated Users group is listed,
    and to check the IIS_WPG group to verify that the IIS_machinename account is listed.

    If all of that works, then assuming you can find the IIS_machinename account in Local Users and Groups,
    and the password field for the IIS_machinename account in the IIS Administration security dialog,
    it should be trivial to set those passwords to be identical, just to be sure that's not the cause.

    Also, it shouldn't take too much to determine if dcpromo has been run on this machine: [a] Is it a Domain Controller? [b] Has it ever been a Domain Controller?

    Finally, unless you suspect somebody has been changing permissions to system groups (IIS_WPG), while that's a possible cause, it's not a very likely one.

    So, what exactly is it that you need assistance with?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Friday, May 22, 2009 1:48 AM
    Moderator
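
Decoding the descriptor from the sc sdset command above, as an added example that is not part of the original thread: it maps each SDDL right code to its service access right and reports, per trustee, what an observed sc sdshow string is missing or holds in excess relative to that baseline. DRIFTED is a constructed sample, and the function names are this example's own.

```python
import re

# Meaning of SDDL right codes when the securable object is a service.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "BUILTIN\\Administrators",
            "AU": "Authenticated Users", "PU": "BUILTIN\\Power Users"}

# Descriptor applied by the sc sdset command quoted in this thread.
BASELINE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed sample of a drifted descriptor: AU ACE gone, PU gained DC.
DRIFTED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCDCLCSWRPWPDTLOCRRC;;;PU)")


def parse_dacl(sddl):
    """Return {trustee code: set of right names} for allow ACEs in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl.strip())
    if dacl is None:
        raise ValueError("no DACL section in SDDL string")
    acl = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        if ace_type != "A":          # deny and audit ACEs are out of scope here
            continue
        if len(rights) % 2:
            raise ValueError(f"odd-length rights string: {rights}")
        for i in range(0, len(rights), 2):
            code = rights[i:i + 2]
            if code not in SERVICE_RIGHTS:
                raise ValueError(f"unknown right code: {code}")
            acl.setdefault(trustee, set()).add(SERVICE_RIGHTS[code])
    return acl


def diff_dacl(observed, baseline=BASELINE):
    """Rights each trustee is missing, or holds in excess, versus the baseline."""
    obs, base = parse_dacl(observed), parse_dacl(baseline)
    report = {}
    for t in sorted(set(obs) | set(base)):
        missing = sorted(base.get(t, set()) - obs.get(t, set()))
        extra = sorted(obs.get(t, set()) - base.get(t, set()))
        if missing or extra:
            report[TRUSTEES.get(t, t)] = {"missing": missing, "extra": extra}
    return report


if __name__ == "__main__":
    print(diff_dacl(BASELINE))   # the asker's sc sdshow output equals the baseline
    for who, delta in diff_dacl(DRIFTED).items():
        print(who, delta)
```

An empty result means the client's descriptor already matches, so the cause lies elsewhere; an "extra" entry such as CHANGE_CONFIG for a non-administrative trustee is worth investigating in its own right.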

All replies

  • How is it that a group has READ permissions on a =SERVICE= ??? Can you clarify that statement please?

    The typical cause for 0x800710dd errors, other than the security descriptor being incorrect (in which case you should reset the security descriptor to the correct value -- and a search for 0x800710dd at http://www.wsuswiki.com will turn up that command), is that the security configuration of the WSUS Server has been modified. This is typically caused when the NT AUTHORITY\Authenticated Users object has been removed from the BUILTIN\Users group on the WSUS Server.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Wednesday, May 13, 2009 5:47 PM
    Moderator
  • Is the command:
    sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) ??

    Because if I compare it with the other one, it is the same configuration. Actually, this is the continuation of a past thread that I started, and you wrote this:

    Run the following command to set the security descriptor (please run the command properly).

    sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

    If Group Policy is present, follow the path below (or ask the client to give access).

    Start->Administrative Tools->Active Directory Users and Computers->Right Click on domain -> Select Properties-> Select Group Policy

    In the Group Policy snap-in, open the following:

    Computer Configuration -> Windows Settings -> Security Settings -> System Services

    Select the service named Automatic Updates and click Properties.

    Click Edit Security and just add Authenticated Users with read permissions to Group or user names.

    Don't forget to run gpupdate on your target computer.

    So I did that, but I still have the problem. Inside IIS these are the enabled values:

    Web Sites Folder --> anonymous access
    Default Web Sites --> anonymous access and Integrated Windows Authentication
    ApiRemoting30 --> Integrated Windows Authentication and Digest Authentication
    ClientWebService --> anonymous access
    Content --> anonymous access
    DssAuthWebService --> anonymous access
    Inventory --> anonymous access
    ReportingWebService --> anonymous access
    Selfupdate --> anonymous access
    ServerSyncWebService --> anonymous access
    SimpleAuthWebService --> anonymous access
    Aspnet_client --> anonymous access and Integrated Windows Authentication

    If I try to connect to this link, http://192.168.1.3/iuident.cab, it asks for credentials, and after I enter the same user and password that I use to log into the PC, I can see options to open, save or save the file.

    Please help me to fix this issue, because last month I had to install all the patches manually on each PC.
    Thursday, May 14, 2009 12:01 AM
  • > Default Web Sites --> anonymous access and Integrated Windows Authentication

    The "Integrated Windows Authentication" on the Default Web Site is the cause of the credentials prompt.

    You need to determine why this option is enabled, and if not needed, or no determination can be made, it should be disabled.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Thursday, May 14, 2009 6:09 AM
    Moderator
  • Now the Default Web Site has only anonymous access enabled, but the issue still exists.
    Thursday, May 14, 2009 11:28 PM
  • Okay, go back to my original reply and respond to my points included there, which you've not yet addressed.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Friday, May 15, 2009 2:56 PM
    Moderator
  • Mkay .... Seems to me the solution is two different Default Websites. One for anonymous access and one for authenticated. One that points (e.g.) to .../index.* and another that points to .../main.*.

    Shems
    Information is the most valuable commodity I know of.
    Monday, May 18, 2009 10:47 PM
  • Yeah, but that's not a functional option in Internet Information Server.

    Nor is it appropriate at this point to speculate on possible solutions,
    since we've not yet identified what the problem might be.

    The only thing we've identified is a symptom of a problem, which is that user(s) are being prompted for authentication.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Tuesday, May 19, 2009 3:35 AM
    Moderator
  • > Now the Default Web Site has only anonymous access enabled, but the issue still exists.

    One other question.. did you run IISRESET, or reboot the server, after you unchecked the "Integrated Windows Authentication" checkbox?
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Tuesday, May 19, 2009 3:35 AM
    Moderator
  • Who am I to argue with an MVP ... Since the treatment is symptomatic, it would be appropriate to re-install WSUS. The error typically involves a serious break in BCP's on IIS; removing a builtin group. The security of the server has already been manually manipulated. It stands to reason that this alone could have caused the problem. The propagation of permissions has been broken at (at least) two levels from what I gather. The server was not reset or the system didn't correctly update the registry. To cancel out these possibilities, WSUS should be re-installed. Start with a clean slate. If the problem persists ... well...

    Information is the most valuable commodity I know of.
    Tuesday, May 19, 2009 11:26 AM
  • Yes Lawrence, I ran IISRESET. This is the content of WindowsUpdate.log:

    2009-05-19 10:58:39:937  172 5f8 AU Triggering AU detection through DetectNow API
    2009-05-19 10:58:39:937  172 5f8 AU Triggering Online detection (non-interactive)
    2009-05-19 10:58:39:937  172 5b8 AU #############
    2009-05-19 10:58:39:937  172 5b8 AU ## START ##  AU: Search for updates
    2009-05-19 10:58:39:937  172 5b8 AU #########
    2009-05-19 10:58:39:937  172 5b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {007C31C7-92D9-439F-A59D-36C7ECAEE340}]
    2009-05-19 10:58:39:937  172 88c Agent *************
    2009-05-19 10:58:39:937  172 88c Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2009-05-19 10:58:39:937  172 88c Agent *********
    2009-05-19 10:58:39:937  172 88c Agent   * Online = Yes; Ignore download priority = No
    2009-05-19 10:58:39:937  172 88c Agent   * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"
    2009-05-19 10:58:39:937  172 88c Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
    2009-05-19 10:58:39:937  172 88c Misc Validating signature for C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wuident.cab:
    2009-05-19 10:58:39:953  172 88c Misc  Microsoft signed: Yes
    2009-05-19 10:58:40:046  172 88c Misc WARNING: SendRequest failed with hr = 800710dd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://192.168.1.3/selfupdate/wuident.cab>. error 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: SendRequest failed with hr = 800710dd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://192.168.1.3/selfupdate/wuident.cab>. error 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: SendRequest failed with hr = 800710dd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://192.168.1.3/selfupdate/wuident.cab>. error 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x800710dd
    2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x800710dd
    2009-05-19 10:58:40:375  172 88c Misc WARNING: SendRequest failed with hr = 800710dd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2009-05-19 10:58:40:375  172 88c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://192.168.1.3/selfupdate/wuident.cab>. error 0x800710dd
    2009-05-19 10:58:40:375  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x800710dd
    2009-05-19 10:58:40:375  172 88c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x800710dd
    2009-05-19 10:58:40:375  172 88c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x800710dd
    2009-05-19 10:58:40:375  172 88c Misc WARNING: DownloadFileInternal failed for http://192.168.1.3/selfupdate/wuident.cab: error 0x800710dd
    2009-05-19 10:58:40:375  172 88c Setup FATAL: IsUpdateRequired failed with error 0x800710dd
    2009-05-19 10:58:40:375  172 88c Setup WARNING: SelfUpdate: Default Service: IsUpdateRequired failed: 0x800710dd
    2009-05-19 10:58:40:375  172 88c Setup WARNING: SelfUpdate: Default Service: IsUpdateRequired failed, error = 0x800710DD
    2009-05-19 10:58:40:375  172 88c Agent   * WARNING: Skipping scan, self-update check returned 0x800710DD
    2009-05-19 10:58:41:000  172 88c Agent   * WARNING: Exit code = 0x800710DD
    2009-05-19 10:58:41:000  172 88c Agent *********
    2009-05-19 10:58:41:000  172 88c Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2009-05-19 10:58:41:000  172 88c Agent *************
    2009-05-19 10:58:41:000  172 88c Agent WARNING: WU client failed Searching for update with error 0x800710dd
    2009-05-19 10:58:41:000  172 138 AU >>##  RESUMED  ## AU: Search for updates [CallId = {007C31C7-92D9-439F-A59D-36C7ECAEE340}]
    2009-05-19 10:58:41:000  172 138 AU   # WARNING: Search callback failed, result = 0x800710DD
    2009-05-19 10:58:41:000  172 138 AU   # WARNING: Failed to find updates with error code 800710DD
    2009-05-19 10:58:41:000  172 138 AU #########
    2009-05-19 10:58:41:000  172 138 AU ##  END  ##  AU: Search for updates [CallId = {007C31C7-92D9-439F-A59D-36C7ECAEE340}]
    2009-05-19 10:58:41:000  172 138 AU #############
    2009-05-19 10:58:41:000  172 138 AU AU setting next detection timeout to 2009-05-19 19:13:20
    2009-05-19 10:58:41:000  172 138 AU Setting AU scheduled install time to 2009-05-19 21:00:00
    2009-05-19 10:58:45:375  172 88c Report REPORT EVENT: {050D9D5A-E3FC-4905-8CA2-7667638038A2} 2009-05-19 10:58:40:375-0500 1 148 101 {D67661EB-2423-451D-BF5D-13199E37DF28} 0 800710dd SelfUpdate Failure Software Synchronization Windows Update Client failed to detect with error 0x800710dd.
    2009-05-19 10:58:46:187  172 88c PT WARNING: Cached cookie has expired or new PID is available
    2009-05-19 10:58:46:187  172 88c PT Initializing simple targeting cookie, clientId = d065c5ec-37b3-4017-8fe8-c24674822630, target group = , DNS name = 22hw000167.tcsjci.com
    2009-05-19 10:58:46:187  172 88c PT   Server URL = http://192.168.1.3/SimpleAuthWebService/SimpleAuth.asmx
    2009-05-19 10:58:46:203  172 88c Misc WARNING: SendRequest failed with hr = 800710dd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2009-05-19 10:58:46:203  172 88c PT   + Last proxy send request failed with hr = 0x800710DD, HTTP status code = 401
    2009-05-19 10:58:46:203  172 88c PT   + Caller provided credentials = No
    2009-05-19 10:58:46:203  172 88c PT   + Impersonate flags = 2
    2009-05-19 10:58:46:203  172 88c PT   + Possible authorization schemes used =
    2009-05-19 10:58:46:203  172 88c PT WARNING: GetAuthorizationCookie failure, error = 0x800710DD, soap client error = 5, soap error code = 0, HTTP status code = 200
    2009-05-19 10:58:46:203  172 88c PT WARNING: Failed to initialize Simple Targeting Cookie: 0x800710dd
    2009-05-19 10:58:46:203  172 88c PT WARNING: PopulateAuthCookies failed: 0x800710dd
    2009-05-19 10:58:46:203  172 88c PT WARNING: RefreshCookie failed: 0x800710dd
    2009-05-19 10:58:46:203  172 88c PT WARNING: RefreshPTState failed: 0x800710dd
    2009-05-19 10:58:46:203  172 88c PT WARNING: PTError: 0x800710dd
    2009-05-19 10:58:46:203  172 88c Report WARNING: Reporter failed to upload events with hr = 800710dd.

    Above you said that I have not answered some questions; what are those questions?

    Tuesday, May 19, 2009 4:21 PM
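
A triage pass over the WindowsUpdate.log posted above, as an added example that is not part of the original thread: it decodes the HRESULT and collects the failing URLs, HTTP status codes, authentication schemes and credential lines that the log scatters across components. SAMPLE is a subset of lines copied from that log; the function names and the anonymous_rejected heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Subset of lines copied from the WindowsUpdate.log posted in this thread.
SAMPLE = """\
2009-05-19 10:58:40:046  172 88c Misc WARNING: SendRequest failed with hr = 800710dd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2009-05-19 10:58:40:046  172 88c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://192.168.1.3/selfupdate/wuident.cab>. error 0x800710dd
2009-05-19 10:58:40:375  172 88c Misc WARNING: DownloadFileInternal failed for http://192.168.1.3/selfupdate/wuident.cab: error 0x800710dd
2009-05-19 10:58:40:375  172 88c Setup FATAL: IsUpdateRequired failed with error 0x800710dd
2009-05-19 10:58:46:187  172 88c PT   Server URL = http://192.168.1.3/SimpleAuthWebService/SimpleAuth.asmx
2009-05-19 10:58:46:203  172 88c PT   + Last proxy send request failed with hr = 0x800710DD, HTTP status code = 401
2009-05-19 10:58:46:203  172 88c PT   + Caller provided credentials = No
2009-05-19 10:58:46:203  172 88c PT WARNING: GetAuthorizationCookie failure, error = 0x800710DD, soap client error = 5, soap error code = 0, HTTP status code = 200
"""

# timestamp, PID, TID, component, message
LINE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# 8 hex digits with the failure bit set; lookarounds keep GUID segments out.
HRESULT = re.compile(r"(?<![0-9a-f-])(?:0x)?(8[0-9a-f]{7})(?![0-9a-f-])", re.I)
WIN32_NAMES = {4317: "ERROR_INVALID_OPERATION"}   # the only code this thread needs


def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    facility, code = (value >> 16) & 0x7FF, value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == 7 else None   # 7 = FACILITY_WIN32
    return {"failure": bool(value >> 31), "facility": facility,
            "code": code, "win32": name}


def summarise(log_text):
    """Collect the fields that matter when triaging a failed detection."""
    out = {"hresults": Counter(), "components": Counter(), "failed_urls": set(),
           "http_status": set(), "auth_schemes": set(), "caller_credentials": set()}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        component, msg = m.group(4), m.group(5)
        for h in HRESULT.findall(msg):
            out["hresults"][int(h, 16)] += 1
        if "WARNING" in msg or "FATAL" in msg:
            out["components"][component] += 1
            for url in re.findall(r"https?://[^\s<>]+", msg):
                out["failed_urls"].add(url.rstrip(".:"))
        out["http_status"].update(int(s) for s in re.findall(r"HTTP status code = (\d+)", msg))
        out["auth_schemes"].update(re.findall(r"Auth Schemes used : <([^>]*)>", msg))
        out["caller_credentials"].update(re.findall(r"Caller provided credentials = (\w+)", msg))
    # Heuristic (an assumption of this example): a 401 answered to a client that
    # sent no credentials means the server did not serve the request anonymously.
    out["anonymous_rejected"] = 401 in out["http_status"] and "No" in out["caller_credentials"]
    return out


if __name__ == "__main__":
    summary = summarise(SAMPLE)
    print(summary)
    print(decode_hresult(next(iter(summary["hresults"]))))
```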
  • In the second post of this thread I enumerated two possible causes for the 0x800710dd errors, and implied a third.

    1. The security descriptor you originally cited is incorrect and needs to be reset on the client machine(s).

    2. The NT AUTHORITY\Authenticated Users group has been removed from BUILTIN\Users.

    3. Other security changes have been made on the server that are inconsistent with the operation of WSUS, including, possibly, application of a security template with the Security Configuration Wizard that is inconsistent with the requirements of an ASP.NET application.

    In addition, other possibilities affecting the functionality of the anonymous account for IIS include:
    a. Changing the password for the IUSR_machine account, or the password configured in IIS.
    b. Removing the IUSR_machine account from the IIS_WPG group.
    c. Changing the ACLs for the IIS_WPG group (see #3 above).
    d. Running dcpromo on an IIS/WSUS server.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Tuesday, May 19, 2009 11:31 PM
    Moderator
  • OK, but I need your help to do that, because I am a network engineer and I don't know much about Windows Server. In the past another person was in charge of the servers, but that person quit, so until another person is hired I am in charge of both network and server administration. So I'll appreciate it if you explain all the steps in an easy way so I can understand them.
    Thursday, May 21, 2009 10:34 PM