ConfigMgr: Unable to configure WSUS when running on Windows Server 2008 with NLB

Applies to: Microsoft System Center Configuration Manager 2007System Center Configuration Manager (current branch)Microsoft System Center 2012 Configuration Manager

Symptoms


Configuration Manager 2007 and later versions will not be able to configure WSUS in a network load balanced configuration when the WSUS\SUP nodes are running on Windows Server 2008.  The WCM log will contain the following message:

System.Net.WebException: The request failed with HTTP status 401: Unauthorized.

Cause


In Server 2008 and IIS 7, windows authentication happens in kernel mode by default, and the SPN requests would go for the computer account instead of the appPool identity

Resolution


To resolve this issue using the following steps to turn off Kernel-Mode authentication which is new and on by default in IIS 7.

1.  Go to the Default Web Site (or other web site if you are not using the default)
2.  Select ApiRemoting30
3.  Double click Authentication (in the right pane)
4.  Right click windows authentication
5.  Advanced Settings
6.  Clear the check box for Enable  Kernel-Mode authentication
7.  Repeat for each server in the NLB Cluster