2003 servers failing with 80072EFE after SSL implementation

Question
Hello.
I recently changed our WSUS implementation to utilize SSL and created a new downstream WSUS server on 2008 R2 from scratch for this purpose. All Windows 7 x64 and 2008 servers work fine using the new SSL server via SSL.
All 2003 servers fail with 80072EFE. They are receiving the exact same WSUS group policy settings as the clients that work. If I attempt to access https://<wsusserver FQDN>/selfupdate/wuident.cab from a 2003 server, it fails with "page cannot be displayed". If I access http://<wsusserver FQDN>, it comes up with the IIS 7 homepage.
80072EFE means "connection aborted". So I assume there is some reason the 2008 IIS is terminating the SSL connections from 2003 servers.
I have searched and found others with the same problem, such as https://social.technet.microsoft.com/Forums/windowsserver/en-US/8d51f26f-d5fb-415c-8055-f2edb795bf3f/some-clients-not-registering-with-wsus-server-with-error-0x80072efe?forum=winserverwsus and https://social.technet.microsoft.com/Forums/fr-FR/e227fcc1-b613-4a00-8f42-d56c7fbc085c/wsus-server-does-not-show-up-in-windows-update-services-80072efe-error-as-well?forum=winserverwsus, and others, however, none have resolved my situation.
I have installed KB2992611 because I read someone else had solved it after installing this. It did not fix my situation. I need help in understanding why my 2003 servers are unable to connect via SSL to my WSUS with error 80072efe, when Windows 7 and 2008 clients connect fine. Again, if I attempt to access https://<wsusserver FQDN>/selfupdate/wuident.cab from a 2003 server, it fails with "page cannot be displayed", whereas browsing to that same URL from a Windows 7 or 2008 server works.
Please help
Wednesday, September 30, 2015 4:08 PM
All replies
Lawrence Garvin where you @? Holla at an MCSE!
Thursday, October 1, 2015 1:52 PM
Hi,
>>Again, if I attempt to access https://<wsusserver FQDN>/selfupdate/wuident.cab from a 2003 server, it fails with "page cannot be displayed", whereas browsing to that same URL from a windows 7 or 2008 server works.
Have you enabled SSL on the selfupdate? If yes, please disable it.
For detailed information, please refer to the link below:
Also, please make sure that the 2003 server trusts the certificate used by the WSUS server.
If issue persists, please try to enable SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 on the 2003 server.
If it still doesn't work, please post the windowsupdate.log here, it may give some hints.
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
Wednesday, October 7, 2015 6:32 AM
Hi Steven,
I do not have SSL enabled on the selfupdate, and everything was set up with respect to SSL enabled/disabled per the article you linked to. The 2003 server has the public key portion of the cert in its "Trusted Root Certification Authorities" and everything seems fine there.
I have enabled SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 on the 2003 (both client and server) via registry settings per KB245030 using the "DisabledByDefault" DWORD value set to 0, and I also enabled them on the 2008 R2 WSUS (both client and server) using the "Enabled" DWORD set to 0xffffffff.
I still am getting the same.
I also should note that the certificate being used by this WSUS uses SHA256. I installed KB968730 which addresses an issue with 2003 servers being unable to autoenroll for certs using SHA256 or higher, but that seemed to make no difference.
2015-10-07 09:50:51:812 836 104 Misc =========== Logging initialized (build: 7.0.6000.374, tz: -0400) ===========
2015-10-07 09:50:51:812 836 104 Misc = Process: C:\WINDOWS\System32\svchost.exe
2015-10-07 09:50:51:812 836 104 Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2015-10-07 09:50:51:812 836 104 Service *************
2015-10-07 09:50:51:812 836 104 Service ** START ** Service: Service startup
2015-10-07 09:50:51:812 836 104 Service *********
2015-10-07 09:50:52:234 836 104 Misc Registering binary: C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wups.dll"
2015-10-07 10:07:25:121 836 104 Misc Registering binary: C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wups2.dll"
2015-10-07 10:07:26:261 836 104 Agent * WU client version 7.0.6000.374
2015-10-07 10:07:26:261 836 104 Agent * Base directory: C:\WINDOWS\SoftwareDistribution
2015-10-07 10:07:26:261 836 104 Agent * Access type: No proxy
2015-10-07 10:07:26:261 836 104 Agent * Network state: Connected
2015-10-07 10:02:14:201 836 104 Report *********** Report: Initializing static reporting data ***********
2015-10-07 10:02:14:201 836 104 Report * OS Version = 5.2.3790.2.0.196882
2015-10-07 10:02:14:295 836 104 Report * Computer Brand = VMware, Inc.
2015-10-07 10:02:14:295 836 104 Report * Computer Model = VMware Virtual Platform
2015-10-07 10:02:14:295 836 104 Report * Bios Revision = 6.00
2015-10-07 10:02:14:295 836 104 Report * Bios Name = PhoenixBIOS 4.0 Release 6.0
2015-10-07 10:02:14:295 836 104 Report * Bios Release Date = 2012-06-22T00:00:00
2015-10-07 10:02:14:295 836 104 Report * Locale ID = 1033
2015-10-07 10:02:14:467 836 104 AU ########### AU: Uninitializing Automatic Updates ###########
2015-10-07 10:02:15:420 836 104 Service *********
2015-10-07 10:02:15:420 836 104 Service ** END ** Service: Service exit [Exit code = 0x240001]
2015-10-07 10:02:15:420 836 104 Service *************
2015-10-07 10:02:24:433 836 be4 Misc =========== Logging initialized (build: 7.0.6000.374, tz: -0400) ===========
2015-10-07 10:02:24:433 836 be4 Misc = Process: C:\WINDOWS\System32\svchost.exe
2015-10-07 10:02:24:433 836 be4 Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2015-10-07 10:02:24:433 836 be4 Service *************
2015-10-07 10:02:24:433 836 be4 Service ** START ** Service: Service startup
2015-10-07 10:02:24:433 836 be4 Service *********
2015-10-07 10:02:24:433 836 be4 Agent * WU client version 7.0.6000.374
2015-10-07 10:02:24:433 836 be4 Agent * Base directory: C:\WINDOWS\SoftwareDistribution
2015-10-07 10:02:24:433 836 be4 Agent * Access type: No proxy
2015-10-07 10:02:24:433 836 be4 Agent * Network state: Connected
2015-10-07 10:02:52:457 836 760 Agent *********** Agent: Initializing Windows Update Agent ***********
2015-10-07 10:02:52:457 836 760 Agent *********** Agent: Initializing global settings cache ***********
2015-10-07 10:02:52:457 836 760 Agent * WSUS server: https://<WSUS FQDN>
2015-10-07 10:02:52:457 836 760 Agent * WSUS status server: https://<WSUS FQDN>
2015-10-07 10:02:52:457 836 760 Agent * Target group: Servers critical
2015-10-07 10:02:52:457 836 760 Agent * Windows Update access disabled: No
2015-10-07 10:02:52:614 836 be4 Report *********** Report: Initializing static reporting data ***********
2015-10-07 10:02:52:614 836 be4 Report * OS Version = 5.2.3790.2.0.196882
2015-10-07 10:02:52:692 836 be4 Report * Computer Brand = VMware, Inc.
2015-10-07 10:02:52:692 836 be4 Report * Computer Model = VMware Virtual Platform
2015-10-07 10:02:52:692 836 be4 Report * Bios Revision = 6.00
2015-10-07 10:02:52:692 836 be4 Report * Bios Name = PhoenixBIOS 4.0 Release 6.0
2015-10-07 10:02:52:692 836 be4 Report * Bios Release Date = 2012-06-22T00:00:00
2015-10-07 10:02:52:692 836 be4 Report * Locale ID = 1033
2015-10-07 10:02:52:879 836 760 DnldMgr Download manager restoring 0 downloads
2015-10-07 10:02:52:989 836 760 AU ########### AU: Initializing Automatic Updates ###########
2015-10-07 10:02:53:004 836 760 AU # WSUS server: https://<WSUS FQDN>
2015-10-07 10:02:53:004 836 760 AU # Detection frequency: 1
2015-10-07 10:02:53:004 836 760 AU # Target group: Servers critical
2015-10-07 10:02:53:004 836 760 AU # Approval type: Pre-install notify (Policy)
2015-10-07 10:02:53:004 836 760 AU # Auto-install minor updates: No (User preference)
2015-10-07 10:02:53:067 836 760 AU AU finished delayed initialization
2015-10-07 10:02:53:067 836 760 AU Triggering AU detection through DetectNow API
2015-10-07 10:02:53:067 836 760 AU Triggering Online detection (non-interactive)
2015-10-07 10:02:53:067 836 be4 AU #############
2015-10-07 10:02:53:067 836 be4 AU ## START ## AU: Search for updates
2015-10-07 10:02:53:067 836 be4 AU #########
2015-10-07 10:02:53:067 836 be4 AU <<## SUBMITTED ## AU: Search for updates [CallId = {FD03796D-4D20-4A79-9C33-B548463B5CE5}]
2015-10-07 10:02:53:067 836 974 Agent *************
2015-10-07 10:02:53:067 836 974 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2015-10-07 10:02:53:067 836 974 Agent *********
2015-10-07 10:02:53:067 836 974 Agent * Online = Yes; Ignore download priority = No
2015-10-07 10:02:53:067 836 974 Agent * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"
2015-10-07 10:02:53:067 836 974 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
2015-10-07 10:02:53:598 836 974 Misc WARNING: Send failed with hr = 80072efe.
2015-10-07 10:02:53:598 836 974 Misc WARNING: SendRequest failed with hr = 80072efe. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-10-07 10:02:53:598 836 974 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <https://<WSUS FQDN>/selfupdate/wuident.cab>. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: Send failed with hr = 80072efe.
2015-10-07 10:02:53:613 836 974 Misc WARNING: SendRequest failed with hr = 80072efe. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <https://<WSUS FQDN>/selfupdate/wuident.cab>. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: Send failed with hr = 80072efe.
2015-10-07 10:02:53:613 836 974 Misc WARNING: SendRequest failed with hr = 80072efe. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <https://<WSUS FQDN>/selfupdate/wuident.cab>. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: Send failed with hr = 80072efe.
2015-10-07 10:02:53:613 836 974 Misc WARNING: SendRequest failed with hr = 80072efe. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <https://<WSUS FQDN>/selfupdate/wuident.cab>. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072efe
2015-10-07 10:02:53:613 836 974 Misc WARNING: DownloadFileInternal failed for https://<WSUS FQDN>/selfupdate/wuident.cab: error 0x80072efe
2015-10-07 10:02:53:613 836 974 Setup FATAL: IsUpdateRequired failed with error 0x80072efe
2015-10-07 10:02:53:613 836 974 Setup WARNING: SelfUpdate: Default Service: IsUpdateRequired failed: 0x80072efe
2015-10-07 10:02:53:613 836 974 Setup WARNING: SelfUpdate: Default Service: IsUpdateRequired failed, error = 0x80072EFE
2015-10-07 10:02:53:613 836 974 Agent * WARNING: Skipping scan, self-update check returned 0x80072EFE
2015-10-07 10:02:53:629 836 974 Agent * WARNING: Exit code = 0x80072EFE
2015-10-07 10:02:53:629 836 974 Agent *********
2015-10-07 10:02:53:629 836 974 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2015-10-07 10:02:53:629 836 974 Agent *************
2015-10-07 10:02:53:629 836 974 Agent WARNING: WU client failed Searching for update with error 0x80072efe
2015-10-07 10:02:53:629 836 c18 AU >>## RESUMED ## AU: Search for updates [CallId = {FD03796D-4D20-4A79-9C33-B548463B5CE5}]
2015-10-07 10:02:53:629 836 c18 AU # WARNING: Search callback failed, result = 0x80072EFE
2015-10-07 10:02:53:629 836 c18 AU # WARNING: Failed to find updates with error code 80072EFE
2015-10-07 10:02:53:629 836 c18 AU #########
2015-10-07 10:02:53:629 836 c18 AU ## END ## AU: Search for updates [CallId = {FD03796D-4D20-4A79-9C33-B548463B5CE5}]
2015-10-07 10:02:53:629 836 c18 AU #############
2015-10-07 10:02:53:629 836 c18 AU AU setting next detection timeout to 2015-10-07 14:58:51
2015-10-07 10:02:57:691 836 974 Report REPORT EVENT: {00D64DFB-86F8-4B24-9F3F-BAF7D043BD41} 2015-10-07 10:02:53:613-0400 1 148 101 {D67661EB-2423-451D-BF5D-13199E37DF28} 0 80072efe SelfUpdate Failure Software Synchronization Windows Update Client failed to detect with error 0x80072efe.
The other thing I noticed is that Windows 7 clients can connect to both https://<wsusserver FQDN>/selfupdate/wuident.cab and http://<wsusserver FQDN>/selfupdate/wuident.cab successfully and download the file from either even though SSL is not enabled for the selfupdate in IIS.
The 2003 servers are still getting "page cannot be displayed" when attempting https://<wsusserver FQDN>/selfupdate/wuident.cab via browser. However, http://<wsusserver FQDN>/selfupdate/wuident.cab works fine. Unfortunately as you can see, the windows update agent attempts https://<wsusserver FQDN>/selfupdate/wuident.cab (presumably because it pulled that from the GPO).
Another test I did was just creating a simple "test" directory within IIS on the WSUS server, with a "test.txt", directory browsing enabled, and SSL required. I can access it fine via Windows 7. However, the 2003 server gives "page cannot be displayed" on this simple "test" directory as well. The properties of the page when loaded in Windows 7 show it using TLS 1.0. So the root of the problem seems to be the 2003 servers being unable to establish a basic TLS 1.0 connection with the IIS on the 2008 R2 WSUS server.
- Edited by KCSteele Wednesday, October 7, 2015 3:36 PM
Wednesday, October 7, 2015 2:23 PM
Hi,
Sorry for the delay.
>>So the root of the problem seems to be the 2003 servers unable to establish a basic TLS 1.0 connection with the IIS on the 2008 R2 WSUS server.
Totally agree.
>>2015-10-07 10:02:53:613 836 974 Misc WARNING: DownloadFileInternal failed for https://<WSUS FQDN>/selfupdate/wuident.cab: error 0x80072efe
>>2015-10-07 10:02:53:613 836 974 Setup FATAL: IsUpdateRequired failed with error 0x80072efe
Error 0x80072efe means that the connection with the server was terminated abnormally.
In most cases, this issue occurs because the server doesn't support the cipher suites supported by the clients.
If we capture the session between client and server, we will find that the server sends a reset after receiving the Client Hello packet. We can check the detailed information of the Client Hello; the protocol and cipher suites supported by the client are logged there.
To find the detailed reason why this connection is terminated, we can check the event log of server.
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
Tuesday, October 20, 2015 9:52 AM
Hi Steven,
Thanks for the reply. I am getting lots of errors from source SCHANNEL, the same two repeat over and over: 36888 and 36874.
36874: An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
36888: The following fatal alert was generated: 40. The internal error state is 1205.
Currently, I have the following registry keys set on the WSUS server to disable TLS 1.1 and TLS 1.2 as those apparently are not supported by 2003 server:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
- "DisabledByDefault" = 00000000
- "Enabled" = 00000000
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
- "DisabledByDefault" = 00000000
- "Enabled" = 00000000
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
- "DisabledByDefault" = 00000000
I initially had a self-signed cert that was created with makecert and using SHA256. I have replaced it with one using SHA1, however, 2003 servers still are unable to connect.
What you mentioned about the packet capture I have also seen detailed in a couple of blog posts about similar issues. In this TechNet forum post the person recommends:
"you can try to generate the certificate request using the CNG Key template in the custom certificate request wizard."
Here is another discussion about a similar issue.
If the certificate being used on the server was generated using the Legacy Key option in the certificate request form, the private key for that certificate will be stored in Microsoft's legacy Cryptographic API framework. When the web server tries to process requests using its new, Cryptographic Next Generation (CNG) framework, it appears that something related to the RSA private key stored in the legacy framework is unavailable to the new framework. As a result, the use of the RSA cipher suites is severely limited. Solution: Generate the certificate request using the CNG Key template in the custom certificate request wizard. MMC | Local Computer Certificate Manager | Personal Certificates Folder | (right click) | All Tasks -> Advanced Operations | Create Custom Request | "Proceed without enrollment policy" | select "(no template) CNG key" | proceed to complete the certificate request according to your needs.
However, I am unsure how to do this with a self-signed certificate and makecert.
- Edited by KCSteele Thursday, October 22, 2015 2:35 PM
Thursday, October 22, 2015 2:34 PM
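As an added diagnostic example (not part of the thread and not Microsoft's code), the PowerShell below pulls together the three checks the thread works through on the 2008 R2 WSUS/IIS server: the SCHANNEL protocol registry keys, the Schannel 36874/36888 events, and whether each server certificate's private key lives in a legacy CAPI provider or the CNG Key Storage Provider. The registry paths and event IDs are those named in the thread; the certificate check assumes certutil -store My prints a "Subject:" line and a "Provider =" line per certificate, as it does on 2008 R2.

```powershell
# Added diagnostic script; run elevated on the 2008 R2 WSUS/IIS server.
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

Write-Host "== SCHANNEL protocol settings (missing value = OS default) =="
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protoRoot "$proto\$side"
        if (-not (Test-Path $key)) {
            Write-Host ("{0,-8} {1,-6} (no key, OS default)" -f $proto, $side)
            continue
        }
        $v = Get-ItemProperty -Path $key
        # 'Enabled' = 0 turns the protocol off entirely; 'DisabledByDefault' = 1
        # keeps it available but not offered unless the application asks for it.
        $enabled  = if ($null -ne $v.Enabled) { $v.Enabled } else { 'default' }
        $disByDef = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { 'default' }
        Write-Host ("{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}" -f $proto, $side, $enabled, $disByDef)
    }
}

Write-Host "`n== Schannel handshake failures (System log) =="
# 36874: no cipher suite offered in the client's Client Hello is supported by the server.
# 36888: a fatal alert was sent; alert 40 is the TLS 'handshake_failure' alert.
$filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36888 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No 36874/36888 events found.'
} else {
    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        Write-Host ("Event {0}: {1} occurrences, latest {2}" -f $_.Name, $_.Count, $latest.TimeCreated)
        Write-Host ("  " + ($latest.Message -split "`r?`n")[0])
    }
}

Write-Host "`n== Server certificates and their key providers =="
# certutil prints a 'Provider = ...' line for each certificate that has a private key.
# 'Microsoft Software Key Storage Provider' means a CNG key; 'Microsoft RSA SChannel
# Cryptographic Provider' (or any other CSP name) means a legacy CAPI key, the case the
# quoted post above associates with the limited RSA cipher suite selection.
$subject = '(unknown subject)'
certutil -store My | ForEach-Object {
    if ($_ -match '^\s*Subject:\s*(.+)$') { $subject = $Matches[1].Trim() }
    if ($_ -match '^\s*Provider\s*=\s*(.+)$') {
        $provider = $Matches[1].Trim()
        $kind = if ($provider -like '*Key Storage Provider*') { 'CNG' } else { 'legacy CAPI' }
        Write-Host ("{0,-12} {1}  <- {2}" -f $kind, $provider, $subject)
    }
}
```

A certificate reported as "legacy CAPI" alongside recurring 36874 events is the combination the quoted post describes; re-requesting the certificate with a CNG key, as it suggests, is the corresponding fix to test.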