2

Environment:

I have a workstation on our primary domain. We have a primary WSUS Server that is the upstream server of 8 different testing domains. The Primary WSUS server is not part of any domain. Routing is configured between my workstation and the Primary WSUS server. I can RDP to the Primary WSUS server without any problem. The router is configured to forward any any between my workstation and the Primary WSUS server. This WSUS server cannot be part of a domain due to external requirements (I can't change them) on the lab I work in. The version of WSUS is WSUS 3.0 SP 2.

What I want to do:

I need to connect to the WSUS server with the WSUS Admin console from my local workstation. The end goal is to connect via PowerShell and manage with that. I also need to take what I do here and port it to the 8 test domains so I can manage those WSUS servers. The routing is all in place so I can talk to the servers; it's just connecting to the WSUS console that is causing problems.

The problem:

I cannot get my workstation to connect to the WSUS Console.

I get one of the following errors depending on the setup.

1st error:

Cannot connect to 'WSUS'. You do not have the permissions required to access this WSUS server.
To connect to the server you must be a member of the WSUS Administrators or WSUS Reporters security groups

I also get the warning 7012 from the event log that says the same thing.

2nd error:

Cannot connect to 'WSUS'. The server may be using another port or different Secure Sockets Layer setting.

What I have tried:

So far I have configured IIS for Anonymous Authentication on both the WSUS Administration and ApiRemoting30 using an account we'll call WSUS_User. With this in place, I get the 1st error. When I do this though, the local WSUS Console cannot be used either.

Reverting back to only Windows Authentication allows the local console to work, but the remote console now gives the 2nd error.

I have confirmed the port, and that there is no SSL in use (which is a policy that is pushed from above, that I cannot affect).

I have placed WSUS_User in the groups mentioned above, but it still does not connect.
I made sure WSUS_User has full access on C:\Program Files\Update Services and C:\Program Files\Update Services\WebServices.

I am not very familiar with the workings of WSUS or IIS, and have gone as far as I can figure out on my own. Googling these errors always takes me to the same steps about Anonymous Authentication and configuring permissions on folders.

Nick

4 Answers

0

Map a drive to the server(s) you need to connect to using an account created and given WSUS Admin access. Then connect to the WSUS server with the Admin console.

Mitch
0

If your end goal is to use PowerShell, have you attempted to make use of modules such as PoshWSUS and/or use PS remoting to the servers in question and run commands via that? This is how we manage multiple WSUS servers. They aren't on domains, just workgroups, but it works just fine. I would just verify that you have all required TCP ports open for communication.

http://poshwsus.codeplex.com/

http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx

Skyhawk
floyd
  • I have verified the ports are open all the way through. The traffic gets to the WSUS server, it just won't connect. I was using PoshWSUS and getting the same results, so I went to the console to see what I could do with that. I haven't tried the PS remoting because several of the domains are still Windows 2003 that don't have PowerShell installed, and I can't install it on them due to requirements of the domain. – Nick Nov 01 '12 at 17:55
0

This sounds like the same issue I had when just trying to log in to my WSUS server remotely, as my normal account is not an admin. I use the following command as a shortcut to launch WSUS from a different user than my logged-in user account:

C:\Windows\System32\runas.exe /user:domain\admin-user "cmd /c start c:\progra~1\update~1\administrationsnapin\wsus.msc"

This will pop up a command line prompt asking you for your admin password. If I read your issue correctly, the WSUS server isn't on the domain, which means you should use /user:\admin-user.

0

For the GUI, you can use the runas.exe tool that Zac Garrett noted, or you can hold down the Shift key while right-clicking the WSUS Console and selecting "Run as different user" from the menu that comes up, then input the domain\user that you wish to run it as.

As for PowerShell, my guess is that you will need to use the Get-Credential command and pass those credentials with the command you are trying to run. You can also do the hold-Shift-and-right-click trick with the PowerShell script or PowerShell console.

Winter Faulk