WSUS Database SUSDB authentication via SQL

  • General discussion

  • 1) Just set up your frontend IIS and backend MSSQL server as described in Appendix C. http://www.microsoft...f7ad0cd638.mspx
    2) Create a SQL user, for example susdbuser, and give it dbowner rights to the SUSDB database.
    3) Set up the registry on the frontend IIS server:
    Key: HKLM\Software\Microsoft\Update Services\Server\Setup
    Values:
    SqlAuthenticationMode SqlAuthentication (mind the case)
    SqlServerName <your sqlservername>
    SqlDatabaseName SUSDB
    SqlUserName <your sql-account>
    SqlEncryptedPassword <see below>
    4) Compile it yourself (the source is below) to C:\Program Files\Update Services\service\bin and run it from the command line to determine your encryption string. Just run the program and give the "clear text" password as an argument and it will return an encrypted string. Paste the output in the SqlEncryptedPassword registry value.
    You need to run it in the mentioned directory, else you'll get an error... it needs a DLL from that dir.
    5) Reset IIS (iisreset) and the "Windows Updates Services" service, and things should work!

    using System;
    using Microsoft.UpdateServices.Internal;

    // For compile add microsoft.updateservices.utils.dll to References from "C:\Program Files\Update Services\service\bin"

    namespace WsusEncryptString
    {
        /// <summary>
        /// Summary description for Class1.
        /// </summary>
        class Class1
        {
            /// <summary>
            /// The main entry point for the application.
            /// </summary>
            [STAThread]
            static void Main(string[] args)
            {
                try
                {
                    int c = args.Length;
                    if (c > 0)
                    {
                        System.Security.SecureString secureStringPwd = EncryptionUtilities.StringToSecureString(args[0]);
                        string resultEncryptPwd = EncryptionUtilities.Encrypt(secureStringPwd);
                        Console.WriteLine(resultEncryptPwd.ToString());
                    }
                    else throw new Exception("Need one argument!");
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                }
            }
        }
    }


    Ganapathy

    Monday, July 7, 2014 4:12 PM

All replies

  • What is the purpose of this?

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, July 8, 2014 1:46 AM
  • In some cases we have to use SQL Authentication instead of Windows Authentication, and this helped me. This scenario is useful if WSUS is in a DMZ (within firewall) and SQL is in a NON-DMZ environment (behind firewall). In my case we have a lot of WSUS Servers in different VLANs and small offices, and preparing a manual report was very tough, so I wrote a few SQL queries to pull a compliance report from all WSUS SQL DBs (moved a few WSUS DBs (this WSUS DB uses SQL (for DMZ Servers) and Windows Authentication (for reporting purposes)) to a centralized NON-DMZ Server where I had another WSUS Server for internal purposes (which uses Windows Authentication (for WSUS and reporting purposes))).

    Ganapathy


    Wednesday, July 9, 2014 11:32 PM
  • In some case we have to use SQL Authentication instead of Windows Authentication

    SQL Authentication is NOT supported for use with WSUS (for very good authentication reasons, never mind the *security* reasons).

    This scenario is useful if WSUS is in DMZ(within firewall) & SQL is in NON-DMZ environment (behind firewall).

    This configuration is totally unnecessary for this scenario. Furthermore, I would argue that a WSUS server in a DMZ ought to have a LOCAL database and thus completely ignore this entire consideration.

    The only thing that is *required* to support access to the remote SQL inside the firewall is that the WSUS server in the DMZ and the SQL Server inside the firewall belong to the same Active Directory Domain, and that's actually required even if there isn't a firewall between the two servers!

    So, if they're both members of the same domain (required), ALL authentication can be done with domain accounts, completely eliminating the need for SQL Authentication.

    But thanks for sharing yet another way for somebody to screw up their WSUS installation. :-)


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Thursday, July 10, 2014 11:36 PM
  • I tried the code I keep getting Exception Encryption Missing. Am I missing anything?
    Thursday, August 21, 2014 7:09 AM
  • I tried the code I keep getting Exception Encryption Missing. Am I missing anything?
    Other than you shouldn't be using this procedure? :)

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Thursday, August 21, 2014 3:31 PM
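
An added example, not code from any poster in this thread: a PowerShell audit that reports whether a WSUS front end carries the SQL Authentication registry settings listed in the first post, which the replies describe as unsupported. The function names `Test-WsusSqlAuthSettings` and `Get-WsusSetupValues` are hypothetical, and the sample values are constructed.

```powershell
# Added example: audit the WSUS Setup key for the SQL-authentication values from the first post.
# Only the key path and value names shown in the thread are used; function names are hypothetical.
$SetupKey = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'

function Test-WsusSqlAuthSettings {
    param([Parameter(Mandatory)][hashtable]$Values)
    $findings = @()
    # Case-insensitive match so a mistyped-case value is still reported.
    if ([string]$Values['SqlAuthenticationMode'] -ieq 'SqlAuthentication') {
        $findings += 'SqlAuthenticationMode is SqlAuthentication (SQL login, not a domain account)'
    }
    if (-not [string]::IsNullOrEmpty([string]$Values['SqlUserName'])) {
        $findings += "SqlUserName is set: $($Values['SqlUserName'])"
    }
    if (-not [string]::IsNullOrEmpty([string]$Values['SqlEncryptedPassword'])) {
        # Report presence only; never echo the stored secret.
        $findings += 'SqlEncryptedPassword is present in the registry'
    }
    [pscustomobject]@{
        SqlServerName   = $Values['SqlServerName']
        SqlDatabaseName = $Values['SqlDatabaseName']
        Compliant       = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

function Get-WsusSetupValues {
    param([string]$Path = $SetupKey)
    $names  = 'SqlAuthenticationMode','SqlServerName','SqlDatabaseName','SqlUserName','SqlEncryptedPassword'
    $item   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $values = @{}
    foreach ($n in $names) {
        if ($item -and $item.PSObject.Properties[$n]) { $values[$n] = $item.$n }
    }
    $values
}

# Constructed sample mirroring the values from the post (not real data).
$sample = @{
    SqlAuthenticationMode = 'SqlAuthentication'
    SqlServerName         = 'sql01.example.test'
    SqlDatabaseName       = 'SUSDB'
    SqlUserName           = 'susdbuser'
    SqlEncryptedPassword  = '<constructed placeholder>'
}
Test-WsusSqlAuthSettings -Values $sample | Format-List
# On a WSUS server: Test-WsusSqlAuthSettings -Values (Get-WsusSetupValues)
```

With the constructed sample, `Compliant` is `False` and three findings are listed; a server using domain accounts as described in the replies should return no findings.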