WSUS SSL - GetCookie failure: 0x80244019 HTTP status code = 404

  • Question

  • Hi,

    I have a rather nasty problem that I cannot seem to solve. As of now I have spent a whopping 2 days of work, but I simply cannot get this to work:

    My setup:

    - A Windows Server 2012 R2 as Domain Controller with WSUS role installed (made it DC to have a CA and issue proper certificates)
    - All clients are servers (2008, 2012 R2) and NOT in the domain (customer machines, not possible)
    - WSUS Settings on Clients are configured manually via registry key.
    (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate)
    - Communication to WSUS Server without SSL on the default port 8530 works fine.
    - Opening the https:// URLs on clients works just fine

    Now, I have to use SSL with WSUS since it is a security policy here, but I can't get it to work, and after hours of searching I can't seem to find a solution, since everybody who has this error seems to have just misconfigured the server URL (missing the port). I did not.

    I set up everything using this guide http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/ (except the GPO part since clients are not in the domain)

    I post the log file at the end, but the weird thing is it tells me it cannot connect to https://FQDN_of_WSUS_Server:8531/SimpleAuthWebService/SimpleAuth.asmx, yet when I open that URL in Internet Explorer it works just fine, without a certificate warning or anything.

    So why do I get this error on all clients :(

    windowsupdate.log:

    2016-09-27    10:56:39:224     368    a1c    AU    #############
    2016-09-27    10:56:39:224     368    a1c    AU    ## START ##  AU: Search for updates
    2016-09-27    10:56:39:224     368    a1c    AU    #########
    2016-09-27    10:56:39:224     368    a1c    AU    <<## SUBMITTED ## AU: Search for updates [CallId = {BCC86536-3FB9-46CA-AA3B-C74B485F6318}]
    2016-09-27    10:56:39:224     368    c08    Agent    *************
    2016-09-27    10:56:39:224     368    c08    Agent    ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2016-09-27    10:56:39:224     368    c08    Agent    *********
    2016-09-27    10:56:39:224     368    c08    Agent      * Online = Yes; Ignore download priority = No
    2016-09-27    10:56:39:224     368    c08    Agent      * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2016-09-27    10:56:39:224     368    c08    Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2016-09-27    10:56:39:224     368    c08    Agent      * Search Scope = {Machine}
    2016-09-27    10:56:39:224     368    c08    Setup    Checking for agent SelfUpdate
    2016-09-27    10:56:39:224     368    c08    Setup    Client version: Core: 7.6.7601.23453  Aux: 7.6.7601.23453
    2016-09-27    10:56:39:239     368    c08    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
    2016-09-27    10:56:39:239     368    c08    Misc     Microsoft signed: NA
    2016-09-27    10:56:39:239     368    c08    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\TMPA6BE.tmp with dwProvFlags 0x00000080:
    2016-09-27    10:56:39:255     368    c08    Misc     Microsoft signed: NA
    2016-09-27    10:56:39:255     368    c08    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab with dwProvFlags 0x00000080:
    2016-09-27    10:56:39:255     368    c08    Misc     Microsoft signed: NA
    2016-09-27    10:56:39:271     368    c08    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab with dwProvFlags 0x00000080:
    2016-09-27    10:56:39:271     368    c08    Misc     Microsoft signed: NA
    2016-09-27    10:56:39:286     368    c08    Setup    Determining whether a new setup handler needs to be downloaded
    2016-09-27    10:56:39:286     368    c08    Setup    SelfUpdate handler is not found.  It will be downloaded
    2016-09-27    10:56:39:286     368    c08    Setup    Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.320"
    2016-09-27    10:56:39:286     368    c08    Setup    Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.320" is already installed.
    2016-09-27    10:56:39:286     368    c08    Setup    Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320"
    2016-09-27    10:56:39:302     368    c08    Setup    Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320" is already installed.
    2016-09-27    10:56:39:302     368    c08    Setup    Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320"
    2016-09-27    10:56:39:333     368    c08    Setup    Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320" is already installed.
    2016-09-27    10:56:39:333     368    c08    Setup    SelfUpdate check completed.  SelfUpdate is NOT required.
    2016-09-27    10:56:39:551     368    c08    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
    2016-09-27    10:56:39:551     368    c08    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = https://FQDN_of_WSUS_Server:8531/ClientWebService/client.asmx
    2016-09-27    10:56:39:567     368    c08    PT    WARNING: Cached cookie has expired or new PID is available
    2016-09-27    10:56:39:567     368    c08    PT    Initializing simple targeting cookie, clientId = a212ab4f-823e-4255-9706-2ce20dd55f51, target group = Server, DNS name = <Client>
    2016-09-27    10:56:39:567     368    c08    PT      Server URL = https://FQDN_of_WSUS_Server:8531/SimpleAuthWebService/SimpleAuth.asmx
    2016-09-27    10:56:39:629     368    c08    PT    WARNING: GetCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404
    2016-09-27    10:56:39:629     368    c08    PT    WARNING: PTError: 0x80244019
    2016-09-27    10:56:39:629     368    c08    PT    WARNING: GetCookie_WithRecovery failed : 0x80244019
    2016-09-27    10:56:39:629     368    c08    PT    WARNING: RefreshCookie failed: 0x80244019
    2016-09-27    10:56:39:629     368    c08    PT    WARNING: RefreshPTState failed: 0x80244019
    2016-09-27    10:56:39:629     368    c08    PT    WARNING: Sync of Updates: 0x80244019
    2016-09-27    10:56:39:629     368    c08    PT    WARNING: SyncServerUpdatesInternal failed: 0x80244019
    2016-09-27    10:56:39:629     368    c08    Agent      * WARNING: Failed to synchronize, error = 0x80244019
    2016-09-27    10:56:39:629     368    c08    Agent      * WARNING: Exit code = 0x80244019
    2016-09-27    10:56:39:629     368    c08    Agent    *********
    2016-09-27    10:56:39:629     368    c08    Agent    **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2016-09-27    10:56:39:629     368    c08    Agent    *************
    2016-09-27    10:56:39:629     368    c08    Agent    WARNING: WU client failed Searching for update with error 0x80244019
    2016-09-27    10:56:39:629     368    85c    AU    >>##  RESUMED  ## AU: Search for updates [CallId = {BCC86536-3FB9-46CA-AA3B-C74B485F6318}]
    2016-09-27    10:56:39:629     368    85c    AU      # WARNING: Search callback failed, result = 0x80244019
    2016-09-27    10:56:39:629     368    85c    AU      # WARNING: Failed to find updates with error code 80244019
    2016-09-27    10:56:39:629     368    85c    AU    #########
    2016-09-27    10:56:39:629     368    85c    AU    ##  END  ##  AU: Search for updates [CallId = {BCC86536-3FB9-46CA-AA3B-C74B485F6318}]
    2016-09-27    10:56:39:629     368    85c    AU    #############
    2016-09-27    10:56:39:629     368    85c    AU    Successfully wrote event for AU health state:0
    2016-09-27    10:56:39:629     368    85c    AU    AU setting next detection timeout to 2016-09-27 13:56:39
    2016-09-27    10:56:39:629     368    85c    AU    Successfully wrote event for AU health state:0
    2016-09-27    10:56:39:629     368    85c    AU    Successfully wrote event for AU health state:0
    2016-09-27    10:56:39:629     368    704    AU    Getting featured update notifications.  fIncludeDismissed = true
    2016-09-27    10:56:39:629     368    704    AU    No featured updates available.
    2016-09-27    10:56:44:637     368    c08    Report    REPORT EVENT: {BE51503B-A03E-4068-B220-94C3476769F6}    2016-09-27 10:56:39:629+0200    1    148    101    {00000000-0000-0000-0000-000000000000}    0    80244019    AutomaticUpdates    Failure    Software Synchronization    Windows Update Client failed to detect with error 0x80244019.
    2016-09-27    10:56:44:653     368    c08    Report    CWERReporter::HandleEvents - WER report upload completed with status 0x8
    2016-09-27    10:56:44:653     368    c08    Report    WER Report sent: 7.6.7601.23453 0x80244019(0) 0000000-0000-0000-0000-000000000000 Scan 0 1 AutomaticUpdates {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} 0






    • Edited by bonk3rs Tuesday, September 27, 2016 9:26 AM
    Tuesday, September 27, 2016 9:22 AM

Answers

  • Oh, apparently I forgot to mention that, silly me. Of course I put the server root certificate in the local machine's certificate store. Thanks for the hint though.

    Nevertheless I found the solution.

    Behold: A Microsoft Update fucks things up. I guess since I solved it yesterday evening, today I can already laugh about it.

    For everybody else who tries to set up WSUS on a recently patched 2012R2 (update in question: KB3159706) you need to do the following:

    - You need to install the HTTP-Activation server role (.NET 4.5 -> WCF ->)
    - You need to edit the file C:\Program Files\Update Services\WebServices\ClientWebService\Web.config (you need to take ownership of the file to edit it)
    The following section can be found inside the file. You need to edit the "bindingConfiguration" 2 times as stated below:

    <endpoint address=""
    binding="basicHttpBinding"
    bindingConfiguration="SSL"
    contract="Microsoft.UpdateServices.Internal.IClientWebService" />
    <endpoint address="secured"
    binding="basicHttpBinding"
    bindingConfiguration="SSL"
    contract="Microsoft.UpdateServices.Internal.IClientWebService" />
    <endpoint address="

    and add multipleSiteBindingsEnabled="true" to the line below

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

    - restart the server

    All this is necessary for everybody that wants to use SSL with a WSUS on Server 2012 with the mentioned KB installed. Good to know Microsoft!

    • Marked as answer by bonk3rs Wednesday, September 28, 2016 6:22 AM
    Wednesday, September 28, 2016 6:22 AM
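
A read-only PowerShell check for the three changes the answer above lists (HTTP Activation, the `SSL` binding configuration on the client endpoints, and `multipleSiteBindingsEnabled`). It is an added example, not part of the original post; the function name `Test-WsusClientWebConfig` and the output property names are illustrative, and the feature name `NET-WCF-HTTP-Activation45` is the Server Manager identifier for HTTP Activation under .NET Framework 4.5 WCF Services.

```powershell
# Added example: read-only checks, run in an elevated session on the WSUS server.
# Function and property names are illustrative, not from the original post.

function Test-WsusClientWebConfig {
    param(
        # Default is the file path quoted in the answer
        [string]$Path = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'
    )

    [xml]$cfg = Get-Content -LiteralPath $Path -Raw

    # <serviceHostingEnvironment ... multipleSiteBindingsEnabled="true" />
    # local-name() keeps the query working if the file declares a default XML namespace
    $hosting   = $cfg.SelectSingleNode("//*[local-name()='serviceHostingEnvironment']")
    $multiSite = ($null -ne $hosting) -and
                 ($hosting.GetAttribute('multipleSiteBindingsEnabled') -eq 'true')

    # Endpoints for the contract shown in the answer, and those bound to "SSL"
    $contract  = 'Microsoft.UpdateServices.Internal.IClientWebService'
    $endpoints = @($cfg.SelectNodes("//*[local-name()='endpoint']") |
                   Where-Object { $_.GetAttribute('contract') -eq $contract })
    $ssl       = @($endpoints |
                   Where-Object { $_.GetAttribute('bindingConfiguration') -eq 'SSL' })

    [pscustomobject]@{
        MultipleSiteBindingsEnabled = $multiSite
        ClientEndpoints             = $endpoints.Count
        SslEndpoints                = $ssl.Count
        # Quoted so that the empty address "" is visible in the output
        SslAddresses                = @($ssl | ForEach-Object { '"' + $_.GetAttribute('address') + '"' })
    }
}

# HTTP Activation under .NET Framework 4.5 > WCF Services (ServerManager module)
$feature = Get-WindowsFeature -Name 'NET-WCF-HTTP-Activation45'
"HTTP Activation installed: $($feature.Installed)"

Test-WsusClientWebConfig | Format-List
```

With the answer's changes in place, the output should report HTTP Activation as installed, `MultipleSiteBindingsEnabled` as `True`, and both the `""` and `"secured"` endpoint addresses listed under `SslAddresses`.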

All replies

  • Hi bonk3rs,

    >All clients are servers (2008, 2012 R2) and NOT in the domain

    What is the certificate used by the WSUS IIS site?

    I notice your clients are not domain-joined. If you use the certificate issued by your ADCA server, then you need to check if the clients store the trusted root certificate of the CA server.

    Best Regards,

    Anne



    Wednesday, September 28, 2016 5:38 AM
  • I installed KB3159706 before I needed SSL for WSUS. Months later, when I need SSL and it doesn't work, shame on me for forgetting the solution was part of that KB page! Maybe it warrants its own KB page so it's easier to find.

    I struggled for only one day thankfully before I mercifully came across your post. Thank you!







    • Edited by netadmin03 Thursday, March 9, 2017 7:51 PM
    Thursday, March 9, 2017 4:10 PM