Error when adding or modifying a WSUS server in Patch Manager

Updated Sept 13th, 2018

Overview

When you add or modify a WSUS server in Patch Manager, the following error displays:

Unable to connect to the WSUS Server using the account: domain\admin. Request for principal permission failed.

Environment

  • Patch Manager version 2.1.x

Cause 

Resolution

  • Verify whether the "Do not allow storage of passwords and credentials for network authentication" GPO is Enabled on the Patch Manager (PM) server. If it is, either make an exception to this policy for the PM server, or set the policy to Disabled or Not Defined.
  • If you changed the policy, reboot the PM server for the changes to take effect. This solution has been validated.

Technically speaking, the service that does the work is the "DataGrid Service", which runs as a local (NOT a domain) user account on the Patch Manager server. This account needs NO rights to other machines unless those are granted via the Credential Ring. If the above policy is in place, the Credential Ring has no access.

If the policy is kept in place, security violations can be further mitigated by adding domain users to the "EminentWare Users" role within Patch Manager and granting them no further access.  Those users do NOT have access to the Credential Ring.  Only members of the "EminentWare Security Administrators" (and higher) have access to the Credential Ring.

 

If the above is not applicable to your case, then continue the troubleshooting steps below:

  1. Log in to the Patch Manager Admin Console as an administrator.
  2. In the navigation pane, expand Enterprise > Update Services and select the WSUS server.
  3. In the center pane, select your WSUS server.
  4. In the Actions pane, click Add or Configure WSUS Server.
  5. In the Add or Modify WSUS Server window, complete the Hostname or FQDN and Canonical Name fields.

    For the Canonical Name field, you can enter an IP address in the following format:

    \xxx.xx.xxx.xxx

  6. Test the connection.

    If the connection passes, click Save. You are finished.

    If the connection does not pass, elevate the service account in Local Users and Groups.

Elevate the Service account

  1. Navigate to Local Users and Groups.
  2. Open the ewdgssvc-xxxx account and add it to the WSUS Administrators and Administrators groups.
  3. Save your changes.
  4. Restart the EminentWare Data Grid Service.
    If the error message does not display, you are finished.
    If the error message displays, check the WSUS server logs to verify the connection.
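
The policy check from the Resolution section and the service-account membership from the steps above can be read in one pass. This is an added example, not SolarWinds code; it assumes Windows PowerShell 5.1 on the Patch Manager server, that the GPO is stored in the `DisableDomainCreds` registry value under the Lsa key, and that the service display name starts with "EminentWare".

```powershell
# Added example (not SolarWinds code): read-only audit for the Patch Manager server.
# Run in an elevated Windows PowerShell 5.1 session.

# 1. The GPO "Network access: Do not allow storage of passwords and credentials
#    for network authentication" is stored as DisableDomainCreds under the Lsa key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'DisableDomainCreds' -ErrorAction SilentlyContinue
$policyEnabled = ($null -ne $lsa) -and ($lsa.DisableDomainCreds -eq 1)

# 2. Logon account of the Data Grid service. Assumption: the display name starts
#    with "EminentWare", as in the service name this article uses.
$services = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'EminentWare%'" |
    Select-Object Name, DisplayName, State, StartName

# 3. Local ewdgssvc-* accounts and which of the two groups each belongs to.
$groups = 'Administrators', 'WSUS Administrators'
$accounts = foreach ($user in (Get-LocalUser | Where-Object Name -like 'ewdgssvc-*')) {
    $memberOf = foreach ($group in $groups) {
        # "WSUS Administrators" exists only on hosts with WSUS installed.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $user.SID.Value) { $group }
    }
    [pscustomobject]@{
        Account  = $user.Name
        Enabled  = $user.Enabled
        MemberOf = ($memberOf -join ', ')
    }
}

if ($policyEnabled) {
    Write-Warning 'DisableDomainCreds = 1: the credential-storage policy is Enabled on this server.'
} else {
    Write-Output 'DisableDomainCreds is 0 or not set: the policy is Disabled or Not Defined.'
}
$services | Format-Table -AutoSize
$accounts | Format-Table -AutoSize
```

Capturing the output before and after the elevation step gives a record of exactly which rights were added to the service account, so the change can be reviewed or reverted later.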

Check the WSUS server logs to verify the connection

  1. Open the Event Viewer on the WSUS server.
  2. Expand Windows Logs and select Application.
  3. Search the recent events for any error events related to WSUS.
    The service account used by Patch Manager may have experienced a logon failure or access denied event.
  4. Add the Patch Manager Service Account to the WSUS Administrators group on the WSUS server.
    If the WSUS server is an Automation server, you may need to add the local account that you created when you installed the Automation Server role. 
  5. Verify that the error no longer displays.
    If the error does not display, you are finished.
    If the error displays, verify that the Primary Application Server (PAS) and WSUS are on the same server.

Verify that the PAS and WSUS are on the same server

  1. Log in to SQL Server Management Studio.
    Use SQL Server Management Studio 2008 for Patch Manager 2.1.3 and earlier.
    Use SQL Server Management Studio 2014 for Patch Manager 2.1.4 and later, or the appropriate version if you are using enterprise SQL.
  2. Review the dbo.device and dbo.gc_device tables for duplicate entries for the WSUS server.
    Be sure not to delete the PAS entry. You can confirm the PAS Device ID in the console by expanding Patch Manager System Configuration and selecting Patch Manager Servers.
  3. Delete the duplicate entry.
  4. Restart the EminentWare Data Grid Server Service.
  5. Launch the console and re-add the WSUS server.
  6. Verify that the error no longer displays.
    If the error does not display, you are finished.
    If the error displays, check the PAS and Application server or contact Support.

 

 
