The Realm of the Verbal Processor

Jarvis's Ramblings

SCCM and WSUS on Server 2008

As part of my reinstall of my SCCM server, I have been beating on a problem for way longer than I should have…and finally got it fixed. It is related to SCCM not being able to sync with WSUS. Background: we are a small environment by SMS/SCCM standards, so we are able to work quite well with all components on the same server. The only thing that is external to “the” SCCM box is that we have SQL off-box.

When I set up WSUS/SCCM as the documentation recommended, I got some crazy errors. I have posted the relevant sections below. The key portion of the wsyncmgr.log was:

Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync

Having dealt with a similar issue before, I was pretty sure that the errors has something to do with the way that SCCM connects as Local System and the internet settings associated with the System account. In particular I had dealt with a proxy issue before that was causing similar errors. In doing my research on the problem I came across a couple of posts that proved helpful. In this one, a Microsoft guy posted that two ways to fix this were to either run IE as Local System or to use the ProxyCfg.exe tool (Server 2003). I’m on Server 2008, so I found another post that showed how to do the proxycfg stuff in Server 2008 using netsh. After doing the second option (netsh), everything looked good as far as the proxy was concerned…it wasn’t using a proxy. That wasn’t the problem.

So…what about starting IE as Local System and looking at those settings? I’ve posted before about how to run an app as Local System. The Vista option in that post works on Server 2008.

Once I did that, I went into IE settings and drilled down through Tools | Internet Options | Connections | LAN Settings. The checkbox for “Automatically detect settings” was checked. I unchecked that box. Just for good measure I rebooted. That was probably not necessary, but I wanted to see the process start fresh after a reboot…easier to track in the log files.

Once that took effect and I triggered a synchronization, SCCM was able to sync with WSUS. Matter of fact…it is still synchronizing as I finish typing up this post. All because of a stupid little checkbox.

>>>>>>>>>   Relevant Log Files    <<<<<<<<<

In the WCM.log file…something is definitely not right:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. —> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. —> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host~~   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)~~   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)~~   — End of inner exception stack trace —~~   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)~~   at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)~~   at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)~~   — End of inner exception stack trace —~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)

Remote configuration failed on WSUS Server.

In the WSUSctrl.log were these entries which seemed to indicate that SCCM was configured correctly to talk to WSUS.

Found WSUS Admin dll of assembly version Microsoft.UpdateServices.Administration, Version…
Found WSUS Admin dll of assembly version Microsoft.UpdateServices.Administration, Version…
Found WSUS Admin dll of assembly version Microsoft.UpdateServices.Administration, Version…
The installed WSUS build has the valid and supported WSUS Administration DLL assembly version …
Successfully connected to local WSUS server
Local WSUS Server Proxy settings are correctly configured as Proxy Name  and Proxy Port 80
Successfully connected to local WSUS server
There are no unhealthy WSUS Server components on WSUS Server SCCMserver
Successfully checked database connection on WSUS server SCCMserver

Then in the wsyncmgr.log there is this failure when SCCM tries to run a synchronization:

Performing sync on retry schedule
STATMSG: ID=6701 SEV=I LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCMserver SITE=SITEcode ….
Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync
STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCMserver SITE=SITEcode PID=1212 TID=2992 GMTDATE=Tue Jun 03 17:52:14.874 2008 ISTR0=”CWSyncMgr::DoSync” ISTR1=”WSUS server not configured” …
Sync failed. Will retry in 60 minutes
Sync time: 0d00h05m00s
Waiting 60 minutes for requests…

In the IIS log for WSUS:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-06-03 17:47:30 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 – IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 401 2 5 7888
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 1886
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 405
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 15
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 62
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 0
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 15
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 0
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 15
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 0
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 15
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 15
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 0
2008-06-03 17:47:32 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 15
2008-06-03 17:49:20 IPofSCCMserver POST /reportingwebservice/reportingwebservice.asmx – 8530 – IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 5565
2008-06-03 17:49:21 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 – IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 401 2 5 15
2008-06-03 17:49:21 IPofSCCMserver POST /ApiRemoting30/WebService.asmx – 8530 DOMAIN\SCCMserver$ IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 15
2008-06-03 17:49:24 IPofSCCMserver POST /ServerSyncWebService/serversyncwebservice.asmx – 8530 – IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 2198
2008-06-03 17:49:25 IPofSCCMserver POST /ClientWebService/Client.asmx – 8530 – IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 810
2008-06-03 17:49:25 IPofSCCMserver POST /SimpleAuthWebService/SimpleAuth.asmx – 8530 – IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 763
2008-06-03 17:49:27 IPofSCCMserver POST /DssAuthWebService/DssAuthWebService.asmx – 8530 – IPofSCCMserver Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1434) 200 0 0 654

Advertisements

June 3, 2008 Posted by | ConfigMgr | | 5 Comments

Password Complexity

This morning I got an email from someone about secure passwords. The email was a link to this article. Before even opening the link I had a good idea of what it was going to say…make your passwords use all four character sets and make them random, but base it on a phrase that you can easily remember. My guess (and I was correct) was that it was going to ignore/gloss over the issue of password length.

In years past I was a strong proponent of passwords that used all four character sets (UPPERCASE, lowercase, 12345, !@#$%^%). I’m really not anymore. Reason being that password length has a much greater effect on whether a password can be cracked than does complexity. One of the best articles I have seen on this issue was an InfoWorld article back in 2006. The author did a great job of mathematically showing how the two factors in password complexity (length and number of possible characters) work together.

In the times that I have done password audits for the ministry I work for, this has proven out every time. I have seen some very complex passwords that were shorter in length get cracked. I have never cracked a long password. That is the primary reason that my non-admin password is currently 20+ characters long. The password for my admin account? Somewhere north of 30 characters. Good luck cracking it while I am still alive.

A few paragraphs from the InfoWorld article above that I most enjoyed…:

For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.

Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.

~~~~

And because most users also use dictionary words as the root to their “complex” password, and follow other common conventions (capitalized letters are at the beginning, numbers are at the end), a simple hybrid attack will break most of them in less than a day. Trust me, I know — I do it for a living.

~~~~

So, when trying to increase the strength of your passwords, my advice is to consider length as much or more than you consider complexity. For my money, length is all the protection I need. Make your admin and root passwords 15 or more characters long and forget about complexity — at 15 characters-plus, they are all but uncrackable.

June 3, 2008 Posted by | computers | , | 8 Comments