RPC over HTTP only working with TCP/IP internally

Asked by buttino:

Got a strange one here!

Single server Windows 2003 / Exchange 2003 solution: OWA over SSL works fine, but I cannot get RPC/HTTP to work correctly.

I've read through most of the articles on here and checked and double checked my setup but still can't get it to work.

RPC/HTTP seems to work only internally using TCP/IP, whether the "on slow / fast connections use HTTP first then connect using TCP/IP" boxes are ticked or unticked. Externally I appear to authenticate OK but can't actually connect to the Exchange part of the server.
outlook /rpcdiag shows me that I'm getting past the server.externaldomain.co.uk part OK, but it can't connect to the internal server.
Outlook send/receive gives me the error message: Task "Microsoft Exchange Server" reported error (0x8004011D): "The server is unavailable. Contact your administrator if this condition persists."

Any thoughts?

Thanks

Trev
Sembee:

You should concentrate on the internal connection first.

What happens when you browse to https://servername.domain.com/rpc - where servername.domain.com is the name on the certificate? You should get NO certificate prompts and then a username and password prompt. After entering credentials three times it should fail with "403.2 - Forbidden: Read access denied".

If any of the above doesn't work as outlined, then the Outlook client will not work.

Simon.
buttino (asker):

Hi Simon,

I get this message, slightly different:

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.
Internet Information Services (IIS)

Trevor
Ibrahim Benna:

You will get 401.3 if you have Windows Service Pack 1 installed; plus, this will appear after 3 logon attempts. How many Exchange servers are we talking about? Which server is the RPC proxy server? How many global catalog servers running Windows 2003 do you have? Can you telnet to the GCs on port 6004 from the RPC proxy server? Where was your certificate obtained from?

On the RPC proxy server, check the registry at HKLM\SOFTWARE\MICROSOFT\RPC\RPCPROXY\ValidPorts. Make sure it is in the format EXCHANGENETBIOSNAME:6001-6002;EXCHANGE_INTERNAL_FQDN:6001-6004;GC_NETBIOSNAME:6004;GC_FQDN:6004. If the Exchange server is a GC, you may want to enter this key as EXCHANGE_NETBIOS:6001-6004;EXCHANGE_FQDN:6001-6004 and that's it.
buttino (asker):

This is a single server solution, i.e. Exchange, GC & DC are on the same box.

This is the registry entry: Server:6001-6002;Server:6004;Server.fqdn:6001-6002;Server.fqdn:6004;mail.fqdn:6001-6002;mail.fqdn:6004

Server is the internal NetBIOS name and mail is the external name.

I've run rpccfg /hd on the server and it checks out OK.
Is that all there is on the registry entries?

You should have at least one more line:

server:100-5000;
server:6001-6002;
server:6004;
server.domain.local:6001-6002;
server.domain.local:6004;
mail.external.com:6001-6002;
mail.external.com:6004;

Simon.
buttino (asker):

That's all I had. I did have the 100-5000 entry, but on this site http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm it doesn't have it in, while on others it does.

I've checked outlook /rpcdiag and it's still connecting via TCP/IP. I can see all my emails and send/receive etc., but surely it should connect via HTTP?

I've re-added the 100-5000 entry.
OK, I see a few problems. First of all, ports 100-5000 are only needed if you have actually manually changed the information store and directory service ports in the registry on the Exchange server. By default these are set to 6001 and 6002 according to article 833401, so please check those.

Another thing you may want to check: on the server properties in Exchange System Manager / RPC over HTTP, make sure it is set to "Not part of an Exchange managed..."!

Finally, port 6004 is for the NSPI port on a global catalog server, so if you have this set in the ValidPorts key for an external name of the Exchange server, it will definitely fail! Make sure you can telnet to the GC on that port first of all. Since you have a single server, the ValidPorts key should technically have 2 entries. Change the ValidPorts key to reflect the following:

EXCHANGE_NETBIOS:6001-6004;EXCHANGE_FQDN:6001-6004 and that's all.

RPC over HTTPS either works or it doesn't.
When it doesn't work it is caused by one of three problems.

1. Outlook cannot find the server listed in the RPC proxy settings.
2. The certificate doesn't work (name, trust etc).
3. The registry settings are wrong or incomplete.

Now you shouldn't need to add the following lines to the registry, but I would try them anyway...

dc:593;dc.domain.local:593;

Replacing dc and dc.domain.local with the correct names for your domain controller.

Also make sure that you have the domain controller entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Type: REG_MULTI_SZ
Name: NSPI Interface protocol sequences
Value: ncacn_http:6004

Simon.
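As an added example (not code from this thread, from Microsoft, or from either replier), here is a small Python checker for the ValidPorts layout the replies above describe. It parses the semicolon-separated host:port and host:low-high entries, reports which of the names a client might use do not cover 6001/6002 (store and DS) and 6004 (NSPI on the GC), and can TCP-connect to each listed port in the same way the telnet checks suggested above do. The sample key and hostnames are the placeholders from the asker's post; the injectable `connect` callable and the `required` port set are assumptions of this example so the logic can be run without a network.

```python
"""Parse and sanity-check an RPC-over-HTTP ValidPorts string.

Added example, not code from the thread. Assumed layout (from the replies):
every name a client may use to reach the Exchange server must cover the
store/DS ports (6001, 6002) and, when that server is also the GC, the NSPI
port (6004); 593 is the optional endpoint-mapper entry for the DC. The sample
string is the asker's key, with the thread's placeholder hostnames.
"""
import re
import socket

# host:port or host:low-high; hostnames are NetBIOS names or FQDNs.
ENTRY_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*):(\d+)(?:-(\d+))?$")


def parse_validports(value):
    """Return {hostname_lower: set_of_ports}; raise ValueError on bad syntax."""
    ports_by_host = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:  # tolerate a trailing ';'
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError("malformed ValidPorts entry: %r" % entry)
        host, low, high = m.group(1).lower(), int(m.group(2)), m.group(3)
        high = int(high) if high else low
        if not (1 <= low <= high <= 65535):
            raise ValueError("bad port range in entry: %r" % entry)
        ports_by_host.setdefault(host, set()).update(range(low, high + 1))
    return ports_by_host


def missing_ports(ports_by_host, names, required=(6001, 6002, 6004)):
    """For each client-facing name, list the required ports it does not cover."""
    gaps = {}
    for name in names:
        have = ports_by_host.get(name.lower(), set())
        missing = sorted(p for p in required if p not in have)
        if missing:
            gaps[name] = missing
    return gaps


def probe_ports(ports_by_host, ports=(593, 6001, 6002, 6004), connect=None, timeout=3.0):
    """TCP-connect to each listed host:port of interest; return those that refuse.

    `connect(host, port) -> bool` is injectable (assumption of this example) so
    the check can run offline; by default it is a real socket connect, which is
    what you would run on the RPC proxy host itself.
    """
    if connect is None:
        def connect(host, port):
            try:
                socket.create_connection((host, port), timeout=timeout).close()
                return True
            except OSError:
                return False
    closed = []
    for host, allowed in sorted(ports_by_host.items()):
        for port in sorted(set(ports) & allowed):
            if not connect(host, port):
                closed.append((host, port))
    return closed


# The asker's key, verbatim from the thread (placeholder hostnames).
ASKER_VALIDPORTS = ("Server:6001-6002;Server:6004;Server.fqdn:6001-6002;"
                    "Server.fqdn:6004;mail.fqdn:6001-6002;mail.fqdn:6004")

if __name__ == "__main__":
    table = parse_validports(ASKER_VALIDPORTS)
    for host, ports in sorted(table.items()):
        print("%-12s %s" % (host, ",".join(str(p) for p in sorted(ports))))
    print("gaps:", missing_ports(table, ["Server", "Server.fqdn", "mail.fqdn"]))
```

Run it on the proxy server with the real key (`reg query HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy /v ValidPorts`) and the names that appear in the Outlook proxy settings and on the certificate; a name missing from the key, or a listed port that refuses the connection, is the first thing to fix before looking at authentication.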
buttino (asker):

Ok, here's what I've tried from the above two posts

1. I've removed ports 100-5000.
2. I can telnet to ports 6001-6004.
3. I've added port 593 to the registry and can telnet to that too.
4. The registry entry for NTDS\Parameters is there as stated.
5. The RPC/HTTP GUI setting was set to a back-end server; setting it to "not part of..." has no effect.

Here's a section from the W3SVC log when I'm connecting via Outlook:

2006-02-23 20:13:51 192.168.0.100 RPC_IN_DATA /rpc/rpcproxy.dll server.domain.co.uk:593 80 - 192.168.0.3 MSRPC 403 4 5
2006-02-23 20:13:51 192.168.0.100 RPC_OUT_DATA /rpc/rpcproxy.dll server.domain.co.uk:593 80 - 192.168.0.3 MSRPC 403 4 5

The 403 errors worry me. Can anyone tell me if similar entries are in your web server logs when connecting via RPC/HTTP?

Thanks guys

Trev
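As an added example (not code from the thread), the W3SVC lines above can be decoded column by column: IIS 6 writes sc-status and sc-substatus as separate fields, so "403 4 5" is HTTP 403.4 (the "SSL required" substatus) with Win32 status 5, and the s-port column records which listener the request came in on. The field order below is assumed to be the IIS 6 default, because the log's #Fields: header is not shown on the page; the sample records are constructed from the two lines posted above, and the substatus table only lists the codes that come up in this thread.

```python
"""Decode W3SVC log lines for RPC-over-HTTP (rpcproxy.dll) requests.

Added example, not code from the thread. Field order is ASSUMED to be the
IIS 6 default (check your log's #Fields: header): date time s-ip cs-method
cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
sc-substatus sc-win32-status. The sample lines are the two the asker posted.
"""

FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32")

# IIS 6 status.substatus pairs that appear in this thread.
SUBSTATUS_TEXT = {
    (200, 0): "OK",
    (401, 1): "Logon failed",
    (401, 2): "Logon failed due to server configuration",
    (401, 3): "Unauthorized due to ACL on the resource",
    (403, 2): "Read access forbidden",
    (403, 4): "SSL required",
    (403, 5): "SSL 128 required",
}

WIN32_TEXT = {0: "success", 5: "ERROR_ACCESS_DENIED"}

# Constructed from the two log lines in the post above.
SAMPLE_LOG = """\
2006-02-23 20:13:51 192.168.0.100 RPC_IN_DATA /rpc/rpcproxy.dll server.domain.co.uk:593 80 - 192.168.0.3 MSRPC 403 4 5
2006-02-23 20:13:51 192.168.0.100 RPC_OUT_DATA /rpc/rpcproxy.dll server.domain.co.uk:593 80 - 192.168.0.3 MSRPC 403 4 5
"""


def parse_line(line):
    """Return a dict for one log record, or None for comment/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    rec = dict(zip(FIELDS, parts))
    for key in ("s_port", "status", "substatus", "win32"):
        rec[key] = int(rec[key])
    # The RPC proxy carries the back-end target (host:port) in the query string.
    if rec["uri_stem"].lower().endswith("/rpcproxy.dll") and ":" in rec["uri_query"]:
        host, _, port = rec["uri_query"].rpartition(":")
        rec["target_host"], rec["target_port"] = host.lower(), int(port)
    return rec


def diagnose(rec):
    """Return short findings for one rpcproxy.dll record."""
    key = (rec["status"], rec["substatus"])
    findings = ["%d.%d %s" % (key[0], key[1], SUBSTATUS_TEXT.get(key, "(substatus not in table)"))]
    if rec["win32"]:
        findings.append("win32 status %d %s" % (rec["win32"], WIN32_TEXT.get(rec["win32"], "")))
    if key == (403, 4) and rec["s_port"] != 443:
        # SSL required, yet the request hit a non-SSL listener port.
        findings.append("request arrived on listener port %d, not 443; the /rpc directory rejects it as non-SSL" % rec["s_port"])
    if rec["username"] == "-":
        findings.append("no authenticated user in cs-username")
    if "target_host" in rec:
        findings.append("proxy target %s:%d" % (rec["target_host"], rec["target_port"]))
    return findings


def rpcproxy_records(text):
    """Parse a log body and keep only the rpcproxy.dll requests."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["uri_stem"].lower().endswith("/rpcproxy.dll"):
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in rpcproxy_records(SAMPLE_LOG):
        print(rec["method"], rec["c_ip"], "->", rec["target_host"], rec["target_port"])
        for finding in diagnose(rec):
            print("   ", finding)
```

A healthy RPC-over-HTTP session shows RPC_IN_DATA and RPC_OUT_DATA pairs with status 200, an authenticated cs-username and s-port 443; comparing the target host:port column against the ValidPorts key tells you whether the proxy is even being asked for a back end that the key permits.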
If there is an authentication issue you will usually be re-prompted for credentials.
403 is forbidden, not even access denied. I am getting 200, which is access allowed.

You will need to look at the permission on the virtual directory, along with authentication.

Simon.
buttino (asker):

I'm not getting repeated requests for credentials; I'm only being asked once and then mail downloads correctly.

The permissions for the RPC directory are:

Administrators - full control
Authenticated Users - read
CREATOR OWNER - full control (subfolders and files only)
Server Operators - modify
SYSTEM - full control

Authentication is Basic.
All computers are granted access.
It asks once and then fails over to TCP/IP. If you disable the failover, you will get repeated prompts for credentials.

Try enabling integrated authentication on the /rpc virtual directory and see what happens then.

Simon.
buttino (asker):

Hi,

Still nothing. I've enabled integrated authentication; I connect but get repeated requests for my password. Might it be worth re-installing RPC/HTTP?

Thanks

Trevor
Accepted solution (Sembee): the text of this post is not available on the page.
buttino (asker):

Hi,

Yes, the machine (laptop) is a member of the domain. I'll try the reg fix later and report back.

Thanks

Trev