Troubleshooting Windows Update v.5 Authentication Issue

Summary

You may receive an error message when accessing the Windows Update v.5 Web site, or when using Automatic Updates. This issue only affects users or Automatic Updates behind a proxy server requiring authentication, or when null user requests are not allowed.

Possible Cause

There are two issues affecting Windows Update v.5 when responding to Web proxy requests to access Windows Update:

  • Issue 1: Credentials may be sent on a half-closed connection. This issue occurs when the client sends a HEAD request on a TCP connection that has already been closed by the proxy server. This is a known Internet Explorer issue, as described in article 838893, "The server returned an invalid or unrecognized response" error message in Internet Explorer 6 Service Pack 1 in the Microsoft Knowledge Base.

  • Issue 2: Authentication responses may contain null credentials. (Domain and user name are empty.) This issue occurs because the Windows Update client authenticates with null credentials to the proxy server. If the proxy server does not allow null client requests, the request may be denied.

One or both of these behaviors may be observed during a single client session, but not for the same HTTP request.

Symptoms

The symptoms for Issue 1 (credentials may be sent on a half-closed connection) and for Issue 2 (authentication responses may contain null credentials) are described in the following sections.

Issue 1 symptoms

This issue may occur when you first connect to the Windows Update site, when the Windows Update component is checking for the latest version of the Windows Update software. A message similar to the following will be displayed, with the error number specified:

  • Windows Update has encountered an error and cannot display the requested page. In the upper right on the page, you will see the following: [Error number: 0x80072F78].

Issue 2 symptoms

With this issue, the initial connection to the site will be successful. The error will occur after the check has been made for the Windows Update component updates, when you select Express Install or Custom Install. The following message may be displayed, with the error number specified:

  • Windows Update has encountered an error and cannot display the requested page. In the upper right on the page, you will see the following: [Error number: 0x80244021].

  • In addition, the null logon may produce a message with error code 0x80244018 or 0x80244019.

Resolution and Workaround

The resolution for Issue 1 (credentials may be sent on a half-closed connection) and the workaround for Issue 2 (authentication responses may contain null credentials) are described in the following sections.

Issue 1 resolution

To resolve this issue, on all client computers in internal networks using Windows Update v.5, install the update listed in article 871260, An update rollup is available for Internet Explorer versions 5.x and 6.0 in the Microsoft Knowledge Base.

Note that Windows XP Service Pack 2 already contains this fix. If Windows XP is installed on client computers, applying Service Pack 2 will resolve this issue.

Issue 2 workaround

There is not yet a final resolution for this issue. The current workaround is as follows:

  • Do not require authentication for requests to Windows Update sites.

The following destinations should be included when creating an anonymous access policy for Windows Update.

Windows Update Destinations

  Item   FQDN
  1      *.download.microsoft.com
  2      *.windowsupdate.com
  3      *.windowsupdate.microsoft.com
  4      windowsupdate.microsoft.com

In addition, if you are using a content filtering plug-in application for ISA Server, you may need to configure this software with an appropriate rule that allows anonymous requests to the Windows Update sites.

ISA Server 2000 Considerations

For ISA Server 2000, consider the following:

  • Consider the impact this workaround may have on existing firewall policy. This workaround allows anonymous access to the Windows Update sites. This may conflict with existing allow rules that restrict access to selected users only.

  • Note that the ReturnDeniedIfAuthenticated registry setting described in article 297324 is not the cause of this issue. If you have applied the setting described in that article in the past to solve a specific issue, you should not remove it.

To implement the workaround on ISA Server, follow the instructions for the ISA Server version you require.

Issue 2 Workaround: Configure ISA Server 2000

A workaround for configuring ISA Server 2000 is described in the following sections.

Create a destination set for Windows Update domains

To create a destination set for Windows Update domains, use the following steps.

  1. In ISA Management, click to expand the array name, and then click to expand Policy Elements.

  2. Right-click Destination Sets, click New, and then click Set.

  3. On the New Destination Set page, in Name, type Windows Update.

  4. Click Add, and in Destination, type *.download.microsoft.com. Do not specify anything in Path.

  5. Repeat step 4 for each entry in the Windows Update Destinations table described earlier in this document.

Create an anonymous Site and Content rule for Windows Update requests

To create an anonymous Site and Content rule for Windows Update requests, use the following steps.

  1. In ISA Management, click to expand the array name, and then click to expand Access Policy.

  2. Right-click Site and Content rules, click New, and then click Rule.

  3. On the first page of the New Site and Content Rule Wizard, in Name, type Windows Update. Then click Next.

  4. In Rule Action, click Allow, and then click Next.

  5. In Rule Configuration, click Allow access based on destination, and then click Next.

  6. In Destination Sets, Apply this rule to, select Specified Destination Set.

  7. In Name, select the Windows Update destination set you have just created.

  8. Click Next, and then click Finish.

Create an anonymous HTTP/HTTPS protocol rule

If your existing protocol rules require authentication (are limited to specific users or groups), you should create an anonymous HTTP/HTTPS protocol rule, as follows:

  1. In ISA Management, click to expand the array name, and then click to expand Access Policy.

  2. Right-click Protocol Rules, click New, and then click Rule.

  3. On the first page of the New Protocol Rule Wizard, in Name, type Windows Update. Then click Next.

  4. In Rule Action, click Allow. Then click Next.

  5. In Protocols, click Selected protocols in Apply this rule to.

  6. In the Protocols list, select HTTP and HTTPS. Then click Next.

  7. In Schedule, click Next.

  8. In Client Type, click Next. Then click Finish to complete the wizard.

    Note: Changes to ISA Server 2000 access policy do not take effect immediately, and do not affect existing sessions. For more information, see article 281985, ISA Server Changes are not instantaneous, in the Microsoft Knowledge Base.

Configure ISA Server 2004 Standard Edition

A workaround for configuring ISA Server 2004 is described in the following sections.

Create an allow all rule for Windows Update requests

To create an allow all rule for Windows Update requests, use the following steps.

  1. In ISA Server Management, click to expand the server name, right-click Firewall Policy, point to New, and then click Access Rule.

  2. On the first page of the New Access Rule Wizard, in Name, type Windows Update. Then click Next.

  3. In Rule Action, click Allow, and then click Next.

  4. In Protocols, select Selected Protocols in This rule applies to. Then click Add.

  5. In Add Protocols, click to expand Web.

  6. Click HTTP, and then click Add. Select HTTPS, and then click Add. Click Close, and then click Next.

  7. In Access Rule Sources, click Add.

  8. In Add Network Entities, click to expand Networks. Select the Internal network, and then click Add.

  9. Repeat the selection for each network on which you support Web proxy requests. Click Close, and then click Next.

  10. In Access Rule Destinations, click Add.

  11. On the menu of Add Network Entities, click New, and then click Domain Name Set.

  12. In New Domain Name Set Policy Element, type Windows Update in Name.

  13. Click New, and in Domain names included in this set, change the new entry to *.download.microsoft.com.

  14. Repeat step 13 for each remaining entry in the Windows Update Destinations table described earlier in this document. Then click OK.

  15. Click to expand Domain Name Sets, select the Windows Update domain set, click Add, and click Close. Then click Next.

  16. In User Sets, click Next, and then click Finish to complete the wizard.

  17. Click Apply to apply the new changes.

Configure as the first rule in the rule order

To configure the new rule as the first rule in the rule order, use the following steps.

  1. In ISA Server Management, select the Firewall Policy node.

  2. If Windows Update is not the first rule in the list, do the following:

    • In the details pane, select the Windows Update access rule.

    • In the Tasks tab, select Move Selected Rules Up until the rule is first in the list.

    • Click Apply to save changes.

    If you prefer to list deny rules first, configure the Windows Update rule as the first rule following the deny rules.

Note: Changes to ISA Server 2004 policies do not affect existing sessions. For more information, see article 841140, Changes to the firewall policy only affect new connections in ISA Server 2004, in the Microsoft Knowledge Base.
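
The destination matching and rule ordering described above, as a simplified Python model (an added example, not part of the original article and not ISA Server code). It assumes top-down, first-match rule evaluation and that a `*.` entry covers subdomains but not the bare domain; the user name and host names are constructed.

```python
# Added example: simplified model of proxy policy evaluation (not ISA Server code).
# Assumptions: rules are evaluated top-down, first match wins; "*.name" covers
# subdomains only, so the bare domain needs its own entry (as item 4 in the table).

WU_DESTINATIONS = [
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
]

def host_in_set(host, patterns):
    """Return True if host is covered by any destination entry."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # e.g. ".windowsupdate.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def evaluate(rules, host, user=None):
    """Return 'allow', 'deny' or 'auth-required' for one Web proxy request.

    user=None models the null credentials the Windows Update client presents.
    """
    for rule in rules:
        if rule["dest"] is not None and not host_in_set(host, rule["dest"]):
            continue                                  # destination does not match
        if rule["users"] == "all":
            return rule["action"]                     # anonymous rule: no challenge
        if user is None:
            return "auth-required"                    # proxy challenges; update fails
        if user in rule["users"]:
            return rule["action"]
    return "deny"                                     # default deny

# Constructed sample policy: one anonymous rule, one rule limited to a user set.
WU_RULE = {"action": "allow", "dest": WU_DESTINATIONS, "users": "all"}
AUTH_RULE = {"action": "allow", "dest": None, "users": {"EXAMPLE\\alice"}}

if __name__ == "__main__":
    for order in ([WU_RULE, AUTH_RULE], [AUTH_RULE, WU_RULE]):
        for host in ("cdn1.windowsupdate.com", "evilwindowsupdate.com", "www.example.com"):
            print(host, evaluate(order, host))
```

With the Windows Update rule first, only hosts inside the destination set bypass authentication; look-alike names and all other sites still reach the authenticated rule. With the order reversed, the null-credential request is challenged before the anonymous rule is ever considered.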