I have been tearing my hair out recently (since 7.4). My clients all fail when manually directed at Windows or Microsoft update. The error that comes back on all of them (I've looked at all of the XP and Win2k ones anyway) is "Your computer's date and time appear to be out of sync with an update certificate."

My client dates and times are definitely in-sync with the rest of the world. I operate an SNTP server here, which syncs with the our national NTP pool. All clients are set to "GMT" time zone with Summertime switched on.

Yet.... Every time I point a machine at windows update, I get Error Number 0x80072F8F.

I have my Astaro set-up as an HTTP/HTTPS Proxy and have installed the Astaro Proxy CA certificate as a Trusted Root certification Authority in all client machines. The date and time on the ASG are also set to synchronise from the National NTP Pool, so that time is also accurate.

So Why-oh-Why is the Bl**dy Microsoft update request failing?

Has anyone else seen this or similar problems and has anyone solved it/them?

Any suggestions would be greatly appreciated!

JB

The first article Google found was 0x80072f8f Windows Update error - FIND a Solution HERE in this article!

It's hard to see how the Astaro would be involved in that error. I can't tell from your post, but have you installed the Astaro cert both in the browser and using mmc?

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Thanks for that BAlfson. Unfortunately and as I mentioned in my post, I have already tried all of the time-adjusting bits. Although not mentioned in the post, I had also already done the re-registering of those DLL files as well.

However I do have news to report... I did get a little further through some research done independently.

The problem seems to be that the Astaro is proxying all SSL traffic. Not just traffic from the user session. What this means is this:

When you use MS Update, much of the traffic is secured and signed. We don't get to see this, it is handled by the MS Update DLLs. These DLLs are operating under the system account on the computer, they are therefore independent from the User account. When the user imports the Astaro's Webadmin Proxy CA certificate to the Trusted Root Certification Authorities container, it only applies to his user account and not to the whole computer.

This means that when the Update software attempts to authenticate the Microsoft update files, it fails because all it sees is a Certificate signed by the Astaro's Proxy CA. That CA is only recognised under the user account and not under the machine's system account, and so the authentication fails and we get the standard Microsoft certification error which incorrectly burbles-on about time synchronisation issues.

What needs to happen is the Astaro's Proxy CA certificate, needs to be installed to the machine's Trusted Root Authority container. To do this you need to import the Astaro's Proxy CA Certificate using the the Microsoft Management Console (MMC).

The steps are these...
1.) Firstly save a PKCS#12 copy of the Astaro's Proxy CA certificate somehere on an accessible drive.
2.) Open the Microsoft Management Console by typing "MMC" in the run box (Start>Run>"MMC")
3.) Add the certificates Snap-in by selecting FILE>ADD/REMOVE SNAP-IN...
4.) Hit the Add button and select certificates from the list
5.) Select the "Computer Account" radio button
6.) Click Finish and close the list of snap-ins
7.) Click OK to add the certificates snap-in, which should now be visible in the Add/Remove Snap-ins window
8.) Expand the list of certificate containers, right click "Trusted Root Authorities" and choose "Import"
9.) Now brows to the PKCS#12 file you exported from the Astaro earlier and select it, (you may need to mess with the file types at this point)
10.) A message pops up saying the import was successful
You are done.

This for me took away the cert time issue but brought up another error, which I'll detail in my next post once I've kicked it for a bit...

Thanks for the "cookbook" - That's exactly what I meant in post #2 above. You might search more on microsoft update, as others have posted extensively about such issues.

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Sorry Bob. I didn't see the 2nd part of your first post. You were right on the money there.

Unfortunately, having sorted that problem I'm now faced with a different failing message: 0x8024400A "The website has encountered a problem and cannot display the page you are trying to view"

I'm assuming its still a firewall problem as I have 7 Machines and they are all reporting the same error when trying to update by going to MS Update manually from the Web Browser.

Any ideas?

JB

Are you running WSUS on a Win 2003 server?

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Ah You've seen the same postings... That is my problem, no - I'm not running a WSUS server which makes me veru confused about the error message.

Have you seen this elsewhere?

BTW my Astaro is set to allow all ports outgoing so it's not the packet filter. Also I have Microsoft update set up in the HTTP proxy Exceptions as well. ie all of these domains are set to:
Skipping: Authentication / Antivirus / Extension blocking / MIME type blocking / Content Removal / Certificate Trust Check / Certificate Date Check
For:
Target Domains
windowsupdate.com
microsoft.com
Microsoft Windows Update
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
Microsoft Download Center
http://*.download.windowsupdate.com
http://test.stats.update.microsoft.com
http://ntservicepack.microsoft.com

So what else can I do????

Beginning sometime after V7.0 (I think it was 7.2), the following are all that is necessary for all of the target domains listed in your previous post:

windowsupdate.com
microsoft.com

I googled on 0x8024400A -wsus; the first link was Xperience Xp: Error 0x8024400A and it suggests:

1]Disable antivirus.
2]Start > Run > regsvr32 MSXML3.DLL > OK
3]Reboot.
4]Retry Windows/Microsoft update.

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Hi all,

I just want to confirm that this issue seems to be directly related with the HTTP/S Proxy working in transparent mode.

CASE A

1.- HTTP/S Proxy active in transparent mode
2.- Astaro Cert. installed on Internet Explorer (v6 SP1, v7 and v8)

RESULT 1: On Windows Update you'll get the Cert. time error.
RESULT 2: Won't be able to activate your Windows XP copy.

CASE B

1.- HTTP/S Proxy active in transparent mode
2.- HTTP/S Proxy exceptions for: windowsupdate.com and microsoft.com skipping: Antivirus / Extension blocking / Certificate Trust Check / Certificate Date Check
3.- Astaro Cert. installed on Internet Explorer (v6 SP1, v7 and v8)

RESULT 1: On Windows Update you'll get the Cert. time error.
RESULT 2: Able to activate your Windows XP copy.

CASE C

1.- HTTP/S Proxy active in transparent mode
2.- Astaro Cert. installed on Internet Explorer (v6 SP1, v7 and v8)
3.- Skipp the HTTP Proxy for a Windows computer

RESULT 1: NO problems on Windows Update (for the skipped Computer).
RESULT 2: Able to activate your Windows XP copy (for the skipped Computer).

__________________
Swiss Guard - The Official Army of the Vatican City State since 1506

Not having found this thread until now I can verify that all of suzzyx's results are true. It seems clear that the proxy is the problem but I have no idea how to resolve it...