SelfUpdate Tree is Not Working

I have been through all of the 'fixes' for the selfupdate tree and this is what I have surmised......

I am not using the default port 80 OR 8530 for my wsus install 

I restart the 'update service' on the w2k3 box, the service restarts, but fails immediately (however, I am able to browse the wsus admin page just fine)

IF I point the default site to port 80, restart IIS, THEN restart the 'update service' the system runs fine, but clients cannot connect (caused by firewall rule)

IF I do the above mentioned change, THEN put the default site back to the port I am using (non 80 or 8530) the system works just fine (at least as far as I know, I am still testing but do not seem to be able to create the 'seolfupdate service is not working Event Id 506 issue).

More on this item later, will see how long it will be stable.

So, it appears that WSUS only wants port 80 OR 8530 and you cannot put it through a port restricted firewall in order for it to correctly do its job. Why is that?  If MS lets you port an IIS config to something wacky like 49324 why will it not make the changes at a global level and make the default site talk?

IF anyone can 'splain this to me I would appreciate it.

vman 

I experienced this error after a failed attempt to install wsus service pack 1 [http://support.microsoft.com/kb/919004]

what happened was the folder /program Files/update services/selfupdate had somehow been removed.  i recreated the folder and rebooted. no more problem. wsus runs fine now but the problem returns every time i attempt to install the update listed

Im not sure but i think that wusus didnt even need this update because i installed from the 'wsus with sp1' self installer.  My current wsus build is: Build 2.0.0.2472  if i am current i will just deny access to install that update in the future.

Well after loads of messing around I finally figured out what was happening with my particular issue with the selfupdate and 506 error.

I could see it was definatly permissions but no matter what combination I tried I still had the error. I finally tracked it down to a setting in the local system policy that Denied Guests the ability to logon to this computer from the network, changed setting, reapplied policy and lo and behold, away we go. Worth checking if you still have this issue, particulary on a fresh server, the sharepoint issue is different. 

Well guys, the comments you all posted are great.

We found a problem with the site requiring ssl encryption at the root of the tree. Once remove selfupdate started working on its own. It is worth a try !!!

I believe our issue was related to having SharePoint installed on the same server.  I did quite a few of the of the things mentioned in this post, but did not resolve the issue until I followed the steps in this article:

http://technet2.microsoft.com/WindowsServer/en/Library/b23562a8-1a97-45c0-833e-084cd463d0371033.mspx

Symptoms: on wsus admin page, you get a error stating that the SelfUpdate service is not started.  When you restart the "update services" service refresh the page, the error goes away and the WSUS admin page looks fully functional.  Then after about 10 minutes, it breaks again.
Immediately after you restart the service you get the following event in the application log. Event 506.

Summary of the solution that fixed it for me.

These are the sections in the article I started with and my results for each.

Check for the selfupdate tree on the WSUS server

- ran vbs script (my directory was different than the one in the article, so check yours - just find the script and run it!)

Check IIS logs on the WSUS Server

- I had the 401 error in my IIS logs, so I went onto the next step.

If you have installed Windows® SharePoint® Services on the default Web site in IIS, configure it to not interfere with Self-update

- After I did this section, I restarted the update service and did not receive the 506 event.  It works!

Now I have to go work on my group policy problem.  It never ends, but boy, it feels good when you fix something.

Thanks for all your help above. 

I've followed the advice in many forums and have done the same using the posts here.  I have narrowed it down to a permissions problem.  My WSUS is a standalone (W2k3 SP1) and is set to run on port 80.  It is in AD, but the local Anonymous account is being used, not one at the Domain level.  I've used the following to verify that it is permissions causing the problem:

 tinyget -uri:/selfupdate/iuident.cab -srv:127.0.0.1 -a:0 -h

When using Anonymous it fails everytime.  I've even gone back through and prefaced the IUSR_servername account with the servername\ and have change the password in user manager and in IIS to match.  When I enable NT Authentication in IIS on the SelfUpdate folder tree and use my domain account it works (I modded the perms on the folder tree to include Everyone read access.)  Even with Everyone and the IUSR_Servername account explicately given  NTFS perms, it still fails with a 401 error.  I just don't get it.  I've unistalled and reinstalled twice now.  This has to be an IIS thing, what else could it be?

I got this error message after changing the default website to redirect to the exchange server logon page via ssl.

The fix (as above) was to run C:%ProgramFiles%/Update Services/Setup/InstallSelfupdateOnPort80.vbs and then change the ip address that  "Internet maintenance" was listening on to 127.0.0.1

I found another way to fix this problem. 

Grant Read, Read&Execute, and List Folder Contents NTFS permissions to the entire tree for C:\Program Files\Update Services\SelfUpdate and all subfolders and files of Selfupdate to the IUSR_<ServerName> account.  This seemed to fix the problem for me since I have to control permissions on a granular level and I modified the default permissions. 

If you have ever modified the permissions for any of the higher levels, and propogated them down, that may be the source of your problem.

Hi

I had faced the same problem.

What I did is, In IIS direcory security ,  insteaed of IUSR_Machine name I have given a user of the group "WSUS ADMIN". It worked fine.

Rahees 

I also had Event id 506 in my Event log and the homepage in SUS said Selfupdate service was not started.

This happened to me the next day I uninstalled SUS from our server.  Seems it changed some path in the IIS for WSUS.

The fix:  I ran C:%ProgramFiles%/Update Services/Setup/InstallSelfupdateOnPort80.vbs on the server and voila!  worked!

This problem also can be caused by file system ACCESS DENIED error for Anonymous web user (IUSR_xxx). This error can be result of:

1. Not enought rights in \Program Files\UpdateServices\Selfupdate

2. Explicit deny rights in same catalog

3. User cannot reach \Program Files\UpdateServices\Selfupdate because used do not have Bypass Traverse Checking right.

To solve this situation you need to (depends of what is really caused problem) add user read rights to Selfupdate directory, or remove deny read rights. In last situation you have two methods: you can add list right to all parent directories of Selfupdate (to root of drive, to "Program Files", and to "Update Services") or you can grant Bypass Traverce Checking right to this user (this is set in your local or domain policy).

I just figured this one out...  This isn't technically a problem with WSUS, but with IIS in general.

1.  Verify IIS Auth on the SelfUpdate tree uses anonymous (I took off Windows Auth for the heck of it)

2.  Add a Server Binding for 127.0.0.1:80 in IIS to your WSUS site (if you are using a specific IP for your WSUS site)

If using IIS 6 Secure Process Isolation mode (also do 3,4 and 5) -- try it anyway if you don't know what secure process isolation mode is -- it won't hurt (unless you are using anonymous elsewhere in your website, and then do step 5 for those webs/nodes also):

3. Verify the username for anonymous access in the ISM (ISM->WSUS Site->Properties->Directory Security->Edit)

4.  Change the IIS user password to a new PW in AD (from step 3)

5.  Change the Anonymous user password in the "ISM->WSUS Site->Properties->Directory Security->Edit" and "ISM->WSUS Site->SelfUpdate->Properties->Directory Security->Edit" to match it's newly defined password from step 4.

Optional: use IIS Resource Kit tool tinyget like so (from the WSUS Server) for additional troubleshooting:

tinyget -uri:/selfupdate/iuident.cab -srv:127.0.0.1 -a:0 -h

(You should get a HTTP 1.1 200 OK if it is all working correctly)

-a:0 forces anonymous

-h sends back header info only

If you are getting back a 401 it's a permissions or password problem (Verify that permissions allow the IUSR_SERVERNAME on the SelfUpdate directory).