PATCH MY PC DOCS

Knowledge Base

We’re here to help if needed

Request for Principal Permission failed (0x80131500 or 0x8013150A)

We recently encountered this error when running a sync on a remote Software Update Point.

In this example, we are using CM1.corp.contoso.com as the primary site server and SP1.corp.contoso.com as the remote site system with the software update point role configured.

Topics covered in this article:

Determine if You are Affected

You will see the following error in wsyncmgr.log:

MessageSync failed: Request for principal permission failed. Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer

STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=CM1.corp.contoso.com SITE=CHQ PID=2836 TID=9640 GMTDATE=Fri Aug 02 20:54:26.571 2024 ISTR0=”Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer” ISTR1=”Request for principal permission failed” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 LE=0X8013150a

Sync failed. Will retry in 60 minutes

 

Understanding 0X8013150A or 0X80131500

The 0x80131500 error typically means that you are unable to connect to the Software Update Point. This can be due to several different reasons. The primary logs we will look at during this sync are wsyncmgr.log and WCM.log.

Unfortunately, the CMTrace error lookup feature (Ctrl + L) cannot help with the error code.

 

More InformationNote: This error message is different from a previous build of ConfigMgr. When setting up this scenario, we were running the latest build of ConfigMgr. Configuration Manager 2403. In older builds, the error was 0x80131500 instead of 0x8013150A.

Troubleshooting Steps

Merge WCM.log and wsyncmgr.log in CMTrace.

Review the connecting account. In this case, the credentials for CORP\Service-SCCM are being used for the network connection.

This account is unable to connect to the remote WSUS server.

The account used to connect to the Software Update Point is found under Administration > Servers and Site System Roles > (Your Software Update Point) > Properties > Proxy and Account Settings

Resolution

The minimum permissions required for this account is to be in WSUS Administrators on the Software Update Point Site Server (in this example, we added SRVC_SCCM to the WSUS Administrators on SP1.corp.contoso.com).

If you were to uncheck the box for “Use Credentials to connect to the WSUS Server” the computer name of your primary site server would need to be added to the WSUS Administrators group on the Software Update Point.

This scenario may have occured as a result of the Software Update Point (SP1.corp.contoso.com) being set up when the service account (SRVC_SCCM) was a Domain Admin or had higher privileges. The account was then removed from Domain Admins, and the SUP began to fail.

Once the appropriate permissions were added. The Software Update Point synced correctly.

More InformationNote: Minimum permissions for all ConfigMgr accounts can be found here: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts

Published On September 18, 2024