WSUS EventID 12002, 12012, 12022, 12032, 12043, 12052, 12072 fresh install

Staman 1 Reputation point
2022-12-22T08:40:00.56+00:00

Hello,

Yes, I'd read all that could be found about this but still no solution for me.

Windows Server 2022 with latest WSUS using SSL.
I followed the Microsoft tutorial about how to set a WSUS to the latest point with one small exception. My SSL certificate is generated from ESET Protect Server certification authority and is valid for 10 years. I've configured everything as requested. My WSUS is located on D:\WSUS and I'm using WID internal database.

I had set up GPO for my lab, certificate is distributed, test clients are reporting to WSUS, downloading updates, all is working just fine. I don't see any problems whatsoever.

When I'm looking into Event Viewer I can see all 12002-12072 errors regarding WSUS IIS services (ReportingWebService is not working, Server SyncWebService is not working, Self-update is not working.. etc.)

I've been reading TechNet and tons of other Google articles about this problem, so I dug deeper.
Let's take Reporting web service.. authentication is set to Disabled except anonymous auth (as many of you suggested this solution on TechNet).. didn't help

Basic settings - Test connection is displaying an error ..

273180-test-connection-error.png

When I test the connection

When I select local administrator for Pass-through auth (just for testing) the error is gone

273137-test-connection-success.png

So I restarted the IIS, WSUS and ran the command wsusutil.exe checkhealth
Looking at the Event Viewer the EventID 12002 is still there, no changes

I have spent over 10 hours on this problem and haven't had any luck figuring it out and solving it.
I've tried IIS settings without SSL, tried it with self-signed IIS certificate.. I've tried to remove WSUS completely and use local administrator for the installation/postinstallation as AjTek suggested. Ended up with reinstallation of the whole Windows 2022 server and started fresh with exactly the same results.

I'm not new to WSUS, I'm administrating two WSUS servers for over 10 years now .. this new setup should replace old box with Windows Server 2012 R2 (IIS8).. On that WSUS server I don't see any WSUS related EventID errors and I only see EventID 10000: WSUS is working correctly.
When I go to IIS8 to check Reporting web service (for example) I do see the very same error about pass-through auth.

Can someone point at where my problem is? Obviously, pass-through auth is not working on old server either and not throwing any EventID problems

Maybe a better question, should I even care? I'm not happy to see these errors in EventLog but I don't see a single working issue with my new WSUS server.. nothing at all on the client side either. Should I promote it to the real environment?

PS: I had tried tons of tips from this forum before reinstalling the whole 2022 Server again.. also, there is just small % of the articles on 2019+ .. everything is old, mostly for IIS6-8.. nothing was making these errors disappear.

https://learn.microsoft.com/en-us/mem/configmgr/sum/get-started/software-update-point-ssl
https://www.ajtek.ca/?s=ssl+wsus
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939903(v=ws.10)?redirectedfrom=MSDN
https://www.reddit.com/r/sysadmin/comments/cjru5y/wsus_reporting_web_service_not_working/
https://lenhoman.wordpress.com/2013/10/31/authorization-cannot-verify-access-to-path/
https://social.msdn.microsoft.com/Forums/en-US/c1491e76-9d39-4ee3-b165-e674925018d2/wsus-errors-12002-12012-12032-12022-12032-12042-12052?forum=winserverwsus
(and 10 more msdn technet pages about Event ID 12002-12072)

PS2: Is it just me but following the Microsoft tutorial step-by-step twice, twice the same errors ..

Thank you for any relevant answer

Windows development | Internet Information Services
Windows for business | Windows Server | User experience | Other

5 answers

  1. Staman 1 Reputation point
    2022-12-22T12:06:23.14+00:00

    Just to add a few more details..
    Among others, there is EventID 12072

    In my case: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

    I don't see any problems with SSL .. it's 3rd party certificate..
    CA is imported in Trusted Root Certification Authorities
    SSL certificate for WSUS is imported in Web Hosting Certificates, it is valid until 2032, Intended purposes ALL, friendly name is not set.
    IIS has binding set to use SSL, all the web services SSL Required has been set like MS documentation required..

    As I said previously, WSUS is downloading updates with autosync just fine, clients are able to communicate with it using SSL, console is working using Local/SSL:8531
    All seems to be working

    273256-eventid12072.png

    From previous testing, I was getting 12002-12052 errors with SSL disabled .. so not really convinced that 12072 is also causing 12002-12052 errors..
    Anyone?


  2. Adam J. Marshall 10,356 Reputation points MVP
    2022-12-22T16:36:10.507+00:00

    Try rerunning the wsusutil configuressl along with the step before it.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-7-ssl-setup-for-wsus-and-why-you-should-care/

        # $FQDN must already hold the WSUS server's fully qualified domain name.
        Import-Module WebAdministration

        # 3. Require SSL for the following virtual roots only:
        'SimpleAuthWebService','DSSAuthWebService',
        'ServerSyncWebService','APIRemoting30',
        'ClientWebService' | ForEach-Object {
            # sslFlags 8 = Ssl (require SSL on this virtual root)
            Set-WebConfigurationProperty -Filter 'system.webserver/security/access' -Location "WSUS Administration/$($_)" -Name sslFlags -Value 8
        }

        # 4. Switch WSUS to SSL
        & 'C:\Program Files\Update Services\Tools\WsusUtil.exe' configuressl $($FQDN)
    

  3. Staman 1 Reputation point
    2022-12-23T09:18:43.597+00:00

    Adam, thank you for your reply.
    Yesterday, late afternoon I've managed to solve the issue.

    The problem was indeed in that 3rd party certificate, exactly in the Issued to field. I'd mistyped the FQDN for my pre-production server running WSUS.
    Everything has been configured as it should, simply a human error.

    This was the best tutorial to help me with the problem solving:
    https://forums.ivanti.com/s/article/How-To-Configure-IIS-to-Use-SSL-Connections-on-Your-WSUS-Server-Self-Signed-Certificate?language=en_US

    I was reading this article before, just haven't seen my own typo error.

    Once I issued the new certificate with the correct FQDN (Issued to field), installed the certificate, changed it in IIS, restarted IIS and WSUS .. checkhealth was giving me no more errors

    273607-rtaimage.png

    273688-rtaimage-1.png

    WSUS eventlog is now looking like this:

    273650-event10000.png

    All other 12002-12052 errors are gone.
    From this very experience, most important point is to solve 12072 EventID error .. all other WSUS errors disappeared afterwards.
    I haven't had much time to play with it afterwards .. I only distributed new certificate to two lab rats .. all is working as previously, but this time without any errors. WSUS seems to be finally healthy.

    Also, from what I can tell, MS documentation is missing these important steps and should be adjusted.
    Thank you for your help anyway


  4. Sean O'Brien 11 Reputation points
    2022-12-29T14:09:08.703+00:00

    Hello there,

    Although there are no issues with the services now, it is always advisable to look into the event ID and find the root cause; also there are some event IDs which can be safely ignored.

    Have you tried checking the health condition of WSUS role?

    Try increasing the available memory of "Private Memory Limit (KB)" in the AppPool, of IIS Server.

    Also check if your IIS configuration is good.

    -------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--


  5. Staman 1 Reputation point
    2022-12-30T09:19:33.653+00:00

    Sean, I don't currently see any issue with it whatsoever.
    Eventlog is clean regarding WSUS operations
    Do you recommend to look for something special?

    I did set the "Private Memory Limit (KB)" to 0 previously based on some MS article that I found.
    If you have some exact recommendation what values should I check, name it please.

    To maybe add a thought or two while configuring SSL for WSUS:
    Make sure your GPO is also reflecting the FQDN of the certificate you issued
    Computer Configuration > Administrative templates > Windows components > Windows Update > Specify intranet Microsoft update service location:
    Set the intranet update service for detecting updates: (has to be the same as Host name field in IIS binding)
    would be: https://Vikes-WSUS.vikes.local:8531 (based on previous printscreen)

    If your client doesn't have the SSL cert imported in root certificates (Trusted Root Certification Authorities) you should see errors while trying to Check for updates
    0x800b0109 or 0x80240442

    275019-wsus-ssl-error.png

    Also, when you test the WSUS functionality from your client computer without an SSL cert imported, you should see this error in Chrome (sorry, SK language)
    (in my case address is: https://FQDN:8531/selfupdate/wuident.cab)

    275018-fqdn-url.png

    You can use loginscript/gpo or something smarter like PDQ Deploy to deploy your SSL cert to the client computers
    certutil.exe -addstore root \Certificate_location\CertificationName.der

    Once you do that, you should see Windows update check working against your SSL WSUS

    Also, once you successfully imported SSL certificate to the client, you can check WSUS functionality opening URL from your Chrome browser: https://FQDN:8531/selfupdate/wuident.cab
    (just like that, without any SSL error your browser will download wuident.cab)
    275081-wsus-ident.png

    I can't mark my own conclusions as an answer, but this is SOLVED and FIXED. My SSL WSUS is working just fine without any errors

    0 comments No comments
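
The two failure modes described in answers 3 and 5 (a certificate whose "Issued to" name does not match the WSUS FQDN, and a client that does not trust the issuing CA) can be told apart with a single TLS handshake. The PowerShell below is an added example, not code from the thread or from Microsoft; the function name `Test-WsusTlsTrust` is hypothetical, and the usage lines assume the client receives its WSUS URL through the `WUServer` policy value set by the GPO mentioned above.

```powershell
# Added example. Test-WsusTlsTrust is a hypothetical helper name.
function Test-WsusTlsTrust {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 8531)

    $seen = @{}   # filled in by the validation callback during the handshake
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $seen.Cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true   # accept only so the certificate can be inspected; nothing is sent
    }

    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    $flags = [System.Net.Security.SslPolicyErrors]
    [pscustomobject]@{
        Target       = "${HostName}:$Port"
        IssuedTo     = $seen.Cert.Subject
        # DnsNameList is the property PowerShell adds to certificate objects
        DnsNames     = ($seen.Cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
        NotAfter     = $seen.Cert.NotAfter
        # False here is the mistyped "Issued to" case from answer 3
        NameMatches  = -not ($seen.Errors -band $flags::RemoteCertificateNameMismatch)
        # False here is the missing trusted root case from answer 5
        ChainTrusted = -not ($seen.Errors -band $flags::RemoteCertificateChainErrors)
        ChainStatus  = $seen.Chain -join ', '
    }
}

# Run on a client: test the exact URL that Group Policy delivered (WUServer value).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$uri = [uri](Get-ItemProperty -Path $key -Name WUServer).WUServer
Test-WsusTlsTrust -HostName $uri.Host -Port $uri.Port
```

Running the same function on the WSUS server itself, with the FQDN passed to `wsusutil configuressl`, checks the name the server uses to reach its own web services.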
