I have an SCCM 2012 single primary site infrastructure with two DPs configured for HTTP. Test clients are not joined to the domain. Network Access Account is properly configured.
All deployments configured to run directly from DP work fine.
Issue: Deployments configured to “Download content from distribution point and run locally” including all Windows Updates fail.
Errors (example – a windows update):
| UpdatesHandler.log |
CAS failed to download update (4dfda4a4-f124-4589-bd1b-a6f45b71db16). Error = 0x80070005. Releasing content request. |
| DataTransfer.log |
Error sending DAV request. HTTP code 401, status ‘Unauthorized’ |
| CAS.log |
Download failed for content 0e47d69c-240c-44e1-89c5-12333cd5fcf9.1 under context System, error 0x80070005 |
I am not sure why Network Access Account was not used. But it looks like it tried to use Local System Account for the Workgroup machine and failed with “Access Denied”.
Resolution: I enabled Anonymous Authentication for SMS_DP_SMSPKG$ folder in IIS and verified it set for IUSR user (I am using Server 2008 R2)
Note: the settings periodically flipped back to “Disabled” 
I finally found a KB explaining the behaviour. http://support.microsoft.com/kb/2682514 . You basically need to enable anonymous connection in properties of DP:
Cheers,
Alex
Like this:
Like Loading...
Related
IT Consultant Everyday Notes 
Thanks, Alex. This saved my bacon!
great thx
Hi there, I have the exact same issue that you have on a Win7 workstation machine in our environment and about to do the same thing as you mentioned above. However as soon as I have found these post – http://myitforum.com/myitforumwp/2013/09/24/error-401-while-connecting-to-dp/ then applied hotfix http://support.microsoft.com/kb/2522623, without ticking the option in SCCM 2012 or changing anything on IIS, all windows updates are now applying to the machine.
Sorry I was mean Win7 Workgroup machine in the above
Thanks Alex 🙂