Changes for page Windows Server 2012 R2

Last modified by Sebastian Marsching on 2022/05/29 14:04

From version 8.1
edited by Sebastian Marsching
on 2022/05/29 12:57
Change comment: There is no comment for this version
To version 9.1
edited by Sebastian Marsching
on 2022/05/29 14:04
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -89,7 +89,7 @@
89 89  
90 90  If you want to force clients to use SSL for some of the services, you should also follow the [instructions on TechNet](http://technet.microsoft.com/en-us/library/bb633246.aspx).
91 91  
92 -This leaves us with only one problem: If you want to connect from the WSUS console on the same host, you have to use the regular host name of the server, not the virtual host name for WSUS. However, you cannot use SSL for the connection, because the name in the certificate will not match (after all it is using the virtual host name). If you force SSL like described in the [TechNet](https://sebastian.marsching.com/wiki/TechNet) article, the connection from the local host will not work. This is the point where the trouble starts and while trouble-shooting this, I messed up the configuration where WSUS would not work at all. If this happened to you as well, see the [[instructions below||anchor="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"]] on how to fix things.
92 +This leaves us with only one problem: If you want to connect from the WSUS console on the same host, you have to use the regular host name of the server, not the virtual host name for WSUS. However, you cannot use SSL for the connection, because the name in the certificate will not match (after all it is using the virtual host name). If you force SSL like described in the TechNet article, the connection from the local host will not work. This is the point where the trouble starts and while trouble-shooting this, I messed up the configuration where WSUS would not work at all. If this happened to you as well, see the [[instructions below||anchor="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"]] on how to fix things.
93 93  
94 94  This problem is caused because by default NTLM authentication does not work if the client is the same host and the request uses a host name that is different from the system's host name (or FQDN). There are [two](http://support.microsoft.com/kb/896861) [articles](http://support.microsoft.com/kb/926642/en) in Microsoft's knowledge base and a [more detailed blog post](http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx) describing this problem. The solution is adding your virtual host-name (`wsus.example.com` in the example) to the list of allowed host names. This list is stored in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` and is a Multi-String Value with the name `BackConnectionHostNames` and taking one host name per line as a value. You edit the registry using the registry editor or [using the PowerShell](http://sharepointadam.com/2010/07/20/add-backconnectionhostnames-to-the-registry-via-powershell/). After making this change, you should restart the server. Maybe it is sufficient to restart IIS, but I did not test this.
95 95
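Review bot: On the changed line 92, removing the link from "TechNet" leaves "the TechNet article" with no reference inside the sentence. The only remaining pointer is the "instructions on TechNet" link on line 90, so consider wording it as "the TechNet article linked above" to keep the reference unambiguous. Since the line is being touched anyway, "like described" would read better as "as described", and "I messed up the configuration where WSUS would not work at all" as "I messed up the configuration to the point where WSUS would not work at all". The old target, https://sebastian.marsching.com/wiki/TechNet, looks like an automatically generated wiki link rather than an intended one, so dropping it is right. A change comment saying so would help, because both versions currently carry "There is no comment for this version".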