Windows Automatic Update client and Proxy Authentication

  • Question

  • Automatic Updates (AU) is a client-side service used by Windows Update, Microsoft Update and Windows Server Update Services (WSUS). It runs in an svchost.exe process in the Local System context. Obviously, it requires Internet access in many scenarios. My question is: how do I enable proxy authentication for this service?

    As far as I know it is neither possible nor supported. The only working way to provide the AU client with Internet access is the following:

    1. Turn off mandatory proxy authentication (go to Networks -> Internal -> Properties -> Web Proxy -> Authentication -> uncheck "Require all users to authenticate").
    2. Create a Firewall rule that allows HTTP and HTTPS traffic from AU client computers to your update services for "All Users".
    3. (Optional) Use "Authenticated Users" or even more restrictive groups for all other Firewall rules if you want to authenticate as many connections as possible.

    I am pretty sure this is the only possible solution though I'm not very happy with it. But recently I found some very confusing information.

    • This thread in a mailing list archive. Some users there reported their AU clients actually authenticated as domain computer accounts (DOMAIN\Computer$).
    • A couple of my friends (also very experienced ISA administrators) confirmed they have AU clients successfully authenticating and they performed no special manual configuration steps for it. They said it is native functionality of the Firewall Client.

    But as far as I know, the FWC's purpose is to authenticate the user currently logged on to the workstation, not system services running in the Local System context. So this sounds very confusing to me and I'd love to find some clarification.

    Thanks in advance

    Sunday, June 28, 2009 10:38 AM
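Steps 1 and 2 above leave the update destinations reachable anonymously, so the useful check afterwards is whether anonymous access is really confined to those hosts and how the AU clients actually show up in the proxy log. The following is an added example (not from the original post or from ISA Server) that audits constructed log lines in a simplified, assumed layout; the update host list and the log format are assumptions, not ISA's real log schema.

```python
from collections import Counter

# Constructed sample proxy log lines in a simplified space-separated layout
# (assumed for this example, not the real ISA Server log format):
# client_ip user dest_host user_agent http_status
SAMPLE_LOG = """\
10.0.0.5 anonymous download.windowsupdate.com Windows-Update-Agent 200
10.0.0.5 anonymous www.update.microsoft.com Windows-Update-Agent 200
10.0.0.7 CORP\\WS07$ www.update.microsoft.com Windows-Update-Agent 200
10.0.0.9 anonymous www.example.com Windows-Update-Agent 200
10.0.0.9 anonymous www.example.com Mozilla/4.0 407
10.0.0.11 CORP\\alice www.example.com Mozilla/4.0 200
"""

# Destinations the "All Users" (anonymous) rule is meant to cover. Assumed
# values; use the hosts from KB885819 and your own WSUS server in practice.
UPDATE_HOSTS = {"download.windowsupdate.com", "www.update.microsoft.com"}


def classify(line):
    """Return a label describing how one proxy log line was authenticated."""
    client_ip, user, host, agent, status = line.split()
    anonymous = user.lower() == "anonymous"
    allowed = status == "200"
    if user.endswith("$"):
        # AU sometimes presents the computer account (DOMAIN\Computer$).
        return "machine_account"
    if anonymous and allowed and host in UPDATE_HOSTS:
        return "anonymous_update_ok"
    if anonymous and allowed:
        # Anonymous access succeeded to a non-update host: the "All Users"
        # rule is broader than step 2 intends.
        return "anonymous_out_of_scope"
    if anonymous and status == "407":
        return "auth_required"
    return "authenticated_user"


def audit(log_text):
    """Count log lines per label; anonymous_out_of_scope should stay at zero."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(line)] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{label:24} {n}")
```

A non-zero anonymous_out_of_scope count means the anonymous rule matches more than the update services; machine_account hits show the DOMAIN\Computer$ behaviour the later replies discuss.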

All replies

  • You're correct - you can't configure AU to use a specific user account.
    The FWC can be used to authenticate non-proxy-aware applications, but the correct methodology is to allow AU connections using anonymous connections.
    This process is described in http://support.microsoft.com/kb/885819

    Jim Harrison Forefront Edge CS
    Tuesday, June 30, 2009 3:36 AM
  • "You're correct - you can't configure AU to use a specific user account."
    Thanks Jim, but the goal is not to use a specific user account. To use a machine account would also be OK.

    In my first post here I mentioned several completely independent sources that claim they have AU clients authenticated as domain computer accounts. Is it the result of some misconfiguration?
    Tuesday, June 30, 2009 9:44 AM
  • Not so much misconfiguration, but a side effect of some AU behavior that it will try to use the computer account when there is no user context available (and sometimes even when there is).
    You could add the computer accounts to a user group and use that in ISA policies, but there's no guarantee it will work properly.
    Very frequently, the NTLM authentication includes a null machine name and so cannot be authenticated properly.
    Jim Harrison Forefront Edge CS
    Tuesday, June 30, 2009 8:02 PM
  • Thanks Jim. So as far as I could understand from your answers -- it's pretty random and unpredictable behavior. And there is no way I can reliably force AU clients to actually use the machine account every time they authenticate on my ISA proxy.

    Tuesday, June 30, 2009 8:21 PM
  • Yep - you understand correctly.
    Jim Harrison Forefront Edge CS
    Wednesday, July 1, 2009 5:39 PM