Can't access WSUS console from local system; can access it from another host?

It appears I had a mismatch in my server certificate and the domain name I have been using.

I didn't mention this before, but doing "Wsusutil configuressl certificateName" did not help.

When the WSUS console opens, it attempts to connect using the hostname, and ONLY the hostname. This used to work...back in the day, our GPO pointed to the old WSUS server (predating either of these) at "http://server-wsus-desk:8530". I enabled ssl and updated that to "http://server-wsus-serv:8531". For the clients to connect, the ssl cert was for just the hostname. Somehow, this just doesn't work.

What DID work was creating a new domain cert for the FQDN (server-wsus-serv.ad.domain.org). Then I updated the GPO to point to "https://server-wsus-serv.ad.domain.org:8531". When I load the console on that host, by default, it opens up a connection to "server-wsus-serv" which does the whole "show 0 computers and updates" thing. However, I can initiate a NEW connection to the FQDN "server-wsus-serv.ad.domain.org" on port 8531, and it shows right up on both servers as you would expect. Clients connect without errors, and server manager shows no issues in the event log.

This is still not ideal though. What I ended up doing was creating an alternative certificate template on my CA that allows for multiple DNS aliases. I went to my CA, duplicated the "Web Server" template, then called it "WSUS Web Server Certificate". In the "Security" tab, add the actual WSUS server either by a group or by the computer name (you need to enable the computer object type) and give it "Enroll" and "Read" permissions. Then, go to the CA in the server manager, expand the "Certificate Templates" folder, then right click, go to "New" and select "Certificate Template To Issue." Choose your new template and click ok. Now, go back to your WSUS server, open up mmc and load the certificate snap-in for the computer account. Expand "Certificates" and "Personal" and click the "Certificates" folder. Right click in the whitespace, select "All Tasks" -> "Request New Certificate". Click "Next", "Next", then you'll see the new web certificate template with a link saying "More info is required to enroll fo rthis certificate". Click that.

In "Subject Name" select the type "Common Name" and put in your FQDN and hit Add. In "Alternative name", select the DNS type, then enter ANY other names you might use (for us, it's server-wsus-serv.ad.domain.org, server-wsus-serv.domain.org, and server-wsus-serv). Click ok, check the box next to the certificate template, then hit Enroll. Click finish, then go back into the certificate MMC snap-in, and refresh to see your new certificate. I like to double click on it and enter a friendly name like "WSUS Web Server Certificate".

Go back to IIS manager. Under the web server, select "Server Certificates" and you should see your new certificate there. Expand your sites, choose your WSUS Admin site, and edit your bindings so that the new cert is bound to 8531. Restart the site. Then, open powershell, and navigate to "C:\Program Files\Update Services\Tools" and run ".\Wsusutil configuressl server-wsus-serv.ad.domain.org" Then restart update services. I can now connect locally and remotely from both the server name AND the FQDN.

Related videos on Youtube

32 : 36

Windows Installation (Part 1)

darey

956

31 : 09

Install and Configure WSUS Server with Group Policy

Cyber Manny

137

22 : 33

12.1 Installing and configuring Windows Server 2016 Update Services (Step by Step guide)

NLB Solutions

105

03 : 57

Configuring the WSUS Client

Jim Dickson

11

11 : 54

Server 2019 Training 16 – Fatal Error Post Installation Troubleshooting WSUS, Windows Server 2019

CCNA MCITP

6

Author by

surfrock66

Updated on September 18, 2022