1 Reply Latest reply on Sep 29, 2016 8:45 PM by rdavidson

    ssl conflict

    Scott.Leach Rookie

      Hi All!

       

      I have the latest Shavlik Patch installed into the latest SCCM build.

      I configured IIS to use SSL connections on my WSUS server as per Shavlik instructions, using a self-signed cert. I exported and set it all up OK, then sent certs to clients via GP.

      Now my auto deployment rule for MS updates is failing with "0X80244017 Same as HTTP status 401 - the requested resource requires user authentication". I know Shavlik don't support Microsoft, but what about when the instructions cause it to break?

      I have an inkling of what to do to move forward but would appreciate some direction.

      Do I need to look at bindings in IIS on WSUS again? Do I need to use GP to deliver some proxy bypass addresses? Do I need to modify my ADR somehow to use SSL?

      If any changes I make in the near future don't work, I will have no option but to reverse what has been done and seek a refund on the product for all 300 nodes.

      Any help here is most definitely appreciated!

       

      Scotty Leach.

        • 1. Re: ssl conflict
          rdavidson SupportEmployee

          It sounds like you might be mixing together two different things - Code signing certs, and SSL configuration.

           

          Publishing updates requires a code signing certificate. This can be a "WSUS Self Signed" certificate. This is the cert that needs to reside on the client machines.

           

          Using SSL uses a separate, SSL certificate, which IIS needs to be configured to accept. This certificate needs to reside on the WSUS Server, and on the SCCM Server. This doesn't need to be on client machines unless you require all connections use SSL.

           

          One thing to try in IIS is to go to the WSUS Administration Site > Client Web Service > SSL Settings, and uncheck the box to "Require SSL". If there's an issue with client authentication related to SSL, then unchecking that box should allow the client to access the resource. SSL connections can still be made with this box unchecked. If unchecking the box doesn't change anything, there may be an internal proxy/firewall authentication issue.

           

          The self-signed cert is explained here: Creating, Exporting And Importing A WSUS Self-Signed Certificate With The Shavlik Patch Plugin

           

          Our SSL guide is here: How To: Configure IIS to Use SSL Connections on Your WSUS Server - Self-Signed Certificate

           

          SSL is not strictly required (though recommended by MS).
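
The reply above separates the code signing certificate (needed on clients) from the SSL certificate (needed on the WSUS and SCCM servers). The following is an added example, not part of the thread or of Shavlik's documentation, that lists the certificates in a machine's stores and labels each by its Enhanced Key Usage so the two roles can be told apart. The function names and the choice of stores to scan (Trusted Publishers for the signing cert, Personal for an IIS SSL cert) are assumptions of this example.

```powershell
# Added example: classify certificates by Enhanced Key Usage (EKU).
# The OIDs are the standard X.509 EKU values.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication (SSL/TLS)

function Get-CertRole {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Locate the EKU extension, if the certificate has one.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return 'No EKU (unrestricted)' }

    $oids  = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $roles = @()
    if ($oids -contains $CodeSigningOid) { $roles += 'CodeSigning' }
    if ($oids -contains $ServerAuthOid)  { $roles += 'ServerAuth (SSL)' }
    if ($roles.Count -eq 0)              { $roles += 'Other' }
    return ($roles -join ', ')
}

function Get-StoreCertRoles {
    param(
        # Assumed stores: Trusted Publishers and the machine Personal store.
        [string[]]$StorePath = @('Cert:\LocalMachine\TrustedPublisher',
                                 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Role       = Get-CertRole -Cert $_
                NotAfter   = $_.NotAfter
            }
        }
    }
}

Get-StoreCertRoles | Format-Table -AutoSize
```

Run on a client, a row with Role `CodeSigning` under `TrustedPublisher` corresponds to the publishing certificate the reply says clients need; run on the WSUS or SCCM server, a `ServerAuth (SSL)` row is the separate certificate used for the IIS SSL binding.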