none
HTTP status 403: The client does not have sufficient access rights to the requested server object - Event ID 364

    Question

  • I've searched on the WSUS issue i am receiving and did find the following thread

    http://social.technet.microsoft.com/forums/en-us/winserverwsus/thread/C2E6B642-4372-46B4-B129-1A88521E32B8

    Thought that would crack it, but it hasnt. Let me explain my setup and post the details. Hopefully someone can help me on this.

    I run Windows Server 2008 R2 with WSUS service enabled but the data resides on the E drive. I've found that approved updates are not downloading the files.

    Event ID: 10032: The server is failing to download some update
    Event ID: 364: Access is denied.

    Full event 364 details states

    Content file download failed. Reason: HTTP status 403: The client does not have sufficient access rights to the requested server object.

    Source File: /msdownload/update/software/secu/2010/05/publisher_0921578964f6939355b418fa3b510ea983a42916.cab Destination File: e:\WSUS\WsusContent\16\0921578964F6939355B418FA3B510EA983A42916.cab.


    On the other thread it indicated to ensure permissions were set correctly. I believe the NETWORK SERVICE should have read from the root of E. I set that before but as a test i gave it FULL access. This is set and i've confirmed the effective permissions of NETWORK SERVICE for the directory e:\WSUS\WsusContent\16 is FULL.

    Can someone confirm that NETWORK SERVICE is the required object that needs permissions to the E drive plaese?
    Any pointers of where to go now :/

    Thanks in advance

    Thursday, September 09, 2010 11:01 AM

Answers

  • HTTP 403 errors are almost always traced to one of two causes, when they occur at the client:

    1. The proxy configuration for the client is incorrect:

    • either the client is not configured to use a required proxy server
    • the client is configured to use an invalid proxy server, or
    • the proxy server is denying access to the requested resource (which can also happen if the client has an incorrect URL for the WSUS Server).

    2. The WSUS server has improperly implemented SSL and the WSUS Server's IIS is denying access due to SSL requirements. (i.e. in most cases, the SSL certificate has not been installed on the client.)

    Option #1 is also a possible cause when encountering HTTP 403 errors on the WSUS server attempting to access Internet-based resources.

    In the scenario where the NETWORK SERVICE account does not have correct permissions, this mainfests as a local Access Denied error, not an HTTP 403. This is generally an issue related to .NET Framework v2.0 on Windows Server 2003, and was due to a defect in the NET20 installer failing to create those permissions. I'm not aware that the defect exists in the Windows Server 2008 R2 environment, where NET30 is installed by default, but, yes, the NETWORK SERVICE account does need READ access to the root of the volume containing the ~\WSUSContent folder.

    More likely, though, you are getting the HTTP 403 errors from an external device that is blocking the content download. Either the WSUS Server needs to be properly configured to use a proxy server (bypassed entirely would be the preferable option), or the proxy server needs to be configured to permit the WSUS server to download content .. most notably CAB and EXE files, which are quite often blocked by default in many proxy server implementations.

    Either way, the first step is to identify the device that is returning the HTTP 403 error, and this may involve some logfile research on the intervening network devices, and maybe even some packet sniffing to find out where the packets are going, and where they're being blocked.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, September 09, 2010 3:53 PM

All replies

  • HTTP 403 errors are almost always traced to one of two causes, when they occur at the client:

    1. The proxy configuration for the client is incorrect:

    • either the client is not configured to use a required proxy server
    • the client is configured to use an invalid proxy server, or
    • the proxy server is denying access to the requested resource (which can also happen if the client has an incorrect URL for the WSUS Server).

    2. The WSUS server has improperly implemented SSL and the WSUS Server's IIS is denying access due to SSL requirements. (i.e. in most cases, the SSL certificate has not been installed on the client.)

    Option #1 is also a possible cause when encountering HTTP 403 errors on the WSUS server attempting to access Internet-based resources.

    In the scenario where the NETWORK SERVICE account does not have correct permissions, this mainfests as a local Access Denied error, not an HTTP 403. This is generally an issue related to .NET Framework v2.0 on Windows Server 2003, and was due to a defect in the NET20 installer failing to create those permissions. I'm not aware that the defect exists in the Windows Server 2008 R2 environment, where NET30 is installed by default, but, yes, the NETWORK SERVICE account does need READ access to the root of the volume containing the ~\WSUSContent folder.

    More likely, though, you are getting the HTTP 403 errors from an external device that is blocking the content download. Either the WSUS Server needs to be properly configured to use a proxy server (bypassed entirely would be the preferable option), or the proxy server needs to be configured to permit the WSUS server to download content .. most notably CAB and EXE files, which are quite often blocked by default in many proxy server implementations.

    Either way, the first step is to identify the device that is returning the HTTP 403 error, and this may involve some logfile research on the intervening network devices, and maybe even some packet sniffing to find out where the packets are going, and where they're being blocked.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, September 09, 2010 3:53 PM
  • Lawerence


    Apologies for the delay in replying to this but other projects took over. Finally got some time to revisit my potential WSUS replacement server. I wanted to reply to your suggestions in the hope you maybe be able to give me more direction.

    Looks like a proxy problem...

    We have a successfull running w2k3 server based wsus service which talks/downloads updates from the Proxy server running ISA 2004 ver4. So we know the proxy server can handle these kind of requests for Cab/Exe etc. I've ran monitoring on the firewall and can see the requests being passed to the firewall. Monitoring the ISA proxy i can see the Client Agent Microsoft BITS / 6.6 requests coming in successfully. There is a "A connection was abortively closed after one of the peers sent a RST segment" message but downloads do come down. So thats the existing working machine.

    The problem machine is running w2k8. Again on the firwall i can see the requests being passed to the proxy. On the proxy i can see the Client Agent Microsoft BITS / 7.5 requests coming in successfully and again there is a Closed Connection status showing "A connection was abortively closed after one of the peers sent a RST segment"

    I've connected the W2K8 machine directly to net access (so bypass proxy) and it works fine. So that puts a tick in the Server is setup ok box. Wouldnt you agree?

    Comparing the old to the new proxy....all settings are setup the same especially the proxy section. Monitoring the proxy out to the firewall and there is nothing being blocked.

    Sunday, October 03, 2010 12:32 PM
  • To make this one short and sweet, I would recommend configuring the WSUS server to bypass the proxy permanently.

    There is no value in pushing WSUS content through the proxy cache of an ISA server, and all it does is clog up the proxy cache with useless content that clients will never request, and prevent the retention of useful content in the proxy cache that clients will request.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, October 04, 2010 2:17 AM
  • Lol. I like that solution...or should i say workaround. Proxy's are a pain in the backside!

    Do you know what that error message on ISA is about? Or is that your field of knowledge?

    Monday, October 04, 2010 11:50 AM
  • Lol. I like that solution...or should i say workaround.
    I consider it a solution.
    Do you know what that error message on ISA is about? Or is that your field of knowledge?
    An HTTP 403 coming from an ISA2004 server is most likely being triggered because the proxy rule permitting that machine or user account to download is configured to explicitly block EXE and/or CAB files.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, October 04, 2010 7:27 PM