Title: Error updating Windows XP clients from console Post by: shaun on June 16, 2008, 03:30:29 PM In a strange twist, I am having issues updating the avast! VPS database on Windows XP SP2 clients (ALL of them) from the avast! antivirus tab of the Windows Home Server console. Each of my Vista clients works with no issues.
Error Details When attempting to update, I get the following error returned in the WHS Console: "Error during communication with WORKSTATION; whsUpdate : Error 0xFFFFFF9D. (4294967197)" The avastWHS log provides the following corresponding error: "Error during communication (whsUpdate) with WORKSTATION : 4294967197." No other logs on the server have any errors which even come close to correlating with the time periods of the above errors. avast! Software Details
Environment Details
Firewalls have been completely disabled on the Windows XP SP2 machines (again, ANY XP SP2 machine I connect fails). I have verified all levels of communication between the server and clients (via telnet, shares, etc.). Also, everything else works (scheduled scans run without issue on the failed clients, the WHS console shows the clients and their status without issue, I can look at scan logs on the clients from the console without issue, etc.). I had this issue on the original public release of WHS AND it continued after I updated WHS to the PP1 beta. Finally, the clients can update themselves without issue. Automatically or manually, I have no issues on the XP SP2 boxes with updating the VPS or Program (for example, right clicking on the tray icon and navigating throught the Update menu). The problem is only with updating the XP SP2 client VPS from the WHS console. Any help is appreciated. Title: Re: Error updating Windows XP clients from console Post by: shaun on June 16, 2008, 04:02:56 PM Figured it out, although it doesn't make any sense. I decided to review the forums for the Server Edition and found the answer. Keep in mind, I have 2 different environments, one with a proxy server and one without. This solution fixed the XP SP2 issues in both environments.
Basically, I finally found a post about reviewing the Alwil Software Setup Log: %PROGRAMFILES%\Alwil Software\Avast4\Setup\Setup.log In it, I found the following errors of interest: Code: 11:45:02 min/pkg Download servers.def, servers.def.vpu failed with error 0x20000005. 11:45:02 min/pkg Tried to download servers.def but failed with error 0x20000005. 11:45:02 min/gen Err:The proxy needs authentication. Now, the proxy server does NOT require authentication. Additionally, I don't have a proxy server in one environment. So, I tried a variety of configuration changes in the Update Settings (such as Direct connected, etc.). The only thing that worked was using the "Specify proxy server" option AND include a user for authentication in both environments. Makes absolutely no sense to me, but it works now... Title: Re: Error updating Windows XP clients from console Post by: Vlk on June 16, 2008, 05:25:41 PM It makes some sense to me though. :)
What proxy server are you using? (and what authentication types does it support?) Maybe you only think that the proxy doesn't need authentication, but in fact, it is using NTLM (implicitly)? The main idea behind NTLM is that you don't have to specify any usernames/passwords anywhere as your Windows security token is used instead (ie. you're using the identity of the logged-on user). The thing is, when you invoke an update from the WHS console, it takes place (on the client) in the context of the avast! system service. This service runs under the LocalSystem account. Therefore, NTLM authentication cannot be used as the users identity makes no sense to the proxy. Thanks Vlk Title: Re: Error updating Windows XP clients from console Post by: shaun on June 20, 2008, 01:56:13 PM Thanks for the comments!
The environments I am testing can use SurfControl, ISA and WebSense. I agree with what you are saying about NTLM authentication, but if I create a new local user account on the box, that account can get out on the Internet without issue. It isn't part of any groups other than the local USERS group. Why would it be able to do so, but not the Local System account? Title: Re: Error updating Windows XP clients from console Post by: Vlk on June 20, 2008, 03:46:05 PM LocalSystem is a special account that has unlimited access to local resources, but no access to remote resources (as far as NTLM authorization is concerned). That's by definition.
Well, in fact, it acts as the machine account with respect to NTLM authorization (unlike normal User account). So, in theory, if you granted the MACHINE account some rights (on ISA), it should work, too... Cheers Vlk Title: Re: Error updating Windows XP clients from console Post by: shaun on June 23, 2008, 02:03:48 PM Ahhh... that makes some sense now. I was about to say that a local user account is no different from LocalSystem when it comes to "network" rights. I can't get to a network resource with a newly created local account any easier than LocalSystem, but the proxy piece still worked.
However, if you're saying that LocalSystem acts more like a Machine account, than a User account, this starts to make some sense now. Thanks for the tip. I'll research some more with Microsoft. Title: Re: Error updating Windows XP clients from console Post by: Vlk on June 23, 2008, 07:41:18 PM However, if you're saying that LocalSystem acts more like a Machine account, than a User account, this starts to make some sense now. Thanks for the tip. I'll research some more with Microsoft. That's what I'm saying. See e.g. here http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx Cheers Vlk |